/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
P. Thomas Schoenemann <[EMAIL PROTECTED]> wrote:
>
> 4) From the local machine, I can ping the external (real) address of the
> masq server
That's good.
> I cannot get step 5 to work. I cannot get the local machine to ping any
> external machine (other than the masq server's external address).
There are a number of reasons why this might not work.
> According to the howto, step 4 proves that "masquerading is working (ICMP
> Masquerading specifically)."
That's right. Up until that point, all you know is that your IP routing
is correct. Your private LAN machine was able to route a packet to the
masq box, and it replied back. It doesn't mean that masq is working,
because masq only occurs when traffic actually leaves the external
interface. In this case, the packet didn't actually try to leave the
masq box, so it was not masqueraded.
> If the internet connection wasn't working, how does all the pinging
> work?
None of the pings tried to go to the Internet, until you tried step 5.
Those other steps would work whether you were connected to the Internet
or not. They are just testing routes, which need to be in place before
anything else can work.
> And how could the masq server be accessing (pinging and telneting)
> external machines?
The masq server does not need to *forward* any traffic in order to ping
an external host. It also does not have to *masq* its traffic in order
to do this. It can reach those hosts directly. So pinging from the
masq box to the outside world does not test masquerade at all; it only
shows that your Internet connection is up and working.
> If the simple rc.firewall ruleset wasn't used, how could the internal
> machine ping the masq server's external address?
It can do that because when the packet reaches the masq box, it
recognizes the destination address as one of its local interfaces, and
so it replies. No forwarding or masquerading needed.
> The same question goes for whether ICMP masquerading is compiled into
> the Linux kernel: how could I ping anything in the local network
> (e.g., step 4)?
ICMP is always available, but ICMP *masquerade* is not always available;
it is a kernel option that must be specifically enabled. As I
mentioned, masquerade doesn't get involved until a packet is actually
forwarded through the masq box and leaving it; so it doesn't become
important that you have ICMP masq enabled until that point.
> I thought that step 4 proved that I had masquerading working?
Nope. Step 5 proves that. But unfortunately there are TWO main reasons
why that step might fail. One is that ICMP masq is not enabled in your
kernel. The other is that masq itself is not set up correctly.
The best way to tell the difference is to telnet to an IP address on the
outside, from your internal client (behind the masq box). This will
almost certainly work if masq is set up correctly, but should fail in
the same way as the ping if masq is not working.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Just about every computer on the market
sometimes known as David DeSimone || today runs Unix, except the Mac (and
http://www.dallas.net/~fox/ || nobody cares about it). -- Bill Joy '85
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES
UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
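Added example, not part of the original post or the IP Masquerade HOWTO: a small shell script that runs the checks the reply above talks about from the LAN client and applies the reply's reasoning to say which layer is broken. It pings the masq box's internal address (LAN routing), its external address (step 4: routes only, no masq involved), a host on the Internet (step 5: needs ICMP masq), and then makes a TCP connection to that host in place of the telnet test, which is what separates "ICMP masq not compiled in" from "masq not set up". The addresses, the 3-second timeout, the `ping -W` flag (iputils on Linux) and the use of `nc` for the TCP probe are all assumptions to adjust for your own network.

```shell
#!/bin/sh
# Added example (not from the original post): run the HOWTO-style checks from a
# LAN client behind the masq box and apply the reasoning in the reply to decide
# which layer is broken. All addresses below are assumptions; set them for your
# network, then run with:  sh masq-diag.sh run

MASQ_INT=${MASQ_INT:-192.168.1.1}    # masq box, LAN-side address (assumption)
MASQ_EXT=${MASQ_EXT:-203.0.113.10}   # masq box, real external address (assumption)
REMOTE=${REMOTE:-198.51.100.20}      # any host out on the Internet (assumption)
REMOTE_PORT=${REMOTE_PORT:-80}       # a TCP port that host answers on (assumption)

# "ok" if one ICMP echo to $1 is answered within 3 s, else "fail".
# -W is the iputils (Linux) per-reply timeout in seconds (assumption).
probe_icmp() {
    if ping -c 1 -W 3 "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# "ok" if a TCP connection to $1:$2 completes within 3 s, else "fail".
# Stands in for the telnet test suggested in the reply; assumes netcat is installed.
probe_tcp() {
    if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# diagnose INT EXT ICMP TCP: each argument is "ok" or "fail", the result of
#   INT  = ping the masq box's internal address  (LAN routing)
#   EXT  = ping the masq box's external address  (step 4: routing only, no masq)
#   ICMP = ping a host on the Internet           (step 5: needs ICMP masq)
#   TCP  = connect to a TCP port on the Internet (masq without ICMP masq)
# Prints one verdict code; the checks are weighed in the order the reply gives.
diagnose() {
    int=$1 ext=$2 icmp=$3 tcp=$4
    if   [ "$int"  != ok ]; then echo ROUTING_LAN
    elif [ "$ext"  != ok ]; then echo ROUTING_EXT
    elif [ "$icmp"  = ok ]; then echo MASQ_OK
    elif [ "$tcp"   = ok ]; then echo NO_ICMP_MASQ
    else                         echo NO_MASQ
    fi
}

# Human-readable meaning of a verdict code.
explain() {
    case $1 in
        ROUTING_LAN)  echo "client cannot reach the masq box at all: fix LAN addressing and routes first" ;;
        ROUTING_EXT)  echo "client cannot reach the masq box's external address: routing, not masq, is the problem" ;;
        MASQ_OK)      echo "masquerading works, ICMP included" ;;
        NO_ICMP_MASQ) echo "TCP is masqueraded but ICMP is not: kernel built without ICMP masquerade support" ;;
        NO_MASQ)      echo "masq box is reachable but forwards nothing: check that forwarding is on and the masq rules are loaded" ;;
        *)            echo "unknown verdict $1" ;;
    esac
}

# Run the live probes and print the raw results plus the verdict.
run_checks() {
    int=$(probe_icmp "$MASQ_INT")
    ext=$(probe_icmp "$MASQ_EXT")
    icmp=$(probe_icmp "$REMOTE")
    tcp=$(probe_tcp "$REMOTE" "$REMOTE_PORT")
    echo "ping $MASQ_INT: $int   ping $MASQ_EXT: $ext   ping $REMOTE: $icmp   tcp $REMOTE:$REMOTE_PORT: $tcp"
    verdict=$(diagnose "$int" "$ext" "$icmp" "$tcp")
    echo "$verdict: $(explain "$verdict")"
}

# Live probes only when explicitly asked for, so the functions can be sourced or tested.
if [ "${1:-}" = run ]; then
    run_checks
fi
```

The order of the tests matters: a failing ping to the Internet means nothing until the two pings to the masq box have passed, because those only prove the routes, and the TCP probe is what tells a kernel without ICMP masq apart from a masq box that is not forwarding or masquerading at all.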