Re: WAN connection through a Linux machine
Oops - and now with reply-all...

Hi.
You should run both these commands (I will not disclose how you make it apply after-reboot for now)
1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Don't forget to set correct DNS on your host B

Ez

On Tue, Apr 20, 2010 at 8:29 AM, Dan Shimshoni <danshi...@gmail.com> wrote:
> Hello,
> First, I don't know much about iptables.
> Second, I have a Linux machine (A) with two nics, which is connected to the Internet via Bezeq ADSL router. This machine runs a pppoe connection to the internet, so the connection is done via ppp0. On eth1 I have an inner IP address which I set manually (192.168.0.10).
> I have a second Linux machine (B), nearby. This machine is connected directly to machine A via ethernet cable. On eth0 I have an inner IP address which I set manually (192.168.0.11).
> So I can ping from 192.168.0.11 to 192.168.0.10.
> Sometimes I want to connect from machine B to the Internet via machine A. I suppose this is possible by setting some iptables rule on machine A, and setting it to work in forwarding mode.
> Could this be done by setting one iptables rule on machine A? What is the proper rule to achieve it?
> DS

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: WAN connection through a Linux machine
Etzion Bar-Noy wrote:
> Oops - and now with reply-all...
>
> Hi.
> You should run both these commands (I will not disclose how you make it apply after-reboot for now)
> 1. echo 1 > /proc/sys/net/ipv4/ip_forward
> 2. iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> Don't forget to set correct DNS on your host B
>
> Ez

Also, RTFM MSS Squashing

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
Re: WAN connection through a Linux machine
Hi,
Well, this did not work at the first trial.
Then, I added 192.168.0.10 as a default gateway on 192.168.0.10:
route add default gw 192.168.0.10
And it worked.
Thanks!
DS

On Tue, Apr 20, 2010 at 9:35 AM, Etzion Bar-Noy <eza...@tournament.org.il> wrote:
> Oops - and now with reply-all...
>
> Hi.
> You should run both these commands (I will not disclose how you make it apply after-reboot for now)
> 1. echo 1 > /proc/sys/net/ipv4/ip_forward
> 2. iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> Don't forget to set correct DNS on your host B
>
> Ez
>
> On Tue, Apr 20, 2010 at 8:29 AM, Dan Shimshoni <danshi...@gmail.com> wrote:
>> Hello,
>> First, I don't know much about iptables.
>> Second, I have a Linux machine (A) with two nics, which is connected to the Internet via Bezeq ADSL router. This machine runs a pppoe connection to the internet, so the connection is done via ppp0. On eth1 I have an inner IP address which I set manually (192.168.0.10).
>> I have a second Linux machine (B), nearby. This machine is connected directly to machine A via ethernet cable. On eth0 I have an inner IP address which I set manually (192.168.0.11).
>> So I can ping from 192.168.0.11 to 192.168.0.10.
>> Sometimes I want to connect from machine B to the Internet via machine A. I suppose this is possible by setting some iptables rule on machine A, and setting it to work in forwarding mode.
>> Could this be done by setting one iptables rule on machine A? What is the proper rule to achieve it?
>> DS
Re: WAN connection through a Linux machine
Shachar,
I googled for MSS Squashing. Got 0 results!
What is this MSS Squashing? And how is it related to this issue?
rgs,
DS

On Tue, Apr 20, 2010 at 10:44 AM, Shachar Shemesh <shac...@shemesh.biz> wrote:
> Etzion Bar-Noy wrote:
>> Oops - and now with reply-all...
>>
>> Hi.
>> You should run both these commands (I will not disclose how you make it apply after-reboot for now)
>> 1. echo 1 > /proc/sys/net/ipv4/ip_forward
>> 2. iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>> Don't forget to set correct DNS on your host B
>>
>> Ez
>
> Also, RTFM MSS Squashing
>
> Shachar
>
> --
> Shachar Shemesh
> Lingnu Open Source Consulting Ltd.
> http://www.lingnu.com
Re: WAN connection through a Linux machine
Dan Shimshoni wrote:
> Shachar,
> I googled for MSS Squashing. Got 0 results!
> What is this MSS Squashing? And how is it related to this issue?
> rgs,
> DS

The term used in the iptables man page is clamp-mss-to-pmtu.

The ethernet maximal transfer unit (MTU) is 1500 bytes (more or less, but in practice, this is the default). Since pppoe has some overhead, the effective MTU on ppp0 is lower (about 1470 bytes).

Packets sent out by your machine B broadcast the desired packet length on the return path through a TCP option called MSS (maximal segment size). Theoretically, TCP will figure out on its own that the path MTU (PMTU) is lower than the end MTU as advertised by the MSS. This has two disadvantages:
1. It has worse performance than advertising the correct number in the MSS to begin with.
2. Some firewalls block the ICMP message used to report this case (code 3 type 4 - fragmentation needed but don't fragment set). As a result, you get black hole syndrome.

The solution is to have iptables alter the MSS field of the TCP option to the value it knows is correct.

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
Re: WAN connection through a Linux machine
Ok, now this is more clear.
But is this problem specific to this scenario? I mean, when I use a single machine to connect directly to the internet via Bezeq ADSL, without running any iptables rules at all, using PPPoE, I should have the same problem, don't I?
Is there a solution in this case? (Remember, I cannot use this iptables clamp-mss-to-pmtu option as in this scenario in fact I do not use iptables at all.)

Second, ifconfig ppp0 shows that the mtu is 1492.

DS

On Tue, Apr 20, 2010 at 1:56 PM, Shachar Shemesh <shac...@shemesh.biz> wrote:
> Dan Shimshoni wrote:
>> Shachar,
>> I googled for MSS Squashing. Got 0 results!
>> What is this MSS Squashing? And how is it related to this issue?
>> rgs,
>> DS
>
> The term used in the iptables man page is clamp-mss-to-pmtu.
>
> The ethernet maximal transfer unit (MTU) is 1500 bytes (more or less, but in practice, this is the default). Since pppoe has some overhead, the effective MTU on ppp0 is lower (about 1470 bytes).
>
> Packets sent out by your machine B broadcast the desired packet length on the return path through a TCP option called MSS (maximal segment size). Theoretically, TCP will figure out on its own that the path MTU (PMTU) is lower than the end MTU as advertised by the MSS. This has two disadvantages:
> 1. It has worse performance than advertising the correct number in the MSS to begin with.
> 2. Some firewalls block the ICMP message used to report this case (code 3 type 4 - fragmentation needed but don't fragment set). As a result, you get black hole syndrome.
>
> The solution is to have iptables alter the MSS field of the TCP option to the value it knows is correct.
>
> Shachar
>
> --
> Shachar Shemesh
> Lingnu Open Source Consulting Ltd.
> http://www.lingnu.com
Re: WAN connection through a Linux machine
Dan Shimshoni wrote:
> Ok, now this is more clear.
> But is this problem specific to this scenario? I mean, when I use a single machine to connect directly to the internet via Bezeq ADSL, without running any iptables rules at all, using PPPoE, I should have the same problem, don't I?

No. The packets go out through the ppp0 interface, which already has a lower MTU (1492 by your report). As such, they already carry the right MSS.

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
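Putting the whole thread together (forwarding and MASQUERADE from Etzion's reply, the default gateway on host B from Dan's follow-up, and the MSS clamp Shachar describes), the script below is an added example and not code posted by anyone in the thread. It assumes the interface names and addresses the thread gives (ppp0 as the WAN side, eth1 on 192.168.0.10 as the LAN side, 192.168.0.0/24 as the inner network); the DRY_RUN switch, the /etc/sysctl.d/90-gateway.conf path used for the after-reboot persistence the thread left out, and the FORWARD rules that only relay traffic originating from the LAN side are this example's own choices. It goes beyond the thread in one respect: instead of forwarding everything, it only accepts LAN-to-WAN traffic and the matching return traffic, so a gateway on ppp0 does not also relay unsolicited inbound connections to host B.

```shell
#!/bin/sh
# Added example: configure host A as a NAT gateway for host B.
# Assumed from the thread: WAN interface ppp0, LAN interface eth1,
# inner network 192.168.0.0/24.  DRY_RUN and the sysctl.d path are
# this example's assumptions, not anything the thread specifies.
#
#   DRY_RUN=1 sh gateway.sh apply   # print what would be run
#   sudo sh gateway.sh apply        # really apply it

WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_GW="${LAN_GW:-192.168.0.10}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The TCP MSS that fits a given MTU: MTU minus the minimal IPv4 (20 bytes)
# and TCP (20 bytes) headers.  --clamp-mss-to-pmtu derives this from the
# outgoing interface's MTU; --set-mss would let you state it explicitly.
# For the 1492-byte ppp0 MTU reported in the thread this gives 1452.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Emit the iptables rules for the gateway, one per line, without running them.
gateway_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -s $net -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t mangle -A FORWARD -o $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# Commands for host B (the client), as used in the thread: route everything
# through A, and point DNS somewhere reachable through A.
host_b_commands() {
    cat <<EOF
route add default gw $LAN_GW
# then set a working nameserver in /etc/resolv.conf on host B
EOF
}

apply_gateway() {
    # 1. Enable forwarding now ...
    run sysctl -w net.ipv4.ip_forward=1
    # ... and after reboot (the part Etzion left as an exercise).
    if [ "$DRY_RUN" = 1 ]; then
        echo "write 'net.ipv4.ip_forward = 1' to /etc/sysctl.d/90-gateway.conf"
    else
        printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-gateway.conf
    fi
    # 2. NAT, forwarding policy and MSS clamping, one rule per line.
    gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | while IFS= read -r line; do
        # shellcheck disable=SC2086  # intentional word splitting into argv
        run $line
    done
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    apply_gateway
    echo "On host B, run:"
    host_b_commands
fi
```

The mangle-table rule matches only SYN packets (`--tcp-flags SYN,RST SYN`), which is where the MSS option is carried, so the clamp costs nothing on the rest of the flow; the FORWARD chain ends in DROP so that anything not explicitly allowed, including connections arriving on ppp0 aimed at the inner network, is discarded rather than relayed.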
WAN connection through a Linux machine
Hello,
First, I don't know much about iptables.
Second, I have a Linux machine (A) with two nics, which is connected to the Internet via Bezeq ADSL router. This machine runs a pppoe connection to the internet, so the connection is done via ppp0. On eth1 I have an inner IP address which I set manually (192.168.0.10).
I have a second Linux machine (B), nearby. This machine is connected directly to machine A via ethernet cable. On eth0 I have an inner IP address which I set manually (192.168.0.11).
So I can ping from 192.168.0.11 to 192.168.0.10.
Sometimes I want to connect from machine B to the Internet via machine A. I suppose this is possible by setting some iptables rule on machine A, and setting it to work in forwarding mode.
Could this be done by setting one iptables rule on machine A? What is the proper rule to achieve it?
DS