Jack Vrouwes <[EMAIL PROTECTED]> wrote:
>
> I have followed the Linux IP Masquerade Howto. (Actually, I did that
> 3 times.) Testing is successful from Sections 5.1 thru 5.7. Test 5.8
> fails with no pings from the internal box being returned. (Pings are
> being returned if issued from the gateway box, however.)
Ideas:
You don't have IP forwarding enabled.
Your FORWARD chain doesn't permit the traffic to go out.
Your POSTROUTING chain doesn't MASQ your traffic properly.
It may be instructive to run "tcpdump" on different interfaces to see
what happens.
For instance, while the internal host is pinging the internet, you
should see this on your gateway box's internal interface:
# tcpdump -n -i eth0 icmp
tcpdump: listening on eth0
23:17:51.787455 192.168.0.10 > 66.218.71.198: icmp: echo request
23:17:51.880012 66.218.71.198 > 192.168.0.10: icmp: echo reply
23:17:52.782173 192.168.0.10 > 66.218.71.198: icmp: echo request
23:17:52.870928 66.218.71.198 > 192.168.0.10: icmp: echo reply
23:17:53.783179 192.168.0.10 > 66.218.71.198: icmp: echo request
23:17:53.875196 66.218.71.198 > 192.168.0.10: icmp: echo reply
23:17:54.787204 192.168.0.10 > 66.218.71.198: icmp: echo request
23:17:54.874478 66.218.71.198 > 192.168.0.10: icmp: echo reply
You should see this on your gateway's external interface:
# tcpdump -n -i ppp0 icmp
tcpdump: listening on ppp0
23:19:00.487068 66.228.134.33 > 66.218.71.198: icmp: echo request
23:19:00.572338 66.218.71.198 > 66.228.134.33: icmp: echo reply
23:19:01.488106 66.228.134.33 > 66.218.71.198: icmp: echo request
23:19:01.576946 66.218.71.198 > 66.228.134.33: icmp: echo reply
23:19:02.491052 66.228.134.33 > 66.218.71.198: icmp: echo request
23:19:02.577342 66.218.71.198 > 66.228.134.33: icmp: echo reply
23:19:03.489092 66.228.134.33 > 66.218.71.198: icmp: echo request
23:19:03.572721 66.218.71.198 > 66.228.134.33: icmp: echo reply
As you can see, the echo requests show as coming from the internal
network on the internal interface, but are NAT'd to be coming from the
firewall's external network when leaving the external interface.
Obviously this is a working example, which is why echo replies are
shown. However, in your non-working case, you should see if you can
find any replies coming back, which will help you determine the source
of the problem.
For instance, if the replies don't come back at all, look at the
outgoing source IP on your packets. Is it your gateway's actual IP? If
not, then there's no way the replies will find their way to you.
If replies do come back on the external interface, but not the internal,
it means that your NAT isn't working, or perhaps that the FORWARD chain
is not permitting the traffic to re-enter your network.
If you don't even see the requests leaving the external interface in the
first place, it means your IP forwarding isn't really enabled, or the
FORWARD chain isn't permitting the packets to traverse the firewall.
> According to Section 7.4 I issued on the gateway:
> "ps aux | grep -e routed -e gated"
> I don't know what the response means, but here it is:
> "root 1096 0.0 0.1 3572 628 pts/1 S 16:04 0:00 grep -e
> routed -e gated".
> THIS MAY WELL BE THE PROBLEM, but I wouldn't know what to do about it!
The command searches the list of running processes for any named
"routed" or "gated". Since all you found was your own "grep" command
that you ran from the command line, it shows that neither of those
processes is running.
I don't know why you were instructed to look for those. Almost nobody
would ever run such processes on their system without knowingly doing so.
--
[EMAIL PROTECTED] == Fuzzy Fox == David DeSimone
"I used to think I was a child; now I think I am an adult.
Not because I no longer do childish things, but because
those I call adults are no more mature than I am.
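The decision tree laid out in the reply above, as an added Python example that is not part of this post or of the HOWTO: it parses "tcpdump -n icmp" lines captured on the internal and external interfaces and reports which of the failure points described (forwarding, masquerading, replies missing, return path) the captures point at. The sample captures and the gateway address are constructed for illustration, using the address format shown in the post.

```python
import re

# One "tcpdump -n ... icmp" line per packet, in the format shown in the post:
# "23:17:51.787455 192.168.0.10 > 66.218.71.198: icmp: echo request"
LINE = re.compile(r"^\S+ (\S+) > (\S+): icmp: echo (request|reply)$")

def parse(capture):
    """Return (src, dst, kind) tuples; the 'listening on ...' banner and
    any other non-matching lines are skipped."""
    hits = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            hits.append(m.groups())
    return hits

def diagnose(internal_capture, external_capture, gateway_ext_ip):
    """Walk the decision tree from the post in order: do requests leave,
    with what source, do replies come back, are they passed inside?"""
    inside, outside = parse(internal_capture), parse(external_capture)
    req_out = [p for p in outside if p[2] == "request"]
    if not req_out:
        return ("no-forward", "requests never leave the external interface: "
                "IP forwarding is off or the FORWARD chain drops them")
    bad = sorted({p[0] for p in req_out if p[0] != gateway_ext_ip})
    if bad:
        return ("no-masq", "requests leave with unmasqueraded source %s: "
                "POSTROUTING is not MASQUERADEing" % ", ".join(bad))
    if not any(p[2] == "reply" for p in outside):
        return ("no-reply", "masqueraded requests leave but nothing comes "
                "back: the problem is beyond the gateway")
    if not any(p[2] == "reply" for p in inside):
        return ("no-return", "replies reach the external interface but not "
                "the internal one: reverse NAT or FORWARD chain for return traffic")
    return ("ok", "requests masqueraded and replies delivered")

# Constructed sample captures (not real traffic), internal then external side.
INSIDE_OK = ("23:17:51.787455 192.168.0.10 > 66.218.71.198: icmp: echo request\n"
             "23:17:51.880012 66.218.71.198 > 192.168.0.10: icmp: echo reply\n")
INSIDE_REQ_ONLY = INSIDE_OK.splitlines()[0] + "\n"
OUTSIDE_OK = ("23:19:00.487068 66.228.134.33 > 66.218.71.198: icmp: echo request\n"
              "23:19:00.572338 66.218.71.198 > 66.228.134.33: icmp: echo reply\n")
OUTSIDE_NO_MASQ = "23:19:00.487068 192.168.0.10 > 66.218.71.198: icmp: echo request\n"
GW = "66.228.134.33"  # assumed external address of the gateway

if __name__ == "__main__":
    for name, i, o in [("working", INSIDE_OK, OUTSIDE_OK),
                       ("forwarding off", INSIDE_REQ_ONLY, ""),
                       ("no MASQUERADE", INSIDE_REQ_ONLY, OUTSIDE_NO_MASQ),
                       ("return path", INSIDE_REQ_ONLY, OUTSIDE_OK)]:
        code, why = diagnose(i, o, GW)
        print(f"{name:15} {code}: {why}")
```

Feed it the output of the two tcpdump commands from the post (saved to files) and the gateway's real external address, and it names the first point in the chain where the traffic goes missing.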
_______________________________________________
Masq maillist - [EMAIL PROTECTED]