Trouble forwarding/routing packets - masquerade

Post by Jonathan Crocket » Tue, 06 Jan 1998 04:00:00



Hello,

I have been trying to get a Linux box set up as a gateway to forward,
masquerade and route packets from 2 client machines (Pentium running Win95
or Linux, and a SUN UltraSparc 1, Solaris 2.6). The local network machines
can see each other, but cannot see outside the local net. The gateway linux
box can see both the local net and the outside world.

The gateway machine (gate) is running RedHat 4.2. I recompiled the kernel
(2.0.30) with support for masquerading, forwarding, firewalls, etc as
documented in the various HOWTOs and FAQs. Here are my IP assignments:

  161.44.128.227 - ppp0 interface on gateway Linux (linked to .206)
  192.168.1.1    - eth0 interface on gateway Linux
  192.168.1.10   - ethernet interface on Pentium Win95/Linux
  192.168.1.144  - ethernet interface le0 on UltraSPARC Solaris 2.6

I've loaded ip_masq_ftp, ip_masq_irc, and ip_masq_raudio modules.

I've configured the forwarding rules as follows:

    /sbin/ipfwadm -F -p deny
    /sbin/ipfwadm -F -a accept -m -S 192.168.1.0/24 -D 0.0.0.0/0

The -I and -O rules are all set up to default accept.

My routing table looks like:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
161.44.128.206  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        2 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        5 lo
0.0.0.0         161.44.128.206  0.0.0.0         UG    0      0       27 ppp0

IP forwarding is enabled. I checked /proc/sys/net/ipv4/ip-forward to make
sure it contained 1.

The gate machine forwards _NO_ packets from the client machines. If I try to
telnet to an outside address like 128.114.129.26, it will try a while, and
then return unsuccessful.

I've used tcpdump to try to find out what's going on. If I look for
packets with a specific host, like tcpdump -i eth0 host 128.114.129.26, and
telnet to that address from my local net, all I see are some arp requests on
the local net: arp who-has 128.114.129.26 tell 161.44.128.227. If I look on
the ppp0 port, I see no packets with host address of 128.114.129.26.

Does anyone out there have a clue as to what might be wrong here? Gate
should be forwarding packets, but isn't.

Any insights would be greatly appreciated. I'll be eagerly watching this
newsgroup.

Thanks

-Jonathan


------------------------------------------------------------------------
Jonathan Crockett
Build Engineer
Global Alliances
Cisco Systems, Inc.
------------------------------------------------------------------------
"Life moves pretty fast. If you don't stop and look around once in a
while
you could miss it."

 
 
 


Post by Alden Woodwar » Wed, 07 Jan 1998 04:00:00



> Hello,

> I have been trying to get a Linux box set up as a gateway to forward,
> masquerade and route packets from 2 client machines (Pentium running Win95
> or Linux, and a SUN UltraSparc 1, Solaris 2.6). The local network machines
> can see each other, but cannot see outside the local net. The gateway linux
> box can see both the local net and the outside world.

> The gateway machine (gate) is running RedHat 4.2. I recompiled the kernel
> (2.0.30) with support for masquerading, forwarding, firewalls, etc as
> documented in the various HOWTOs and FAQs. Here are my IP assignments:

>   161.44.128.227 - ppp0 interface on gateway Linux (linked to .206)
>   192.168.1.1    - eth0 interface on gateway Linux
>   192.168.1.10   - ethernet interface on Pentium Win95/Linux
>   192.168.1.144  - ethernet interface le0 on UltraSPARC Solaris 2.6

> I've loaded ip_masq_ftp, ip_masq_irc, and ip_masq_raudio modules.

> I've configured the forwarding rules as follows:

>     /sbin/ipfwadm -F -p deny
>     /sbin/ipfwadm -F -a accept -m -S 192.168.1.0/24 -D 0.0.0.0/0

> The -I and -O rules are all set up to default accept.

> My routing table looks like:

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 161.44.128.206  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        2 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        5 lo
> 0.0.0.0         161.44.128.206  0.0.0.0         UG    0      0       27 ppp0

> IP forwarding is enabled. I checked /proc/sys/net/ipv4/ip-forward to make
> sure it contained 1.

> The gate machine forwards _NO_ packets from the client machines. If I try to
> telnet to an outside address like 128.114.129.26, it will try a while, and
> then return unsuccessful.

> I've used tcpdump to try to find out what's going on. If I look for
> packets with a specific host, like tcpdump -i eth0 host 128.114.129.26, and
> telnet to that address from my local net, all I see are some arp requests on
> the local net: arp who-has 128.114.129.26 tell 161.44.128.227. If I look on
> the ppp0 port, I see no packets with host address of 128.114.129.26.

> Does anyone out there have a clue as to what might be wrong here? Gate
> should be forwarding packets, but isn't.

I've just experienced the same problems setting up a similar network. I have
solved my problems and hopefully this will work for you too.
As far as pinging a machine outside your local network, from what I have
read (anyone with more knowledge can correct this for me if
I get this wrong) is that ping uses an ICMP protocol and thus will not
make it through the masq (see Dial-On-Demand mini-HOWTO).
As far as your ppp connection, make sure that the MTU on your network is
the same as the PPP0.
With my network eth0 has 1500 MTU. When I set the MTU to 1500 for the
PPP in the /etc/ppp/options file all the problems I had with telnet and
http were solved.

 
 
 


Post by Duncan Dubic » Wed, 07 Jan 1998 04:00:00


Uhm... I may have missed this in your post... but did you setup the gateway
on your Win95 and Solaris machine??? Without a gateway these machines will
not be able to see anything other than the local net because they won't have
a default route...


> Hello,

> I have been trying to get a Linux box set up as a gateway to forward,
> masquerade and route packets from 2 client machines (Pentium running Win95
> or Linux, and a SUN UltraSparc 1, Solaris 2.6). The local network machines
> can see each other, but cannot see outside the local net. The gateway linux
> box can see both the local net and the outside world.

 
 
 


Post by Jonathan Crocket » Wed, 07 Jan 1998 04:00:00



> Uhm... I may have missed this in your post... but did you setup the gateway
> on your Win95 and Solaris machine??? Without a gateway these machines will
> not be able to see anything other than the local net because they won't have
> a default route...

Both Win95 and Solaris have the appropriate gateway set up and default
route is to the gateway.


> > Hello,

> > I have been trying to get a Linux box set up as a gateway to forward,
> > masquerade and route packets from 2 client machines (Pentium running Win95
> > or Linux, and a SUN UltraSparc 1, Solaris 2.6). The local network machines
> > can see each other, but cannot see outside the local net. The gateway linux
> > box can see both the local net and the outside world.

--
------------------------------------------------------------------------
Jonathan Crockett
Build Engineer
Global Alliance - Release Engineering
Cisco Systems, Inc.
------------------------------------------------------------------------
"Life moves pretty fast. If you don't stop and look around once in a
while
you could miss it."
 
 
 


Post by Jonathan Crocket » Wed, 07 Jan 1998 04:00:00


[snip]

> I've just experienced the same problems setting up a similar network. I have
> solved my problems and hopefully this will work for you too.
> As far as pinging a machine outside your local network, from what I have
> read (anyone with more knowledge can correct this for me if
> I get this wrong) is that ping uses an ICMP protocol and thus will not
> make it through the masq (see Dial-On-Demand mini-HOWTO).
> As far as your ppp connection, make sure that the MTU on your network is
> the same as the PPP0.
> With my network eth0 has 1500 MTU. When I set the MTU to 1500 for the
> PPP in the /etc/ppp/options file all the problems I had with telnet and
> http were solved.

I had already changed all the MTUs to 1500 on both ppp0 and eth0. I
still get the same problem. I'm still not getting anything through from
DNS queries, telnets, ftp, or ICMP.  

Thanks
-jc

------------------------------------------------------------------------
Jonathan Crockett
Build Engineer
Global Alliance - Release Engineering
Cisco Systems, Inc.
------------------------------------------------------------------------
"Life moves pretty fast. If you don't stop and look around once in a
while
you could miss it."

 
 
 


Post by Sean M. Alli » Wed, 07 Jan 1998 04:00:00


When I set up my Linux box (RH 5.0), the file I had to edit for IP
forwarding was /etc/sysconfig/network. I changed the forward_ipv4 value
from false to true.

Sean

> -----Original Message-----

> Posted At: Monday, January 05, 1998 1:27 PM
> Posted To: networking
> Conversation:      Trouble forwarding/routing packets - masquerade
> Subject:   Trouble forwarding/routing packets - masquerade

> Hello,

> I have been trying to get a Linux box set up as a gateway to forward,
> masquerade and route packets from 2 client machines (Pentium running Win95
> or Linux, and a SUN UltraSparc 1, Solaris 2.6). The local network machines
> can see each other, but cannot see outside the local net. The gateway linux
> box can see both the local net and the outside world.

> The gateway machine (gate) is running RedHat 4.2. I recompiled the kernel
> (2.0.30) with support for masquerading, forwarding, firewalls, etc as
> documented in the various HOWTOs and FAQs. Here are my IP assignments:

>   161.44.128.227 - ppp0 interface on gateway Linux (linked to .206)
>   192.168.1.1    - eth0 interface on gateway Linux
>   192.168.1.10   - ethernet interface on Pentium Win95/Linux
>   192.168.1.144  - ethernet interface le0 on UltraSPARC Solaris 2.6

> I've loaded ip_masq_ftp, ip_masq_irc, and ip_masq_raudio modules.

> I've configured the forwarding rules as follows:

>     /sbin/ipfwadm -F -p deny
>     /sbin/ipfwadm -F -a accept -m -S 192.168.1.0/24 -D 0.0.0.0/0

> The -I and -O rules are all set up to default accept.

> My routing table looks like:

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 161.44.128.206  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        2 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        5 lo
> 0.0.0.0         161.44.128.206  0.0.0.0         UG    0      0       27 ppp0

> IP forwarding is enabled. I checked /proc/sys/net/ipv4/ip-forward to make
> sure it contained 1.

> The gate machine forwards _NO_ packets from the client machines. If I try to
> telnet to an outside address like 128.114.129.26, it will try a while, and
> then return unsuccessful.

> I've used tcpdump to try to find out what's going on. If I look for
> packets with a specific host, like tcpdump -i eth0 host 128.114.129.26, and
> telnet to that address from my local net, all I see are some arp requests on
> the local net: arp who-has 128.114.129.26 tell 161.44.128.227. If I look on
> the ppp0 port, I see no packets with host address of 128.114.129.26.

> Does anyone out there have a clue as to what might be wrong here? Gate
> should be forwarding packets, but isn't.

> Any insights would be greatly appreciated. I'll be eagerly watching this
> newsgroup.

> Thanks

> -Jonathan

> ------------------------------------------------------------------------
> Jonathan Crockett
> Build Engineer
> Global Alliances
> Cisco Systems, Inc.
> ------------------------------------------------------------------------
> "Life moves pretty fast. If you don't stop and look around once in a
> while you could miss it."

 
 
 


Post by Martin J. Man » Thu, 08 Jan 1998 04:00:00



> As far as your ppp connection, make sure that the MTU on your network is
> the same as the PPP0.
> With my network eth0 has 1500 MTU. When I set the MTU to 1500 for the
> PPP in the /etc/ppp/options file all the problems I had with telnet and
> http were solved.

This may band-aid the problem, but the correct fix for this problem is
to select the "always reassemble packets" option when you build the
kernel for the masquerading machine. Packet fragments after the first
one do not contain the information needed to make masquerading work;
the only place fragments can be reassembled correctly is on the
masquerading machine.

I don't know if this has any bearing on the original question.
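
The fragment behaviour described in the post above, as an added example that is not part of the original thread: only the first IPv4 fragment carries the TCP/UDP ports that a masquerading table is keyed on, so later fragments can only be matched after reassembly. The helper names, the 68-byte MTU and the sample segment are constructed for illustration; the two addresses are taken from the thread.

```python
import socket
import struct

def build_packet(src, dst, proto, payload, ident=1, offset8=0, more=False):
    """Minimal IPv4 packet (20-byte header, checksum left at 0 for brevity)."""
    flags_frag = (0x2000 if more else 0) | offset8
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def fragment(packet, mtu):
    """Split one unfragmented packet into fragments that fit the given MTU."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    ident, proto, data = struct.unpack("!H", packet[4:6])[0], packet[9], packet[20:]
    step = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8
    return [build_packet(src, dst, proto, data[i:i + step], ident,
                         i // 8, more=i + step < len(data))
            for i in range(0, len(data), step)]

def flow_key(packet):
    """Return (src, sport, dst, dport, proto), or None if no ports are present."""
    ihl = (packet[0] & 0x0F) * 4
    offset8 = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if offset8 != 0:
        return None                     # later fragment: no TCP/UDP header here
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (socket.inet_ntoa(packet[12:16]), sport,
            socket.inet_ntoa(packet[16:20]), dport, packet[9])

def reassemble(fragments):
    """Rebuild the original packet; raise if any fragment is missing."""
    parts = sorted(fragments, key=lambda p: struct.unpack("!H", p[6:8])[0] & 0x1FFF)
    data, ff = b"", 0x2000
    for p in parts:
        ff = struct.unpack("!H", p[6:8])[0]
        if (ff & 0x1FFF) * 8 != len(data):
            raise ValueError("missing fragment")
        data += p[20:]
    if ff & 0x2000:
        raise ValueError("last fragment not received")
    first = parts[0]
    return build_packet(socket.inet_ntoa(first[12:16]), socket.inet_ntoa(first[16:20]),
                        first[9], data, struct.unpack("!H", first[4:6])[0])

# Constructed sample: a TCP segment (ports 1025 -> 23) from the thread's
# Win95 client to the thread's outside host, fragmented for a small MTU.
TCP = struct.pack("!HHIIBBHHH", 1025, 23, 0, 0, 0x50, 0x02, 512, 0, 0) + b"x" * 100
ORIGINAL = build_packet("192.168.1.10", "128.114.129.26", 6, TCP)
FRAGS = fragment(ORIGINAL, mtu=68)

if __name__ == "__main__":
    for f in FRAGS:
        print(len(f), flow_key(f))      # only the first fragment yields a key
    print(flow_key(reassemble(FRAGS)))  # after reassembly the key is available
```
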

 
 
 


Post by Graham » Sat, 10 Jan 1998 04:00:00



> I have been trying to get a Linux box set up as a gateway to forward,
> masquerade and route packets from 2 client machines (Pentium running Win95
> or Linux, and a SUN UltraSparc 1, Solaris 2.6).

[snip]

> I've used tcpdump to try to find out what's going on. If I look for
> packets with a specific host, like tcpdump -i eth0 host 128.114.129.26,
> and telnet to that address from my local net, all I see are some arp
> requests on the local net: arp who-has 128.114.129.26 tell 161.44.128.227.
> If I look on the ppp0 port, I see no packets with host address of
> 128.114.129.26.

This has confused me (though it's probably my lack of understanding
that's caused it). I thought the address resolution protocol (arp) was
supposed to get the layer 2 MAC address for a given IP address, by
broadcasting an arp request across a subnet.

In the example above, aren't you trying to telnet from a machine on your
local net, through the linux box, and out to the wider world? If this is
the case, why are you seeing arp packets?

If the gateways and default routes are configured correctly, the linux
box should just send the packet out over the default route (ppp
interface), shouldn't it?

I'm no expert, but this smacks of routing problems to me.

I know that's no real help, but I thought it worth mentioning. If it's
total cobblers, apologies for any confusion it may cause!

Graham

 
 
 


Post by Jonathan Crocket » Sat, 10 Jan 1998 04:00:00



>[snip]
> This has confused me (though it's probably my lack of understanding
> that's caused it). I thought the address resolution protocol (arp) was
> supposed to get the layer 2 MAC address for a given IP address, by
> broadcasting an arp request across a subnet.

Correct.

> In the example above, aren't you trying to telnet from a machine on your
> local net, through the linux box, and out to the wider world? If this is
> the case, why are you seeing arp packets?

Yes, which is what has been confusing me.

My Win95 is now working. I was testing mostly with an UltraSPARC/Solaris
2.6 connected to the gateway. I tried Win95 last night and it worked.

Perhaps my configuration on my Solaris 2.6 box is incorrect. I'm not as
familiar with Solaris as I am with Linux. I have the gateway specified
in the defaultrouter file in /etc. This worked on a different Solaris
box at work. Perhaps there is some other location to specify the gateway
for a Solaris that I'm not aware of?

I'll check my Solaris set up again tonight and try removing the
/etc/defaultrouter file to see what happens.

Thanks for all the suggestions everyone. :) It's appreciated.

> If the gateways and default routes are configured correctly, the linux
> box should just send the packet out over the default route (ppp
> interface), shouldn't it?

> I'm no expert, but this smacks of routing problems to me.

> I know that's no real help, but I thought it worth mentioning. If it's
> total cobblers, apologies for any confusion it may cause!

> Graham

--
------------------------------------------------------------------------
Jonathan Crockett
Build Engineer
Global Alliance - Release Engineering
Cisco Systems, Inc.
------------------------------------------------------------------------
"Life moves pretty fast. If you don't stop and look around once in a
while
you could miss it."
 
 
 


Post by Jonathan Crocket » Sun, 11 Jan 1998 04:00:00


[snip]

Hip hip hooray!!! My home network is now fully functional. I think
setting the MTUs to all match fixed one problem, and allowed my Win95
machine to successfully see the internet. My Solaris 2.6 UltraSPARC was
a little more tricky. It still wouldn't work and I finally found out why.
For one, I had the wrong IP selected as the gateway, I had my gateway's
outgoing ppp0 IP instead of the local eth0 specified. That fixed the
incorrect arps I was seeing, however DNS still was failing. I finally
discovered that DNS hadn't been turned on in nsswitch.conf. Duh. So now
I am finally happy. I have a 486 Linux box working as a masquerading
gateway and print server for my Win95/Linux Pentium and my UltraSPARC.
And it's all working! Awesome dudes. Thanks to everyone who read my posts
and especially those that replied with suggestions. I love the net ;-)

------------------------------------------------------------------------
 Jonathan Crockett
 Build Engineer
 Global Alliance - Release Engineering
 Cisco Systems, Inc.
------------------------------------------------------------------------
 "Life moves pretty fast. If you don't stop and look around once in a
 while you could miss it."

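The symptom that led to the fix in the post above, as an added example that is not part of the original thread: ARP requests on the LAN segment whose target or sender address lies outside the LAN prefix indicate a host treating a remote destination as on-link, which here came from a wrong default gateway on a client. The function name `audit_arp` is hypothetical and the capture lines are constructed; the first flagged line reuses the request quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Matches the old ("arp who-has X tell Y") and the newer
# ("ARP, Request who-has X tell Y, length 28") tcpdump output styles.
ARP_REQ = re.compile(
    r"who-has (\d{1,3}(?:\.\d{1,3}){3}) tell (\d{1,3}(?:\.\d{1,3}){3})")

def audit_arp(lines, lan_cidr):
    """Return (sender, target, reasons, count) for ARP requests that should
    never appear on a segment whose only on-link prefix is lan_cidr."""
    lan = ipaddress.ip_network(lan_cidr)
    seen = Counter()
    for line in lines:
        m = ARP_REQ.search(line)
        if not m:
            continue                      # not an ARP request line
        try:
            target, sender = (ipaddress.ip_address(a) for a in m.groups())
        except ValueError:
            continue                      # malformed address in the capture
        reasons = []
        if target not in lan:
            reasons.append("target is off-link")
        if sender not in lan:
            reasons.append("sender address is off-link")
        if reasons:
            seen[(str(sender), str(target), tuple(reasons))] += 1
    return [(s, t, r, n) for (s, t, r), n in sorted(seen.items())]

# Constructed capture lines (timestamps and most addresses are made up).
SAMPLE = [
    "20:15:01.10 arp who-has 192.168.1.1 tell 192.168.1.10",
    "20:15:02.20 arp who-has 128.114.129.26 tell 161.44.128.227",
    "20:15:03.20 arp who-has 128.114.129.26 tell 161.44.128.227",
    "20:15:04.00 ARP, Request who-has 192.168.1.144 tell 192.168.1.1, length 28",
    "20:15:05.00 arp reply 192.168.1.1 is-at 0:0:c0:11:22:33",
    "20:15:06.00 arp who-has 10.0.0.5 tell 192.168.1.144",
]

if __name__ == "__main__":
    for sender, target, reasons, count in audit_arp(SAMPLE, "192.168.1.0/24"):
        print(f"{count}x {sender} asks for {target}: {', '.join(reasons)}")
```
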
 
 
 
