RH5 and ICMP Masquerade not working

RH5 and ICMP Masquerade not working

Post by Andy Hal » Thu, 08 Jan 1998 04:00:00



Hello.

I have just installed Redhat 5 on a machine (fresh install) that had
previously been running RH4.2 with a 2.0.30 kernel.

On the previous setup I had an IP masquerade configuration of several
TCP and UDP protocols that also included ICMP masquerading to permit
ping, traceroute etc. from an internal network to the outside world via
ISDN.   All services on that setup including ICMP worked correctly.

After having done the upgrade, all TCP and UDP services work properly
but not ICMP.

IPFWADM complains as follows:

ipfwadm -F -a masq -P icmp -S 0.0.0.0/0 -D 0.0.0.0/0

/ipfwadm: masquerading not allowed with protocol ICMP
Try `/tmp/ipfwadm -h' for more information.

I have checked the kernel setups and all relevant parameters appear to
be correct:

CONFIG_IP_FORWARD=y
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_IPAUTOFW=y
CONFIG_IP_MASQUERADE_ICMP=y
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_ACCT=y
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
CONFIG_IP_NOSR=y

IP forwarding is turned on on the control panel setting.

I have also tried the new 2.0.33 kernel and see no difference with that.

Has anybody else seen this or perhaps have some suggestions as to what
the problem might be?

thanks.

andy

 
 
 

RH5 and ICMP Masquerade not working

Post by Tom Hutto » Thu, 08 Jan 1998 04:00:00



> Hello.

> I have just installed Redhat 5 on a machine (fresh install) that had
> previously been running RH4.2 with a 2.0.30 kernel.

> On the previous setup I had an IP masquerade configuration of several
> TCP and UDP protocols that also included ICMP masquerading to permit
> ping, traceroute etc. from an internal network to the outside world via
> ISDN.   All services on that setup including ICMP worked correctly.

> After having done the upgrade, all TCP and UDP services work properly
> but not ICMP.

> IPFWADM complains as follows:

> ipfwadm -F -a masq -P icmp -S 0.0.0.0/0 -D 0.0.0.0/0

> /ipfwadm: masquerading not allowed with protocol ICMP
> Try `/tmp/ipfwadm -h' for more information.

> I have checked the kernel setups and all relevant parameters appear to
> be correct:

> CONFIG_IP_FORWARD=y
> # CONFIG_IP_MULTICAST is not set
> CONFIG_IP_FIREWALL=y
> CONFIG_IP_FIREWALL_VERBOSE=y
> CONFIG_IP_MASQUERADE=y
> CONFIG_IP_MASQUERADE_IPAUTOFW=y
> CONFIG_IP_MASQUERADE_ICMP=y
> # CONFIG_IP_TRANSPARENT_PROXY is not set
> CONFIG_IP_ALWAYS_DEFRAG=y
> CONFIG_IP_ACCT=y
> # CONFIG_IP_ROUTER is not set
> # CONFIG_NET_IPIP is not set
> CONFIG_IP_NOSR=y

> IP forwarding is turned on on the control panel setting.

> I have also tried the new 2.0.33 kernel and see no difference with that.

> Has anybody else seen this or perhaps have some suggestions as to what
> the problem might be?

Sounds like you have an old IPFWADM program ...

--

Remove the <<!!!!>> and !! from the address to reply ..

For the auto-spammers, here's a few addresses from the FCC...




And for good measure......

---------------------------------------------------------------------
|  By sending me unsolicited commercial email you agree to pay my   |
| standard consulting fee of $250/hr for examining your message (a  |
| minimum charge of one (1) hour).  The bill for my service will be |
| sent to you along with my analysis of your message.               |
---------------------------------------------------------------------

 
 
 

RH5 and ICMP Masquerade not working

Post by Andy Hal » Thu, 08 Jan 1998 04:00:00


Tom

I wondered about this, but not from the version point of view. I have tried
IPFWADM from several sources (all 2.3.0).  These were the original site in
Holland, and the source and binary RPMs from Redhat which has patches
presumably to work with the glibc setup.  Result was the same.

I am wondering if there is an easy way to tell whether this is actually a
kernel problem or ipfwadm (perhaps by looking at the /proc area)?

andy




>Sounds like you have an old IPFWADM program ...


 
 
 

RH5 and ICMP Masquerade not working

Post by Tom Hutto » Fri, 09 Jan 1998 04:00:00



> Tom

> I wondered about this, but not from the version point of view. I have tried
> IPFWADM from several sources (all 2.3.0).  These were the original site in
> Holland, and the source and binary RPMs from Redhat which has patches
> presumably to work with the glibc setup.  Result was the same.

> I am wondering if there is an easy way to tell whether this is actually a
> kernel problem or ipfwadm (perhaps by looking at the /proc area)?

> andy




Have you searched your system for an old copy of IPFWADM to make sure
that you are executing the version that you think?  Type IPFWADM --help
and see if it has options about ICMP.  The error message from the kernel
that I have gotten is something to the effect that the target port
is not available, not the message that you describe.
--

Remove the <<!!!!>> and !! from the address to reply ..

For the auto-spammers, here's a few addresses from the FCC...




And for good measure......

---------------------------------------------------------------------
|  By sending me unsolicited commercial email you agree to pay my   |
| standard consulting fee of $250/hr for examining your message (a  |
| minimum charge of one (1) hour).  The bill for my service will be |
| sent to you along with my analysis of your message.               |
---------------------------------------------------------------------
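
Added example (not part of the thread, and not code from any poster): a POSIX shell sketch of the check suggested above, listing every executable copy of a command in lookup order so a stale or stray build stands out. The function names `list_copies`, `first_hit` and `distinct_builds` are made up for this illustration, and the final line runs it on `sh` only as a harmless demonstration.

```shell
#!/bin/sh
# Added example: find every executable copy of a command and show which one
# the shell resolves first. Nothing here is specific to ipfwadm.

# list_copies NAME [EXTRA_DIR...]
# Prints "<crc>:<size> <path>" for each executable NAME, PATH entries first
# (in lookup order), then any extra directories such as /tmp or a build tree.
list_copies() (
    name=$1; shift
    set -f          # do not glob-expand PATH entries while splitting
    IFS=:           # an empty PATH element means the current directory
    set -- $PATH "$@"
    for dir in "$@"; do
        [ -n "$dir" ] || dir=.
        f=$dir/$name
        if [ -f "$f" ] && [ -x "$f" ]; then
            printf '%s %s\n' "$(cksum < "$f" | tr -s ' \t' ':')" "$f"
        fi
    done
)

# first_hit NAME: the copy that a bare NAME on the command line resolves to.
first_hit() { list_copies "$1" | head -n 1 | cut -d' ' -f2-; }

# distinct_builds NAME [EXTRA_DIR...]: number of different binaries found.
# A result above 1 means copies with different contents are present.
distinct_builds() {
    list_copies "$@" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Demonstration on a command that exists everywhere.
list_copies sh
```

If the first hit is not the copy that actually runs, the shell may have cached an earlier location; `hash -r` clears that cache.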

 
 
 

RH5 and ICMP Masquerade not working

Post by Andy Hal » Fri, 09 Jan 1998 04:00:00


Tom

I checked the version of ipfwadm (source and binary) and it does have ICMP
as an option as well as the supporting code.

andy




>Have you searched your system for an old copy of IPFWADM to make sure
>that you are executing the version that you think?  Type IPFWADM --help
>and see if it has options about ICMP.  The error message from the kernel
>that I have gotten is that something to the effect that the target port
>is not available, not the message that you describe.

 
 
 

RH5 and ICMP Masquerade not working

Post by Andy Hal » Sat, 10 Jan 1998 04:00:00


I just succeeded in fixing this.

The problem seems to lie with IPFWADM 2.3.0.

I downloaded, built and tried an alternative and very similar utility
called MASQD and this works fine, including correct ICMP from hosts in
the local net.   It has components to work locally and remotely and even
has a rather nice Win95/NT client with easy to use GUI.

thanks for all the help on this.

andy


>Tom

>I checked the version of ipfwadm (source and binary) and it does have ICMP
>as an option as well as the supporting code.

>andy




 
 
 

1. Help! IP-Masquerade not working, but ICMP does?!?

I've been at this for days now, and could really use some help right
about now.  I've checked all the relevant news groups, and done a
search on DejaNews, as well as read the relevant docs, and either I
missed the answer due to lack of caffeine, or this is a unique
problem.

I'm attempting to do away with WinGate by setting up a Linux gateway
on my LAN.  I've gotten past all the hurdles like setting up multiple
ethernet cards and strange SCSI controllers, but IP-Masquerading
refuses to be beaten.  I've followed all the steps in the howto,
compiled the kernel with the necessary options, and it just won't
budge.

However, there is one odd thing: I can ping internet hosts through the
gateway from my LAN.  DNS lookups also appear to be working, but none
of the other protocols get through.  And another thing I've noticed,
which may or may not be related, is that FTPing into the linux box
from the LAN takes forever, but does work in the end (I don't think
it's a DNS problem, I'm using IP addresses, not host names when
FTPing).

The configuration is as follows:
Cable modem with static IP feeding into a linux box.
Linux box is a P133 with 48MB/RAM, DECchip DS21041, and KTI ET32/Px
Linux box is using Slackware 3.4, kernel 2.0.33, anything even
remotely related to TCP/IP networking and IP-Masquerading enabled.
The Linux box can access both the internet and the intranet.
The intranet can access the linux box (although somewhat flakily,
judging by the FTP performance).
ipfwadm is setup according to the mini-howto
route -n lists both ethernet cards' IP addresses, and a default
gateway is specified.
And, as mentioned before, ICMP packets are somehow getting through the
linux box.

If any of you have any hints/tips, please email them to:


              http://home.bc.rogers.wave.ca/daybreak/lab/        \ | /
------------------------------------------------------------------ * -
        It's called the miracle of modern communications only    / | \
          because nothing modern is supposed to be a curse.
