Re: help with IP Masquerading, 2.4 kernel
Turn on forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

--
Dwayne C. Litzenberger - [EMAIL PROTECTED]
Re: help with IP Masquerading, 2.4 kernel
Oh yeah, instead, you can edit /etc/network/options and change:

    ip_forward=no

to

    ip_forward=yes

Then, either run /etc/init.d/networking restart, or reboot the system.

--
Dwayne C. Litzenberger - [EMAIL PROTECTED]
Re: help with IP Masquerading, 2.4 kernel
Dwayne C. Litzenberger [EMAIL PROTECTED] writes:

> Turn on forwarding:
>     echo 1 > /proc/sys/net/ipv4/ip_forward

That's already done. As I said, I can connect to remote systems through the firewall machine, and data flows back and forth. It's just that it freezes up within a couple of minutes, usually.

Dan
help with IP Masquerading, 2.4 kernel
My main machine, scratchy, is connected to the net using PPPOE (PPP over ethernet) over DSL. I have another machine, cheddar, connected to a second ethernet card on scratchy with an ethernet crossover cable.

I am trying to use netfilter (iptables) to masquerade cheddar behind scratchy, and it is almost working: pings and DNS lookups work fine, with no packets dropped and no errors. telnet and ssh work as well, until I try to transfer a lot of data at once (e.g. a screenful, such as appears when you bring up a man page), at which point the connection freezes. wget freezes immediately. But netstat -i doesn't show any errors or dropped packets, and there is nothing in the log files of any of the three machines involved.

Connections between cheddar and scratchy and between scratchy and the outside world work perfectly.

Any suggestions where to look further? Here are some settings:

    cheddar# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:01:03:85:AC:D8
              inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:22 errors:0 dropped:0 overruns:0 frame:0
              TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              Interrupt:11 Base address:0xd400

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16144  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0

    cheddar# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

    scratchy# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:80:C8:B9:FD:24
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:180469 errors:1 dropped:0 overruns:0 frame:16190
              TX packets:173454 errors:87 dropped:0 overruns:0 carrier:153
              collisions:1241 txqueuelen:100
              RX bytes:113137907 (107.8 Mb)  TX bytes:19757452 (18.8 Mb)
              Interrupt:3 Base address:0x300

    eth1      Link encap:Ethernet  HWaddr 00:E0:98:03:CF:B0
              inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:28329 errors:0 dropped:0 overruns:0 frame:0
              TX packets:29667 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:1911832 (1.8 Mb)  TX bytes:42401143 (40.4 Mb)
              Interrupt:9 Base address:0x320

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16144  Metric:1
              RX packets:26861 errors:0 dropped:0 overruns:0 frame:0
              TX packets:26861 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:13163203 (12.5 Mb)  TX bytes:13163203 (12.5 Mb)

    ppp0      Link encap:Point-to-Point Protocol
              inet addr:129.100.240.47  P-t-P:129.100.2.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
              RX packets:84071 errors:0 dropped:0 overruns:0 frame:0
              TX packets:71905 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:93703135 (89.3 Mb)  TX bytes:6373070 (6.0 Mb)

    scratchy# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    129.100.2.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    0.0.0.0         129.100.2.1     0.0.0.0         UG    0      0        0 ppp0

    scratchy# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  192.168.0.0/24       anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

Thanks for any help anyone can provide!

Dan
Newbie needs help with IP-Masquerading
HELP!! I can't get IPMASQ working. I've recompiled my kernel to add MASQ support and I'm pretty sure that I got it right. I've read through the HOW-TO but I had problems following along (I think it was written with BSD in mind... not Sys5). Anyways... any ideas or suggestions would be helpful. I can't even tell you exactly what the problem is. All I know is that my windows machine can't hit the internet when going through the debian box. (It's not a DNS thing because I can't ping the DNS server from windows either.)

-Jason
Re: Newbie needs help with IP-Masquerading
What does it say when you do:

    ipchains -L

Ron Rademaker

On Wed, 9 Aug 2000, Jason Schepman wrote:

> HELP!! I can't get IPMASQ working. I've recompiled my kernel to add MASQ
> support and I'm pretty sure that I got it right. I've read through the
> HOW-TO but I had problems following along (I think it was written with
> BSD in mind... not Sys5). Anyways... any ideas or suggestions would be
> helpful. I can't even tell you exactly what the problem is. All I know
> is that my windows machine can't hit the internet when going through the
> debian box. (It's not a DNS thing because I can't ping the DNS server
> from windows either.)
>
> -Jason
Re: Newbie needs help with IP-Masquerading
A list of steps you've already performed would be useful in order to pinpoint where things are going wrong.

Cheers,
Jason.

--On Wednesday, August 9, 2000 6:22 -0500 Jason Schepman [EMAIL PROTECTED] wrote:

> HELP!! I can't get IPMASQ working. I've recompiled my kernel to add MASQ
> support and I'm pretty sure that I got it right. I've read through the
> HOW-TO but I had problems following along (I think it was written with
> BSD in mind... not Sys5). Anyways... any ideas or suggestions would be
> helpful. I can't even tell you exactly what the problem is. All I know
> is that my windows machine can't hit the internet when going through the
> debian box. (It's not a DNS thing because I can't ping the DNS server
> from windows either.)
>
> -Jason
Re: Help with IP masquerading
Thanks for the assistance! Following your advice, I moved toward 1.3 and was happy to look on at the upgrade without rebooting. It was great!

On Mon, 26 May 1997, A. M. Varon wrote:

> On Mon, 26 May 1997, Hamish Moffatt wrote:
>
> > > Long answer: You have to say yes to the experimental drivers in order
> > > for the option ip masq to appear. kernel 2.0.27 partially supports ip
> > > masq, so you have to patch the kernel with some files to fully use it.
> > > If possible, get the kernel 2.0.30, the ip masq patches have been
> > > incorporated in the kernel as modules.
> >
> > Huh? Haven't all of 2.0.x supported this? I've been running it for
> > months and months; 2.0.24, 27 and 29 definitely all have it built in
> > and I'd guess earlier than that too. It was only a patch in the 1.2.x
> > and early 1.3.x days.
>
> The usual support for ip masq like the www, ftp, telnet, pop, smtp etc.
> is there. But if you want: FTP keep alive support, CUSeeMe module, ICMP
> masquerading, VDOLive module, RealAudio module, Quake Module, ipautofw
> support, etc. you still have to patch the 2.0.29 or lower kernel.
>
> regards,
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Andre M. Varon
> Lasaltech, Incorported
> Technical Head
> Fax-Tel: (034)433-3520
> e-mail : [EMAIL PROTECTED]
> web page: http://www.lasaltech.com/andre.html
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Eugene Sevinian
Cosmic Ray Division
Yerevan Phisics Institute
Alikhanian's Brothers str.2
375036 Yerevan 36 Armenia
URL: http://www.yerphi.am/crd/prs/sevinian.html
Phone: 374-2-352041 (YerPhI), 374-2-344873 (aprt.)
Fax: 374-2-350030
Re: Help with IP masquerading
I also was advised to use ip-masq. to solve some routing problems, but when I tried to compile kernel (2.0.27) enabling ip-masq. I found that this option could not be activated from 'make xconfig' menus. Why? How should I activate this option?

Thanks,

Eugene Sevinian
Cosmic Ray Division
Yerevan Phisics Institute
Alikhanian's Brothers str.2
375036 Yerevan 36 Armenia
URL: http://www.yerphi.am/crd/prs/sevinian.html
Phone: 374-2-352041 (YerPhI), 374-2-344873 (aprt.)
Fax: 374-2-350030
Re: Help with IP masquerading
On Mon, 26 May 1997, Eugene Sevinian wrote:

> I also was advised to use ip-masq. to solve some routing problems, but
> when I tried to compile kernel (2.0.27) enabling ip-masq. I found that
> this option could not be activated from 'make xconfig' menus. Why? How
> should I activate this option?

Short Answer: Read the IP masq howto.

Long answer: You have to say yes to the experimental drivers in order for the option ip masq to appear. kernel 2.0.27 partially supports ip masq, so you have to patch the kernel with some files to fully use it. If possible, get the kernel 2.0.30, the ip masq patches have been incorporated in the kernel as modules.

regards,

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Andre M. Varon
Lasaltech, Incorported
Technical Head
Fax-Tel: (034)433-3520
e-mail : [EMAIL PROTECTED]
web page: http://www.lasaltech.com/andre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Re: Help with IP masquerading
On Mon, May 26, 1997 at 01:33:03PM +0400, Eugene Sevinian wrote:

> I also was advised to use ip-masq. to solve some routing problems, but
> when I tried to compile kernel (2.0.27) enabling ip-masq. I found that
> this option could not be activated from 'make xconfig' menus. Why? How
> should I activate this option?

You need to enable firewalling; masquerading should become available then.

Hamish
--
Hamish Moffatt, StudIEAust [EMAIL PROTECTED]
Student, computer science computer systems engineering. 3rd year, RMIT.
http://yallara.cs.rmit.edu.au/~moffatt (PGP key here)
CPOM: [ ] 46%
The opposite of a profound truth may well be another profound truth. --Bohr
Re: Help with IP masquerading
On Tue, May 27, 1997 at 11:23:36AM +0800, A. M. Varon wrote:

> Long answer: You have to say yes to the experimental drivers in order
> for the option ip masq to appear. kernel 2.0.27 partially supports ip
> masq, so you have to patch the kernel with some files to fully use it.
> If possible, get the kernel 2.0.30, the ip masq patches have been
> incorporated in the kernel as modules.

Huh? Haven't all of 2.0.x supported this? I've been running it for months and months; 2.0.24, 27 and 29 definitely all have it built in and I'd guess earlier than that too. It was only a patch in the 1.2.x and early 1.3.x days.

Hamish
--
Hamish Moffatt, StudIEAust [EMAIL PROTECTED]
Student, computer science computer systems engineering. 3rd year, RMIT.
http://yallara.cs.rmit.edu.au/~moffatt (PGP key here)
CPOM: [ ] 46%
The opposite of a profound truth may well be another profound truth. --Bohr
Re: Help with IP masquerading
> I also was advised to use ip-masq. to solve some routing problems, but
> when I tried to compile kernel (2.0.27) enabling ip-masq. I found that
> this option could not be activated from 'make xconfig' menus. Why? How
> should I activate this option?

You should first have enabled prompting for experimental parts of the kernel (and IP firewalling).

Alex Y.

> Thanks,
>
> Eugene Sevinian
> Cosmic Ray Division
> Yerevan Phisics Institute
> Alikhanian's Brothers str.2
> 375036 Yerevan 36 Armenia
> URL: http://www.yerphi.am/crd/prs/sevinian.html
> Phone: 374-2-352041 (YerPhI), 374-2-344873 (aprt.)
> Fax: 374-2-350030
Re: Help with IP masquerading
On Mon, 26 May 1997, Hamish Moffatt wrote:

> > Long answer: You have to say yes to the experimental drivers in order
> > for the option ip masq to appear. kernel 2.0.27 partially supports ip
> > masq, so you have to patch the kernel with some files to fully use it.
> > If possible, get the kernel 2.0.30, the ip masq patches have been
> > incorporated in the kernel as modules.
>
> Huh? Haven't all of 2.0.x supported this? I've been running it for
> months and months; 2.0.24, 27 and 29 definitely all have it built in
> and I'd guess earlier than that too. It was only a patch in the 1.2.x
> and early 1.3.x days.

The usual support for ip masq like the www, ftp, telnet, pop, smtp etc. is there. But if you want: FTP keep alive support, CUSeeMe module, ICMP masquerading, VDOLive module, RealAudio module, Quake Module, ipautofw support, etc. you still have to patch the 2.0.29 or lower kernel.

regards,

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Andre M. Varon
Lasaltech, Incorported
Technical Head
Fax-Tel: (034)433-3520
e-mail : [EMAIL PROTECTED]
web page: http://www.lasaltech.com/andre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Re: Help with IP masquerading
On Wed, 21 May 1997, Francois Gouget wrote:

> > Yep, I have the same situation, and name resolution works fine. The
> > only things I've found that don't work are ftp (dir listings only,
> > file gets by wget and netscape work fine (which I don't understand))
> > and ping.
>
> This must be related to masquerading (i.e. not diald). For ftp to work
> you must load a specific module: ip_masq_ftp. I think this module also
> does the icmp masquerading (for ping). This is because ftp sends a port
> number and has the server call you back at that port. There are other
> specific modules for some other protocols. The modules that I have are:
> ip_masq_raudio, ip_masq_vdolive, ip_masq_cuseeme, ip_masq_irc.

Yes, that is correct.

These extra masquerading modules were only included in the standard linux kernel since version 2.0.30 (or was it 2.0.29?). Before then, you had to download the masquerading patches (go to http://www.linuxhq.com for all your official and unofficial kernel patches - if you want to know about the kernel, this is one of the best sites around), patch the kernel and recompile.

What this means is that unless debian's kernel package maintainer (Herbert Xu) applied the bumper masquerading patches before compiling, then people with kernel 2.0.27 will need to recompile their kernel to get masquerading support for irc, ftp, real audio, ping, etc... alternatively, they can download kernel-image-2.0.30 from frozen or unstable.

Personally, I think it is much better to install kernel-source and make-kpkg and compile your own custom kernel that suits your system. The debian pre-compiled kernels are useful, but should really only be used to install a system.

IP Masquerading is a cool hack, but it isn't perfect (yet!).

craig
--
craig sanders
networking consultant
Available for casual or contract temporary autonomous zone system administration tasks.
Re: Help with IP masquerading
On Wed, 21 May 1997, Francois Gouget wrote:

> > Most Linux documentation advises against running bind, saying that it's
> > [...]
> > get it working... it only takes a few minutes at most.
>
> I would rather say that it took me a several hours but perhaps I'm
> worse than average.

for a site that doesn't need to be primary or secondary for any domains, bind installation and configuration should only take a few minutes. The only thing you need to know is the IP address of a forwarder (optional but recommended) and whether you want debian's bindconfig to run a primary for the 127.in-addr.arpa domain (reverse lookup for localhost) - the answer to that question is yes...i can't think of any reason for saying no.

If you need to run a primary or secondary name server (not advised on a dial-up connection - nameservers are meant to be on the net permanently) then configuration will take longer than that, of course.

> > BTW, if you're using diald you'll probably want to configure it so that
> > it doesn't bring up the link every time you want to resolve a name. But
> > you'll want to do that whether you're running bind or not.
>
> In fact if you're using diald having a local bind server is perhaps
> more trouble than it's worth. Here is why:
>
> - Either diald does not bring the connection up for DNS requests. Then
>   applications will seem to hang if the result for their DNS query is
>   not in the cache. They will stay blocked in some gethostbyname call
>   until the DNS server times out which takes quite a long time. With
>   some X applications you can completely freeze the X server (with
>   netscape click on a menu. It does its name lookup right here and it
>   seems to block X).

OK, you might be able to speed that up. try editing your /etc/ppp/ip-{up,down} scripts so that:

- when the link goes down, use ipfwadm to 'reject' (not 'deny') outbound packets for udp port 53 (allow for your internal network, but reject for 0.0.0.0/0). bind should get a 'no route to host' reply whenever it attempts to do a lookup. With any luck, it will return the error result immediately rather than trying again.

- when the link goes up, use ipfwadm to remove the udp 53 block.

I haven't tested any of this. I don't know if it works, but it's worth a try. (i'd test it myself but i don't use either IP Masquerading or diald on any of my machines)

> - The second problem does not depend on whether DNS bring the PPP link
>   up. If your IP address is dynamically assigned by your ISP and you
>   type ftp ftp.debian.org and the name lookup is returned by the local
>   DNS cache then the first packet on the network is the first packet
>   for the TCP connection. But I noticed that in that case diald seems
>   to send the packet with the wrong source IP address, i.e. that of the
>   fake serial device instead of the one of the fresh new PPP
>   connection. Consequence the connection will never make it, you have
>   to abort ftp and restart it. This effectively prevents me from using
>   diald with the DES client.

that sounds like a problem with either diald or IP masquerading...or possibly a routing problem. it seems unrelated to bind.

have you tried putting a wrapper script around your des ftp client? send a couple of pings first, and then run ftp?

craig
--
craig sanders
networking consultant
Available for casual or contract temporary autonomous zone system administration tasks.
Re: Help with IP masquerading
On Wed, 21 May 1997, Lars Hallberg wrote:

> Craig, sorry, got to ask you one thing...
>
> Hmm, I use diald. It does for some reason lose the first package on a
> new fresh connection. My ugly workaround is to have no local name
> resolving and the nameserver listed multiple times in /etc/resolv.conf.
> This way the first name resolving attempt fails, but brings up the
> link, the name resolving is then retried (thanks to multiple entries in
> resolv.conf) and everything comes up as expected.
>
> This ugly workaround is expensive as I can't have any local name
> resolving. Much irritating as my ISP's DNS is frequently down...

I don't use diald, but here's an idea that may help. It's untested, and i have no way of testing it. It's worth trying, though...it might help, and it certainly can't hurt to try it.

Instead of listing the remote nameserver several times in /etc/resolv.conf, try listing the local (127.0.0.1) nameserver several times. It may also help to list your ISP's nameserver as a forwarder a few times in /var/named/boot.options (but probably not).

This should (I hope) achieve the same result, with the added advantage of a local DNS cache.

BTW, Don't run bind in slave (forward-only) mode if your ISP's nameserver is flaky...actually if your ISP can't even get a nameserver to run properly, you should consider finding one who can.

DNS is a 'mission-critical' network service. It is something that is worth putting in a lot of effort to fix if it's broken - if your name server is unreliable, then EVERYTHING else on the network which depends on it (i.e. almost every network related program) is going to be unreliable.

craig
--
craig sanders
networking consultant
Available for casual or contract temporary autonomous zone system administration tasks.
Re: Help with IP masquerading
On Tue, 20 May 1997, Benjamin T. White wrote:

> **I can not do domain name resolution with my new setup**
>
> The ip masquerading seems to work with most network traffic. Packets
> sent by IP number are forwarded appropriately. I can telnet and use my
> web browser on my macs if I use IP numbers. DNS resolution works great
> on the linux box, and I have triple checked the nameserver addresses on
> the macs. When I do a name lookup on the mac I can see the modem SD
> light periodically lighting up, so I assume that DNS queries are being
> sent, but no replies. I can do a name lookup on the linux system
> without difficulty. The nameservers on both machines are configured
> identically.
>
> The kicker: booting with my old slackware setup fixes this problem,
> without changing anything on the macs.

DNS is one of the limitations of masquerading. It doesn't work.

The solution is to install bind on your linux machine (make it use your ISP as a forwarder). It's actually pretty easy with debian - the install script asks a few simple questions and configures it for you. For just a forwarding name server you won't need to ever do any more configuration of bind.

Most Linux documentation advises against running bind, saying that it's way too difficult to configure. Nothing could be further from the truth. It was true that a few years ago (when much of the Linux net docco was first being written) that bind was quite unstable, but it's never been terribly difficult to get running. Nowadays, it's very stable and, with the debian package, is probably one of the easiest things to get working... it only takes a few minutes at most.

IMO, the benefits of having a local caching name server far outweigh the difficulty of installing it.

once that's done, configure the Macs to use the Linux machine.

BTW, if you're using diald you'll probably want to configure it so that it doesn't bring up the link every time you want to resolve a name. But you'll want to do that whether you're running bind or not.

craig
--
craig sanders
networking consultant
Available for casual or contract temporary autonomous zone system administration tasks.
Re: Help with IP masquerading
On Wed, 21 May 1997, Craig Sanders wrote:

> On Tue, 20 May 1997, Benjamin T. White wrote:
>
> > **I can not do domain name resolution with my new setup**
> >
> > The ip

... other stuff deleted ...

> > The kicker: booting with my old slackware setup fixes this problem,
> > without changing anything on the macs.
>
> DNS is one of the limitations of masquerading. It doesn't work.
>
> The solution is to install bind on your linux machine (make it use your
> ISP as a forwarder). It's actually pretty easy with debian - the install
> script asks a few simple questions and configures it for you. For just
> a forwarding name server you won't need to ever do any more
> configuration of bind.
>
> Most Linux documentation advises against running bind, saying that it's
> way too difficult to configure. Nothing could be further from the
> truth. It was true that a few years ago (when much of the Linux net
> docco was first being written) that bind was quite unstable, but it's
> never been terribly difficult to get running. Nowadays, it's very
> stable and, with the debian package, is probably one of the easiest
> things to get working... it only takes a few minutes at most.
>
> IMO, the benefits of having a local caching name server far outweigh
> the difficulty of installing it.
>
> once that's done, configure the Macs to use the Linux machine.
>
> BTW, if you're using diald you'll probably want to configure it so that
> it doesn't bring up the link every time you want to resolve a name. But
> you'll want to do that whether you're running bind or not.
>
> craig

Craig,

Thanks, easily installed and configured and now things seem to work like a charm. I still have a question or two if you don't mind. Why didn't I have this problem with 1.2.13/slackware? Why does ip masq mangle dns resolution?

Thanks a million!

Ben
[EMAIL PROTECTED]
Re: Help with IP masquerading
On Wed, 21 May 1997, Craig Sanders wrote:

> On Tue, 20 May 1997, Benjamin T. White wrote:
>
> > **I can not do domain name resolution with my new setup**
> >
> > The ip
> [...]
> DNS is one of the limitations of masquerading. It doesn't work.

I have the same setup as Benjamin T except that I have two Linux machines. I could not prove it right now because I have installed a DNS server on the Linux doing the masquerading but if I remember well my 486 was able to do DNS resolution before I installed the new DNS. So that was through the IP masquerading. I have the kernel 2.0.27 and I load some optional IP masquerading modules (mainly ftp).

> Most Linux documentation advises against running bind, saying that it's
> [...]
> get it working... it only takes a few minutes at most.

I would rather say that it took me a several hours but perhaps I'm worse than average.

> BTW, if you're using diald you'll probably want to configure it so that
> it doesn't bring up the link every time you want to resolve a name. But
> you'll want to do that whether you're running bind or not.

In fact if you're using diald having a local bind server is perhaps more trouble than it's worth. Here is why:

- Either diald does not bring the connection up for DNS requests. Then applications will seem to hang if the result for their DNS query is not in the cache. They will stay blocked in some gethostbyname call until the DNS server times out which takes quite a long time. With some X applications you can completely freeze the X server (with netscape click on a menu. It does its name lookup right here and it seems to block X).

- The second problem does not depend on whether DNS bring the PPP link up. If your IP address is dynamically assigned by your ISP and you type ftp ftp.debian.org and the name lookup is returned by the local DNS cache then the first packet on the network is the first packet for the TCP connection. But I noticed that in that case diald seems to send the packet with the wrong source IP address, i.e. that of the fake serial device instead of the one of the fresh new PPP connection. Consequence the connection will never make it, you have to abort ftp and restart it. This effectively prevents me from using diald with the DES client.

--
Francois Gouget
[EMAIL PROTECTED] http://www.mygale.org/05/fgouget/
Wonder what to do with all your spare CPU cycles !
Participate to the DES cracking challenge with the SolNet team
http://www.des.sollentuna.se/
Re: Help with IP masquerading
In message [EMAIL PROTECTED], Craig Sanders writes:

> [...]
> IMO, the benefits of having a local caching name server far outweigh
> the difficulty of installing it.
> [...]
> BTW, if you're using diald you'll probably want to configure it so that
> it doesn't bring up the link every time you want to resolve a name. But
> you'll want to do that whether you're running bind or not.

Craig, sorry, got to ask you one thing...

Hmm, I use diald. It does for some reason lose the first package on a new fresh connection. My ugly workaround is to have no local name resolving and the nameserver listed multiple times in /etc/resolv.conf. This way the first name resolving attempt fails, but brings up the link, the name resolving is then retried (thanks to multiple entries in resolv.conf) and everything comes up as expected.

This ugly workaround is expensive as I can't have any local name resolving. Much irritating as my ISP's DNS is frequently down...

As I understand it this is a problem a lot of people on this list have and I wonder: Do you know a way to 'cleanly' configure diald/pppd? Or do you know a less expensive/ugly workaround?

Pointers to FM are welcome. Hope I have not missed something obvious...

TIA
/Lars

> craig
> --
> craig sanders
> networking consultant
> Available for casual or contract temporary autonomous zone system
> administration tasks.
Re: Help with IP masquerading
Lars Hallberg writes:

> As I understand it this is a problem a lot of people on this list have
> and I wonder: Do you know a way to 'cleanly' configure diald/pppd? Or
> do you know a less expensive/ugly workaround?

Have you tried request-route?

John Hasler                This posting is in the public domain.
[EMAIL PROTECTED]          Do with it what you will.
Dancing Horse Hill         Make money from it if you can; I don't mind.
Elmwood, Wisconsin         Do not send email advertisements to this address.
Re: Help with IP masquerading
Francois Gouget [EMAIL PROTECTED] writes:

> I have the same setup as Benjamin T except that I have two Linux
> machines. I could not prove it right now because I have installed a DNS
> server on the Linux doing the masquerading but if I remember well my
> 486 was able to do DNS resolution before I installed the new DNS. So
> that was through the IP masquerading.

Yep, I have the same situation, and name resolution works fine. The only things I've found that don't work are ftp (dir listings only, file gets by wget and netscape work fine (which I don't understand)) and ping.

--
Rob
Re: Help with IP masquerading
On 21 May 1997, Rob Browning wrote:

> Francois Gouget [EMAIL PROTECTED] writes:
>
> > I have the same setup as Benjamin T except that I have two Linux
> > machines. I could not prove it right now because I have installed a
> > DNS server on the Linux doing the masquerading but if I remember well
> > my 486 was able to do DNS resolution before I installed the new DNS.
> > So that was through the IP masquerading.
>
> Yep, I have the same situation, and name resolution works fine. The
> only things I've found that don't work are ftp (dir listings only, file
> gets by wget and netscape work fine (which I don't understand)) and
> ping.

This must be related to masquerading (i.e. not diald). For ftp to work you must load a specific module: ip_masq_ftp. I think this module also does the icmp masquerading (for ping). This is because ftp sends a port number and has the server call you back at that port. There are other specific modules for some other protocols. The modules that I have are: ip_masq_raudio, ip_masq_vdolive, ip_masq_cuseeme, ip_masq_irc.

--
Francois Gouget
[EMAIL PROTECTED] http://www.mygale.org/05/fgouget/
Wonder what to do with all your spare CPU cycles !
Participate to the DES cracking challenge with the SolNet team
http://www.des.sollentuna.se/
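
The call-back behaviour described in the message above, as an added example that is not part of the thread and not code from the ip_masq_ftp module: the client's PORT command carries its private address inside the control stream, so a masquerading gateway has to rewrite that line and remember where the server's data connection should be delivered. The public address 203.0.113.10, the 61000 starting port and all function and class names are assumptions.

```python
"""Active-mode FTP through a masquerading gateway (added illustration).

Assumptions, not from the thread: public address 203.0.113.10, helper ports
starting at 61000, and every function/class name below.
"""
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3})\s*$", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) carried by an FTP PORT command, or None for other lines."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range: %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Build the PORT command announcing ip:port as the data endpoint."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class FtpMasqHelper:
    """Minimal model of the state a masquerading FTP helper has to keep."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.expected = {}  # public port -> (internal ip, internal port)

    def outbound_control(self, src_ip, line):
        """Rewrite a client-to-server control line as it leaves the gateway."""
        parsed = parse_port(line)
        if parsed is None:
            return line  # USER, LIST, RETR ... carry no address
        ip, port = parsed
        if ip != src_ip:
            # Only open a return path to the host that actually asked for it.
            raise ValueError("PORT names %s but came from %s" % (ip, src_ip))
        public_port = self.next_port
        self.next_port += 1
        self.expected[public_port] = (ip, port)
        return format_port(self.public_ip, public_port)

    def inbound_data(self, dst_port):
        """Map the server's call-back to the internal host, once; else None."""
        return self.expected.pop(dst_port, None)


def demo():
    client_ip = "192.168.1.2"                 # a masqueraded host from the thread
    port_cmd = format_port(client_ip, 1025)   # constructed client command
    helper = FtpMasqHelper("203.0.113.10")
    without_helper = parse_port(port_cmd)     # server is told a private address
    rewritten = helper.outbound_control(client_ip, port_cmd)
    with_helper = parse_port(rewritten)       # server is told the gateway
    delivered_to = helper.inbound_data(with_helper[1])
    return without_helper, with_helper, delivered_to


if __name__ == "__main__":
    labels = ("server sees without helper", "server sees with helper",
              "call-back forwarded to")
    for label, (ip, port) in zip(labels, demo()):
        print("%-28s %s:%d" % (label, ip, port))
```
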
Help with IP masquerading
Hello all,

I have an interesting problem. I have a small LAN based on ethernet with a Linux box with a ppp connection to the internet acting as a gateway for two Macintosh computers:

          -----------
          |  Linux  |             |---Powermac with OpenTransport
          |         |             |   192.168.1.2
     ppp  |         | eth0        |
     -----|         | 192.168.1.1 |
          |         |-------------|
          |         |             |
          |         |             |---68K mac with MacTCP
          -----------                 192.168.1.3

The linux box runs pppd/diald. This setup has worked flawlessly for a year with a Slackware installation (kernel 1.2.13). I am now upgrading to Debian 1.2 (kernel 2.0.27) and have run into frustrating problems. After some hair pulling I have pppd/diald working on the new system. I have compiled in kernel support for ip masquerade and set up the forwarding with

    ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0

Now the problem:

**I can not do domain name resolution with my new setup**

The ip masquerading seems to work with most network traffic. Packets sent by IP number are forwarded appropriately. I can telnet and use my web browser on my macs if I use IP numbers. DNS resolution works great on the linux box, and I have triple checked the nameserver addresses on the macs. When I do a name lookup on the mac I can see the modem SD light periodically lighting up, so I assume that DNS queries are being sent, but no replies. I can do a name lookup on the linux system without difficulty. The nameservers on both machines are configured identically.

The kicker: booting with my old slackware setup fixes this problem, without changing anything on the macs.

I have searched the FAQs without avail, any pointers to info or ideas to try would be much appreciated.

Thanks in advance,

Ben
[EMAIL PROTECTED]