Re: [masq] Problems after reinstall...
The "proper" way to do this is to edit /etc/sysconfig/network and change FORWARD_IPV4=false to FORWARD_IPV4=true

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: James Michael Keller <[EMAIL PROTECTED]>
To: David A. Ranch <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, July 29, 1998 4:40 PM
Subject: Re: [masq] Problems after reinstall...

>On Wed, 29 Jul 1998, David A. Ranch wrote:
>
>> >> >/proc/sys/net/ip_forwarding = 1
>>
>> Try "echo "1" > /proc/sys/net/ipv4/ip_forward"
>>
>> Notice the addition of the ipv4 stuff.
>
> Yep, noticed it was a typo :) But it appears as if the -W eth0
>on my end should have been -W ppp0 (or simply removed). Works fine
>again.
>
>> --David
>> | David A. Ranch - Remote Access/Linux/PC hardware [EMAIL PROTECTED] |
>> `- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'
>
>James Michael Keller | [EMAIL PROTECTED]
> http://www.radix.net/~jmkeller
>Contents (c)1998 James Michael Keller. All rights reserved

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
[masq] Domain logons from behind proxy
I think this has been addressed a few times, but without quite satisfactory results.

I have a private subnet behind a NAT proxy server (IPMASQ), and a public subnet on the other side with the NT PDC on the public. (Using both NetBEUI & TCP/IP). The PDC will change later, but currently I'm trying to find out how this all works before I do that.

I'm trying to make a client machine on the private side use only TCP/IP, no NetBEUI, and logon to the domain. I've tried various assortments of WINS on the proxy machine, on a single-card private Samba machine, various LMHOSTS configurations (one line that always seems to give a "too many columns" is the:

    192.68.1.3    mypdc    #PRE    #DOM:mydomain

line out of the examples - the error says "obsolete syntax"). Anyway, I'm up to about 120 different ways to do this (except for building a hole into the proxy, and making WINS run on the NT PDC itself) that don't work - I get a "can't log into domain, cached info used", though I can browse the net & do my shares as normal, I can't log in as an uncached user.

If anyone has a simple step-by-step guide for setting up domain logons from behind a proxy, I for one would appreciate it.

Thanks,
Bill
[EMAIL PROTECTED]
Re: [masq] [masq] I got a question about ipautofw
Depending on if you're logging in remotely, /usr/local/sbin and . (current directory) are probably not in your path - a security feature. Try typing the complete path:

    /usr/local/sbin/ipautofw

--
Bill Eldridge
Deputy Director Technical Operations
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: T. Kasikci <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, July 07, 1998 3:13 PM
Subject: [masq] I got a question about ipautofw

When I use the ipautofw command, I get the error "bash: ipautofw: command not found". Can someone try to explain what's going on here? I enabled ipautofw in my kernel and d/l the file from the masq apps page and installed it. The file is in my /usr/local/sbin directory. I included the line needed for ICQ, but I'm having problems with it. I tried going into /usr/local/sbin and typing out ipautofw just to see what would happen and I got that error. Any help would be much appreciated.

Thanks,
Tom
Re: [masq] [masq] Startup sequence
This is a problem I sometimes had with using ethernet modules. You might need a lilo.conf entry to make it recognize faster, or switch to using a non-module driver for it.

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: Justin Slootsky <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, June 26, 1998 12:27 PM
Subject: [masq] Startup sequence

>I have a file /etc/init.d/network that is called from /etc/init.d/boot, and
>it looks like this...
>
>#! /bin/sh
>ifconfig lo 127.0.0.1
>route add -net 127.0.0.0
>IPADDR=207.236.16.59
>NETMASK=255.255.255.0
>NETWORK=207.236.16.0
>BROADCAST=207.236.16.255
>GATEWAY=207.236.16.1
>ifconfig eth0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
>route add -net ${NETWORK}
>[ "${GATEWAY}" ] && route add default gw ${GATEWAY} metric 1
>ifconfig eth0:0 192.168.1.1 broadcast 192.168.1.255
>route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0:0
>#end file network
>
>my problem is, that at boot time, the ifconfig eth0:0 doesn't work, but after
>my machine is up, if I run the network script, eth0:0 gets setup fine.
>(what's the official technical name for eth0:0 ?)
>
>what needs to be run before eth0:0 gets configured? I know how to change
>the order of things, I just don't know what needs to get done.
>
>thanks
Re: [masq] IP Masq Problems
>If you have done 1-3 and you are using RedHat try running:
>    echo 1 > /proc/sys/net/ipv4/ip_forward
>then see if it works.

An alternative to this on RedHat is to edit /etc/sysconfig/network and change:

    FORWARD_IPV4=false

to

    FORWARD_IPV4=true
[masq] NT Domain logons
I'm running into problems trying to find a PDC on an NT box behind a proxy. All the packets are being masq'ed, but I'm getting bad password errors on the PDC, and my machine never successfully gets hold of a network logon. I have DNS resolution for Windows shares turned on, as well as trying with and without WINS (pointing to a server on the hidden side of the proxy). When I put the machine on the public net, it can log on fine.

Is NetBIOS over TCP/IP doing something either through service announcements or logons that won't pass through a proxy?

Any thoughts?

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: Steve Helder <[EMAIL PROTECTED]>
To: Dave Cox <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, June 11, 1998 9:44 PM
Subject: Re: [masq] [masq] [masq] IP - masquerade setup problems

>Wow, I learned a lot from this message and have my ip masquerading working
>great!
>
>The problem was what Dave had suggested and my IP masquerading was disabled.
>
>I enabled it at the command line and I was in business.
>
>Thanks everyone
>
>-----Original Message-----
>From: Dave Cox <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>Date: Thursday, June 11, 1998 6:41 PM
>Subject: Re: [masq] [masq] [masq] IP - masquerade setup problems
>
>You need to 'ipfwadm -F -p deny' first to set a default policy. then
>you can 'ipfwadm -F -a ...' to append forwarding rules to the default
>policy. Re-read the last sentence you quoted below.
>
>On 11 Jun 98 at 17:01, Bill Eldridge wrote:
>
>>From the man page:
>>
>> These rules regulate the acceptance of incoming IP
>> local network interfaces are checked against the
>> input firewall rules. The first rule that matches
>> with a packet determines the policy to use and will
>> also cause the rule's packet en byte counters being
>> adapted. When no matching rule is found, the
>> default policy for the input firewall is used.
>>
>>If you deny everything first, then any packet will match
>>that denial, and be rejected. (which is the same way
>>Ciscos do it). Unless I'm horribly confused.
>>--
>>Bill Eldridge
>>Radio Free Asia
>>[EMAIL PROTECTED]
>>
>>-----Original Message-----
>>From: Joachim Feise <[EMAIL PROTECTED]>
>>To: Bill Eldridge <[EMAIL PROTECTED]>
>>Cc: Steve Helder <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>>Date: Thursday, June 11, 1998 4:54 PM
>>Subject: Re: [masq] [masq] IP - masquerade setup problems
>>
>>>Bill Eldridge wrote:
>>>
>>>> Order matters, so if you deny everything first, then the rules never
>>>> meet the allow clauses later. As my first guess.--
>>>
>>>That is not quite right, actually, it is wrong.
>>>For security reasons, you always should deny everything first, and
>>>subsequently allow things like forwarding.
>>>Did you enable forwarding in the proc fs? Try adding this line to your rc
>>>script:
>>>echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>>Oh, and please don't send HTML-formatted messages. ASCII is preferred (I
>>>hope I didn't copy the tags over when I copied the text).
>>>
>>>-Joe
>>>
>>>> Bill Eldridge
>>>> Radio Free Asia
>>>> [EMAIL PROTECTED]
>>>>
>>>>-----Original Message-----
>>>>From: Steve Helder <[EMAIL PROTECTED]>
>>>>To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>>>>Date: Thursday, June 11, 1998 2:36 PM
>>>>Subject: [masq] IP - masquerade setup problems
>>>>
>>>>I am attempting to use IP-Masquerading on a newly
>>>>installed Redhat 5.1 Linux box. I am connected to my ISP using
>>>>PPP and can ping the nameservers from
>>>>Linux. I have followed the instructions in the Linux IP
>>>>Masquerade mini HOWTO by Ambrose Au for setting
>>>>up my Windows 95 machine. After I set it up I can ping the
>>>>ethernet card on the Linux box which is
>>>>10.0.100.5 but can't get any further. (pinging the nameservers) I
>>>>have setup the ipfwadm -F -p deny and
>>>>ipfwadm -F -a m -S 10.0.100.0/24 -D 0.0.0.0/0 on the Linux box. I
>>>>am assuming I am close but missing
>>>>something. Any assistance would be appreciated
>>>>
>>>>Steve Helder
Re: [masq] [masq] [masq] IP - masquerade setup problems
Again, I don't think you're appending to the default - the default comes last, the '-p' switch just saying "don't evaluate this immediately, evaluate it when all else fails". Rules are appended to a starting state of nothing.

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: Dave Cox <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, June 11, 1998 6:26 PM
Subject: Re: [masq] [masq] [masq] IP - masquerade setup problems

You need to 'ipfwadm -F -p deny' first to set a default policy. then
you can 'ipfwadm -F -a ...' to append forwarding rules to the default
policy. Re-read the last sentence you quoted below.

On 11 Jun 98 at 17:01, Bill Eldridge wrote:

>From the man page:
>
> These rules regulate the acceptance of incoming IP
> local network interfaces are checked against the
> input firewall rules. The first rule that matches
> with a packet determines the policy to use and will
> also cause the rule's packet en byte counters being
> adapted. When no matching rule is found, the
> default policy for the input firewall is used.
>
>If you deny everything first, then any packet will match
>that denial, and be rejected. (which is the same way
>Ciscos do it). Unless I'm horribly confused.
>--
>Bill Eldridge
>Radio Free Asia
>[EMAIL PROTECTED]
>
>-----Original Message-----
>From: Joachim Feise <[EMAIL PROTECTED]>
>To: Bill Eldridge <[EMAIL PROTECTED]>
>Cc: Steve Helder <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>Date: Thursday, June 11, 1998 4:54 PM
>Subject: Re: [masq] [masq] IP - masquerade setup problems
>
>>Bill Eldridge wrote:
>>
>>> Order matters, so if you deny everything first, then the rules never
>>> meet the allow clauses later. As my first guess.--
>>
>>That is not quite right, actually, it is wrong.
>>For security reasons, you always should deny everything first, and
>>subsequently allow things like forwarding.
>>Did you enable forwarding in the proc fs? Try adding this line to your rc
>>script:
>>echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>>Oh, and please don't send HTML-formatted messages. ASCII is preferred (I
>>hope I didn't copy the tags over when I copied the text).
>>
>>-Joe
>>
>>> Bill Eldridge
>>> Radio Free Asia
>>> [EMAIL PROTECTED]
>>>
>>>-----Original Message-----
>>>From: Steve Helder <[EMAIL PROTECTED]>
>>>To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>>>Date: Thursday, June 11, 1998 2:36 PM
>>>Subject: [masq] IP - masquerade setup problems
>>>
>>>I am attempting to use IP-Masquerading on a newly
>>>installed Redhat 5.1 Linux box. I am connected to my ISP using
>>>PPP and can ping the nameservers from
>>>Linux. I have followed the instructions in the Linux IP
>>>Masquerade mini HOWTO by Ambrose Au for setting
>>>up my Windows 95 machine. After I set it up I can ping the
>>>ethernet card on the Linux box which is
>>>10.0.100.5 but can't get any further. (pinging the nameservers) I
>>>have setup the ipfwadm -F -p deny and
>>>ipfwadm -F -a m -S 10.0.100.0/24 -D 0.0.0.0/0 on the Linux box. I
>>>am assuming I am close but missing
>>>something. Any assistance would be appreciated
>>>
>>>Steve Helder
>>
>>--
>>Joachim Feise Microsoft Certified Solution Developer
>>mailto:[EMAIL PROTECTED] http://www.ics.uci.edu/~jfeise/
>>mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Re: [masq] [masq] IP - masquerade setup problems
>That is correct, but the first line is
>ipfwadm -F -p deny
>which is the default policy. If you look at your quote, you see that the default
>policy is examined last.

Ahhh, but then that line could go anywhere, since it's setting the default. But setting an actual rule to deny everything would kill the effect of any lines following it.
Re: [masq] [masq] IP - masquerade setup problems
From the man page:

     These rules regulate the acceptance of incoming IP
     local network interfaces are checked against the
     input firewall rules. The first rule that matches
     with a packet determines the policy to use and will
     also cause the rule's packet en byte counters being
     adapted. When no matching rule is found, the
     default policy for the input firewall is used.

If you deny everything first, then any packet will match that denial, and be rejected. (which is the same way Ciscos do it). Unless I'm horribly confused.

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: Joachim Feise <[EMAIL PROTECTED]>
To: Bill Eldridge <[EMAIL PROTECTED]>
Cc: Steve Helder <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, June 11, 1998 4:54 PM
Subject: Re: [masq] [masq] IP - masquerade setup problems

>Bill Eldridge wrote:
>
>> Order matters, so if you deny everything first, then the rules never meet the allow clauses later. As my first guess.--
>
>That is not quite right, actually, it is wrong.
>For security reasons, you always should deny everything first, and subsequently
>allow things like forwarding.
>Did you enable forwarding in the proc fs? Try adding this line to your rc
>script:
>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>Oh, and please don't send HTML-formatted messages. ASCII is preferred (I hope I
>didn't copy the tags over when I copied the text).
>
>-Joe
>
>> Bill Eldridge
>> Radio Free Asia
>> [EMAIL PROTECTED]
>>
>>-----Original Message-----
>>From: Steve Helder <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>>Date: Thursday, June 11, 1998 2:36 PM
>>Subject: [masq] IP - masquerade setup problems
>>
>>I am attempting to use IP-Masquerading on a newly
>>installed Redhat 5.1 Linux box. I am connected to my ISP using PPP and can ping the nameservers from
>>Linux. I have followed the instructions in the Linux IP Masquerade mini HOWTO by Ambrose Au for setting
>>up my Windows 95 machine. After I set it up I can ping the ethernet card on the Linux box which is
>>10.0.100.5 but can't get any further. (pinging the nameservers) I have setup the ipfwadm -F -p deny and
>>ipfwadm -F -a m -S 10.0.100.0/24 -D 0.0.0.0/0 on the Linux box. I am assuming I am close but missing
>>something. Any assistance would be appreciated
>>
>>Steve Helder
>
>--
>Joachim Feise Microsoft Certified Solution Developer
>mailto:[EMAIL PROTECTED] http://www.ics.uci.edu/~jfeise/
>mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Re: [masq] [masq] IP - masquerade setup problems
Order matters, so if you deny everything first, then the rules never meet the allow clauses later. As my first guess.

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: Steve Helder <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, June 11, 1998 2:36 PM
Subject: [masq] IP - masquerade setup problems

I am attempting to use IP-Masquerading on a newly installed Redhat 5.1 Linux box. I am connected to my ISP using PPP and can ping the nameservers from Linux. I have followed the instructions in the Linux IP Masquerade mini HOWTO by Ambrose Au for setting up my Windows 95 machine. After I set it up I can ping the ethernet card on the Linux box which is 10.0.100.5 but can't get any further. (pinging the nameservers) I have setup the

    ipfwadm -F -p deny

and

    ipfwadm -F -a m -S 10.0.100.0/24 -D 0.0.0.0/0

on the Linux box. I am assuming I am close but missing something. Any assistance would be appreciated

Steve Helder
Re: [masq] [masq] IPFWADM -question 2
/sbin/ipfwadm -F -a accept -S 10.10.10.0/24 -D 128.0.0.0/8
/sbin/ipfwadm -F -a accept -S 128.0.0.0/8 -D 10.10.10.0/24
/sbin/ipfwadm -F -a masquerade -S 128.0.0.0/8 -D 0.0.0.0/0

To erase the previous policies, do:

/sbin/ipfwadm -F -f

>Excuse me but there is some trouble, ipfwadm -F -a [need policy] -S 10.10.10.0/24
>
>you haven't indicated any policy after the append...
Re: [masq] [masq] IPFWADM -question 2
/sbin/ipfwadm -F -a -S 10.10.10.0/24 -D 128.0.0.0/8
/sbin/ipfwadm -F -a -S 128.0.0.0/8 -D 10.10.10.0/24
/sbin/ipfwadm -F -a -m -S 128.0.0.0/8 -D 0.0.0.0/0

>Well, excuse me but I think there was a misunderstanding, maybe from my bad
>explanation.
>The thing that I want to do is not a complicated routing, but only having a
>pc of the net 10.10.10.0
>reaching the net 128.0.0.0 that is internal. I do not want the
>masquerade to work for the addresses going from 128.0.0.0 until
>128.255.255.255. This because I have my internal network so set up.
>I know about the use of ip classes, but I found this solution and I have
>to conform myself.
>The difficulty is to obtain the non-masquerade of that address, because to
>deny or reject is simple, but I don't want to reject the packets but I want
>these packets to reach directly, with their headers, the net 128.0.0.0.
>
>I hope this is clearer than before.
>
> thanks
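An added illustration (not code from this thread or from ipfwadm): a small Python model of how the ipfwadm -F forwarding chain is evaluated, covering both points argued in these threads, namely that a "-p deny" default is consulted only after every rule has failed to match whereas an explicit deny-everything rule appended first swallows every packet, and that the pass-through accept rules for 128/8 <-> 10.10.10/24 must be appended before the masquerade catch-all. The rule sets and sample packets are constructed.

```python
"""Model of ipfwadm -F (forwarding chain) evaluation, as described by the
man page quoted in the thread: rules are checked in the order they were
appended (-a), the first rule that matches decides, and the default policy
set with 'ipfwadm -F -p ...' applies only when no rule matches.

Added illustration, not code from the masq list or from the ipfwadm tool;
the rule sets and packets below are constructed."""
from ipaddress import ip_address, ip_network


def rule(policy, src, dst):
    """One '-a <policy> -S <src> -D <dst>' rule as a dict."""
    return {"policy": policy, "src": ip_network(src), "dst": ip_network(dst)}


def matches(r, src, dst):
    """A rule matches when the packet's source lies in its -S network and
    its destination in its -D network."""
    return ip_address(src) in r["src"] and ip_address(dst) in r["dst"]


def forward_decision(rules, default_policy, src, dst):
    """Return the action applied to a packet src -> dst: the policy of the
    first matching rule, else the chain's default policy."""
    for r in rules:
        if matches(r, src, dst):
            return r["policy"]
    return default_policy


# Bill's three rules from this thread with the policies filled in as in the
# correction: 128/8 <-> 10.10.10/24 passes untouched, everything else
# leaving 128/8 is masqueraded.
PASSTHROUGH_THEN_MASQ = [
    rule("accept", "10.10.10.0/24", "128.0.0.0/8"),
    rule("accept", "128.0.0.0/8", "10.10.10.0/24"),
    rule("masquerade", "128.0.0.0/8", "0.0.0.0/0"),
]

# Same three rules with the masquerade catch-all appended first. First match
# wins, so the pass-through exemption is never reached for 128/8 sources.
MASQ_FIRST = PASSTHROUGH_THEN_MASQ[2:] + PASSTHROUGH_THEN_MASQ[:2]

# An explicit deny-everything *rule* appended first (not a -p default
# policy): every packet matches it, so nothing after it is ever consulted.
DENY_RULE_FIRST = [rule("deny", "0.0.0.0/0", "0.0.0.0/0")] + PASSTHROUGH_THEN_MASQ

# Constructed sample packets (source, destination).
SAMPLES = [
    ("128.1.1.5", "10.10.10.7"),    # 128/8 host to the 10.10.10/24 net
    ("128.1.1.5", "198.51.100.7"),  # 128/8 host to the outside world
    ("10.10.10.7", "128.1.1.5"),    # 10.10.10/24 host back to 128/8
    ("192.0.2.9", "198.51.100.7"),  # neither net: falls through to the default
]


def decisions(rules, default_policy="deny"):
    """Evaluate every sample packet against a chain. The 'deny' default
    mirrors 'ipfwadm -F -p deny' issued before the rules are appended."""
    return [forward_decision(rules, default_policy, s, d) for s, d in SAMPLES]


if __name__ == "__main__":
    for name, chain in [("pass-through, then masquerade", PASSTHROUGH_THEN_MASQ),
                        ("masquerade first", MASQ_FIRST),
                        ("deny rule first", DENY_RULE_FIRST)]:
        print(f"{name}:")
        for (s, d), action in zip(SAMPLES, decisions(chain)):
            print(f"  {s:>12} -> {d:<14} {action}")
```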
Re: [masq] [masq] IPFWADM -question 2
Welp, there are basically 2 scenarios:

1) If I use the Masq, as long as it has a route to the originating machine, it sends it there.
2) if it has a default route, it'll go there instead.

BGP either has the route information to the inside net, or it doesn't. If so, the route works, whether 0 hops or 100. Any other algorithm is the same. If the gateway has a false (non-workable) route to that network address, then you're screwed - it'll spit bad packets to a different router.

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: Andrej Todosic <[EMAIL PROTECTED]>
To: Bill Eldridge <[EMAIL PROTECTED]>
Cc: Michele Nicosia <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, June 10, 1998 10:29 PM
Subject: Re: [masq] [masq] IPFWADM -question 2

>i dont want to sound rude but i do know what masquerading is :)
>
>what i meant is you cannot ping from the internet a box behind a
>masqserver
>
>think for a sec :
>
>ping 192.168.0.1
>
>no router has a default gateway for this ( on the internet ) it will go as
>far as the first BGP router . then it will stop right there
>cause bgp has no gateways it actually contains all the routing tables in
>memory .
>
>now if you had on your box specified :
>add route 192.168.0.0 gw ip.address.of.masq.server
>
>then it would be working if all the routers between you and the box would
>allow source routing .
>
>router will say :
>
>why do you want me to take you to your gateway when i know which gateway
>is best for you anyway ? piss off .
>
>Andrej Todosic
>Operations Analyst
>[EMAIL PROTECTED]
>
>On Wed, 10 Jun 1998, Bill Eldridge wrote:
>
>> >IF I UNDERSTAND YOU RIGHT YOU WANT TO MASQUERADE THE INTERNET ON YOUR LAN
>> >
>> >FOR THAT you have to allow masquerading
>> >BUT
>> >you also have to use your linux box as a gateway for your network address
>> >( destination)
>> >
>> >this is called source routing and any sane admin especially big isp 's are
>> >for security reasons configured to drop source routed frames
>> >
>> >so for this to work you most likely have to be 0 hops away from the linux
>> >box
>> >
>> >thats all if you have private ips on you local lan .
>> >
>> > otherwise if they are public then you dont need masq you can use
>> >firewalling features just fine
>>
>> No, this isn't source routing. Masquerade simply lets a Linux box
>> handle all the conversations with the internet in a very legal, secure
>> manner, just as a company might have a few public numbers and
>> lots of private extensions. All traffic going to the internet carries
>> the Masq Linux box's ID, and it's up to that Linux box to pass the
>> return traffic on to the correct internal destination, by keeping track
>> of port assignments.
>>
>> You can run various routing protocols internally, including gated,
>> rip, or just static routes, and you don't have to be within 0 hops
>> of the Linux box. The Linux box just has to know how to get to
>> you.
>>
>> You should be able to set up rules on the masq box to pass
>> certain IP ranges on both sides through without doing masquerading.
>> However, the external machines will then need to know the route
>> to the internal machine addresses, something that's not needed
>> if traffic is Masq'ed.
>>
>> >> Hi all,
>> >> i'm looking for some solutions to this problem with IPFWADM.
>> >> i have two nic on a linux machine that act as router and firewall.
>> >> eth0 is internal on the network 128.1.1.1 for example, eth1 is
>> >> external 10.1.1.1.
>> >> Well when i try to reach from a pc on to the external network an ip
>> >> on the internal , and in this case i do not need the masquerade, it act as
>> >> for the internet masquerading the ip of any pc on the eth1.
>> >> Is it possible to masquerade all the internet 0.0.0.0/0 less than
>> >> 128.1.1.1, i do not want to reject or deny to this address, it is only
>> >> need to have a connection direct, without masquerade. The table routing is
>> >> correct for that ip the router is not the ppp0 interface but a real gw
>> >> on the internet.
>> >> Now i'm trying with the reject but like i say it is not for me purpose.
Re: [masq] [masq] IPFWADM -question 2
>IF I UNDERSTAND YOU RIGHT YOU WANT TO MASQUERADE THE INTERNET ON YOUR LAN
>
>FOR THAT you have to allow masquerading
>BUT
>you also have to use your linux box as a gateway for your network address
>( destination)
>
>this is called source routing and any sane admin especially big isp 's are
>for security reasons configured to drop source routed frames
>so for this to work you most likely have to be 0 hops away from the linux
>box
>
>thats all if you have private ips on you local lan .
>
> otherwise if they are public then you dont need masq you can use
>firewalling features just fine

No, this isn't source routing. Masquerade simply lets a Linux box handle all the conversations with the internet in a very legal, secure manner, just as a company might have a few public numbers and lots of private extensions. All traffic going to the internet carries the Masq Linux box's ID, and it's up to that Linux box to pass the return traffic on to the correct internal destination, by keeping track of port assignments.

You can run various routing protocols internally, including gated, rip, or just static routes, and you don't have to be within 0 hops of the Linux box. The Linux box just has to know how to get to you.

You should be able to set up rules on the masq box to pass certain IP ranges on both sides through without doing masquerading. However, the external machines will then need to know the route to the internal machine addresses, something that's not needed if traffic is Masq'ed.

>> Hi all,
>> i'm looking for some solutions to this problem with IPFWADM.
>> i have two nic on a linux machine that act as router and firewall.
>> eth0 is internal on the network 128.1.1.1 for example, eth1 is
>> external 10.1.1.1.
>> Well when i try to reach from a pc on to the external network an ip
>> on the internal , and in this case i do not need the masquerade, it act as
>> for the internet masquerading the ip of any pc on the eth1.
>> Is it possible to masquerade all the internet 0.0.0.0/0 less than
>> 128.1.1.1, i do not want to reject or deny to this address, it is only
>> need to have a connection direct, without masquerade. The table routing is
>> correct for that ip the router is not the ppp0 interface but a real gw
>> on the internet.
>> Now i'm trying with the reject but like i say it is not for me purpose.
Re: [masq] [masq] FTP broken
if [ -f /sbin/depmod ]; then
    /sbin/depmod -a
fi
if [ -f /sbin/modprobe ]; then
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio
fi

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, May 26, 1998 6:03 PM
Subject: [masq] FTP broken

>Hello,
>
>I am not sure what happened or when. I set up IP Masquerade on a Linux
>Box (Slackware 2.0.30) and had telnet, FTP and HTTP working from a number
>of machines behind the linux machine. For some reason, outgoing FTP does
>not work anymore. To make matters worse, I am so new to linux, that I
>don't know where to start looking. I have set up a minimum system and did
>not intentionally filter any packets when I set things up.
>
>After setting up eth0 & eth1, I set up for masquerade with:
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> ipfwadm -F -a m -S 192.168.200.0/24 -D 0.0.0.0/0
>
>Here is a typical attempt to use FTP from my internal system to a system
>elsewhere on the internet. If I use a dialup connection from the same
>machine I have no problems.
>--
>Name (brentwoodlake): brentwoodlake
>331 Password required for brentwoodlake
>Password: .
>230 User brentwoodlake logged in. Access restrictions apply.
>ftp> ls
>500 Illegal PORT Command
>ftp> ls
>500 Illegal PORT Command
>ftp> cd ..
>250 CWD command successful.
>ftp> ls
>500 Illegal PORT Command
>ftp>
>
>The login works, but after that I can't *do* anything. Other systems
>complain about the PORT argument being wrong.
>
>Thanks in advance,
>Mark Stamos
>
>--
>[EMAIL PROTECTED]
>
>PGP PUBLIC KEY:
> finger [EMAIL PROTECTED]
Re: [masq] DHCP
My config for DHCP, 172.30.0.1 being a separate Masq Linux machine, but I don't think that's a problem (this machine running Masq as well, and handling routing through it). Now there is a small problem on 2.0.32 where you need a:

    echo "1" > /proc/sys/net/ipv4/ip_forward

line to make IPMasq work at all; once you do that, everything's fine. (I put the line in /etc/rc.d/rc3.d/rc.local)

Bill

-
server-identifier stream.yourcompany.org;

shared-network TEST-NET-31-5 {
    subnet 172.30.0.0 netmask 255.255.252.0 {
        option routers 172.30.0.1;
        option subnet-mask 255.255.252.0;
        option domain-name "yourcompany.org";
        option domain-name-servers dns.yourcompany.org;
        max-lease-time 18000;
        default-lease-time 18000;
        range 172.30.3.10 172.30.3.250;
    }
}

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: Donald K. Wilson <[EMAIL PROTECTED]>
To: Kenyon Ralph <[EMAIL PROTECTED]>
Cc: masq-help <[EMAIL PROTECTED]>; David A. Ranch <[EMAIL PROTECTED]>
Date: Monday, April 20, 1998 2:26 PM
Subject: Re: [masq] DHCP

>OK, let me try this again and put in some useful
>information.
>The setup we have here is ~30 desktop computers and a few NT
>servers for file and print sharing, with a linux box as a
>gateway to our ISP. We used to use DHCP, but I couldn't get
>it to work with IP-masq, so I assigned IP numbers to all
>machines. I don't really have a problem with this, as there
>are some advantages to knowing exactly who is where. What I
>would like to do is to have people from the field bring in
>their laptops and plug them in to our network without me
>having to assign them IP numbers and keep track of all of
>them. I have been told this should work, but it doesn't.
>If anyone has any hints, clues, or pointers to documentation
>I would be grateful. BTW, everything else works wonderfully.
>
>dkw
>
>--
> Donald K. Wilson
> Edge Diagnostic Systems
> (408) 774-2253
> [EMAIL PROTECTED]
[masq] Problem with particular app
Okay, I have an app that tries to connect to port 2000 through a proxy. When outside the proxy, it works fine. The machine can connect to port 2000 otherwise, telnet & ftp & ping all work from within the proxy, and I took out SYN and RST cookies just in case there was some confusion there. Still no go.

I also enabled verbose logging, but don't quite know where the logs are going.

Running RedHat 5.0, Linux 2.0.32, ipfwadm-2.3.0-5

Thanks,
Bill

--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]