IP MASQ won't work

IP MASQ won't work

Post by Chri » Wed, 03 Sep 2003 02:53:55



Hi, I am trying to run a IP MASQ firewall for 2 computers. The
linuxbox will sit in between the university network and my 2 winboxes.
eth0 is the exterior interface, eth1 is the interior. I have
everything except the firewall script setup. I have used a couple from
different HOWTOs and none of them will work. I have even tried just
"iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" with everything
else set to accept, and it won't work.
Here is the script I am currently using:

#!/bin/bash
#
# rc.firewall-2.4
#
#               Initial SIMPLE IP Masquerade test for 2.4.x kernels
#               using IPTABLES.  
#
#               Once IP Masquerading has been tested, with this simple
#               ruleset, it is highly recommended to use a stronger
#               IPTABLES ruleset either given later in this HOWTO or
#               from another reputable resource.
#
#
#

echo -e "\n\nLoading simple rc.firewall\n"

# The location of the iptables and kernel module programs
#
#   If your Linux distribution came with a copy of iptables,
#   most likely all the programs will be located in /sbin.  If
#   you manually compiled iptables, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal
#
#
#  NOTE:  If this doesn't EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables below. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
#
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.  
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
#        modules are shown below but are commented out from loading.
# ===============================================================

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables

#Load the IPTABLES filtering module - "iptable_filter"
#  - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

#Loads the IRC NAT functionality into the core IPTABLES code
# Require to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"

# Just to be complete, here is a list of the remaining kernel modules
# and their function.  Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.
#
#    iptable_mangle - this target allows for packets to be manipulated
#                     for things like the TCPMSS option, etc.

echo -e "   Done loading modules.\n"

#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#            connecting to the Internet on external interface "eth0".  This
#            example will MASQ internal traffic out to the Internet but not
#            allow non-initiated traffic into your internal network.
#
#            
#         ** Please change the above network numbers, subnet mask, and your
#         *** Internet connection interface name to match your setup
#        

#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT are ACCEPT
#    The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 done.\n"

<--------end of script--------->


IP MASQ won't work

Post by Chri » Thu, 04 Sep 2003 06:31:46


shock...@yahoo.com (Chris) wrote in message <news:4d23a468.0309010953.60a27bdb@posting.google.com>...
> Hi, I am trying to run a IP MASQ firewall for 2 computers. The
> linuxbox will sit in between the university network and my 2 winboxes.
> eth0 is the exterior interface, eth1 is the interior. I have
> everything except the firewall script setup. I have used a couple from
> different HOWTOs and none of them will work. I have even tried just
> "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" with everything
> else set to accept, and it won't work.
> Here is the script I am currently using:

...



IP MASQ won't work

Post by jack » Thu, 04 Sep 2003 14:55:25



>>Here is the script I am currently using:
> Does anybody have any clues as to why this script will not work? I am
> running Red Hat linux 7.3 with all updates.

Hi,

Your script seems to be ok, basically, but it would be helpful if You
could say what exactly "does not work"...

Firstly, the output of "lsmod" after running this script would be of
interest, and then "iptables -L -n -x -v", and this again with "-t nat"
appended - providing that Your script for itself doesn't produce any
errors. If so, post them first. I assume that some line breaks come
from posting the script and are not in the original one.

Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...


IP MASQ won't work

Post by Chri » Fri, 05 Sep 2003 01:06:34




> >>Here is the script I am currently using:

> > Does anybody have any clues as to why this script will not work? I am
> > running Red Hat linux 7.3 with all updates.

> Hi,

> Your script seems to be ok, basically, but it would be helpful if You
> could say what exactly "does not work"...

> Firstly, the output of "lsmod" after running this script would be of
> interest, and then "iptables -L -n -x -v", and this again with "-t nat"
> appended - providing that Your script for itself doesn't produce any
> errors. If so, post them first. I assume that some line breaks come
> from posting the script and are not in the original one.

> Cheers, Jack.

When I do lsmod after starting the script everything seems to be ok.
Here is the iptables output:

iptables -L -n -v -x
Chain INPUT (policy DROP 36 packets, 3024 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  eth1   *       192.168.1.100        192.168.1.1
       0        0 ACCEPT     all  --  eth1   *       192.168.1.101        192.168.1.1
     107    10239 ACCEPT     all  --  *      *       192.168.1.1          0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 143 packets, 13263 bytes)
    pkts      bytes target     prot opt in     out     source               destination

iptables -L -n -v -x -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10 packets, 1428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10 packets, 1428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
<------end of iptables output--------->

There are line breaks in the original script from the HOWTO, which I
just copied over. All I did was make any slight changes in the INPUT
chains or anything regarding DHCP and such. The line breaks I believe
you are talking about are the #======== and #------- and echo
"---------". Those are put there just so things are separated nicely.
I'm sorry for being so general about my post, I must learn to stop
that.


IP MASQ won't work

Post by jack » Fri, 05 Sep 2003 16:37:58



> When I do lsmod after starting the script everything seems to be ok.
> Here is the iptables output:

> iptables -L -n -v -x
> Chain INPUT (policy DROP 36 packets, 3024 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>        0        0 ACCEPT     all  --  eth1   *       192.168.1.100        192.168.1.1
>        0        0 ACCEPT     all  --  eth1   *       192.168.1.101        192.168.1.1
>      107    10239 ACCEPT     all  --  *      *       192.168.1.1          0.0.0.0/0

You should withdraw this rule. Read about "spoofing ip addresses".
Better use something like "-i lo" for this.

> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>        0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>        0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
>        0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4

One question here: What does Your outside NIC (eth0) connect to?

For testing, it may be a good idea to simply allow everything to be
forwarded. This is not harmful, because Your inside clients cannot
be addressed directly from the outside, and everything else will be
dropped by the INPUT chain or has come through masquerading already
and will be sent to its destination.

> Chain OUTPUT (policy ACCEPT 143 packets, 13263 bytes)
>     pkts      bytes target     prot opt in     out     source               destination

> iptables -L -n -v -x -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in     out     source               destination

> Chain POSTROUTING (policy ACCEPT 10 packets, 1428 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>        0        0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

In what context did You list all this...? - Have You tried to reach
the world from one of Your clients already? If so, the counters should
be != 0 here.

> Chain OUTPUT (policy ACCEPT 10 packets, 1428 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
> <------end of iptables output--------->

> There are line breaks in the original script from the HOWTO, which I
> just copied over. All i did was make any slight changes in the INPUT
> chains or anything regaurding DHCP and such. The line break I believe
> you are talking about are the #======== and #------- and echo
> "---------". Those are put there just so things are separated nicely.

There were some comments broken, so that some words appeared at the
beginning of a line, which will make them be read in as commands. -
If the script produces no errors on that, it's okay.

The question is, what does eth0 connect to.

Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
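Jack's objection to the third INPUT rule, worked through as an added example (this is not code from the thread or from the HOWTO script): that rule accepts any packet whose source address is 192.168.1.1 with the input interface left as a wildcard, so a packet arriving on eth0 with a forged inside source is accepted by a chain whose policy is DROP. The hardened form below ties trust to the interface a packet arrived on instead: loopback gets the `-i lo` rule Jack suggests, packets on the outside interface claiming an inside source are dropped in both INPUT and FORWARD, and inside hosts reach the router only through eth1. The interface names are the thread's; the inside subnet 192.168.1.0/24 is an assumption inferred from the 192.168.1.x addresses in the listing, and `IPTABLES=echo` is an assumed dry-run convention that prints the rules rather than loading them.

```shell
#!/bin/bash
# Added example, not part of the thread or the HOWTO script.
# Assumptions: eth0 outside, eth1 inside (as in the thread); inside subnet
# 192.168.1.0/24 (inferred from the 192.168.1.x addresses in the listing).
# Set IPTABLES=echo to print the rules instead of loading them (dry run).
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
INTNET=${INTNET:-192.168.1.0/24}
INTIP=${INTIP:-192.168.1.1}

# The rule Jack objects to: it matches on the source address alone, with the
# input interface a wildcard, so a packet arriving on $EXTIF with a forged
# source of $INTIP is accepted even though the INPUT policy is DROP.
weak_input_rules() {
    "$IPTABLES" -A INPUT -s "$INTIP" -j ACCEPT
}

# Hardened replacement: trust is tied to the interface a packet arrived on,
# not to an address that anyone can write into an IP header.
hardened_input_rules() {
    # Loopback traffic, which is what the $INTIP rule was really there for
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Anti-spoofing: nothing arriving on the outside interface may claim an
    # inside source address, whether addressed to the router or forwarded
    "$IPTABLES" -A INPUT   -i "$EXTIF" -s "$INTNET" -j DROP
    "$IPTABLES" -A FORWARD -i "$EXTIF" -s "$INTNET" -j DROP
    # Inside hosts may talk to the router, but only via the inside interface
    "$IPTABLES" -A INPUT -i "$INTIF" -s "$INTNET" -j ACCEPT
    # Replies to connections the router itself opened towards the outside
    "$IPTABLES" -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage:  IPTABLES=echo ./harden-input.sh load   (dry run: prints the rules)
#         ./harden-input.sh load                 (as root: loads them)
if [ "${1:-}" = "load" ]; then
    hardened_input_rules
fi
```

The anti-spoofing DROP rules go in before any ACCEPT so that a packet on eth0 with an inside source never reaches a rule that trusts that address; order matters because iptables stops at the first match.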


IP MASQ won't work

Post by W Cardwel » Sat, 06 Sep 2003 21:39:01


RedHat has another way to enable and disable IP forwarding, in
/etc/sysctl.conf. Make sure yours says

net.ipv4.ip_forward=1

If that looks OK, can you post the output of 'ifconfig' and 'route -n' ?
--

wcardwell at nc dot rr dot com


IP MASQ won't work

Post by Chri » Sun, 07 Sep 2003 13:00:23




> For testing, it may be a good idea to simply allow everything to be
> forwarded. This is not harmful, because Your inside clients cannot
> be addressed directly from the outside, and everything else will be
> dropped by the INPUT chain or has come through masquerading already
> and will be sent to its destination.

> The question is, what does eth0 connect to.

> Cheers, Jack.

eth0 is connected to my university network. I have tried forwarding
everything but that doesn't work.

IP MASQ won't work

Post by Chri » Sun, 07 Sep 2003 13:24:46



> RedHat has another way to enable and disable IP forwarding, in
> /etc/sysctl.conf. Make sure yours says

> net.ipv4.ip_forward=1

> If that looks OK, can you post the output of 'ifconfig' and 'route -n' ?

output of ifconfig

eth0      Link encap:Ethernet  HWaddr 00:04:5A:57:98:4A  
          inet addr:150.135.180.52  Bcast:150.135.181.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30896 errors:0 dropped:0 overruns:0 frame:0
          TX packets:463 errors:2 dropped:0 overruns:0 carrier:4
          collisions:18 txqueuelen:100
          RX bytes:2788946 (2.6 Mb)  TX bytes:53529 (52.2 Kb)
          Interrupt:11 Base address:0xcc00

eth1      Link encap:Ethernet  HWaddr 00:01:03:DE:08:CF  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:517 errors:0 dropped:0 overruns:0 frame:0
          TX packets:968 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:69822 (68.1 Kb)  TX bytes:285424 (278.7 Kb)
          Interrupt:10 Base address:0xec00

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1400 (1.3 Kb)  TX bytes:1400 (1.3 Kb)
<--------end of ifconfig--------->

output of route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
150.135.180.0   0.0.0.0         255.255.254.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         150.135.180.1   0.0.0.0         UG    0      0        0 eth0
<--------end of route----------->
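The checks the replies ask for, gathered into one added pre-flight script (not code from the thread): W Cardwell's question whether forwarding is really on, whether the `route -n` table sends the default route out of the outside interface and the inside subnet to the inside interface, and Jack's point that the MASQUERADE counter must be non-zero once a client has tried to reach the outside. The functions take the ip_forward file path and the command output as parameters so they can be run against captured text; the sample tables below are constructed from the output Chris posted, and running them through the script reproduces the thread's finding that routes and forwarding look right while no client packet has ever been translated. The `run` argument, interface names and the inside network 192.168.1.0 are assumptions.

```shell
#!/bin/bash
# Added example, not part of the thread. Pre-flight check for a masquerading
# router: is ip_forward 1, does the default route leave via the outside
# interface, is the inside subnet on the inside interface, and has the
# MASQUERADE rule matched anything yet. Inputs are a file path and text so the
# functions can be run against captured output.
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}

# check_ip_forward FILE -> true when the kernel switch reads "1"
check_ip_forward() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# default_route_iface ROUTE_TEXT -> interface of the 0.0.0.0 gateway route
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $NF; exit }'
}

# iface_for_net ROUTE_TEXT NET -> interface owning the directly connected NET
iface_for_net() {
    printf '%s\n' "$1" | awk -v net="$2" '$1 == net && $2 == "0.0.0.0" { print $NF; exit }'
}

# masq_counter NAT_TEXT -> packet counter of the first MASQUERADE rule in
# "iptables -L -n -v -x -t nat" output (0 means no client traffic reached it)
masq_counter() {
    printf '%s\n' "$1" | awk '$3 == "MASQUERADE" { print $1; exit }'
}

# masq_preflight IP_FORWARD_FILE ROUTE_TEXT INTNET NAT_TEXT
# prints one line per check; returns 0 only when every check passes
masq_preflight() {
    fwd_file=$1; routes=$2; intnet=$3; nat=$4; rc=0
    if check_ip_forward "$fwd_file"; then
        echo "ok:   ip_forward is 1"
    else
        echo "FAIL: ip_forward is not 1 (net.ipv4.ip_forward in /etc/sysctl.conf)"; rc=1
    fi
    gw_if=$(default_route_iface "$routes")
    if [ "$gw_if" = "$EXTIF" ]; then
        echo "ok:   default route leaves via $EXTIF"
    else
        echo "FAIL: default route via '${gw_if:-none}', expected $EXTIF"; rc=1
    fi
    in_if=$(iface_for_net "$routes" "$intnet")
    if [ "$in_if" = "$INTIF" ]; then
        echo "ok:   $intnet is directly connected on $INTIF"
    else
        echo "FAIL: $intnet on '${in_if:-none}', expected $INTIF"; rc=1
    fi
    pkts=$(masq_counter "$nat")
    if [ -n "$pkts" ] && [ "$pkts" -gt 0 ]; then
        echo "ok:   MASQUERADE rule has matched $pkts packets"
    else
        echo "FAIL: MASQUERADE counter is ${pkts:-missing}: no client traffic translated yet"; rc=1
    fi
    return $rc
}

# Constructed samples, copied from the output posted in the thread
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
150.135.180.0   0.0.0.0         255.255.254.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         150.135.180.1   0.0.0.0         UG    0      0        0 eth0'

SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 10 packets, 1428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# Usage on the router itself (as root): ./masq-preflight.sh run
if [ "${1:-}" = "run" ]; then
    masq_preflight /proc/sys/net/ipv4/ip_forward "$(route -n)" 192.168.1.0 \
        "$(iptables -L -n -v -x -t nat)"
fi
```

A zero MASQUERADE counter with forwarding on and sane routes narrows the fault to the path before NAT: either the clients are not sending through 192.168.1.1 at all (wrong default gateway on the Windows boxes) or their packets are being dropped in FORWARD before reaching POSTROUTING, which the LOG rule in the posted FORWARD chain would show in the kernel log.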


IP MASQ won't work

Post by Chri » Mon, 08 Sep 2003 03:59:04





> > >      destination
> > >        0        0 MASQUERADE  all  --  *      eth0    0.0.0.0/0      
> > >     0.0.0.0/0

> > In what context did You list all this...? - Have You tried to reach
> > the world from one of Your clients already? If so, the counters should
> > be != 0 here.

> > > Chain OUTPUT (policy ACCEPT 10 packets, 1428 bytes)
> > >     pkts      bytes target     prot opt in     out     source        
> > >      destination
> > > <------end of iptables output--------->

> > > There are line breaks in the original script from the HOWTO, which I
> > > just copied over. All I did was make any slight changes in the INPUT
> > > chains or anything regarding DHCP and such. The line breaks I believe
> > > you are talking about are the #======== and #------- and echo
> > > "---------". Those are put there just so things are separated nicely.

> > There were some comments broken, so that some words appeared at the
> > beginning of a line, which would make them be read in as commands. -
> > If the script produces no errors on that, it's okay.

> > The question is, what does eth0 connect to.

> > Cheers, Jack.

> eth0 is connected to my university network. I have tried forwarding
> everything but that doesn't work.

I have been doing some testing but I can't seem to resolve this thing.
I am trying to use my laptop to connect to the internet through my
linuxbox, I can see the internet but I can only surf the web using ip
addresses. I can't ping or go to www.arizona.edu, but I can ping and
go to 128.196.133.81. In /etc/resolve.conf I have:
nameserver 128.196.11.233
nameserver 128.196.11.234
nameserver 128.196.11.235

As those are the nameservers I get on my desktop winbox when I run
ipconfig /all. My laptop connects to my linuxbox through eth1 with a
crossover cable. I have eth0 get its IP from the DHCP server, and eth1
is static at 192.168.1.1. I set my /etc/sysconfig/network file to get
the ip address of eth0 `ifconfig eth0 | grep 'inet addr' | awk '{print
$2}' | sed -e s/.*://' and assign it to GATEWAY and GATEWAYDEV=eth0.
/etc/sysctl.conf has net.ipv4.ip_forward = 1. I can ping
www.arizona.edu from a tty on the linuxbox. I am just unsure as to how
I can get the laptop to resolve domain names. Thank you for any help
you can provide.

IP MASQ won't work

Post by Chri » Tue, 09 Sep 2003 08:11:46

> > > > When I do lsmod after starting the script everything seems to be ok.
> > > > Here is the iptables output:

> > > > iptables -L -n -v -x
> > > > Chain INPUT (policy DROP 36 packets, 3024 bytes)
> > > >     pkts      bytes target     prot opt in     out     source        
> > > >      destination
> > > >        0        0 ACCEPT     all  --  eth1   *       192.168.1.100    
> > > >    192.168.1.1
> > > >        0        0 ACCEPT     all  --  eth1   *       192.168.1.101    
> > > >    192.168.1.1
> > > >      107    10239 ACCEPT     all  --  *      *       192.168.1.1      
> > > >    0.0.0.0/0

> > > You should withdraw this rule. Read about "spoofing ip addresses".
> > > Better use something like "-i lo" for this.

> > > > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > >     pkts      bytes target     prot opt in     out     source        
> > > >      destination
> > > >        0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0        
> > > >    0.0.0.0/0          state RELATED,ESTABLISHED
> > > >        0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0        
> > > >    0.0.0.0/0
> > > >        0        0 LOG        all  --  *      *       0.0.0.0/0        
> > > >    0.0.0.0/0          LOG flags 0 level 4

> > > One question here: What does Your outside NIC (eth0) connect to?

> > > For testing, it may be a good idea to simply allow everything to be
> > > forwarded. This is not harmful, because Your inside clients cannot
> > > be addressed directly from the outside, and everything else will be
> > > dropped by the INPUT chain or has come through masquerading already
> > > and will be sent to its destination.

> > > > Chain OUTPUT (policy ACCEPT 143 packets, 13263 bytes)
> > > >     pkts      bytes target     prot opt in     out     source        
> > > >      destination

> > > > iptables -L -n -v -x -t nat
> > > > Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> > > >     pkts      bytes target     prot opt in     out     source        
> > > >      destination

> > > > Chain POSTROUTING (policy ACCEPT 10 packets, 1428 bytes)
> > > >     pkts      bytes target     prot opt in     out     source        
> > > >      destination
> > > >        0        0 MASQUERADE  all  --  *      eth0    0.0.0.0/0      
> > > >     0.0.0.0/0

> > > In what context did You list all this...? - Have You tried to reach
> > > the world from one of Your clients already? If so, the counters should
> > > be != 0 here.

> > > > Chain OUTPUT (policy ACCEPT 10 packets, 1428 bytes)
> > > >     pkts      bytes target     prot opt in     out     source        
> > > >      destination
> > > > <------end of iptables output--------->

> > > > There are line breaks in the original script from the HOWTO, which I
> > > > just copied over. All I did was make any slight changes in the INPUT
> > > > chains or anything regarding DHCP and such. The line breaks I believe
> > > > you are talking about are the #======== and #------- and echo
> > > > "---------". Those are put there just so things are separated nicely.

> > > There were some comments broken, so that some words appeared at the
> > > beginning of a line, which would make them be read in as commands. -
> > > If the script produces no errors on that, it's okay.

> > > The question is, what does eth0 connect to.

> > > Cheers, Jack.

> > eth0 is connected to my university network. I have tried forwarding
> > everything but that doesn't work.

> I have been doing some testing but I can't seem to resolve this thing.
> I am trying to use my laptop to connect to the internet through my
> linuxbox, I can see the internet but I can only surf the web using ip
> addresses. I can't ping or go to www.arizona.edu, but I can ping and
> go to 128.196.133.81. In /etc/resolve.conf I have:
> nameserver 128.196.11.233
> nameserver 128.196.11.234
> nameserver 128.196.11.235

> As those are the nameservers I get on my desktop winbox when I run
> ipconfig /all. My laptop connects to my linuxbox through eth1 with a
> crossover cable. I have eth0 get its IP from the DHCP server, and eth1
> is static at 192.168.1.1. I set my /etc/sysconfig/network file to get
> the ip address of eth0 `ifconfig eth0 | grep 'inet addr' | awk '{print
> $2}' | sed -e s/.*://' and assign it to GATEWAY and GATEWAYDEV=eth0.
> /etc/sysctl.conf has net.ipv4.ip_forward = 1. I can ping
> www.arizona.edu from a tty on the linuxbox. I am just unsure as to how
> I can get the laptop to resolve domain names. Thank you for any help
> you can provide.

Is there anything I may be missing?

IP MASQ won't work

Post by Horst Knobloc » Fri, 12 Sep 2003 04:29:43

>> eth0 is connected to my university network. I have tried forwarding
>> everything but that doesn't work.

> I have been doing some testing but I can't seem to resolve this thing.
> I am trying to use my laptop to connect to the internet through my
> linuxbox, I can see the internet but I can only surf the web using ip
> addresses. I can't ping or go to www.arizona.edu, but I can ping and
> go to 128.196.133.81. In /etc/resolve.conf I have:
> nameserver 128.196.11.233
> nameserver 128.196.11.234
> nameserver 128.196.11.235

Is this the /etc/resolv.conf of the laptop? If not, check
whether on the laptop you also use proper name server
entries. Check whether they match the entries
on the Linux box.

Ciao, Horst
--
"When pings go wrong (It hurts me too)" E.Clapton/E.James/P.Tscharn


IP MASQ won't work

Post by Chri » Fri, 12 Sep 2003 14:11:35

> >> eth0 is connected to my university network. I have tried forwarding
> >> everything but that doesn't work.

> > I have been doing some testing but I can't seem to resolve this thing.
> > I am trying to use my laptop to connect to the internet through my
> > linuxbox, I can see the internet but I can only surf the web using ip
> > addresses. I can't ping or go to www.arizona.edu, but I can ping and
> > go to 128.196.133.81. In /etc/resolve.conf I have:
> > nameserver 128.196.11.233
> > nameserver 128.196.11.234
> > nameserver 128.196.11.235

> Is this the /etc/resolv.conf of the laptop? If not, check
> whether on the laptop you also use proper name server
> entries. Check whether they match the entries
> on the Linux box.

> Ciao, Horst

The laptop runs Windows, so there is no /etc/resolve.conf. But when I
run ipconfig /all in a command prompt, the DNS server is listed as
192.168.1.1, the IP address for eth1 on my linuxbox. Is there a way to
get the linuxbox to do the domain name resolution without running
BIND or something? If not, I guess I'll have to figure out how to set up
BIND. Thank you.

IP MASQ won't work

Post by Horst Knobloc » Fri, 12 Sep 2003 18:02:24

[...]
>> Is this the /etc/resolv.conf of the laptop? If not, check
>> whether on the laptop you also use proper name server
>> entries. Check whether they match the entries
>> on the Linux box.

> The laptop runs windows, so there is no /etc/resolve.conf. But when I
> run ipconfig /all in a command prompt, the DNS server is listed as
> 192.168.1.1, the IP address for eth1 on my linuxbox.

You can configure the DNS addresses somewhere in the network
configuration section of windows. I would do this at least
for the time being.

> Is there a way to
> get the linuxbox to do the domain name resolutions without running
> BIND or something? If not I guess I'll have to figure out how to setup
> BIND. Thank you.

Don't use BIND, it is total overkill for your situation.
Search for a caching DNS proxy, e.g. http://cr.yp.to/djbdns.html,
and run it on the Linux box.

Ciao, Horst
--
"When pings go wrong (It hurts me too)" E.Clapton/E.James/P.Tscharn


IP MASQ won't work

Post by Chri » Sat, 13 Sep 2003 01:23:54

>  [...]
> >> Is this the /etc/resolv.conf of the laptop? If not, check
> >> whether on the laptop you also use proper name server
> >> entries. Check whether they match the entries
> >> on the Linux box.

> > The laptop runs windows, so there is no /etc/resolve.conf. But when I
> > run ipconfig /all in a command prompt, the DNS server is listed as
> > 192.168.1.1, the IP address for eth1 on my linuxbox.

> You can configure the DNS addresses somewhere in the network
> configuration section of windows. I would do this at least
> for the time being.

> > Is there a way to
> > get the linuxbox to do the domain name resolutions without running
> > BIND or something? If not I guess I'll have to figure out how to setup
> > BIND. Thank you.

> Don't use BIND, it is total overkill for your situation.
> Search for a caching DNS proxy, e.g. http://cr.yp.to/djbdns.html,
> and run it on the Linux box.

> Ciao, Horst

Thank you for your help. I'm glad you told me not to install BIND, as I
was about to. I will try the caching DNS proxy and report back my
luck.

IP MASQ won't work

Post by Chri » Sat, 13 Sep 2003 06:53:36

>  [...]
> > >> Is this the /etc/resolv.conf of the laptop? If not, check
> > >> whether on the laptop you also use proper name server
> > >> entries. Check whether they match the entries
> > >> on the Linux box.

> > > The laptop runs windows, so there is no /etc/resolve.conf. But when I
> > > run ipconfig /all in a command prompt, the DNS server is listed as
> > > 192.168.1.1, the IP address for eth1 on my linuxbox.

> > You can configure the DNS addresses somewhere in the network
> > configuration section of windows. I would do this at least
> > for the time being.

> > > Is there a way to
> > > get the linuxbox to do the domain name resolutions without running
> > > BIND or something? If not I guess I'll have to figure out how to setup
> > > BIND. Thank you.

> > Don't use BIND, it is total overkill for your situation.
> > Search for a caching DNS proxy, e.g. http://cr.yp.to/djbdns.html,
> > and run it on the Linux box.

> > Ciao, Horst

> Thank you for your help. I'm glad you told me not to install BIND, as I
> was about to. I will try the caching DNS proxy and report back my
> luck.

Well, I tried djbdns and my laptop still wouldn't resolve IP addresses.
So I installed BIND, and that's way out of my league. So I set the
DHCP server to give my LAN computers the IP addresses of the
university's DNS servers and now it all works. Thanks everyone for
their help, even if it didn't get me to where I wanted to be. Maybe
someone will point out what I did wrong. Thanks again.
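The three findings of this thread as a checker over captured gateway output, an added example that belongs to none of the posts: Jack's remark that an INPUT rule trusting the gateway's own address on any interface is spoofable (it belongs on -i lo), his remark that a MASQUERADE counter still at zero means no client traffic has been NATed, and the final finding that the Windows client resolved nothing because its DNS server was the gateway's inside address with no resolver listening there. The listings embedded below are constructed to mirror the ones posted (unwrapped to one line per rule), and all function names are mine.

```python
"""Triage a masquerading gateway from captured iptables output.

Added example, not from the thread: the listings below are constructed
to mirror the ones posted, unwrapped onto one line per rule.
"""

# Constructed: `iptables -L -n -v -x` INPUT chain as posted in the thread.
INPUT_CHAIN = """Chain INPUT (policy DROP 36 packets, 3024 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  eth1   *       192.168.1.100        192.168.1.1
     107    10239 ACCEPT     all  --  *      *       192.168.1.1          0.0.0.0/0
"""

# Constructed: `iptables -t nat -L -n -v -x` POSTROUTING chain as posted.
NAT_POSTROUTING = """Chain POSTROUTING (policy ACCEPT 10 packets, 1428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

def parse_rules(chain_listing):
    """Yield one dict per rule line; the two header lines are skipped."""
    for line in chain_listing.splitlines()[2:]:
        f = line.split()
        if len(f) >= 9:  # pkts bytes target prot opt in out source destination
            yield dict(pkts=int(f[0]), target=f[2], in_if=f[5],
                       out_if=f[6], src=f[7], dst=f[8])

def masquerade_packets(nat_listing, ext_if):
    """Packet count of the MASQUERADE rule for ext_if; None if no such rule.
    Zero after a client has tried to reach out means nothing was NATed."""
    for r in parse_rules(nat_listing):
        if r["target"] == "MASQUERADE" and r["out_if"] == ext_if:
            return r["pkts"]
    return None

def spoofable_self_accepts(input_listing, own_addrs):
    """ACCEPT rules that trust the gateway's own address on any interface.
    A remote host can forge that source, so the rule should be tied to -i lo."""
    return [r["src"] for r in parse_rules(input_listing)
            if r["target"] == "ACCEPT" and r["in_if"] == "*"
            and r["src"] in own_addrs]

def client_dns_reachable(client_dns, gateway_inside, gateway_listens_on_53):
    """A client pointed at the gateway for DNS resolves names only if the
    gateway runs a resolver; otherwise DHCP must hand out real DNS servers."""
    return client_dns != gateway_inside or gateway_listens_on_53

if __name__ == "__main__":
    print(masquerade_packets(NAT_POSTROUTING, "eth0"))
    print(spoofable_self_accepts(INPUT_CHAIN, {"192.168.1.1", "150.135.180.52"}))
```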