I have been struggling with an IPTABLES firewall on a Linux 2.4.18 kernel (Mandrake 8.2 to be specific).

Network setup:
External interface: eth1
IP Address: dhcp
Internal interface: eth0
IP Address: 192.168.0.1
Internal network: 192.168.0.0
Subnet: 255.255.255.0
Default Gateway: DHCP assigned - usually 205.206.8.1

It is mostly working now (PHEW), but there are still a few glitches that seem to relate mainly to some practices followed by my ISP. Specifically, when I ping my default gateway from an internal network computer I get the following results:

ping 205.206.8.1
> Pinging 205.206.8.1 with 32 bytes of data"
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.

I ran TCPDUMP -i eth1 to get some idea what was happening (I highly recommend this utility to remove hours of guesswork). The results are as follows:

05:07:41.485746 205.206.10.148 > 205.206.8.1: icmp: echo request
05:07:41.496699 209.115.152.60 > 205.206.10.148: icmp: echo reply [tos 0x28]
05:07:42.914690 205.206.10.148 > 205.206.8.1: icmp: echo request
05:07:42.925245 209.115.152.60 > 205.206.10.148: icmp: echo reply [tos 0x28]
05:07:43.929918 205.206.10.148 > 205.206.8.1: icmp: echo request
05:07:43.939868 209.115.152.60 > 205.206.10.148: icmp: echo reply [tos 0x28]
05:07:44.946469 205.206.10.148 > 205.206.8.1: icmp: echo request
05:07:44.956948 209.115.152.60 > 205.206.10.148: icmp: echo reply [tos 0x28]

It appears from the above that MASQing is going out correctly. The top line shows the internal IP address has been changed to the external IP address (205.206.10.148) and forwarded to 205.206.8.1. There appears to be something funny with the second line, which shows the icmp echo reply coming from 209.115.152.60, NOT from the gateway 205.206.8.1. I suspect that the address change messes up MASQing.
Undaunted, I also ran the following ping from an internal network computer to an internet address:

ping 198.80.55.1
> Reply from 198.80.55.1: bytes=32 time=11ms TTL=251
> Reply from 198.80.55.1: bytes=32 time=12ms TTL=251
> Reply from 198.80.55.1: bytes=32 time=11ms TTL=251
> Reply from 198.80.55.1: bytes=32 time=12ms TTL=251

Note that the ping was successful. I ran TCPDUMP -i eth1 for this ping as well:

05:11:16.777462 205.206.10.148 > 198.80.55.1: icmp: echo request
05:11:16.788182 198.80.55.1 > 205.206.10.148: icmp: echo reply (DF) [tos 0x28]
05:11:17.795390 205.206.10.148 > 198.80.55.1: icmp: echo request
05:11:17.806507 198.80.55.1 > 205.206.10.148: icmp: echo reply (DF) [tos 0x28]
05:11:18.798062 205.206.10.148 > 198.80.55.1: icmp: echo request
05:11:18.808805 198.80.55.1 > 205.206.10.148: icmp: echo reply (DF) [tos 0x28]
05:11:19.813426 205.206.10.148 > 198.80.55.1: icmp: echo request
05:11:19.824169 198.80.55.1 > 205.206.10.148: icmp: echo reply (DF) [tos 0x28]
05:11:21.771256 arp who-has 205.206.8.1 tell 205.206.10.148

Notice that there was no change in the external address, 198.80.55.1, between the first and second lines.

As I mentioned, my firewall is basically working. Is there any way to get ping to the default gateway to work from inside my internal network?

I hope this discussion will be of some use to others in tracking down problems with ISP DHCP set ups. Your archive list was extremely helpful.

Thank you.
Paul

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
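The comparison made by eye in the message above (was each echo reply sent from the address that was pinged?) can be run over a whole capture. This is an added example, not part of the original post; the function name is hypothetical, the sample lines are copied from the post's two captures, and because this tcpdump output shows no ICMP id or sequence numbers, each reply is paired with the oldest unanswered request from the same host (an assumption).

```python
import re
from collections import defaultdict, deque

# Old-style tcpdump ICMP line, as in the post:
#   05:07:41.485746 205.206.10.148 > 205.206.8.1: icmp: echo request
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"icmp: echo (?P<kind>request|reply)"
)

def mismatched_replies(lines):
    """Return (timestamp, pinged_address, reply_source) for each echo reply
    whose source differs from the address the paired request was sent to.
    Pairing is by order per requesting host (assumption: no id/seq shown).
    """
    pending = defaultdict(deque)   # requester address -> pinged addresses
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue               # ARP and other non-echo lines
        if m["kind"] == "request":
            pending[m["src"]].append(m["dst"])
        elif pending[m["dst"]]:
            pinged = pending[m["dst"]].popleft()
            if m["src"] != pinged:
                findings.append((m["ts"], pinged, m["src"]))
    return findings

# Lines copied from the two captures in the post.
GATEWAY_CAPTURE = """\
05:07:41.485746 205.206.10.148 > 205.206.8.1: icmp: echo request
05:07:41.496699 209.115.152.60 > 205.206.10.148: icmp: echo reply [tos 0x28]
05:07:42.914690 205.206.10.148 > 205.206.8.1: icmp: echo request
05:07:42.925245 209.115.152.60 > 205.206.10.148: icmp: echo reply [tos 0x28]
""".splitlines()

INTERNET_CAPTURE = """\
05:11:16.777462 205.206.10.148 > 198.80.55.1: icmp: echo request
05:11:16.788182 198.80.55.1 > 205.206.10.148: icmp: echo reply (DF) [tos 0x28]
05:11:21.771256 arp who-has 205.206.8.1 tell 205.206.10.148
""".splitlines()

if __name__ == "__main__":
    for ts, pinged, source in mismatched_replies(GATEWAY_CAPTURE):
        print(f"{ts}: pinged {pinged}, reply came from {source}")
    print("internet capture mismatches:", mismatched_replies(INTERNET_CAPTURE))
```

Netfilter connection tracking matches an ICMP echo reply to its request by address as well as ICMP id, so a reply flagged here is not recognised as belonging to the masqueraded ping.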
