-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 23 Oct 1998, Fuzzy Fox wrote:

| To: IP Masquerading List <[EMAIL PROTECTED]>
| From: Fuzzy Fox <[EMAIL PROTECTED]>
| Subject: Re:  [masq] Dial-in user doesn't see localnet at all
| Date: Fri, 23 Oct 1998 12:15:43 -0500
| X-Mailer: Mutt 0.93.1i
| 
| Derek T. Murphy <[EMAIL PROTECTED]> wrote:
| >
| >                 -----------------
| > -----------     |  Linux-2.0.34 |
| > | dial-up |<---->ppp0           |
| > |static IP|     |           eth0<====>192.168.36.0 local network
| > | address |     |  192.168.36.50|
| > -----------     |               |
| >                 |           eth1<====>204.4.21.240 router to the "world"
| >                 |   204.4.21.50 |
| >                 -----------------
| > 
| > ipfwadm -F -a accept -S 192.168.36.0/24 -D 192.168.36.0/24  -o
| > ipfwadm -F -a masquerade -S 192.168.36.0/24 -D 204.4.0.0/16 -o
| > ipfwadm -F -a reject             -S 0.0.0.0/0 -D 0.0.0.0/0  -o
| 
| This first rule doesn't make sense on the surface.  Why would anyone
| forward a packet that is to and from the same network?  I don't think

I put that first rule in expecting it would allow ppp0 to see the
localnet, and the localnet to see the machine on ppp0, since they BOTH
live on the 192.168.36.0 network. The dial-in machines are laptops that
are sometimes connected to the LAN via PCMCIA ethernet cards.  That's
where they get their static IP numbers from.

| you need that rule at all.  Your second rule masquerades from the local
| net to the global net, I assume that works?

Like a charm.  As it sits, ppp0 users get out through 204.4.21.240 just
FINE... they just cannot see 192.168.36.0 at all.  That's why I decided
that I needed rules at ip-up time.

| 
| > #!/bin/sh
| > # /etc/ppp/ip-up
| > /sbin/ipfwadm -F -i accept -W $1 -S 192.168.36.0/24 -D $5 -o
| > /sbin/ipfwadm -F -i accept -W $1 -S $5 -D 0.0.0.0/0       -o
| > /sbin/ipfwadm -F -i accept -W $1 -S 0.0.0.0/0 -D $5       -o
| 
| As another poster noted, you're using -W to indicate the interface we
| come from, but what you need to specify is the interface the packet will
| route TO.  In the first rule, this is correct, because a packet routed
| to the "$5" address will want to go through the corresponding "$1"
| interface.  However, the second rule needs to specify no particular
| interface, since we can't tell whether it should forward through eth0 or
| eth1.  The third rule is correct, but isn't it redundant with the first
| rule?  That is, the third covers all cases, including those represented
| by the first, and since it's being (i)nserted, it will override the
| first rule.

I think you and Chris Johnson are right. It _looks_ (now that you've
pointed it out, I can see it, he said with a sheepish grin) like I'm
sending incoming ppp0 traffic BACK to ppp0, but why don't the packets log
at all? If ppp0 pings 204.4.21.50, the packets show up; if it pings
192.168.36.50, NOTHING shows up.

| 
| Say, shouldn't you be masquerading if you go through eth1, anyway?  Do
| you really mean to just "accept" the packet?  Are the static IP

I figured the masquerading rule for the net would handle any ppp0 users,
and what I needed was a forwarding rule from ppp0;  it seemed to work. 

| addresses routable back to your Linux box?  If not, you need two rules,
| one for eth0 (accept), and another for eth1 (masquerade).
| 
| > When the user disconnects, /etc/ppp/ip-down runs and removes the above
| > rules properly.
| 
| Good!
| 
| > With the "-o" to enable logging set in EVERY rule, a dial-in user pinging
| > 192.168.36.50 (the localnet interface on the dial-in host), NOTHING shows
| > in the logs. Not line one!
| 
| Not at all?  Shouldn't the final "reject everything" rule be logging
| something?

That's what I _thought_ would happen. But it doesn't.


I'll try this out tonight or tomorrow (It's for a different firm than my
employer...) and report back.  Thank you for your time and effort!!!

/etc/rc.d/rc.ipfwadm will consist of

 ipfwadm -F -a masquerade -S 192.168.36.0/24 -D 204.4.0.0/16 -o
 ipfwadm -F -a reject             -S 0.0.0.0/0 -D 0.0.0.0/0  -o

and the ip-up will be

 /sbin/ipfwadm -F -i accept -W $1   -S 192.168.36.0/24 -D $5 -o
 /sbin/ipfwadm -F -i accept -W eth1 -S $5 -D 0.0.0.0/0       -o

Just as an aside, this will be their first ever non-Microsoft operating
system installed, so I _really_ want it to work well! 

Thanks again!
                                                        - Derek Murphy -
Systems Administrator, DocuLink International |
138-880 Wellington St.  Ottawa Ontario Canada |    PGP public key at
K1R 6K7  (613) 563-2266(fax)  563-3210(voice) | http://ludwig.doculink.com
"People should *THINK*; computers should WORK"|

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by mkpgp, a Pine/PGP interface on Linux-2.0.x.

iQC1AwUBNjDWMO0qVrnIA6PFAQHBwwT+IuUPQF26fm/yp9kR2NLwo9HoX2tB9PQM
/1riM6iKtR/3PMXfucHR/aMt/PASNHkeWOfRl2hGF2BiPCwGf5t1/6sj0btgbXWZ
L4nyT00w8NA1h9VZ6cJiTNKzFKFL63h57uqimVc3JklgOlE0IMBdzWg1BHIbIL0j
73RzmyHAewxsj9HpDtEImDB/GSRLIYKzYczkPRnav1Vwk4G3KHVRrA==
=s05v
-----END PGP SIGNATURE-----
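The thread turns on two things ipfwadm does that are easy to get backwards: in a forwarding (-F) rule, -W names the interface the packet will leave by, not the one it arrived on, and -i pushes a rule onto the head of the chain, so the last rule inserted is the first one consulted. A third point is worth keeping in mind when reading the "nothing is logged" report: 192.168.36.50 is the box's own eth0 address, and a packet addressed to the box itself is delivered locally and never walks the forwarding chain, so rules with -F cannot log it no matter what they say. The script below is an added example written for this page, not code from the thread or from ipfwadm itself: it models the forwarding chain as a list of "policy source destination out-interface" lines, derives the outgoing interface from the diagram's addressing (pppd's host route for the peer beats the eth0 /24 even though the peer's address sits inside it), and runs the three rule sets discussed (the first ip-up, the revised one at the end of the message, and the two-rule shape Fuzzy Fox suggests) against the same four packets. The peer address 192.168.36.77 stands in for pppd's $5, which the message does not give; the LAN host 192.168.36.10 and the outside address 204.4.21.1 are likewise constructed.

```shell
#!/bin/sh
# Model of the ipfwadm -F (forwarding) chain from the thread. Addresses and
# routing come from the diagram; the peer address is an assumed value for $5.
# Rule lines: "policy source/bits destination/bits out-interface", where the
# interface is what -W means for a forwarding rule: the one the packet leaves by.

PEER=192.168.36.77                       # assumed value of pppd's $5 for this model
LOCAL_ADDRS="192.168.36.50 204.4.21.50"  # the box's own eth0 and eth1 addresses
NL='
'
CHAIN=""

# ip2int A.B.C.D : dotted quad to a 32-bit integer
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/BITS : true when ADDR lies inside NET/BITS (BITS=0 matches all)
in_net() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( $bits == 0 ? 0 : (4294967295 << (32 - $bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# route_iface DST : the interface the kernel would send DST out of. pppd's host
# route for the peer is more specific than the eth0 /24, so it wins even though
# the peer's address is inside 192.168.36.0/24.
route_iface() {
  if [ "$1" = "$PEER" ]; then echo ppp0
  elif in_net "$1" 192.168.36.0/24; then echo eth0
  else echo eth1
  fi
}

fw_a() { CHAIN="${CHAIN:+$CHAIN$NL}$*"; }   # ipfwadm -F -a : append to the chain
fw_i() { CHAIN="$*${CHAIN:+$NL$CHAIN}"; }   # ipfwadm -F -i : insert at the head

# build_ruleset NAME : load the rc.ipfwadm base plus one of the ip-up variants
build_ruleset() {
  CHAIN=""
  fw_a "masquerade 192.168.36.0/24 204.4.0.0/16 any"   # rc.ipfwadm
  fw_a "reject 0.0.0.0/0 0.0.0.0/0 any"
  case $1 in
    original)   # the first ip-up: -W $1 (ppp0) on every rule
      fw_i "accept 192.168.36.0/24 $PEER/32 ppp0"
      fw_i "accept $PEER/32 0.0.0.0/0 ppp0"
      fw_i "accept 0.0.0.0/0 $PEER/32 ppp0" ;;
    revised)    # the ip-up proposed at the end of the message
      fw_i "accept 192.168.36.0/24 $PEER/32 ppp0"
      fw_i "accept $PEER/32 0.0.0.0/0 eth1" ;;
    suggested)  # Fuzzy Fox's shape: accept toward eth0, masquerade toward eth1
      fw_i "accept 192.168.36.0/24 $PEER/32 ppp0"
      fw_i "accept $PEER/32 192.168.36.0/24 eth0"
      fw_i "masquerade $PEER/32 0.0.0.0/0 eth1" ;;
  esac
}

# verdict SRC DST : "local" when DST is one of the box's own addresses (such a
# packet is handled on the input side and never walks the forwarding chain),
# otherwise the policy of the first matching forwarding rule and the interface.
verdict() {
  case " $LOCAL_ADDRS " in *" $2 "*) echo local; return 0 ;; esac
  out=$(route_iface "$2")
  while read -r pol rsrc rdst riface; do
    [ -n "$pol" ] || continue
    in_net "$1" "$rsrc" || continue
    in_net "$2" "$rdst" || continue
    [ "$riface" = any ] || [ "$riface" = "$out" ] || continue
    echo "$pol via $out"; return 0
  done <<EOF
$CHAIN
EOF
  echo "no-match via $out"
}

for set_name in original revised suggested; do
  build_ruleset "$set_name"
  printf '%-9s peer->box eth0: %s\n' "$set_name" "$(verdict $PEER 192.168.36.50)"
  printf '%-9s peer->LAN host: %s\n' "$set_name" "$(verdict $PEER 192.168.36.10)"
  printf '%-9s peer->world:    %s\n' "$set_name" "$(verdict $PEER 204.4.21.1)"
  printf '%-9s LAN->peer:      %s\n' "$set_name" "$(verdict 192.168.36.10 $PEER)"
done
```

Run as-is and read the four lines per rule set. Under the original ip-up, peer-to-world still gets out through the rc.ipfwadm masquerade rule (the peer's address is inside 192.168.36.0/24), which is why the dial-in users reach the outside fine, while peer-to-LAN falls through to the closing reject because every inserted rule insists on -W ppp0 and the packet leaves by eth0. The revised ip-up has the same peer-to-LAN gap, and its -W eth1 accept now sits ahead of the masquerade rule, so peer-to-world goes out unmasqueraded; the suggested shape is the one where peer-to-LAN is accepted toward eth0 and peer-to-world is masqueraded toward eth1. In all three sets a ping to 192.168.36.50 never reaches the chain at all.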
