Derek T. Murphy <[EMAIL PROTECTED]> wrote:
>
>                        -----------------
>    -----------         | Linux-2.0.34  |
>    | dial-up |<---->ppp0               |
>    |static IP|         |           eth0<====>192.168.36.0 local network
>    | address |         | 192.168.36.50 |
>    -----------         |               |
>                        |           eth1<====>204.4.21.240 router to the "world"
>                        | 204.4.21.50   |
>                        -----------------
>
> ipfwadm -F -a accept -S 192.168.36.0/24 -D 192.168.36.0/24 -o
> ipfwadm -F -a masquerade -S 192.168.36.0/24 -D 204.4.0.0/16 -o
> ipfwadm -F -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o
This first rule doesn't make sense on the surface. Why would anyone
forward a packet that is to and from the same network? I don't think
you need that rule at all. Your second rule masquerades from the local
net to the global net, I assume that works?
> #!/bin/sh
> # /etc/ppp/ip-up
> /sbin/ipfwadm -F -i accept -W $1 -S 192.168.36.0/24 -D $5 -o
> /sbin/ipfwadm -F -i accept -W $1 -S $5 -D 0.0.0.0/0 -o
> /sbin/ipfwadm -F -i accept -W $1 -S 0.0.0.0/0 -D $5 -o
As another poster noted, you're using -W to indicate the interface we
come from, but what you need to specify is the interface the packet will
route TO. In the first rule, this is correct, because a packet routed
to the "$5" address will want to go through the corresponding "$1"
interface. However, the second rule needs to specify no particular
interface, since we can't tell whether it should forward through eth0 or
eth1. The third rule is correct, but isn't it redundant with the first
rule? That is, the third covers all cases, including those represented
by the first, and since it's being (i)nserted, it will override the
first rule.
Say, shouldn't you be masquerading if you go through eth1, anyway? Do
you really mean to just "accept" the packet? Are the static IP
addresses routable back to your Linux box? If not, you need two rules,
one for eth0 (accept), and another for eth1 (masquerade).
> When the user disconnects, /etc/ppp/ip-down runs and removes the above
> rules properly.
Good!
> With the "-o" to enable logging set in EVERY rule, a dial-in user pinging
> 192.168.36.50 (the localnet interface on the dial-in host), NOTHING shows
> in the logs. Not line one!
Not at all? Shouldn't the final "reject everything" rule be logging
something?
--
[EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  || butter quite like unrequited love."
http://www.dallas.net/~fox/        ||                     -- Charlie Brown
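As an added example, not code from either poster, here is what /etc/ppp/ip-up and ip-down could look like once the corrections in the reply are applied: -W names the interface the packet will leave on, local-net traffic is accepted on eth0, world-bound traffic is masqueraded on eth1, and one rule for replies back to the dial-in address replaces the two overlapping ones. It assumes the eth0/eth1 roles shown in the diagram and that the dial-in static addresses are not routable back from the world; the ppp_forward_rules function and the IPFWADM override are my own additions.

```shell
#!/bin/sh
# /etc/ppp/ip-up, with /etc/ppp/ip-down a symlink to it (example, not the
# original poster's script).  pppd passes: $1 interface, $2 tty, $3 speed,
# $4 local IP, $5 remote IP.
# Assumptions: eth0 is the 192.168.36.0/24 side, eth1 faces the world, and
# the dial-in static IPs are not routable back from the world.

LOCALNET=192.168.36.0/24
IPFWADM=${IPFWADM:-/sbin/ipfwadm}   # overridable so the rules can be dry-run

# ppp_forward_rules OP IFACE REMOTE
#   OP is -i (insert, used by ip-up) or -d (delete, used by ip-down).
#   -W always names the interface the packet will be routed OUT of.
ppp_forward_rules() {
    op=$1; iface=$2; remote=$3
    # dial-in -> local net: leaves on eth0, no masquerading needed
    "$IPFWADM" -F "$op" accept -W eth0 -S "$remote" -D "$LOCALNET" -o
    # dial-in -> world: leaves on eth1; hide the non-routable address
    "$IPFWADM" -F "$op" masquerade -W eth1 -S "$remote" -D 0.0.0.0/0 -o
    # anything -> dial-in: leaves on the ppp interface.  This one rule also
    # covers local net -> dial-in, so the separate rule for that is dropped.
    "$IPFWADM" -F "$op" accept -W "$iface" -S 0.0.0.0/0 -D "$remote" -o
    # The three rules match on different -W interfaces, so the reversed
    # order produced by -i (last inserted ends up first) does not matter.
}

# Only act when called by pppd with its full argument list; pick insert or
# delete from the script name so one file serves both ip-up and ip-down.
if [ $# -ge 5 ]; then
    case $(basename "$0") in
        ip-down) ppp_forward_rules -d "$1" "$5" ;;
        *)       ppp_forward_rules -i "$1" "$5" ;;
    esac
fi
```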