iptables masquerading on Comcast @HOME


Post by Jonathan Ha » Wed, 15 Aug 2001 04:37:48



I am having problems getting ip masquerading to work.  I followed the
ip masq howto from www.ipmasq.cjb.net and I can't get it to work
properly.  I am using the 2.4.8 kernel.  I used the rc.firewall script
that came with the howto and the only thing I changed in it was the
line:

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I changed eth0 to eth1 because that is the card my cable modem is
connected to.

On a masq'ed computer inside my network, I can ping the external
interface but I can't ping anything on the internet.

The howto guide said to make sure that ICMP masquerading was compiled
into the kernel, but in the 2.4.x kernels I've never seen ICMP
masquerading in the networking options.  So is it built in?

Please respond if you can help me, because I am tired of using only an
http proxy with my cable modem.  If you think you can help (and want
to), but need more info about my network setup or whatever, then just
reply saying so and I'll tell you what I can.

--
Open Source Programs
http://change.to/opensource

Post by Dean Thompso » Wed, 15 Aug 2001 19:08:49


Hi!,

> I am having problems getting ip masquerading to work.  I followed the
> ip masq howto from www.ipmasq.cjb.net and I can't get it to work
> properly.  I am using the 2.4.8 kernel.  I used the rc.firewall script
> that came with the howto and the only thing I changed in it was the
> line:

> IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

> I changed eth0 to eth1 because that is the card my cable modem is
> connected to.

> On a masq'ed computer inside my network, I can ping the external
> interface but I can't ping anything on the internet.

Make sure that you have turned on ip forwarding.  Take a look at the file
/etc/sysctl.conf and make sure that ip_forward = 1.  Additionally, you might
also want to add the line:  echo "1" > /proc/sys/net/ipv4/ip_forward


> the howto guide said to make sure that ICMP masquerading was compiled
> into the kernel.  but in the 2.4.x kernel's I've never seen ICMP
> masquerading in the networking options.  So is it built in?

It should all be built in and you won't have to worry about it.


> please respond if you can help me, because I am tired of using only a
> http proxy with my cable modem.  If you think you can help(and want
> to), but need more info about my network setup or whatever, then just
> reply saying so and I'll tell you what I can.


network is set to allow you to have direct access to the internet and that you
don't need to access their proxy server to access the outside world.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

Post by Jonathan Ha » Wed, 15 Aug 2001 23:15:42



> Hi!,

> > I am having problems getting ip masquerading to work.  I followed the
> > ip masq howto from www.ipmasq.cjb.net and I can't get it to work
> > properly.  I am using the 2.4.8 kernel.  I used the rc.firewall script
> > that came with the howto and the only thing I changed in it was the
> > line:

> > IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

> > I changed eth0 to eth1 because that is the card my cable modem is
> > connected to.

> > On a masq'ed computer inside my network, I can ping the external
> > interface but I can't ping anything on the internet.

> Make sure that you have turned on ip forwarding.  Take a look at the file
> /etc/sysctl.conf and make sure that ip_forward = 1.  Additionally, you might
> also want to add the line:  echo "1" > /proc/sys/net/ipv4/ip_forward

I didn't have a /etc/sysctl.conf file on my computer but I made one
and ran "/sbin/sysctl -p", but I don't know if that is the correct
command to use.  Also the rc.firewall script already has the line that
echoes 1 into /proc/sys/net/ipv4/ip_forward.  I do know that the value
of /proc/sys/net/ipv4/ip_forward is set to one after the rc.firewall
script is run.

But even though ip forwarding is on, I still can't ping anything on the
internet.
Is there something else I have to do with the rc.firewall script?


> > the howto guide said to make sure that ICMP masquerading was compiled
> > into the kernel.  but in the 2.4.x kernel's I've never seen ICMP
> > masquerading in the networking options.  So is it built in?

> It should all be built in and you won't have to worry about it.

> > please respond if you can help me, because I am tired of using only a
> > http proxy with my cable modem.  If you think you can help(and want
> > to), but need more info about my network setup or whatever, then just
> > reply saying so and I'll tell you what I can.


> network is set to allow you to have direct access to the internet and that you
> don't need to access their proxy server to access the outside world.

The proxy server I was referring to is my computer that has the cable
modem, I have a proxy server program on it so the other computers on
my lan can get on the internet.


> See ya

> Dean Thompson

> --
> +____________________________+____________________________________________+

> | Bach. Computing (Hons)     | ICQ     - 45191180                         |
> | PhD Student                | Office  - <Off-Campus>                     |
> | School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
> | MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
> | Melbourne, Australia       |                                            |
> +----------------------------+--------------------------------------------+

Post by Dean Thompso » Thu, 16 Aug 2001 00:30:02


Hi!,

> But even though ip forwarding is on, I still can't ping anything on the
> internet. Is there something else I have to do with the rc.firewall script?

Okay, can you remember whether or not you installed a firewall when the system
was being installed?  What does the output of /sbin/iptables -L -t nat look
like and what does the output of /sbin/iptables -L look like and the output of
/sbin/ifconfig ?

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

Post by Jonathan Ha » Thu, 16 Aug 2001 05:40:11



> Hi!,

> > But even though ip forwarding is on, I still can't ping anything on the
> > internet. Is there something else I have to do with the rc.firewall script?

> Okay, can you remember whether or not you installed a firewall when the system
> was being installed.  What does the output of /sbin/iptables -L -t nat look
> like and what does the output of /sbin/iptables -L look like and the output of
> /sbin/ifconfig ?

I did a full install of TurboLinux Server 6.0 (LITE), and it came with
ipchains, but I removed it and put iptables on when I upgraded to the
2.4.7 kernel.  I've patched the kernel to 2.4.8 and that's what it's
running now.

Ok, here's /sbin/ifconfig

eth0      Link encap:Ethernet  HWaddr 00:01:02:CC:7D:2F
          inet addr:192.168.205.27  Bcast:192.168.205.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:171182 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10615 txqueuelen:100
          Interrupt:9 Base address:0xb800

eth1      Link encap:Ethernet  HWaddr 00:30:84:31:9F:0F
          inet addr:24.36.34.43  Bcast:24.36.43.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:430011 errors:0 dropped:0 overruns:0 frame:0
          TX packets:165239 errors:0 dropped:0 overruns:0 carrier:0
          collisions:3405 txqueuelen:100
          Interrupt:12 Base address:0xb400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:264 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

here's /usr/local/sbin/iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

and here's /usr/local/sbin/iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

and if it helps, here's netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
24.36.34.43     0.0.0.0         255.255.255.255 UH       40 0          0 eth1
192.168.205.27  0.0.0.0         255.255.255.255 UH       40 0          0 eth0
24.36.34.0      0.0.0.0         255.255.255.0   U        40 0          0 eth1
192.168.205.0   0.0.0.0         255.255.255.0   U        40 0          0 eth0
0.0.0.0         24.36.34.43     0.0.0.0         UG       40 0          0 eth1

When I set up one of the computers on the internal network, I set the
gateway as 192.168.205.27, which is the internal address of the masq
server.  Are there any other settings that I need to set that are not
covered in the howto?

> See ya

> Dean Thompson

> --
> +____________________________+____________________________________________+

> | Bach. Computing (Hons)     | ICQ     - 45191180                         |
> | PhD Student                | Office  - <Off-Campus>                     |
> | School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
> | MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
> | Melbourne, Australia       |                                            |
> +----------------------------+--------------------------------------------+
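
Added example (not part of the original thread): a shell check of the three prerequisites raised in the replies, run against the iptables listings posted above. The function names and the suggested FORWARD rule pair are assumptions for illustration; eth0 (LAN) and eth1 (cable modem) come from the post.

```shell
#!/bin/sh
# Listings copied from the post above (iptables -L and iptables -L -t nat).
FILTER_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

NAT_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# chain_policy LISTING CHAIN: print the chain's default policy.
chain_policy() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "Chain" && $2 == c { gsub(/[()]/, "", $4); print $4; exit }'
}

# chain_rules LISTING CHAIN: print how many rules the chain holds.
chain_rules() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "Chain" { in_chain = ($2 == c); next }
        in_chain && NF && $1 != "target" { n++ }
        END { print n + 0 }'
}

# has_target LISTING CHAIN TARGET: succeed if the chain has a rule with that target.
has_target() {
    printf '%s\n' "$1" | awk -v c="$2" -v t="$3" '
        $1 == "Chain" { in_chain = ($2 == c); next }
        in_chain && $1 == t { found = 1 }
        END { exit !found }'
}

# diagnose IP_FORWARD FILTER_LISTING NAT_LISTING: print one line per problem.
diagnose() {
    [ "$1" = "1" ] || echo "ip_forward is not 1: the kernel will not route"
    has_target "$3" POSTROUTING MASQUERADE ||
        echo "no MASQUERADE rule in nat POSTROUTING"
    if [ "$(chain_policy "$2" FORWARD)" = "DROP" ] &&
       [ "$(chain_rules "$2" FORWARD)" -eq 0 ]; then
        echo "FORWARD is policy DROP with no rules: routed packets never reach nat POSTROUTING"
    fi
}

# forward_rules LAN_IF WAN_IF: a common minimal rule pair (an assumption, not
# taken from the howto's rc.firewall) that lets LAN traffic out and replies back.
forward_rules() {
    echo "iptables -A FORWARD -i $1 -o $2 -j ACCEPT"
    echo "iptables -A FORWARD -i $2 -o $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# ip_forward is 1 per the poster; on a live box read /proc/sys/net/ipv4/ip_forward.
diagnose 1 "$FILTER_LISTING" "$NAT_LISTING"
forward_rules eth0 eth1
```

On the posted listings this reports only the FORWARD finding, which fits the symptom: a ping to the gateway's own external address is handled by INPUT (policy ACCEPT), while anything routed to the internet has to pass FORWARD.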

 
 
 


Post by Dean Thompso » Thu, 16 Aug 2001 17:59:30


Hi!,

> I did a full install of TurboLinux Server 6.0 (LITE), and it came with
> ipchains, but I removed it and put iptables on when I upgraded to the
> 2.4.7 kernel.  I've patched the kernel to 2.4.8 and that's what it's
> running now.

> Ok, here's /sbin/ifconfig

> eth0      Link encap:Ethernet  HWaddr 00:01:02:CC:7D:2F
>           inet addr:192.168.205.27  Bcast:192.168.205.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:171182 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:157844 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:10615 txqueuelen:100
>           Interrupt:9 Base address:0xb800

> eth1      Link encap:Ethernet  HWaddr 00:30:84:31:9F:0F
>           inet addr:24.36.34.43  Bcast:24.36.43.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:430011 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:165239 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:3405 txqueuelen:100
>           Interrupt:12 Base address:0xb400

> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:264 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:264 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0

> here's /usr/local/sbin/iptables -L -t nat

> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination

> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  anywhere             anywhere

> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

> and here's /usr/local/sbin/iptables -L

> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination

> Chain FORWARD (policy DROP)
> target     prot opt source               destination

> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

> and if it helps, here's netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 24.36.34.43     0.0.0.0         255.255.255.255 UH       40 0          0 eth1
> 192.168.205.27  0.0.0.0         255.255.255.255 UH       40 0          0 eth0
> 24.36.34.0      0.0.0.0         255.255.255.0   U        40 0          0 eth1
> 192.168.205.0   0.0.0.0         255.255.255.0   U        40 0          0 eth0
> 0.0.0.0         24.36.34.43     0.0.0.0         UG       40 0          0 eth1

> when I set up one of the computers on the internal network, I set the
> gateway as 192.168.205.27, which is the internal address of the masq
> server.  Is there any other settings that I need to set that are not
> covered in the howto?

Looks okay, but three things I would check are:

   * Is IRQ 9 actually free on your system or is it being used by another
      device.  Something about IRQ 9 jogs in my memory as being allocated
      for something else although I could be wrong
   * Does Turbo Linux have something like /etc/sysctl.conf for IP forwarding
      or do you need to do a: echo "1" > /proc/sys/net/ipv4/ip_forward
   * When you specified the iptables command for the MASQUERADE did you
      specify the interface which has the outbound connection on it ?

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

Post by Jonathan Ha » Fri, 17 Aug 2001 00:08:53



> Hi!,

> > I did a full install of TurboLinux Server 6.0 (LITE), and it came with
> > ipchains, but I removed it and put iptables on when I upgraded to the
> > 2.4.7 kernel.  I've patched the kernel to 2.4.8 and that's what it's
> > running now.

> > when I set up one of the computers on the internal network, I set the
> > gateway as 192.168.205.27, which is the internal address of the masq
> > server.  Is there any other settings that I need to set that are not
> > covered in the howto?

> Looks okay, but three things I would check are:

>    * Is IRQ 9 actually free on your system or is it being used by another
>       device.  Something about IRQ 9 jogs in my memory as being allocated
>       for something else although I could be wrong

cat /proc/interrupts

           CPU0
  0:    6642053          XT-PIC  timer
  1:        819          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  9:     414447          XT-PIC  eth0
 10:      45013          XT-PIC  ide2
 12:     619911          XT-PIC  eth1
 15:          7          XT-PIC  ide1
NMI:          0
LOC:          0
ERR:          0
MIS:          0  

Looks like irq 9 is only being used by eth0 (the card that connects to
the lan).

>    * Does Turbo Linux have something like /etc/sysctl.conf for IP forwarding
>       or do you need to do a: echo "1" > /proc/sys/net/ipv4/ip_forward

This line is in the rc.firewall script:

echo "1" > /proc/sys/net/ipv4/ip_forward

And TurboLinux comes with a program called turbonetcfg which helps
with configuring network settings.  I also turned on ip forwarding in
there too.

>    * When you specified the iptables command for the MASQUERADE did you
>       specify the interface which has the outbound connection on it ?

This line is in the rc.firewall script:

$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Do I need to specify eth0 as an inbound connection?  If so, how would I
do that?


> See ya

> Dean Thompson

> --
> +____________________________+____________________________________________+

> | Bach. Computing (Hons)     | ICQ     - 45191180                         |
> | PhD Student                | Office  - <Off-Campus>                     |
> | School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
> | MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
> | Melbourne, Australia       |                                            |
> +----------------------------+--------------------------------------------+

Post by Dean Thompso » Fri, 17 Aug 2001 20:27:24


Hi!,

> cat /proc/interrupts

>            CPU0
>   0:    6642053          XT-PIC  timer
>   1:        819          XT-PIC  keyboard
>   2:          0          XT-PIC  cascade
>   9:     414447          XT-PIC  eth0
>  10:      45013          XT-PIC  ide2
>  12:     619911          XT-PIC  eth1
>  15:          7          XT-PIC  ide1
> NMI:          0
> LOC:          0
> ERR:          0
> MIS:          0

> looks like irq 9 is only being used by eth0 (the card that connects to
> the lan).

Yes, it looks like it is free, but keep in mind that the list doesn't show
where your serial ports and printer ports fit into the picture, and I am sure
that they are there.  Still IRQ 9 looks like it might be okay.


>> * Does Turbo Linux have something like /etc/sysctl.conf for IP forwarding
>>    or do you need to do a: echo "1" > /proc/sys/net/ipv4/ip_forward

> this line is in the rc.firewall script

> echo "1" > /proc/sys/net/ipv4/ip_forward

> and turbolinux comes with a program called turbonetcfg which helps
> with configuring network settings.  I also turned on ip forwarding in
> there too.

Sounds like an idea.


> >    * When you specified the iptables command for the MASQUERADE did you
> >       specify the interface which has the outbound connection on it ?

> this line is in the rc.firewall script

> $IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

> do I need to specify eth0 as an inbound connection?  if so how would I
> do that?

No, basically the above command should be saying that eth1 is your ethernet
device which is connected to the external network.  I presume eth1 is
connected to your outside network.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+