Re: IP Masq troubles

2003-01-05 Thread Rob Weir
On Sat, Jan 04, 2003 at 12:29:50AM -0500, David P James wrote:
> I am getting quite frustrated at not being able to do something that I 
> once was able to do without any trouble... set up IP masquerading.
> 
> Here's the box: 3.0r1, Kernel 2.2.20 (gave up on trying to 
> compile/install a 2.4.x kernel). eth1 is the external, eth0 internal.

Have you heard about the kernel-image packages?  apt-get install
kernel-image-2.4.18-<arch>, where arch is something like 386, 686, k7 or
whatever.  They contain full kernel images, with most everything you
could want compiled as modules.  Install one, reboot into it and use
modconf to load the appropriate modules and you should be all set.  Also,
there's a package called 'ipmasq' that'll handle most any sort of NAT
you could want.

-rob





Re: IP Masq troubles

2003-01-03 Thread David P James
David P James was roused into action on 2003-01-04 00:29 and wrote:

> Here's the box: 3.0r1, Kernel 2.2.20 (gave up on trying to 
> compile/install a 2.4.x kernel). eth1 is the external, eth0 internal.
> 
> ISP
> -->
> - 24.x.y.z (external, by DHCP)
> RH7.3 Gateway
> -192.168.1.1 (internal)
> -->hub-->
> - 192.168.1.14 (external, by DHCP - eth1)
> Debian 3.0r1 gateway-to-be
> - 192.168.0.1 (internal - eth0)
> -->hub-->
> - 192.168.0.10 (eth0, by DHCP)
> My Debian 3.0 machine
> 
> When this gets moved to my university city, it will look like:
> 
> ISP
> -->
> - 24.x.y.z (external, by DHCP - eth1)
> Debian 3.0r1 gateway-to-be
> - 192.168.0.1 (internal - eth0)
> -->hub-->
> - 192.168.0.10 (eth0, by DHCP)
> My Debian 3.0 machine
> 
> So the fact that the gateway-to-be is behind another firewall shouldn't 
> matter, right?
> 
> Right now, the gateway-to-be can connect to the internet. My box in this 
> set up behind it can't, but it can connect to the gateway-to-be and get 
> its IP from there through DHCP (e.g. I can ping 192.168.0.1 but not 
> 192.168.1.1 or 192.168.1.14 or anything else - the network is 
> unreachable). I've installed the ipmasq package, which, the last time I 
> did this a year and a half ago set up everything fine.
> 
> The relevant bits of interfaces are:
> 
>   auto eth1
>   iface eth1 inet dhcp
> 
>   auto eth0
>   iface eth0 inet static
>   address 192.168.0.1
>   network 192.168.0.0
>   netmask 255.255.255.0
>   broadcast 192.168.0.255

The problem, amazingly, was that the modules ipip and/or ip_gre weren't 
loaded into the kernel (I don't know which is the problem yet as both 
are now loaded and forwarding is working). Last time when I installed 
Debian 2.2 I loaded every ipv4 module there was in a shotgun type of 
approach. This time I didn't...


--
David P. James
Ottawa, Ontario
http://members.rogers.com/dpjames/

The bureaucratic mentality is the only constant in the universe.
-Dr. Leonard McCoy, Star Trek IV


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



IP Masq troubles

2003-01-03 Thread David P James
I am getting quite frustrated at not being able to do something that I 
once was able to do without any trouble... set up IP masquerading.

Here's the box: 3.0r1, Kernel 2.2.20 (gave up on trying to 
compile/install a 2.4.x kernel). eth1 is the external, eth0 internal.

I am trying to set this up at home behind an existing gateway so that 
when I return to my university city I shall have an operable 
gateway/firewall machine for the 5 of us students who share 
accommodations and internet.

Ok, so right now we have:

ISP
-->
- 24.x.y.z (external, by DHCP)
RH7.3 Gateway
-192.168.1.1 (internal)
-->hub-->
- 192.168.1.14 (external, by DHCP - eth1)
Debian 3.0r1 gateway-to-be
- 192.168.0.1 (internal - eth0)
-->hub-->
- 192.168.0.10 (eth0, by DHCP)
My Debian 3.0 machine


When this gets moved to my university city, it will look like:

ISP
-->
- 24.x.y.z (external, by DHCP - eth1)
Debian 3.0r1 gateway-to-be
- 192.168.0.1 (internal - eth0)
-->hub-->
- 192.168.0.10 (eth0, by DHCP)
My Debian 3.0 machine

So the fact that the gateway-to-be is behind another firewall shouldn't 
matter, right?

Right now, the gateway-to-be can connect to the internet. My box in this 
set up behind it can't, but it can connect to the gateway-to-be and get 
its IP from there through DHCP (e.g. I can ping 192.168.0.1 but not 
192.168.1.1 or 192.168.1.14 or anything else - the network is 
unreachable). I've installed the ipmasq package, which, the last time I 
did this a year and a half ago set up everything fine.

The relevant bits of interfaces are:

 auto eth1
 iface eth1 inet dhcp

 auto eth0
 iface eth0 inet static
 address 192.168.0.1
 network 192.168.0.0
 netmask 255.255.255.0
 broadcast 192.168.0.255

ifconfig shows both to be up (obviously, as I can get a .0.x IP from 
behind it).


I'm hoping that this problem will go away when I set it up without 
another firewall in front of it, but I'm not convinced this will happen 
as I see no good reason for it not to be working right now.

I can provide more gory details if needed. Thanks
--
David P. James
Ottawa, Ontario
http://members.rogers.com/dpjames/

The bureaucratic mentality is the only constant in the universe.
-Dr. Leonard McCoy, Star Trek IV





The IP MASQ MTU problem

2002-12-01 Thread Mark Copper
I've just had the pleasure of hunting this one down.  I've included the
option mtu 1492 in /etc/network/interfaces for my NIC and I seem to be
back in business (knock on woody!).  This per the IP-MASQ HOWTO, section
7.15 (I connect via PPPoE).

But I wish I understood this better.  Why would an MTU of 1500 suddenly
become a problem?  I had been doing fine for weeks.  Why would it be a
problem for one machine and not another?  My 2.2 kernel machine has no
problem.  The HOWTO says MTU for PPPoE is 1490 but ifconfig shows 1492; if
a difference of 10=1500-1490 is a problem, might 2 be?

Anyone out there willing to shed light/share experience? (I can't bring up
the MTU thread from the linux kernel list; is the link outdated?)

Thanks.

Mark






IP Masq (problem w/dcc chat & send)

2002-09-07 Thread louie miranda

I have an internal LAN. It's on IP Masq using ipchains.
The problem is DCC chat & send. Well, I can't send or do
DCC chat.

Now I've read this URL:
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/irc-dcc.html

I've followed every step of its procedure, but still have no luck.


modprobe ip_masq_irc "ports=6667,6668,6669,7000,1024,1025,1026,1027,1028,1029"

I tried this, and still no luck.

If there's anyone out there who has had success with this problem before, please tell
me what you did to solve it.. :(


Thanks,
Louie...






Problem with Quake 3 Arena! Linux IP masq to blame! Please help!

2001-11-28 Thread Arcadio A. Sincero Jr.
I seem to be having some difficulties with Quake 3 Arena and Linux IP
masquerading.  First, the technical details.  My Internet connection is a
Verizon PPPoE ADSL connection.  The IP masquerading box is a home built
100 MHz AMD K5 machine with 64MB of memory.  It is running Debian "woody"
using a stock 2.2.17 kernel.  I am using v3.0 of Roaring Penguin's PPPoE
client.  The only PPPoE option I am using that I think is relevant to this
discussion is that I have "TCP maximum segment size clamping" enabled (the
-m option to `pppoe') and it is set to "1412".  And I do have the
"ip_masq_quake.o module" loaded.

The box that I am playing Quake 3 Arena on is a Windows XP machine.  The
problem that I am experiencing is that I frequently get the "disconnected"
icon during game play.  It increases in frequency whenever I am in a room
with a lot of other players, however it doesn't come on at all if I am by
myself on the server.  I am fairly certain the problem is with the IP
masquerading box because when I hook up the WinXP machine directly to the
DSL modem and use WinXP's builtin PPPoE client, I don't get the disconnected
icon at all!

Does anybody have any clues as to what could be the problem here?  What
settings on the IP masq box should I investigate?  I am suspecting the "TCP
mss clamping" might have something to do with it.  Am I right to suspect
that?

Thanks in advance for any help with this.

- Arcadio







Re: Reiser and IP Masq kernel2.4.12

2001-10-21 Thread Vineet Kumar
* Lance Hoffmeyer ([EMAIL PROTECTED]) [011020 14:38]:
> On Sat, Oct 20, 2001 at 07:03:04PM -0200, Michel Loos wrote:
> > On Sat, 20 Oct 2001, Lance Hoffmeyer wrote:
> > > Does anyone have IP Masq setup using a Reiser FS and kernel
> > > 2.4.12.  I setup IP Masq one night with kernel 2.4.12 when I had a
> > > ext2 FS on my router.  It worked fine.  The next day I reinstalled
> > > my system using Reiser FS.  I installed the same kernel.deb that I
> > > used the previous night and now I cannot MASQ my computers.  The
> > > network works.  I can ping router->workstation,
> > > router->outside,workstation->router, but I cannot ping
> > > workstation->outside.  If I cat /proc/sys/net/ipv4/ip_forward it
> > > returns 0 even though I set all of the iptable rules to forward.
> > You have to do a
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > in order to activate the forwarding iptables just sets the rules
> Sorry, I did that too.  I just didn't mention it.

(I reordered these replies to put them in top-down order)

This doesn't add up. If you've put a 1 in ip_forward, catting it should
give you back a 1, not a 0. A clean way to make this happen every time
networking is enabled is to open up /etc/network/options and make sure
you have a line that says "ip_forward=yes" . Then /etc/init.d/networking
will do the cat for you every time it brings up the networking systems.

-- 
Vineet   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'




Re: Reiser and IP Masq kernel2.4.12

2001-10-20 Thread Lance Hoffmeyer
Sorry, I did that too.  I just didn't mention it.

Lance

On Sat, Oct 20, 2001 at 07:03:04PM -0200, Michel Loos wrote:
> Date: Sat, 20 Oct 2001 19:03:04 -0200 (BRST)
> From: Michel Loos <[EMAIL PROTECTED]>
> To: Lance Hoffmeyer <[EMAIL PROTECTED]>
> cc: debian-user@lists.debian.org
> Subject: Re: Reiser and IP Masq kernel2.4.12
> In-Reply-To: <[EMAIL PROTECTED]>
> X-UIDL: 0ba24b5d7a193b8d28475b92eb8c899c
> 
> On Sat, 20 Oct 2001, Lance Hoffmeyer wrote:
> 
> > Does anyone have IP Masq setup using a Reiser FS and kernel 2.4.12.
> > I setup IP Masq one night with kernel 2.4.12 when I had a ext2 FS on my
> > router.  It worked fine.  The next day I reinstalled my system using Reiser
> > FS.  I installed the same kernel.deb that I used the previous night and now
> > I cannot MASQ my computers.  The network works.  
> > I can ping router->workstation, router->outside,workstation->router, but I
> > cannot ping workstation->outside.  If I cat /proc/sys/net/ipv4/ip_forward
> > it returns 0 even though I set all of the iptable rules to forward.
> 
> You have to do a
> echo 1 > /proc/sys/net/ipv4/ip_forward
> in order to activate the forwarding iptables just sets the rules
> 
> Michel.
> 
> 
> > 
> > Lance
> > 
> > 
> > 
> > 
> 
> Pr. Michel Loos |  Phone:  55 11 818 3810 p. 216
> Inst. de Quimica USP|  Fax:55 11 815 5579
> PO Box 26077 05599-970 São Paulo, S SP
> Brazil
> 
> 
> 



Re: Reiser and IP Masq kernel2.4.12

2001-10-20 Thread Michel Loos
On Sat, 20 Oct 2001, Lance Hoffmeyer wrote:

> Does anyone have IP Masq setup using a Reiser FS and kernel 2.4.12.
> I setup IP Masq one night with kernel 2.4.12 when I had a ext2 FS on my
> router.  It worked fine.  The next day I reinstalled my system using Reiser
> FS.  I installed the same kernel.deb that I used the previous night and now
> I cannot MASQ my computers.  The network works.  
> I can ping router->workstation, router->outside,workstation->router, but I
> cannot ping workstation->outside.  If I cat /proc/sys/net/ipv4/ip_forward
> it returns 0 even though I set all of the iptable rules to forward.

You have to do a
echo 1 > /proc/sys/net/ipv4/ip_forward
in order to activate the forwarding iptables just sets the rules

Michel.


> 
> Lance
> 
> 
> 
> 

Pr. Michel Loos |  Phone:  55 11 818 3810 p. 216
Inst. de Quimica USP|  Fax:55 11 815 5579
PO Box 26077 05599-970 São Paulo, S SP
Brazil




Re: Reiser and IP Masq kernel2.4.12

2001-10-20 Thread Dean Allen Provins
Hello:

Don't you also have to do (as root):

echo "1" > /proc/sys/net/ipv4/ip_forward

Dean

On Sat, Oct 20, 2001 at 08:21:17AM -0500, Lance Hoffmeyer wrote:
> Does anyone have IP Masq setup using a Reiser FS and kernel 2.4.12.
> I setup IP Masq one night with kernel 2.4.12 when I had a ext2 FS on my
> router.  It worked fine.  The next day I reinstalled my system using Reiser
> FS.  I installed the same kernel.deb that I used the previous night and now
> I cannot MASQ my computers.  The network works.  
> I can ping router->workstation, router->outside,workstation->router, but I
> cannot ping workstation->outside.  If I cat /proc/sys/net/ipv4/ip_forward
> it returns 0 even though I set all of the iptable rules to forward.
> 
> Lance
> 
> 
> 

-- 
Dean Provins 
[EMAIL PROTECTED]
[EMAIL PROTECTED]

I support Linux as a stimulating and productive alternative to
other PC operating systems.



Reiser and IP Masq kernel2.4.12

2001-10-20 Thread Lance Hoffmeyer
Does anyone have IP Masq setup using a Reiser FS and kernel 2.4.12.
I setup IP Masq one night with kernel 2.4.12 when I had a ext2 FS on my
router.  It worked fine.  The next day I reinstalled my system using Reiser
FS.  I installed the same kernel.deb that I used the previous night and now
I cannot MASQ my computers.  The network works.  
I can ping router->workstation, router->outside,workstation->router, but I
cannot ping workstation->outside.  If I cat /proc/sys/net/ipv4/ip_forward
it returns 0 even though I set all of the iptable rules to forward.

Lance



Re: vmware & ip masq

2001-08-26 Thread Tupshin Harper
Whups...made a mistake.  You don't need an ifconfig command.  Just make sure
that your default gateway in the vmware os is set to the address of your
vmnet1 interface in linux.

Secondly, I would apply the remaining commands I mentioned before by hand to
make sure things work.

I put the commands as i wrote them in /etc/pcmcia/network since I'm using a
pcmcia(wireless card).  Not sure off the top of my head about the best place
to do it for a regular card, and I'm not positive if the ipforward=yes does
what you need(probably, just not sure).

-Tupshin

First of all, I would try applying all of these commands by hand and test to
see that it works.
- Original Message -
From: "Titus Barik" <[EMAIL PROTECTED]>
To: "Tupshin Harper" <[EMAIL PROTECTED]>
Cc: 
Sent: Saturday, August 25, 2001 6:33 PM
Subject: Re: vmware & ip masq


> On Sat, 25 Aug 2001, Tupshin Harper wrote:
>
> > I'm doing exactly this: debian 2.4.x custom kernel + vmware + masquerading.
> >
> > Make sure that the ipt_MASQUERADE module is loaded, and make sure the
> > iptables debian package is installed.
>
> Done.
>
> > Then add an IP address to your ethernet card that is on the same subnet as
> > your vmware machine:
> > eg: ifconfig eth0 add 192.168.155.2
>
> Where would I add this? I assume it would be under /etc/network
> interfaces. Would I add a "up ifconfig ..." to my current auto eth0 or
> is there a better (or more correct) way?
>
> > enable ip_forwarding:
> > echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Here I modified /etc/network/options and set ipforward=yes.
>
> > apply one iptables rule:
> > /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> Where would I put this line if I wanted it to work on reboot? Also under
> /etc/network/interfaces? Or elsewhere?
>
> I apologize if these are trivial questions. I am anxious to get this
> thing working!
>
> Thank you once again.
>
> Titus Barik ([EMAIL PROTECTED])
> AIM: TBarik  ICQ: 1604453
>
>
>
>



Re: vmware & ip masq

2001-08-25 Thread Titus Barik
On Sat, 25 Aug 2001, Tupshin Harper wrote:

> I'm doing exactly this: debian 2.4.x custom kernel + vmware + masquerading.
> 
> Make sure that the ipt_MASQUERADE module is loaded, and make sure the
> iptables debian package is installed.

Done.

> Then add an IP address to your ethernet card that is on the same subnet as
> your vmware machine:
> eg: ifconfig eth0 add 192.168.155.2

Where would I add this? I assume it would be under /etc/network
interfaces. Would I add a "up ifconfig ..." to my current auto eth0 or
is there a better (or more correct) way?

> enable ip_forwarding:
> echo 1 > /proc/sys/net/ipv4/ip_forward

Here I modified /etc/network/options and set ipforward=yes.

> apply one iptables rule:
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Where would I put this line if I wanted it to work on reboot? Also under
/etc/network/interfaces? Or elsewhere?

I apologize if these are trivial questions. I am anxious to get this
thing working!

Thank you once again.

Titus Barik ([EMAIL PROTECTED])
AIM: TBarik  ICQ: 1604453



Re: vmware & ip masq

2001-08-25 Thread Tupshin Harper
I'm doing exactly this: debian 2.4.x custom kernel + vmware + masquerading.

Make sure that the ipt_MASQUERADE module is loaded, and make sure the
iptables debian package is installed.

Then add an IP address to your ethernet card that is on the same subnet as
your vmware machine:
eg: ifconfig eth0 add 192.168.155.2

Set your vmware OS's default gateway to be that address (easier if you
disable dhcp in your guest and just hard code the configuration).

enable ip_forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

apply one iptables rule:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

-Tupshin

- Original Message -
From: "Titus Barik" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, August 25, 2001 2:54 PM
Subject: vmware & ip masq


> Huzza! It's me again.
>
> I'm running Woody with a 2.4.6 custom kernel. Here's what I'm trying to
> do. I have a VMWare host-only network running Windows 98 SE. The virtual
> machine's IP is 192.168.155.128. The host machine is 128.61.40.17, and
> is accessed through VMWare Win98 session as 192.168.155.1.
>
> Because of the way our University is setup, we can only have one IP per
> port. As such, I need to do some routing to get the 192.168.155.* VMs to
> access the outside world (instead of just the host).

> One solution that has worked is to use Squid proxy for HTTP. But I would
> much rather use IP Masquerading, except I'm not sure how.
>
> I'm pretty much a Debian newbie, and I know I've asked a lot from the
> list, but I'd really appreciate it if someone could tell me how to get
> this setup going (i.e., what kernel options do I need? how do I setup
> iptables?, etc.).
>
> If there is a relatively newbie friendly document that one could refer
> me to, that would work as well.
>
> Thanks in advance!
>
> Titus Barik ([EMAIL PROTECTED])
> AIM: TBarik  ICQ: 1604453
>
>
>
>
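
The three commands in the reply above (load ipt_MASQUERADE, set ip_forward, add a POSTROUTING MASQUERADE rule) are enough to get the guest onto the network, but they leave the FORWARD chain at its ACCEPT default, so the host will forward anything routable in either direction, and the MASQUERADE rule rewrites every packet leaving eth0 rather than just the guest subnet. The script below is an added example, not code from this thread or from the ipmasq package: it prints a default-deny ruleset for a 2.4 kernel with iptables (a 2.2 kernel uses ipchains and -j MASQ instead), drops packets that arrive on the external interface claiming an internal source address, and only applies the rules when APPLY=1 is set. Because the printed text is meant to be piped to sh, the interface name and subnet are validated before they are interpolated. The interface eth0 and subnet 192.168.155.0/24 come from the thread; the persistence note about /etc/network/options is the woody mechanism mentioned in the Reiser thread above; everything else is an assumption.

```shell
#!/bin/sh
# Added example (not from the list): print, and optionally apply, a
# default-deny masquerading ruleset for a 2.4 kernel with iptables.
# Usage: EXT_IF=eth0 INT_NET=192.168.155.0/24 [APPLY=1] sh masq-rules.sh

# Interface name: 1-15 chars of letters, digits, . _ : - only. Anything else
# is refused because the generated text is later executed by sh.
is_ifname() {
    case $1 in ''|*[!A-Za-z0-9_.:-]*) return 1 ;; esac
    [ ${#1} -le 15 ]
}

# a.b.c.d/n with four octets 0-255 and a prefix length 0-32.
is_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; bits=${1#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# gen_masq_rules EXT_IF INT_NET: print the ruleset, or fail on bad input.
gen_masq_rules() {
    ext_if=$1; int_net=$2
    is_ifname "$ext_if" && is_cidr "$int_net" || return 1
    cat <<EOF
# --- generated: masquerade $int_net out of $ext_if ---
modprobe ipt_MASQUERADE
# forwarding is off by default; ip_forward=yes in /etc/network/options keeps it on across reboots
echo 1 > /proc/sys/net/ipv4/ip_forward
# start from a clean FORWARD chain and NAT table, then default-deny forwarding
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
# anti-spoofing: an internal source address must never arrive on the external side
iptables -A FORWARD -i $ext_if -s $int_net -j DROP
# inside -> outside, plus the replies that belong to those connections
iptables -A FORWARD -s $int_net -o $ext_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d $int_net -i $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# rewrite only the internal subnet's packets, and only when they leave via $ext_if
iptables -t nat -A POSTROUTING -s $int_net -o $ext_if -j MASQUERADE
EOF
}

EXT_IF=${EXT_IF:-eth0}
INT_NET=${INT_NET:-192.168.155.0/24}
if [ "${APPLY:-0}" = 1 ]; then
    # apply, stopping at the first command that fails
    gen_masq_rules "$EXT_IF" "$INT_NET" | sh -e
else
    gen_masq_rules "$EXT_IF" "$INT_NET" || echo "invalid EXT_IF or INT_NET" >&2
fi
```

Run it once without APPLY to read the rules, then with APPLY=1 as root. The state match needs ip_conntrack, which iptables loads on demand with the nat table on 2.4 kernels.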



vmware & ip masq

2001-08-25 Thread Titus Barik
Huzza! It's me again.

I'm running Woody with a 2.4.6 custom kernel. Here's what I'm trying to
do. I have a VMWare host-only network running Windows 98 SE. The virtual
machine's IP is 192.168.155.128. The host machine is 128.61.40.17, and
is accessed through VMWare Win98 session as 192.168.155.1.

Because of the way our University is setup, we can only have one IP per
port. As such, I need to do some routing to get the 192.168.155.* VMs to
access the outside world (instead of just the host).

One solution that has worked is to use Squid proxy for HTTP. But I would
much rather use IP Masquerading, except I'm not sure how.

I'm pretty much a Debian newbie, and I know I've asked a lot from the
list, but I'd really appreciate it if someone could tell me how to get
this setup going (i.e., what kernel options do I need? how do I setup
iptables?, etc.).

If there is a relatively newbie friendly document that one could refer
me to, that would work as well.

Thanks in advance!

Titus Barik ([EMAIL PROTECTED])
AIM: TBarik  ICQ: 1604453



IP Masq. problem solved

2001-06-15 Thread Ed Lawson
Turned out ppp was set with an MTU and MRU of 576.
Apparently that causes the problem I encountered.
It is documented in the IP Masq. HOWTO.
Setting them to 1500 solved the problem.
It was the last gotcha to solve.

Ed Lawson
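
The MTU thread above ("The IP MASQ MTU problem"), the Quake 3 PPPoE thread and this message all turn on the same arithmetic. PPPoE carries PPP inside Ethernet and spends 8 bytes on it (6 for the PPPoE header, 2 for the PPP protocol field), so a 1500-byte Ethernet frame leaves 1492 bytes for IP. A TCP peer that negotiated MSS 1460 (what a host with a 1500-byte MTU offers) sends 1500-byte segments that cannot cross a 1492-byte link; if the ICMP "fragmentation needed" message never gets back to it, the first large transfer stalls while small packets keep working. Clamping the MSS in TCP SYNs on the masquerading box removes the dependency on ICMP. Clamping touches only TCP SYN segments, so it has no effect on UDP traffic. The script below is an added example, not code from these messages: it works out the numbers and prints the iptables TCPMSS rule for a 2.4 kernel without running anything. The interface name ppp0 is an assumption; the MTU values 1500, 1492 and 576 are the ones discussed on the page.

```shell
#!/bin/sh
# Added example (not from the list): MTU/MSS arithmetic for a masquerading
# box behind PPPoE, plus the iptables rule that clamps the MSS on 2.4 kernels.

# Non-negative integer check; everything below does arithmetic on its inputs.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# 6 bytes PPPoE header + 2 bytes PPP protocol field.
PPPOE_OVERHEAD=8
# Minimum IPv4 header (20) plus minimum TCP header (20).
IP_TCP_HEADERS=40

# MTU usable for IP when PPPoE runs over an Ethernet link of the given MTU.
pppoe_mtu() {
    is_uint "$1" && [ "$1" -gt $PPPOE_OVERHEAD ] || return 1
    echo $(( $1 - PPPOE_OVERHEAD ))          # 1500 -> 1492
}

# The largest TCP payload that fits in one packet on a link with this MTU.
tcp_mss_for_mtu() {
    is_uint "$1" && [ "$1" -ge 68 ] || return 1   # 68 is the IPv4 minimum MTU
    echo $(( $1 - IP_TCP_HEADERS ))          # 1492 -> 1452, 576 -> 536
}

# True (0) when a full-sized segment built from MSS does not fit the link and
# delivery therefore depends on ICMP "fragmentation needed" reaching the sender.
needs_fragmentation() {
    mss=$1; link_mtu=$2
    is_uint "$mss" && is_uint "$link_mtu" || return 2
    [ $(( mss + IP_TCP_HEADERS )) -gt "$link_mtu" ]
}

# Rule for a 2.4 kernel (ipt_TCPMSS): rewrite the MSS option in SYNs forwarded
# out of the PPPoE interface. On 2.6 and later the same rule has to live in
# the mangle table (-t mangle) instead of the filter table.
gen_mss_clamp_rule() {
    ext_if=$1; link_mtu=$2
    case $ext_if in ''|*[!A-Za-z0-9_.:-]*) return 1 ;; esac
    mss=$(tcp_mss_for_mtu "$link_mtu") || return 1
    printf 'iptables -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss %s\n' "$ext_if" "$mss"
}

# Walk through the numbers from the threads.
link=$(pppoe_mtu 1500)
echo "PPPoE link MTU: $link, usable MSS: $(tcp_mss_for_mtu "$link")"
for mss in 1460 1452 536; do
    if needs_fragmentation "$mss" "$link"; then
        echo "MSS $mss: segments of $(( mss + IP_TCP_HEADERS )) bytes exceed $link, ICMP dependent"
    else
        echo "MSS $mss: fits on a $link-byte link"
    fi
done
gen_mss_clamp_rule ppp0 "$link"
```

Instead of a fixed --set-mss value, --clamp-mss-to-pmtu derives the figure from the MTU of the outgoing interface, which is the form the IP-Masquerade HOWTO gives; either way the rule belongs on the forwarding box, where the internal hosts' SYNs pass through. The pppoe client's -m option does the same rewriting in user space for a 2.2 kernel that lacks the TCPMSS target.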





Re: ip masq

2001-06-08 Thread Paul Wright
Hi Derya,

> Hi all there,
> 
> I'm working at a school and we have a debian server. We use ip masq for
> more than one hundred Windows NT. Last week I got an empty PC and
> installed debian to it. Now I have a problem. I want to find a way to
> connect to my second debian from my home but it doesn't have an IP of its
> own; it's under the main server. So can I do something to say to the main
> server that whenever a "x.ourdomain.com " request comes it has to go to
> that machine? Sorry for my terrible technical English, but this is all I know...
> :(
> 
> Thanks in advance
> 

There's quite a bit involved in IP masq setup.  I'd recommend reading the 
IP-Masquerade-HOWTO, which should be found in:

http://localhost/doc/HOWTO/en-html/IP-Masquerade-HOWTO.html

If it's not there you can find it at:

http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html

You may want to see:

http://localhost/doc/HOWTO/en-html/Firewall-HOWTO.html


I hope this helps.

-ptw


-- 
Paul T. Wright <[EMAIL PROTECTED]>
-currently seeking employment-





Re: IP Masq IP addresses but no Telnet or Domain Names

2001-06-08 Thread will trillich
On Thu, Jun 07, 2001 at 09:35:00PM -0700, Stephen Handley wrote:
> Hi there,
> 
> I'm trying to get IP Masq up and running and am very close. I can ping IP
> numbers from my Masqd machine but have not telnet capability. Futhermore I
> can't see domain names from my debain machine or the masq'd machine. 
> 
> Any ideas.

my main ideas would be

apt-get install ipmasq

and sit back and relax. usually works wonders for me.
(you need /etc/network/interfaces to be set up to properly
reflect your network connections/setup; see "man interfaces" for
the full scoop.)

> One thing I've noticed is that I currently have no rc.firewall file. But
> from what I remember the last time I did this, Debian had the equivalent in
> a different file .. am I remembering correctly?


-- 
DEBIAN NEWBIE TIP #7 from Will Trillich <[EMAIL PROTECTED]>:
Wondering what COMMANDS you have at your disposal? Try pressing
the TAB key at the command line. For example, "apt<TAB>" will
show you all the commands that start with "apt". (This is called
"completion" if you want to look it up in your shell's manpage.)
(Different implementations have the <TAB> completion set up
differently -- you may need to press <TAB> twice.)

Also see http://newbieDoc.sourceForge.net/ ...



Re: ip masq

2001-06-08 Thread will trillich
On Fri, Jun 08, 2001 at 01:25:43PM +0300, Derya PALANCI wrote:
> Hi all there,
> 
> I'm working at a school and we have a debian server. We use ip
> masq for more than one hundred Windows NT. Last week I got an
> empty PC and installed debian to it. Now I have a problem. I
> want to find a way to connect to my second debian from my home
> but it doesn't have an IP of its own; it's under the main server.
> So can I do something to say to the main server that whenever
> a "x.ourdomain.com " request comes it has to go to that
> machine? Sorry for my terrible technical English, but this is all I
> know... :(

there may be other ways -- but the way i do that is to set up
PORT FORWARDING:

where the main contact/server is

http://xyz.somesite.tld:80/ == 1.2.3.4

and a behind-the scenes localnet addres you're trying to reach
from outside might be 192.168.12.34:

http://xyz.somesite.tld:12345/ -> 192.168.12.34:

this will have your server at 1.2.3.4, which doubles as, say,
192.168.1.1 on your internal lan, forward any request that comes
in on port 12345 (via the 1.2.3.4 interface) to machine
192.168.12.34 port  --

For 2.2x kernels, replace 'ipportfw' and 'ipautofw'
with 'ipmasqadm portfw' and 'ipmasqadm autofw'

# ipportfw -A -t ext.ern.al.ip/port -R se.rv.er.ip/port
where -t is tcp, or replace it with -u for udp

# ipautofw -A -r proto low high -h se.rv.er.ip
where proto is tcp or udp, low is the first port, and high is
the last port (ipautofw is good for a contiguous group of ports)

...as gleaned from http://lrp.c0wz.com/dox/portfw.txt

so, for my potato on 2.2 i'd use

apt-get install netbase   # probably have this already
ipmasqadm portfw -a -P tcp -L 1.2.3.4 12345 -R 192.168.12.34 

to learn more, try

ipmasqadm portfw -h


-- 
DEBIAN NEWBIE TIP #12 from Will Trillich <[EMAIL PROTECTED]>:
Where is the DOCUMENTATION? It's all over the place... and there's
lots of it. Much was written for non-debian distributions, and
much was written long, long ago. But try these anyhow: on your
own system, try "man" and "info" and "apropos", and also look
under /usr/share/doc/* ... Online, there's linuxdoc.org,
debianhelp.org, and debian.org/doc/ of course.  Also try
http://newbiedoc.sourceforge.net/general/index-deb-help-sys.html

Also see http://newbieDoc.sourceForge.net/ ...
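
A port forward of the kind described above publishes one internal service on the gateway's public address to anyone who can reach that address, and on a 2.2 kernel the redirected packet still has to pass the gateway's ipchains input chain first. The script below is an added example, not code from this reply: it validates its inputs (the text it prints is meant to be piped to sh, so anything containing shell metacharacters is refused), rejects ports outside 1-65535, warns when the target is not a private RFC 1918 address, and prints the ipmasqadm portfw command together with an input rule that admits the forwarded port only from a stated source network. The addresses 1.2.3.4 and 192.168.12.34 and the port 12345 come from the reply; the source network 203.0.113.0/24 and the target port 22 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the list): generate 2.2-kernel port-forwarding
# commands (ipmasqadm portfw plus an ipchains input rule) after validating input.

is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Dotted quad with an optional /prefix, or 0/0 for "anywhere". Only digits,
# dots and one slash are allowed, which keeps shell metacharacters out of the
# generated text.
is_addr() {
    case $1 in
        0/0) return 0 ;;
        ''|*[!0-9./]*|*/*/*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
is_rfc1918() {
    case $1 in 10.*|192.168.*) return 0 ;; esac
    case $1 in 172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;; esac
    return 1
}

# gen_portfw PROTO EXT_IP EXT_PORT INT_IP INT_PORT [ALLOWED_SRC]
gen_portfw() {
    proto=$1 ext_ip=$2 ext_port=$3 int_ip=$4 int_port=$5 allowed=${6:-0/0}
    case $proto in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    is_addr "$ext_ip" && is_addr "$int_ip" && is_addr "$allowed" || { echo "bad address" >&2; return 1; }
    is_port "$ext_port" && is_port "$int_port" || { echo "bad port" >&2; return 1; }
    is_rfc1918 "$int_ip" || echo "warning: $int_ip is not a private address" >&2
    cat <<EOF
# forward $proto $ext_ip:$ext_port -> $int_ip:$int_port (kernel 2.2, ipmasqadm)
ipmasqadm portfw -a -P $proto -L $ext_ip $ext_port -R $int_ip $int_port
# the packet is checked by the input chain before it is redirected:
# admit it from $allowed only, so the forward is not open to the whole Internet
ipchains -A input -p $proto -s $allowed -d $ext_ip $ext_port -j ACCEPT
EOF
}

# Flush stale forwards first: an entry pointing at a host that no longer
# exists keeps its port reachable on the gateway.
echo "ipmasqadm portfw -f"
gen_portfw tcp 1.2.3.4 12345 192.168.12.34 22 203.0.113.0/24
```

On a 2.4 kernel the equivalent is an iptables DNAT rule in the nat table's PREROUTING chain plus a matching FORWARD accept; the source restriction goes on those rules in the same way.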



ip masq

2001-06-08 Thread Derya PALANCI



Hi all there,
 
I'm working at a school and we have a debian 
server. We use ip masq for more than one hundred Windows NT. Last week I got an 
empty PC and installed debian to it. Now I have a problem. I want to find a way 
to connect to my second debian from my home but it doesn't have an IP of its own; 
it's under the main server. So can I do something to say to the main server that 
whenever a "x.ourdomain.com " request comes it has to go to that machine? Sorry 
for my terrible technical English, but this is all I know... :(
 
Thanks in advance


Re: IP Masq IP addresses but no Telnet or Domain Names

2001-06-08 Thread Nicholas

TELNET :
- - Masquerade connection from internal network to Port 23
- - Allow connection out TO port 23
- - Allow connection in FROM port 23

DNS :
- - Masquerade connection from internal connection to your DNS Server port 53
- - Allow connection out TO DNS Server Port 53
- - Allow Connection in FROM DNS Server Port 53

YMMV tho'


On Friday 08 June 2001 04:35, Stephen Handley wrote:
> Hi there,
>
> I'm trying to get IP Masq up and running and am very close. I can ping IP
> numbers from my Masqd machine but have not telnet capability. Futhermore I
> can't see domain names from my debain machine or the masq'd machine.
>
> Any ideas.
>
> One thing I've noticed is that I currently have no rc.firewall file. But
> from what I remember the last time I did this, Debian had the equivalent in
> a different file .. am I remembering correctly?
>
> Thanks for your help
>
> Cheers
> Stephen
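
The recipe above opens the reply direction by source port ("allow connection in FROM port 23", "FROM DNS server port 53"). On a 2.2 kernel ipchains keeps no connection state, so a rule written that way admits any packet whose source port happens to be 23 or 53, including a fresh SYN aimed at a service on the gateway itself; the remote side chooses its own source port. The script below is an added example, not code from this message: it prints an ipchains ruleset that gives the same telnet and DNS access but accepts TCP replies only when the SYN flag is clear (! -y), pins UDP 53 to one resolver address, default-denies everything else, and drops packets that arrive on the external interface with an internal source address. The interface names, the 192.168.0.0/24 subnet and the resolver 203.0.113.53 are assumptions; the printed text is meant to be piped to sh, so the parameters are checked for shell metacharacters first.

```shell
#!/bin/sh
# Added example (not from the list): ipchains ruleset for a 2.2 masquerading
# gateway that allows telnet and DNS out without trusting source ports.
# Usage: EXT_IF=eth1 INT_IF=eth0 INT_NET=192.168.0.0/24 RESOLVER=a.b.c.d [APPLY=1] sh masq-chains.sh

is_ifname() {
    case $1 in ''|*[!A-Za-z0-9_.:-]*) return 1 ;; esac
    [ ${#1} -le 15 ]
}
# Address or network: digits, dots, at most one slash. Enough to keep shell
# metacharacters out of the generated commands.
is_net() { case $1 in ''|*[!0-9./]*|*/*/*) return 1 ;; *) return 0 ;; esac; }

# gen_ipchains_policy EXT_IF INT_IF INT_NET RESOLVER
gen_ipchains_policy() {
    ext_if=$1 int_if=$2 int_net=$3 resolver=$4
    is_ifname "$ext_if" && is_ifname "$int_if" && is_net "$int_net" && is_net "$resolver" || return 1
    cat <<EOF
ipchains -F
# default deny everywhere; each rule below opens exactly one thing
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# anti-spoofing: our own subnet must never appear as a source on the outside
ipchains -A input -i $ext_if -s $int_net -j DENY -l
# the LAN may talk to the gateway and is masqueraded when leaving via $ext_if
ipchains -A input -i $int_if -s $int_net -j ACCEPT
ipchains -A output -i $int_if -d $int_net -j ACCEPT
ipchains -A forward -i $ext_if -s $int_net -j MASQ
# telnet: outgoing SYNs are fine; packets from port 23 come in only if not a
# SYN, so a scanner using source port 23 cannot open connections to the gateway
ipchains -A output -i $ext_if -p tcp -d 0/0 23 -j ACCEPT
ipchains -A input -i $ext_if -p tcp ! -y -s 0/0 23 -j ACCEPT
# DNS: one resolver, UDP only, replies accepted from that exact address
ipchains -A output -i $ext_if -p udp -d $resolver 53 -j ACCEPT
ipchains -A input -i $ext_if -p udp -s $resolver 53 -j ACCEPT
# log whatever falls through to the default policy on the outside interface
ipchains -A input -i $ext_if -j DENY -l
EOF
}

EXT_IF=${EXT_IF:-eth1} INT_IF=${INT_IF:-eth0}
INT_NET=${INT_NET:-192.168.0.0/24} RESOLVER=${RESOLVER:-203.0.113.53}
if [ "${APPLY:-0}" = 1 ]; then
    gen_ipchains_policy "$EXT_IF" "$INT_IF" "$INT_NET" "$RESOLVER" | sh -e
else
    gen_ipchains_policy "$EXT_IF" "$INT_IF" "$INT_NET" "$RESOLVER" || echo "invalid parameters" >&2
fi
```

Replies to masqueraded connections arrive for the gateway's own address on the masquerade port range and pass the input chain like the gateway's own traffic, so the two input rules cover both cases; after demasquerading they leave through the output rule for the internal interface. A gateway that gets its external address by DHCP, as in the 2003 thread at the top of the page, needs UDP 67/68 rules on the external interface as well, or the lease will not renew.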



IP Masq IP addresses but no Telnet or Domain Names

2001-06-07 Thread Stephen Handley
Hi there,

I'm trying to get IP Masq up and running and am very close. I can ping IP
numbers from my Masqd machine but have not telnet capability. Futhermore I
can't see domain names from my debain machine or the masq'd machine. 

Any ideas.

One thing I've noticed is that I currently have no rc.firewall file. But
from what I remember the last time I did this, Debian had the equivalent in
a different file .. am I remembering correctly?

Thanks for your help

Cheers
Stephen



Re: IP masq, forward ?

2001-03-24 Thread Osamu Aoki
install ipmasq package

 # apt-get install ipmasq

 Then

 # ipmasq -v

 Check out my wishlist bug report #87499 to make the firewall stronger.
 
On Fri, Mar 23, 2001 at 03:00:56AM +0100, Szfelix wrote:
> I am a new debian user.
> 
> I have 2 eth in system, and I want to use as gateway for local net.
> 

-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ 
+  Osamu Aoki <[EMAIL PROTECTED]>, GnuPG-key: 1024D/D5DE453D  +
+   Fingerprint: 814E BD64 3288 40E7 E88E  3D92 C3F8 EA94 D5DE 453D   +
+   http://www.aokiconsulting.com/debian/ for FAQ  Cupertino, CA USA  +



Re: IP masq, forward ?

2001-03-23 Thread Steve Witt
On Fri, 23 Mar 2001, Szfelix wrote:

> I change the WIN2000 server.
> The local terminals can ping the output eth card but I can't go out on the
> internet.
> From the gateway I can go out.
> So simply what and where I must write to resolve this problem.
>
> and, where i can find a documentation, step by step to understand the linux
> platform.
> I pograming in DOS,WINDOWS since 1990 , so imagine what is in my mind...  :)
>
> I try MAN but I want to understand, to feel the LINUX system.
>
> Thanx
>Felix
>

It looks like you've got both of your Ethernet interfaces up and working
and IP forwarding working in the kernel. Did you compile in the IP
Masquerade modules into the kernel? That or the configuration of ipchains
might be in error. In any case there is a great HOWTO on this, the 'Linux
IP Masquerade HOWTO', which can be gotten from several HOWTO locations, I
use . I've been
able to install several IP Masquerading routers based on this.





IP masq, forward ?

2001-03-22 Thread Szfelix
I am a new debian user.

I have 2 eth cards in the system, and I want to use it as a gateway for the local net.

In /etc/network/interfaces:
--
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
 iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
#gateway 195.38.101.206

 iface eth0 inet static
   address 195.38.101.206
   netmask 255.255.254.0
   network 195.38.100.0
   broadcast 195.38.100.255
   gateway 195.38.100.1
   route add -net 195.38.101.206 netmask 255.255.254.0 dev eth0
   route add default gw 195.38.100.1 metric 1 dev eth0
--
etc/options
-
ip_forward=yes
spoofprotect=yes
syncookies=no



I change the WIN2000 server.
The local terminals can ping the output eth card but I can't go out on the
internet.
From the gateway I can go out.
So simply what and where I must write to resolve this problem.

And where can I find documentation, step by step, to understand the Linux
platform?
I have been programming in DOS and Windows since 1990, so imagine what is in my mind...  :)

I tried man, but I want to understand, to feel the Linux system.

Thanx
   Felix




Re: IP masq

2001-01-29 Thread David Wright
Quoting Gabor Gludovatz ([EMAIL PROTECTED]):
> On Mon, 29 Jan 2001, A+B Frank wrote:
> 
> > > I connect to the Internet from a masqueraded LAN through a masquerading
> > > gateway/proxy server. My problem is that, if I am logged in to somewhere
> > > outside our network with ssh or telnet, after a little while of inactivity
> > > the gateway resets the connection and I have to reconnect.
> > > 
> > > The proxy server is a Deb 2.1 with kernel 2.0.38. What should I set in its
> > > kernel if I want to keep the connection even if it's idle?
> > > 
> > > (it's all the same, wherever I connect to, I get disconnected, so it's
> > > not a logoutd thing.)
> > 
> > Hi,
> > it seems to me like a timeout for idle lines. Search in the
> > configuration files of ppp/ippp for a parameter "huptimeout" or so.
> 
> there is no (i)ppp installed to that machine. it connects with 10baseT
> ethernet to a micro device, and we are connected (masqueraded) through it. 

You might try something like
echo 120 > /proc/sys/net/ipv4/tcp_keepalive_time
to change the tcp timeout from 2hours to 2mins.

Cheers,

-- 
Email:  [EMAIL PROTECTED]   Tel: +44 1908 653 739  Fax: +44 1908 655 151
Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer:   These addresses are only for reaching me, and do not signify
official stationery. Views expressed here are either my own or plagiarised.



Re: IP masq

2001-01-29 Thread brian moore
On Mon, Jan 29, 2001 at 06:45:12PM +0100, A+B Frank wrote:
> Gabor Gludovatz wrote:
> > 
> > Hi,
> > 
> > I connect to the Internet from a masqueraded LAN through a masquerading
> > gateway/proxy server. My problem is that, if I am logged in to somewhere
> > outside our network with ssh or telnet, after a little while of inactivity
> > the gateway resets the connection and I have to reconnect.
> > 
> > The proxy server is a Deb 2.1 with kernel 2.0.38. What should I set in its
> > kernel if I want to keep the connection even if it's idle?
> > 
> > (it's all the same, wherever I connect to, I get disconnected, so it's
> > not a logoutd thing.)
> 
> Hi,
> it seems to me like a timeout for idle lines. Search in the
> configuration files of ppp/ippp for a parameter "huptimeout" or so.

Close, but the key isn't pppd, but ipmasq.

See the '-s' option to ipfwadm (or -S for ipchains).  From the Debian
'ipmasq' package:

[durin:/etc/ipmasq/rules] 133 % cat Z92timeouts.def 
# You should not edit this file.  Instead, create a file with the same
# name as this one, but with a .rul extension instead of .def.  The
# .rul file will override this one.
#
# However, any changes you make to this file will be preserved.

# Set masquerading timeouts:
#   2 hrs for TCP
#   10 sec for TCP after FIN has been sent
#   160 sec for UDP (important for ICQ users)
case $MASQMETHOD in
ipfwadm)
$IPFWADM -M -s 7200 10 160
;;
ipchains)
$IPCHAINS -M -S 7200 10 160
;;
esac


-- 
CueCat decoder .signature by Larry Wall:
#!/usr/bin/perl -n
printf "Serial: %s Type: %s Code: %s\n", map { tr/a-zA-Z0-9+-/ -_/; $_ = unpack
'u', chr(32 + length()*3/4) . $_; s/\0+$//; $_ ^= "C" x length; } /\.([^.]+)/g; 



Re: IP masq

2001-01-29 Thread Gabor Gludovatz
On Mon, 29 Jan 2001, A+B Frank wrote:

> > I connect to the Internet from a masqueraded LAN through a masquerading
> > gateway/proxy server. My problem is that, if I am logged in to somewhere
> > outside our network with ssh or telnet, after a little while of inactivity
> > the gateway resets the connection and I have to reconnect.
> > 
> > The proxy server is a Deb 2.1 with kernel 2.0.38. What should I set in its
> > kernel if I want to keep the connection even if it's idle?
> > 
> > (it's all the same, wherever I connect to, I get disconnected, so it's
> > not a logoutd thing.)
> 
> Hi,
> it seems to me like a timeout for idle lines. Search in the
> configuration files of ppp/ippp for a parameter "huptimeout" or so.

there is no (i)ppp installed to that machine. it connects with 10baseT
ethernet to a micro device, and we are connected (masqueraded) through it. 

-- 
 Gabor Gludovatz <[EMAIL PROTECTED]> http://www.sopron.hu/~ggabor/



Re: IP masq

2001-01-29 Thread A+B Frank
Gabor Gludovatz wrote:
> 
> Hi,
> 
> I connect to the Internet from a masqueraded LAN through a masquerading
> gateway/proxy server. My problem is that, if I am logged in to somewhere
> outside our network with ssh or telnet, after a little while of inactivity
> the gateway resets the connection and I have to reconnect.
> 
> The proxy server is a Deb 2.1 with kernel 2.0.38. What should I set in its
> kernel if I want to keep the connection even if it's idle?
> 
> (it's all the same, wherever I connect to, I get disconnected, so it's
> not a logoutd thing.)
> 
> --
>  Gabor Gludovatz <[EMAIL PROTECTED]> http://www.sopron.hu/~ggabor/

Hi,
it seems to me like a timeout for idle lines. Search in the
configuration files of ppp/ippp for a parameter "huptimeout" or so.

Greetings
Albrecht



IP masq

2001-01-29 Thread Gabor Gludovatz
Hi,

I connect to the Internet from a masqueraded LAN through a masquerading
gateway/proxy server. My problem is that, if I am logged in to somewhere
outside our network with ssh or telnet, after a little while of inactivity
the gateway resets the connection and I have to reconnect.

The proxy server is a Deb 2.1 with kernel 2.0.38. What should I set in its
kernel if I want to keep the connection even if it's idle?

(it's all the same, wherever I connect to, I get disconnected, so it's
not a logoutd thing.)

-- 
 Gabor Gludovatz <[EMAIL PROTECTED]> http://www.sopron.hu/~ggabor/




Re: can't ftp through IP Masq

2000-08-15 Thread Sven Burgener
Hi John

On Tue, Aug 15, 2000 at 02:48:12PM -0500, John Reinke wrote:
> I only had one ipchains rule to turn it on, and added another to prevent
> timeout on secondary ftp connections, but I don't really understand it all
> yet. I might try the script below, though. What do you name it, and where
> do you put it so it gets read?

As the tags show, it's a snippet of a larger script with more rules for
allowing other services through the box. I have set things up this way:

# ls -l /etc/init.d/fire.sh
-rwxr-xr-x1 root root 1321 Aug 10 19:51 /etc/init.d/fire.sh

/etc/init.d/fire.sh calls the following scripts according to $1 it is
passed. ("start" or "stop"...)

# ls -l /etc/ppp/firewall*.sh
-rwxr-xr--1 root root  278 Aug  9 21:50 /etc/ppp/firewall_off.sh
-rwxr-xr--1 root root 5224 Aug 15 21:25 /etc/ppp/firewall_on.sh

The snippet I posted was from firewall_on.sh.

I ran update-rc.d for creating appropriate SysV links.

# zless /etc/init.d/README /usr/doc/sysvinit/README.runlevels.gz
for more info.

> (Nice footer, BTW.)

:)

Sven
-- 
I can't be wrong, my modem's got error-correction.
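Putting the pieces of this thread together (the ip_masq_* module loop, the forward-chain MASQ rule, the masquerade timeouts, and the init.d start/stop split Sven describes), here is an added example of one complete start/stop script. It is written for this page and is not Sven's fire.sh or firewall_on.sh, which are not reproduced here. Assumptions: eth0 is the LAN interface carrying 172.16.1.0/24 (John's network), ppp0 is the upstream link, the 2.2 kernel's default masquerade port range of 61000 to 65095 is in use, and the file is installed under the hypothetical name /etc/init.d/masq-firewall. Setting IPCHAINS=echo and pointing SYSCTL_ROOT at a scratch directory turns it into a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Hypothetical /etc/init.d/masq-firewall: start/stop wrapper in the style of
# the fire.sh / firewall_on.sh split described in the thread. Added example,
# not the poster's script. Every setting can be overridden from the
# environment; SYSCTL_ROOT exists only so the script can be dry-run.

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-172.16.1.0/24}
EXT_IF=${EXT_IF:-ppp0}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
INSMOD=${INSMOD:-/sbin/insmod}
MODDIR=${MODDIR:-/lib/modules/$(uname -r)/ipv4}
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# Load the protocol helpers (ip_masq_ftp and friends) so active FTP works
# through the masquerade. Same loop Jason posted, safe when the dir is empty.
load_masq_modules() {
    for m in "$MODDIR"/ip_masq_*.o; do
        [ -e "$m" ] || continue
        "$INSMOD" "$m" 2>/dev/null || :
    done
}

set_forwarding() {   # $1 is 0 or 1
    echo "$1" > "$SYSCTL_ROOT/net/ipv4/ip_forward"
}

fw_start() {
    load_masq_modules

    # Deny by default, then flush stale rules before rebuilding.
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -P forward DENY
    "$IPCHAINS" -P output DENY
    "$IPCHAINS" -F input
    "$IPCHAINS" -F forward
    "$IPCHAINS" -F output

    # Loopback and the LAN side are trusted.
    "$IPCHAINS" -A input  -i lo -j ACCEPT
    "$IPCHAINS" -A output -i lo -j ACCEPT
    "$IPCHAINS" -A input  -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPCHAINS" -A output -i "$LAN_IF" -j ACCEPT

    # Anti-spoofing: nothing arriving from the Internet may claim a LAN source.
    "$IPCHAINS" -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l

    # Internet side: the gateway may talk out; only replies (no SYN) come back
    # in. UDP replies for masqueraded hosts arrive on the masquerade port range
    # (2.2 default assumed). New inbound SYNs are denied and logged.
    "$IPCHAINS" -A output -i "$EXT_IF" -j ACCEPT
    "$IPCHAINS" -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    "$IPCHAINS" -A input -i "$EXT_IF" -p udp --dport 61000:65095 -j ACCEPT
    "$IPCHAINS" -A input -i "$EXT_IF" -p icmp -j ACCEPT
    "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -y -j DENY -l

    # Masquerade LAN traffic as it leaves on the external interface.
    # In the ipchains forward chain, -i names the outgoing interface.
    "$IPCHAINS" -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ

    # Masquerade table timeouts: 2 h idle TCP, 10 s after FIN, 160 s UDP
    # (the values the ipmasq package's Z92timeouts.def applies).
    "$IPCHAINS" -M -S 7200 10 160

    set_forwarding 1
}

fw_stop() {
    set_forwarding 0
    "$IPCHAINS" -F input
    "$IPCHAINS" -F forward
    "$IPCHAINS" -F output
    # Fail closed: a stopped firewall must not become an open router.
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -P forward DENY
    "$IPCHAINS" -P output ACCEPT
}

case "$1" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    *)       : ;;   # no argument: only define the functions
esac
```

Hook it into the boot sequence with `update-rc.d masq-firewall defaults`, as Sven did for fire.sh. Forwarding is switched on last, after the rules are in place, and switched off first on stop, so there is no window in which the box forwards unfiltered.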



Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
I only had one ipchains rule to turn it on, and added another to prevent
timeout on secondary ftp connections, but I don't really understand it all
yet. I might try the script below, though. What do you name it, and where
do you put it so it gets read?

(Nice footer, BTW.)

John

On Tue, 15 Aug 2000, Sven Burgener wrote:

> For passive FTP, I use the following ipchains ruleset snippet:
> 
> 
> #!/bin/sh
> 
> # Definitions
> ipchains="$(which ipchains)"
> 
> # Enable IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> # Default policies for all chains
> ${ipchains} -P input DENY
> ${ipchains} -P forward DENY
> ${ipchains} -P output DENY
> 
> # Flush rules
> ${ipchains} --flush input
> ${ipchains} --flush forward
> ${ipchains} --flush output
> 
> # Allow returning ftp packets to enter
> # Passive FTP is the policy
> ${ipchains} -A input -p tcp -s 0.0.0.0/0 21 -i ppp0 -j ACCEPT ! -y
> ${ipchains} -A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 \
>   --dport 1024:65535 -i ppp0 -j ACCEPT ! -y
> 
> # Allow leaving ftp packets to leave
> # Passive ftp transfers require this (passive FTP is the policy)
> ${ipchains} -A output -p tcp -d 0.0.0.0/0 21 -i ppp0 -j ACCEPT
> ${ipchains} -A output -p tcp -d 0.0.0.0/0 1024:65535 -i ppp0 -j ACCEPT
> 
> 
> Is this the correct way of doing this? Anything better? It works, that's
> for sure.
> 
> Suggestions welcomed. :)
> 
> HTH
> Sven
> -- 
> "[Microsoft] ... guarantees 99.8% NT uptime for certain hard-/software.
> That's exactly the 3 minutes daily that my NT server needs to reboot."
> -- ZDnet editorial
> 



Re: can't ftp through IP Masq

2000-08-15 Thread Sven Burgener
On Tue, Aug 15, 2000 at 08:08:15AM -0700, Stan Kaufman wrote:
> This has been discussed recently on the firewalls listserv. Check out 
> http://geocrawler.com/lists/3/Security/90/0/ for a searchable archive;
> think you'll find some answers there. (I personally am still trying to
> figure this out myself, or I'd chime in with the answer myself ;-)

For passive FTP, I use the following ipchains ruleset snippet:


#!/bin/sh

# Definitions
ipchains="$(which ipchains)"

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies for all chains
${ipchains} -P input DENY
${ipchains} -P forward DENY
${ipchains} -P output DENY

# Flush rules
${ipchains} --flush input
${ipchains} --flush forward
${ipchains} --flush output

# Allow returning ftp packets to enter
# Passive FTP is the policy
${ipchains} -A input -p tcp -s 0.0.0.0/0 21 -i ppp0 -j ACCEPT ! -y
${ipchains} -A input -p tcp -s 0.0.0.0/0 --sport 1024:65535 \
  --dport 1024:65535 -i ppp0 -j ACCEPT ! -y

# Allow leaving ftp packets to leave
# Passive ftp transfers require this (passive FTP is the policy)
${ipchains} -A output -p tcp -d 0.0.0.0/0 21 -i ppp0 -j ACCEPT
${ipchains} -A output -p tcp -d 0.0.0.0/0 1024:65535 -i ppp0 -j ACCEPT


Is this the correct way of doing this? Anything better? It works, that's
for sure.

Suggestions welcomed. :)

HTH
Sven
-- 
"[Microsoft] ... guarantees 99.8% NT uptime for certain hard-/software.
That's exactly the 3 minutes daily that my NT server needs to reboot."
-- ZDnet editorial



Re: can't ftp through IP Masq -> IP Masq in kernel

2000-08-15 Thread John Reinke
I'm not sure about the compile problems, but there are some items you'll
need to include in the kernel that you don't have selected below. Look at
this howto, and it goes through all the items you'll want to enable while
configuring the kernel.

http://www.e-infomax.com/ipmasq/howto/ipmasq-HOWTO-1.90c.html

It is a link from this helpful site:
http://ipmasq.cjb.net/

Good luck!

On Tue, 15 Aug 2000, Rick Macdonald wrote:

> On Tue, 15 Aug 2000, John Reinke wrote:
> 
> > I used 2.2.17pre6, and it handled compiling the modules for
> > CONFIG_IP_MASQUERADE_MOD. Also, it sounds like there have been some
> > security patches and things, so it is recommended to at least use 2.2.16 or
> > newer. IP Masq howto I read (URL was in a previous message), strongly
> > suggested 2.2.16 or newer as well.
> 
> My compile just finished for 2.2.17pre6, and it still didn't compile
> ip_masq_ftp:
> 
> ld -m elf_i386  -r -o ipv4.o  ip_masq.o ip_masq_app.o  ip_masq_mod.o
> utils.o route.o proc.o timer.o protocol.o ip_input.o ip_fragment.o
> ip_forward.o ip_options.o ip_output.o ip_sockglue.o tcp.o tcp_input.o
> tcp_output.o tcp_timer.o tcp_ipv4.o raw.o udp.o arp.o icmp.o devinet.o
> af_inet.o igmp.o sysctl_net_ipv4.o fib_frontend.o fib_semantics.o
> fib_hash.o ip_fw.o
> make[4]: Leaving directory `/usr/src/kernel-source-2.2.17/net/ipv4'
> 
> What am I missing? I build the kernel with:
> make-kpkg --revision=custom.1.0 kernel_image
> 
> Here is the net sections of my .config file:
> 
> #
> # Networking options
> #
> CONFIG_PACKET=y
> CONFIG_NETLINK=y
> # CONFIG_RTNETLINK is not set
> # CONFIG_NETLINK_DEV is not set
> CONFIG_FIREWALL=y
> # CONFIG_FILTER is not set
> CONFIG_UNIX=y
> CONFIG_INET=y
> # CONFIG_IP_MULTICAST is not set
> # CONFIG_IP_ADVANCED_ROUTER is not set
> # CONFIG_IP_PNP is not set
> CONFIG_IP_FIREWALL=y
> # CONFIG_IP_FIREWALL_NETLINK is not set
> # CONFIG_IP_TRANSPARENT_PROXY is not set
> CONFIG_IP_MASQUERADE=y
> 
> #
> # Protocol-specific masquerading support will be built as modules.
> #
> CONFIG_IP_MASQUERADE_ICMP=y
> 
> #
> # Protocol-specific masquerading support will be built as modules.
> #
> CONFIG_IP_MASQUERADE_MOD=y
> # CONFIG_IP_MASQUERADE_IPAUTOFW is not set
> # CONFIG_IP_MASQUERADE_IPPORTFW is not set
> # CONFIG_IP_MASQUERADE_MFW is not set
> # CONFIG_IP_ROUTER is not set
> # CONFIG_NET_IPIP is not set
> # CONFIG_NET_IPGRE is not set
> # CONFIG_IP_ALIAS is not set
> # CONFIG_SYN_COOKIES is not set
> 
> #
> # (it is safe to leave these untouched)
> #
> # CONFIG_INET_RARP is not set
> # CONFIG_SKB_LARGE is not set
> # CONFIG_IPV6 is not set
> 
> #
> #  
> #
> # CONFIG_IPX is not set
> # CONFIG_ATALK is not set
> # CONFIG_X25 is not set
> # CONFIG_LAPB is not set
> # CONFIG_BRIDGE is not set
> # CONFIG_LLC is not set
> # CONFIG_ECONET is not set
> # CONFIG_WAN_ROUTER is not set
> # CONFIG_NET_FASTROUTE is not set
> # CONFIG_NET_HW_FLOWCONTROL is not set
> # CONFIG_CPU_IS_SLOW is not set
> 
> ...RickM...
> 



Re: can't ftp through IP Masq

2000-08-15 Thread Rick Macdonald
On Tue, 15 Aug 2000, John Reinke wrote:

> I used 2.2.17pre6, and it handled compiling the modules for
> CONFIG_IP_MASQUERADE_MOD. Also, it sounds like there have been some
> security patches and things, so it is recommended to at least use 2.2.16 or
> newer. IP Masq howto I read (URL was in a previous message), strongly
> suggested 2.2.16 or newer as well.

My compile just finished for 2.2.17pre6, and it still didn't compile
ip_masq_ftp:

ld -m elf_i386  -r -o ipv4.o  ip_masq.o ip_masq_app.o  ip_masq_mod.o
utils.o route.o proc.o timer.o protocol.o ip_input.o ip_fragment.o
ip_forward.o ip_options.o ip_output.o ip_sockglue.o tcp.o tcp_input.o
tcp_output.o tcp_timer.o tcp_ipv4.o raw.o udp.o arp.o icmp.o devinet.o
af_inet.o igmp.o sysctl_net_ipv4.o fib_frontend.o fib_semantics.o
fib_hash.o ip_fw.o
make[4]: Leaving directory `/usr/src/kernel-source-2.2.17/net/ipv4'

What am I missing? I build the kernel with:
make-kpkg --revision=custom.1.0 kernel_image

Here is the net sections of my .config file:

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_NETLINK=y
# CONFIG_RTNETLINK is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_FIREWALL=y
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_NETLINK is not set
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_MASQUERADE=y

#
# Protocol-specific masquerading support will be built as modules.
#
CONFIG_IP_MASQUERADE_ICMP=y

#
# Protocol-specific masquerading support will be built as modules.
#
CONFIG_IP_MASQUERADE_MOD=y
# CONFIG_IP_MASQUERADE_IPAUTOFW is not set
# CONFIG_IP_MASQUERADE_IPPORTFW is not set
# CONFIG_IP_MASQUERADE_MFW is not set
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_ALIAS is not set
# CONFIG_SYN_COOKIES is not set

#
# (it is safe to leave these untouched)
#
# CONFIG_INET_RARP is not set
# CONFIG_SKB_LARGE is not set
# CONFIG_IPV6 is not set

#
#  
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_BRIDGE is not set
# CONFIG_LLC is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set
# CONFIG_CPU_IS_SLOW is not set

...RickM...



Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
I used 2.2.17pre6, and it handled compiling the modules for
CONFIG_IP_MASQUERADE_MOD. Also, it sounds like there have been some
security patches and things, so it is recommended to at least use 2.2.16 or
newer. IP Masq howto I read (URL was in a previous message), strongly
suggested 2.2.16 or newer as well.

John

>On Tue, 15 Aug 2000, Stan Kaufman wrote:
>
>> John Reinke wrote:
>> >
>> > Here's what my problem is (for those just joining): I have IP Masqing set
>> > up on a potato system, and everything works through it except ftp. The ftp
>> > clients on machines on the private network connect to external sites, but
>> > never are able to get a listing of the files or even retrieve files from
>> > those systems.
>> >
>> > John
>>
>> Sounds like you're running into the problems of establishing the proper
>> ipchains ruleset for active vs passive ftp through your firewall, and
>> this probably isn't an issue with ipmasq per se.
>
>I have the same problem, and just now discovered that I didn't config my
>2.2.14 kernel with CONFIG_IP_MASQUERADE_MOD.
>
>So, I just set this flag and re-compiled the kernel, only to find that
>ip_masq_app.c was still not compiled because, I think, this in file
>net/ipv4/.depend:
>
>   $(wildcard /usr/src/linux/include/config/ip/masq/debug.h)
>ip_masq_ftp.o: \
>
>That debug.h file doesn't exist.
>
>I've just installed and am about to build the potato
>kernel-source-2.2.17_2.2.17pre6-1.deb package.
>
>Anybody have any comments about this?
>
>...RickM...





Re: can't ftp through IP Masq

2000-08-15 Thread Rick Macdonald
On Tue, 15 Aug 2000, Stan Kaufman wrote:

> John Reinke wrote:
> > 
> > Here's what my problem is (for those just joining): I have IP Masqing set
> > up on a potato system, and everything works through it except ftp. The ftp
> > clients on machines on the private network connect to external sites, but
> > never are able to get a listing of the files or even retrieve files from
> > those systems.
> > 
> > John
> 
> Sounds like you're running into the problems of establishing the proper
> ipchains ruleset for active vs passive ftp through your firewall, and
> this probably isn't an issue with ipmasq per se.

I have the same problem, and just now discovered that I didn't config my
2.2.14 kernel with CONFIG_IP_MASQUERADE_MOD.

So, I just set this flag and re-compiled the kernel, only to find that
ip_masq_app.c was still not compiled because, I think, this in file
net/ipv4/.depend:

   $(wildcard /usr/src/linux/include/config/ip/masq/debug.h)
ip_masq_ftp.o: \

That debug.h file doesn't exist.

I've just installed and am about to build the potato
kernel-source-2.2.17_2.2.17pre6-1.deb package.

Anybody have any comments about this?

...RickM...



Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
Okay, it looks like things work now. I had a two-fold problem. I'll need to
know where to put things so this is all done automatically when I boot,
however.

The first part is that the modules weren't loading. Jason's suggestion
fixed that. If I list them in /etc/modules, will they get loaded
automatically? Or, do I need to put the following line somewhere?

> for i in /lib/modules/`uname -r`/ipv4/ip_masq_*; do insmod $i;done

The second part is that I needed to increase the timeout values for
ipchains. Where should I put the following line, so it is executed
automatically?

/sbin/ipchains -M -S 7200 10 160

I've put another ipchains statement within the /etc/init.d/networking file,
but is there a better place to put it with the potato network setup?

Thanks for the help,
John

>On Tue, Aug 15, 2000 at 03:37:30AM -0500, John Reinke wrote
>So, just to check... if you go
># lsmod
>
>does it list ip_masq_ftp?
>
>John P.

Here's the output:

[EMAIL PROTECTED]:~$ /sbin/lsmod
Module  Size  Used by
ip_masq_vdolive 1368   0 (unused)
ip_masq_user2516   0 (unused)
ip_masq_raudio  2936   0 (unused)
ip_masq_quake   1332   0 (unused)
ip_masq_irc 1560   0 (unused)
ip_masq_ftp 2456   0
ip_masq_cuseeme 1144   0 (unused)





Re: can't ftp through IP Masq

2000-08-15 Thread Stan Kaufman
John Reinke wrote:
> 
> Here's what my problem is (for those just joining): I have IP Masqing set
> up on a potato system, and everything works through it except ftp. The ftp
> clients on machines on the private network connect to external sites, but
> never are able to get a listing of the files or even retrieve files from
> those systems.
> 
> John

Sounds like you're running into the problems of establishing the proper
ipchains ruleset for active vs passive ftp through your firewall, and
this probably isn't an issue with ipmasq per se.

This has been discussed recently on the firewalls listserv. Check out 
http://geocrawler.com/lists/3/Security/90/0/ for a searchable archive;
think you'll find some answers there. (I personally am still trying to
figure this out myself, or I'd chime in with the answer myself ;-)

Stan



Re: can't ftp through IP Masq

2000-08-15 Thread John Pearson
On Tue, Aug 15, 2000 at 03:37:30AM -0500, John Reinke wrote
> I did some research, and the ip_masq_ftp.o module is automatically compiled
> when CONFIG_IP_MASQUERADE_MOD is selected during kernel config. I already
> have it selected, and the file is in my modules directory. And like I
> mentioned previously, I've tried changing the passive settings on the ftp
> clients.
> 
> I re-read the IP Masq howto at http://ipmasq.cjb.net and I had included
> everything I needed to have in the kernel. I had compiled everything into
> the kernel, with nothing compiled as modules - that shouldn't hurt, should
> it?
> 
> There were a few items that I don't have which were shown at that web site.
> They put a lot of settings in the /etc/rc.d/rc.firewall file on a RedHat
> system. Where would I put that in my potato system, in case some of those
> settings help?
> 
> Here's what my problem is (for those just joining): I have IP Masqing set
> up on a potato system, and everything works through it except ftp. The ftp
> clients on machines on the private network connect to external sites, but
> never are able to get a listing of the files or even retrieve files from
> those systems.
> 

So, just to check... if you go
# lsmod

does it list ip_masq_ftp?


John P.
-- 
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.mdt.net.au/~john Debian Linux admin & support:technical services



Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
This doesn't seem to help, either. The ftp clients still just sit there,
trying to get the list of files...

thanks,
John

>The modules should be compiled automatically if you have elected to do
>Masqing
>in the kernel config.
>
>Just do an insmod and you should be okay:
>
>for i in /lib/modules/`uname -r`/ipv4/ip_masq_*; do insmod $i;done
>
>Cheers,
>Jason.





Re: can't ftp through IP Masq

2000-08-15 Thread John Reinke
I did some research, and the ip_masq_ftp.o module is automatically compiled
when CONFIG_IP_MASQUERADE_MOD is selected during kernel config. I already
have it selected, and the file is in my modules directory. And like I
mentioned previously, I've tried changing the passive settings on the ftp
clients.

I re-read the IP Masq howto at http://ipmasq.cjb.net and I had included
everything I needed to have in the kernel. I had compiled everything into
the kernel, with nothing compiled as modules - that shouldn't hurt, should
it?

There were a few items that I don't have which were shown at that web site.
They put a lot of settings in the /etc/rc.d/rc.firewall file on a RedHat
system. Where would I put that in my potato system, in case some of those
settings help?

Here's what my problem is (for those just joining): I have IP Masqing set
up on a potato system, and everything works through it except ftp. The ftp
clients on machines on the private network connect to external sites, but
never are able to get a listing of the files or even retrieve files from
those systems.

John

>At 19:28 2000/08/14 -0500, you wrote:
>>I am not able to ftp from my private network, through IP Masquerading. I
>>now have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I
>>have set up IP Masq the same way as I did before.
>
>You need the ip_masq_ftp.o module installed, OR you need to set your FTP
>client up to PASV mode.
>I've got the same issue, I just haven't gotten the module yet.  PASV works
>fine.
>
>HTH!
>Adam
>Toronto, Ontario, Canada





Re: can't ftp through IP Masq

2000-08-15 Thread Jason Quigley
The modules should be compiled automatically if you have elected to do Masqing 
in the kernel config.


Just do an insmod and you should be okay:

for i in /lib/modules/`uname -r`/ipv4/ip_masq_*; do insmod $i;done

Cheers,
Jason.

--On Monday, August 14, 2000 21:34 -0500 John Reinke <[EMAIL PROTECTED]> wrote:

> I've got IP Masq compiled into the kernel, but I don't remember a selection
> for that in the kernel config. What was that?
>
> Also, I've tried both passive and non-passive in the clients (both mac and
> windows).
>
> > At 19:28 2000/08/14 -0500, you wrote:
> >
> > > I am not able to ftp from my private network, through IP Masquerading. I
> > > now have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I
> > > have set up IP Masq the same way as I did before.
> >
> > You need the ip_masq_ftp.o module installed, OR you need to set your FTP
> > client up to PASV mode.
> > I've got the same issue, I just haven't gotten the module yet.  PASV works
> > fine.
> >
> > HTH!
> > Adam
> > Toronto, Ontario, Canada
>
> --
> Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null










Re: can't ftp through IP Masq

2000-08-14 Thread John Reinke
I've got IP Masq compiled into the kernel, but I don't remember a selection
for that in the kernel config. What was that?

Also, I've tried both passive and non-passive in the clients (both mac and
windows).

>At 19:28 2000/08/14 -0500, you wrote:
>>I am not able to ftp from my private network, through IP Masquerading. I
>>now have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I
>>have set up IP Masq the same way as I did before.
>
>You need the ip_masq_ftp.o module installed, OR you need to set your FTP
>client up to PASV mode.
>I've got the same issue, I just haven't gotten the module yet.  PASV works
>fine.
>
>HTH!
>Adam
>Toronto, Ontario, Canada





Re: can't ftp through IP Masq

2000-08-14 Thread Adam Scriven

At 19:28 2000/08/14 -0500, you wrote:
> I am not able to ftp from my private network, through IP Masquerading. I 
> now have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I 
> have set up IP Masq the same way as I did before.


You need the ip_masq_ftp.o module installed, OR you need to set your FTP 
client up to PASV mode.
I've got the same issue, I just haven't gotten the module yet.  PASV works 
fine.


HTH!
Adam
Toronto, Ontario, Canada



can't ftp through IP Masq

2000-08-14 Thread John Reinke
I am not able to ftp from my private network, through IP Masquerading. I now
have Debian 2.2, and I had Debian 2.1 before. As far as I can tell, I have
set up IP Masq the same way as I did before.

Before, I could use ftp clients on any machine in my local network to
access anything outside my network. I can still connect to the same
machines, but now I can't get the file list from the remote ftp server or
change directories. It just sits there trying, but never gets the list.
Changing the passive setting for the ftp clients doesn't help. Also,
sometimes when it is not passive, I get a "port error" message from the
server.

I don't really understand how to set up IP Masq, so someone had given me an
ipchains command, and it seems to still work for the most part. All other
TCP/IP applications I use seem to be fine through the IP Masq. When going
from slink to potato, I took that ipchains command from my
/etc/init.d/network file and put it into the /etc/init.d/networking file,
right after ifup -a, and that worked.

The command is:
/sbin/ipchains -A forward -s 172.16.1.0/24 -j MASQ

172.16.1.0 is my local network. I can ftp from my Linux box, just not from
any machine on the private network.

Thanks,
John




Re: Potato IP Masq

2000-08-13 Thread alan
Hi John,

  Sorry, I must have misread your earlier post. The ipmasq rules are in 
/etc/ipmasq/rules/. This directory has the ruleset broken down into 
individual files (by rule type) to help with the maintenance and 
management of your firewalling rules (rather than one big script 
where everything's chucked together). A definite improvement, I think.

By default there should be a whole lot of .def files which give you 
an idea of how they work before tailoring them for your own 
requirements (by creating .rul files which will replace the .def's if 
they exist). 

Note: the order in which the rule files are invoked is controlled by 
the file prefix (i.e. A00.. is implemented before Z99...). I remember 
going through some document when I changed over - I will email a link 
when I dig it up ... ITMT - The references below may be of use also 
... 

HTH
Alan

*** from the IPMASQ HOWTO

The Linux IP Masquerade Resource is a website dedicated to Linux IP
Masquerade information also maintained by David Ranch and Ambrose Au.
It has the latest information related to IP Masquerade and may have
information that is not being included in the HOWTO. 

You may find the Linux IP Masquerade Resource at the following
locations: 

http://ipmasq.cjb.net/, Primary Site, redirected to
http://ipmasq.cjb.net/ 

http://ipmasq2.cjb.net/, Secondary Site, redirected to
http://www.geocities.com/SiliconValley/Heights/2288/ 

> Date:  Sun, 13 Aug 2000 01:13:44 -0500 (CDT)
> From:  John Reinke <[EMAIL PROTECTED]>
> To:debian-user@lists.debian.org
> Subject:   Re: Potato IP Masq

> I've read the man pages, and they say nothing about ipchains or
> ip_forwarding. Or, do those commands now belong in /etc/network/interfaces?
> 
> 
> On Sun, 13 Aug 2000, Alan McNatty wrote:
> 
> > check out /etc/network/interfaces (man interfaces, if-up, and if-down)
> > HTH
> > 
> > - Original Message - 
> > From: John Reinke <[EMAIL PROTECTED]>
> > 
> > > Along with setting up my network doing it the "Potato Way", I'm not sure
> > > where to put the ipchains and /proc/sys/net/ipv4/ip_forward commands that
> > > I used in /etc/init.d/network for Slink. I didn't see this in the
> > > documentation.
> > > 
> > > It looks like the ip_forward can be set in /etc/network/options, but where
> > > does the rest go?
> 
> 
> 
> 
Alan McNatty ([EMAIL PROTECTED])
Catalyst IT Limited
http://www.catalyst.net.nz
Level 22 Morrison Kent House, 105 The Terrace
PO Box 10-225
Wellington, New Zealand
Ph 64 4 4992267 Fx 64 4 4995596
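The .def/.rul override and prefix ordering Alan describes can be checked mechanically before relying on it. The helper below is an added example written for this page, not part of the ipmasq package; it assumes exactly the behaviour the post states (a same-named .rul replaces its .def, files are applied in lexical order of their prefix) and does not interpret the rule files' contents. Its second function catches the practical mistake that follows from the naming scheme: a .rul whose name matches no .def is a new rule file rather than an override, so a typo such as Z92timeout.rul leaves the shipped Z92timeouts.def in force. The sample directory in the usage is constructed.

```shell
#!/bin/sh
# Hypothetical helper for an /etc/ipmasq/rules directory as the post
# describes it. Added example, not ipmasq code. Assumed semantics: each
# NNname.def is a default, a same-named NNname.rul replaces it, and the
# resulting files run in prefix (lexical) order.

# Print the rule files that would actually be applied, in order.
ipmasq_effective_rules() {
    dir=$1
    for f in "$dir"/*.def "$dir"/*.rul; do
        [ -e "$f" ] || continue
        b=${f##*/}
        printf '%s\n' "${b%.*}"        # base name without directory or extension
    done | LC_ALL=C sort -u | while IFS= read -r base; do
        if [ -e "$dir/$base.rul" ]; then
            printf '%s/%s.rul\n' "$dir" "$base"
        else
            printf '%s/%s.def\n' "$dir" "$base"
        fi
    done
}

# Print .rul files with no .def of the same name. These override nothing;
# if one was meant as an override, its name is wrong and the default still runs.
ipmasq_orphan_overrides() {
    dir=$1
    for f in "$dir"/*.rul; do
        [ -e "$f" ] || continue
        b=${f##*/}
        [ -e "$dir/${b%.rul}.def" ] || printf '%s\n' "$b"
    done
}

# Usage: sh ipmasq-rules.sh /etc/ipmasq/rules
if [ -n "$1" ]; then
    ipmasq_effective_rules "$1"
    echo "--- .rul files that override nothing:"
    ipmasq_orphan_overrides "$1"
fi
```

Run it against /etc/ipmasq/rules after editing and compare the first list with what you expected to change; anything printed under the second heading is a file the package will run in addition to, not instead of, its default.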



Re: Potato IP Masq

2000-08-13 Thread John Reinke
I've read the man pages, and they say nothing about ipchains or
ip_forwarding. Or, do those commands now belong in /etc/network/interfaces?


On Sun, 13 Aug 2000, Alan McNatty wrote:

> check out /etc/network/interfaces (man interfaces, if-up, and if-down)
> HTH
> 
> - Original Message - 
> From: John Reinke <[EMAIL PROTECTED]>
> 
> > Along with setting up my network doing it the "Potato Way", I'm not sure
> > where to put the ipchains and /proc/sys/net/ipv4/ip_forward commands that
> > I used in /etc/init.d/network for Slink. I didn't see this in the
> > documentation.
> > 
> > It looks like the ip_forward can be set in /etc/network/options, but where
> > does the rest go?




Potato IP Masq

2000-08-12 Thread John Reinke
Along with setting up my network doing it the "Potato Way", I'm not sure
where to put the ipchains and /proc/sys/net/ipv4/ip_forward commands that
I used in /etc/init.d/network for Slink. I didn't see this in the
documentation.

It looks like the ip_forward can be set in /etc/network/options, but where
does the rest go?

John



Re: ip masq with 2.3.x kernels?

2000-08-05 Thread Pollywog

On 05-Aug-2000 Alberto wrote:
> 
> ipchains will be supported on the 2.4 and 2.3 series (which is going to
> be 2.4); anyway, netfilter is likely to be the future.
> 
> Just take a look at: http://netfilter.kernelnotes.org/

I used the ipchains kernel module with the 2.3 series, while I got iptables
working.  I compiled ipchains and iptables as modules so I could switch easily
from ipchains to iptables.

--
Andrew



Re: ip masq with 2.3.x kernels?

2000-08-05 Thread Alberto


ipchains will be supported on the 2.4 and 2.3 series (which is going to
be 2.4); anyway, netfilter is likely to be the future.


Just take a look at: http://netfilter.kernelnotes.org/


At 15:44 04/08/00 +, Joseph de los Santos wrote:

Hello,

   I am looking for some documentation on how to compile kernels 2.3.x with ip
masq support. The current HOWTO doesn't cover those kernels yet.


Thanks for any advice.






Re: ip masq with 2.3.x kernels?

2000-08-04 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

> Hello,
> 
> I am looking for some documentation on how to compile kernels 2.3.x
> with ip masq support. The current HOWTO doesn't cover those kernels
> yet.

http://netfilter.kernelnotes.org/unreliable-guides/index.html

I also have these rules that I use on my firewall.  $IPT is the iptables
executable (/usr/local/bin/iptables).  $PUBIP is my public IP number;
$OUTSIDE_IFACE is the interface $PUBIP is assigned to (eth1).

This is the definition in /etc/networks:

localnet 192.168.0.0

Here are the rules.  Note the third stanza: this is how I got squid
working as a transparent proxy (along with some http_accel_* lines in
squid.conf).  The second and fourth stanzas redirect Microsoft's
accursed DirectPlay technology to work behind the firewall.

$IPT -P INPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t nat -A POSTROUTING -o $OUTSIDE_IFACE -j MASQUERADE
$IPT -P FORWARD ACCEPT
$IPT -A INPUT -s localnet/16 -j ACCEPT

# allowed incoming ports
# for some games
$IPT -A INPUT -p tcp --dport 47624 -j ACCEPT
$IPT -A INPUT -p tcp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -p udp --dport 47624 -j ACCEPT
$IPT -A INPUT -p udp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -p tcp --dport 9110 -j ACCEPT
$IPT -A INPUT -p tcp --dport 9113 -j ACCEPT
# for incoming ssh
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
# for web going to giedi
$IPT -A INPUT -p tcp -d $PUBIP --dport www -j ACCEPT
$IPT -t nat -A PREROUTING -d $PUBIP -p tcp --dport www \
-j DNAT --to-destination 192.168.0.2

# for the squid web cache
$IPT -A INPUT -p tcp -d 127.0.0.1 --dport www -j ACCEPT
$IPT -A INPUT -p tcp -d 192.168.0.3 --dport www -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp --dport www \
-j DNAT --to-destination 192.168.0.3:3128

# directplay stuff
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 47624 \
-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 2300:2400 \
-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p udp -d $PUBIP --dport 47624 \
-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p udp -d $PUBIP --dport 2300:2400 \
-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 9110 \
-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 9113 \
-j DNAT --to-destination 192.168.0.103

$IPT -A INPUT -s localhost -j ACCEPT
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

This last stanza is particularly interesting: the new netfilter
firewalling code implements what's known as a stateful firewall.  What
effectively happens is all new incoming connections are dropped, but
established connections (as well as new connections related to another,
like for www to work) are allowed.

It all works like a charm; I'm using kernel 2.4.0-test2-ac2.

-- 
--
Phil Brutsche   [EMAIL PROTECTED]

"There are two things that are infinite; Human stupidity and the
universe. And I'm not sure about the universe." - Albert Einstein
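The stateful stanza above, as an added example: the script below is mine, not Phil's ruleset, and uses assumed interface and address values (eth1, 192.168.0.0/24 and 192.168.0.2 as the internal web host). It keeps the shape of his rules but makes the FORWARD chain deny-by-default too, so the single ESTABLISHED,RELATED rule that protects the gateway also decides what is forwarded to the LAN. With "-P FORWARD ACCEPT", as in the rules above, routed and DNATed packets are never filtered at all; a FORWARD DROP policy makes that decision explicit, at the price that every DNAT target then needs its own FORWARD accept, which the small lint at the end checks. IPT defaults to "echo iptables", so the script prints the rules instead of applying them; set IPT=/sbin/iptables to run it for real.

```shell
#!/bin/sh
# Added example, not Phil's script: a stateful netfilter ruleset with the same
# stanzas as above, deny-by-default on INPUT and FORWARD.  Interface, network
# and host values are assumed; IPT defaults to a dry run that prints the rules.
IPT="${IPT:-echo iptables}"
OUTSIDE_IFACE="${OUTSIDE_IFACE:-eth1}"
INSIDE_NET="${INSIDE_NET:-192.168.0.0/24}"
WEBHOST="${WEBHOST:-192.168.0.2}"     # internal box that receives DNATed www

stateful_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Replies to connections the gateway or the LAN opened.  This one rule per
    # chain replaces the per-port "allow source port 53/6970/..." entries an
    # ipchains setup needs, because conntrack remembers the outbound packet.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback and the LAN are trusted, but only when the LAN address arrives
    # on an inside interface (a packet claiming 192.168.0.x on eth1 is spoofed).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -s "$INSIDE_NET" ! -i "$OUTSIDE_IFACE" -j ACCEPT
    # The only NEW connection accepted from outside for the gateway itself: ssh.
    $IPT -A INPUT -i "$OUTSIDE_IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Masquerade outbound LAN traffic and let the LAN open new connections.
    $IPT -t nat -A POSTROUTING -o "$OUTSIDE_IFACE" -j MASQUERADE
    $IPT -A FORWARD -s "$INSIDE_NET" ! -i "$OUTSIDE_IFACE" -m state --state NEW -j ACCEPT

    # Port-forward www to the internal web host.  Under a FORWARD DROP policy
    # the DNATed packet also needs its own FORWARD rule; with FORWARD ACCEPT
    # that requirement is invisible because everything is forwarded anyway.
    $IPT -t nat -A PREROUTING -i "$OUTSIDE_IFACE" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBHOST"
    $IPT -A FORWARD -i "$OUTSIDE_IFACE" -d "$WEBHOST" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Only touch /proc when the rules are really being applied.
    [ "$IPT" = "echo iptables" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Lint for the dry-run output: every DNAT --to-destination host must have a
# FORWARD accept for that host, otherwise the redirect fails silently.
dnat_forward_check() {
    rules=$(stateful_rules)
    for host in $(printf '%s\n' "$rules" \
                  | sed -n 's/.*--to-destination \([0-9.]*\).*/\1/p' | sort -u); do
        printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*-d $host " || return 1
    done
    return 0
}

stateful_rules
```

Run as-is it prints the generated rules; run with IPT=/sbin/iptables as root it applies them. The anti-spoofing rule on INPUT is the part Ethan's later message says the ipmasq package leaves to you: the package protects the inside network, not the gateway itself.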



ip masq with 2.3.x kernels?

2000-08-04 Thread Joseph de los Santos
Hello,

   I am looking for some documentation on how to compile kernels 2.3.x with ip
masq support. The current HOWTO doesn't cover those kernels yet.


Thanks for any advice.



IP Masq On/Off on a running kernel

2000-05-06 Thread Andrew Clark
I know that you can turn IP forwarding on and off on a running 
kernel with something like:

echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward

I was wondering if the same was possible with IP Masq?

Also, is there a library for tftp clients?  All I need to do is 
send a file to a server and be able to pull a file from a server 
(That's about all it can do isn't it?)

Regards,
Andrew Clark

Please CC replies to this post to me, I'm not on the list.


Re: IP Masq

2000-04-21 Thread Oswald Buddenhagen
>   I've been trying to build the kernel to include
>   the IP MASQ for the last few days without success.
>   I read most of the IP MASQ HOWTo and could not
>   find any of the suggested configuration variables
>   during the kernel config process.
> 
enable firewalling in the network setup. then you can enable masq-ing.

>   My debian box is a Potato with 2.2.13 kernel.  I tried
>   installing the 2.2.14 kernel before and it halted my box so
>   I re-installed 2.2.13 again :(
> 
strange - probably you included some unnecessary drivers or missed a
required one.

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Linux - the last service pack you'll ever need.


IP Masq

2000-04-21 Thread Timothy C. Phan
hi,

  I've been trying to build the kernel to include
  the IP MASQ for the last few days without success.
  I read most of the IP MASQ HOWTo and could not
  find any of the suggested configuration variables
  during the kernel config process.

  Could someone here in the debian list show me the
  steps necessary to build the kernel with the IP MASQ
  feature.

  My debian box is a Potato with 2.2.13 kernel.  I tried
  installing the 2.2.14 kernel before and it halted my box so
  I re-installed 2.2.13 again :(

  Many thanks in advance!

---
tcp
[EMAIL PROTECTED]


Re: ip masq performance

2000-02-22 Thread Pavel Epifanov
On Tue, 22 Feb 2000, Stuart Ballard wrote:

>=As a first pass at configuring this thing (I don't plan on leaving it
>=like this, but I'm at the stage where I just want *something* that
>=works) I set it up using:
>=
>=echo "1" > /proc/sys/net/ipv4/ip_forward
>=ipchains -P forward MASQ
>=

Dear Stuart,

I have a similar hardware configuration, but first I was thinking about
security (this was the only reason why I am with Linux - it is easy to
configure what you really want).

Please look at the attached shell script, which I run on the IP-UP event
by PPPD.  It has worked not too badly for the last couple of months (for
me!).  If you get a lot of messages in the logs then you need to adjust
some rules.  I understand it is not perfect.

The idea is from one Web site (sorry, I missed the name).

---
Regards,
Pavel Epifanov.

[EMAIL PROTECTED] , [EMAIL PROTECTED]

#!/bin/sh
#
# IPCHAINS-ALL
#
###
IPCHAINS="/sbin/ipchains"
# Allow forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

###
# Incoming packets from the outside network
$IPCHAINS -F input
# Outgoing packets from the internal network
$IPCHAINS -F output   
# Forwarding/masquerading
$IPCHAINS -F forward

###
# Allow MASQ connections 
$IPCHAINS -A forward -s 10.0.0.0/255.0.0.0 -j MASQ
#

###
# Disallow any UDP incoming connections
# DNS replies (UDP source port 53, answering the gateway's lookups)
$IPCHAINS -A input -p udp -s 0.0.0.0/0 53 -i ppp0 -j ACCEPT
# BBC real-audio
$IPCHAINS -A input -p udp -s 0.0.0.0/0 6970 -i ppp0 -j ACCEPT
# ??? WEB Browsing
$IPCHAINS -A input -p udp -s 0.0.0.0/0 2140 -i ppp0 -j ACCEPT
$IPCHAINS -A input -p udp -d 0.0.0.0/0 31789 -i ppp0 -j ACCEPT
#
# CIPE test
$IPCHAINS -A input -p udp -s 0.0.0.0/0 31121 -i ppp0 -j ACCEPT
$IPCHAINS -A input -p udp -s 0.0.0.0/0 31122 -i ppp0 -j ACCEPT
#
# default - REJECT
$IPCHAINS -A input -p udp -i ppp0 -l -j DENY
#

###
# Disallow any outside incoming connections
# RPC
$IPCHAINS -A input -p tcp -d 0.0.0.0/0  111 -i ppp0 -l -j DENY
# SMTP
$IPCHAINS -A input -p tcp -d 0.0.0.0/0   25 -i ppp0 -l -j DENY
# Printer
$IPCHAINS -A input -p tcp -d 0.0.0.0/0  515 -i ppp0 -l -j DENY
# ???
$IPCHAINS -A input -p tcp -d 0.0.0.0/0  840 -i ppp0 -l -j DENY
# DNS
$IPCHAINS -A input -p tcp -d 0.0.0.0/0   53 -i ppp0 -l -j DENY
# NFS
$IPCHAINS -A input -p tcp -d 0.0.0.0/0 2049 -i ppp0 -l -j DENY
# Concert?
$IPCHAINS -A input -p tcp -d 0.0.0.0/0  786 -i ppp0 -l -j DENY
# ???
#$IPCHAINS -A input -p tcp -d 0.0.0.0/0 1113 -i ppp0 -l -j DENY
#$IPCHAINS -A input -p tcp -d 0.0.0.0/0 1114 -i ppp0 -l -j DENY
#$IPCHAINS -A input -p tcp -d 0.0.0.0/0 1115 -i ppp0 -l -j DENY
#$IPCHAINS -A input -p tcp -d 0.0.0.0/0 1116 -i ppp0 -l -j DENY
#
# default - ACCEPT till TCP wrappers
$IPCHAINS -A input -p tcp -i ppp0 -j ACCEPT
#

###
#Set telnet, www and FTP for minimum delay - OUTPUT
$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
#Set telnet, www and FTP for minimum delay - FORWARD
$IPCHAINS -A forward -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A forward -p tcp -d 0/0 ftp -t 0x01 0x10
# Set ftp-data for maximum throughput
$IPCHAINS -A forward -p tcp -d 0/0 ftp-data -t 0x01 0x08

###
#
/usr/bin/logger -s IPCHAINS up.
###
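Pavel's remark that a log full of messages means some rules need adjusting, as an added example (mine, not his script): the -l flag on his DENY rules makes the kernel log each rejected packet, and the summary below counts those lines per chain, verdict, interface, protocol and destination port, highest first, so the rule that is firing most can be identified and, where the traffic is just background noise such as NetBIOS name-service probes on UDP 137, be given a quiet DENY without -l. The sample log lines are constructed after the "Packet log:" format documented in the ipchains HOWTO; the host name and the addresses (RFC 5737 documentation ranges) are made up.

```shell
#!/bin/sh
# Added example, not part of Pavel's script: summarize ipchains "-l" log lines
# from syslog so rule adjustments are driven by counts rather than eyeballing.

# Reads syslog lines on stdin, keeps only the ipchains packet logs and prints
# "<count> <chain> <verdict> <iface> <proto> <dport>", highest count first.
# PROTO=6 is TCP, 17 is UDP, 1 is ICMP (for ICMP the last field is the code).
summarize_packet_log() {
    awk '
        /Packet log:/ {
            # After "log:" the fields are: chain verdict iface PROTO=n src:sport dst:dport ...
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            chain = $(i + 1); verdict = $(i + 2); iface = $(i + 3)
            proto = $(i + 4); sub(/^PROTO=/, "", proto)
            dst = $(i + 6); n = split(dst, parts, ":"); dport = parts[n]
            count[chain " " verdict " " iface " " proto " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed syslog excerpt: three NetBIOS name-service probes, one portmap
# (111/tcp) attempt, and an unrelated sshd line that must be ignored.
sample_log() {
    cat <<'EOF'
Feb 22 10:01:02 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.9:137 198.51.100.7:137 L=78 S=0x00 I=1 F=0x0000 T=120
Feb 22 10:01:03 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.9:137 198.51.100.7:137 L=78 S=0x00 I=2 F=0x0000 T=120
Feb 22 10:01:05 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.55:4123 198.51.100.7:111 L=60 S=0x00 I=3 F=0x4000 T=50
Feb 22 10:01:09 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.9:137 198.51.100.7:137 L=78 S=0x00 I=4 F=0x0000 T=120
Feb 22 10:02:00 gw sshd[123]: Accepted password for pavel from 10.0.0.5
EOF
}

# Dry run on the constructed lines; on a real gateway use something like
#   grep 'Packet log:' /var/log/kern.log | summarize_packet_log
sample_log | summarize_packet_log
```

On the sample the top line is "3 input DENY ppp0 17 137": the UDP 137 noise outnumbers the portmap attempt three to one, which is the kind of entry one would stop logging, while the 111/tcp hit is exactly what Pavel's "RPC" rule is there to record.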


Re: IP MASQ

2000-02-22 Thread Kris

At 17:53 22/02/00 +, Oleg Krivosheev <[EMAIL PROTECTED]> wrote:
^^^
   Hmmm?
> Related question: to my surprise I did not find example rules
> in the ipmasq package for what I think is the most common case: ethernet
> 192.168.0.x network connected to the outside world via PPP with a static IP.
> 
> Could someone tell/send me these rules?

I've only just set up IP masquerading myself. Take a look at
 where you can fill in a script that does
everything for you including a basic firewall.

The only thing you need to add to the script is...

echo "1" > /proc/sys/net/ipv4/ip_forward

... at the top (and change InternalNetwork to something like
192.168.0.1/24). Run it after the PPP link is up and you're away!

Just don't do anything stupid like forget to delete the default gateway on
the actual gateway. (not that I'm guilty of actually doing that, you
understand...)

Incidentally, why is the Debian package of mserver[1] (MasqDialer) so
awkward? Where were the docs? /etc/mserver.conf was totally wrong - I ended
up installing from source. It does work wonderfully well, though - I'd
recommend it for those with an inet gateway - there's a lovely traffic view
in the client (available for Windows, Mac, Linux, etc, etc; get
 for the Windows client).
If anyone wants the config file for mserver then just ask.

HTH, etc,
  Kris

[1] 


ip masq performance

2000-02-22 Thread Stuart Ballard
I just successfully got ip masquerading set up on my home network (two
computers, one debian, one win98... debian box does the masquerading, of
course).

As a first pass at configuring this thing (I don't plan on leaving it
like this, but I'm at the stage where I just want *something* that
works) I set it up using:

echo "1" > /proc/sys/net/ipv4/ip_forward
ipchains -P forward MASQ

After setting up the gateway correctly on the win98 box, this gave some
sort of access through the linux box to the outside world. However, the
performance was abysmal - far worse than doing the same things directly
on the linux box. I did set "optimize as router not host" during my
kernel compile (does this apply to masquerading? how heavy a penalty
does this put on regular host usage... and for how much gain?). I also
enabled ICMP masquerading.

The linux box is a pentium 90 - slow but not *that* slow - with 72Mb
RAM. The connection between the two machines is BNC ethernet and doesn't
seem to be the bottleneck - transfers directly between the two machines
go very fast.

Is this horrible performance just something to be expected when using
masquerading? Are there any possible ways to speed it up? (could it be
caused by using gcc rather than gcc272 to compile the kernel? I thought
that would cause crashes, not slowdowns) Any tips on diagnosing the
problems?

Thanks in advance for any help,
Stuart.


Re: IP MASQ

2000-02-22 Thread Oleg Krivosheev
On Tue, 22 Feb 2000, Timothy C. Phan wrote:

> 
> Hi,
> 
>   Could someone show me where can I get information on
>   how to build the IP MASQ into the kernel (potato 2.2.14)?
> 
>   TIA!
> 
> ---
> tcp
> 

install ipmasq package and check the docs inside - 
there is IP MASQ url with info.

Related question: to my surprise I did not find example rules
in the ipmasq package for what I think is the most common case: ethernet
192.168.0.x network connected to the outside world via PPP with a static IP.

Could someone tell/send me these rules?

thank you

Oleg


IP MASQ

2000-02-22 Thread Timothy C. Phan
Hi,

  Could someone show me where can I get information on
  how to build the IP MASQ into the kernel (potato 2.2.14)?

  TIA!

---
tcp


IP MASQ

2000-02-21 Thread Timothy C. Phan
Hi,

  Is kernel 2.2.14 built with IP masquerade? or all the
  2.2.xx kernel now have IP masquerade?

  I tried to rebuild the kernel 2.2.14 on the potato and
  I believe that I did not see any option at the options
  screen before building the kernel.

  TIA

---
tcp


recompile kernel for IP-MASQ

2000-02-21 Thread Timothy C. Phan
Hi,

  I'm trying to compile the kernel 2.2.14 with the IP Masquerade
  option and I did not know which options I should select for
  IP Masquerade.

  Please help.

  Thanks!


---
tcp


Re: dynamic IP's, IP masq and mail, can it be done?

2000-01-25 Thread Joe Block
Ethan Benson wrote:
> 
> Hi,
> 
> I have a small network connected to the internet via a IP masq
> gateway, and would like to get mail working, but the above setup is a
> nightmare for mail it would seem.
> 
> is it even possible for mail to work in such a setup or am i wasting
> my time?  I got the gateway machine to send mail, but my fake domain
> still shows up in various places, such as the message ID and a second
>  From line.  and in order to do that i had to setup a virtual table
> for all the local user accounts, otherwise when cron or something
> send mail to root it would go to [EMAIL PROTECTED] ...
> 
> I am using Postfix and have gone through pretty much all of the
> documentation on the web site and still don't have this all working
> very well, and it seems to be a very very messy setup.

I'm using postfix on slink to do this now.  It's been a while since I
set it up so I may be a little vague about some of the details; my
notebook with my debian notes has gone missing.

Do you have a domain already?  If you do, see if your isp will do uucp
delivery for you.  My home lan gets its mail via uucp from my desktop
machine at work.  If you don't have a domain and are unwilling to pay
for a top level domain, talk to the folks at dyndns.org about getting a
subdomain from them.

To do this (from vague memory, there may be a little more to it than
this)

1) set up a uucp link between your home gateway machine and your isp. 
There is a howto on this, so I won't go into detail. 

2) set up your domain's dns so that your isp is the mx for your domain.

3) have your isp configure their end so that all mail for your domain is
transferred via uucp to your machine.

4) Set up your home machine to send all mail outside your domain to your
isp (check out the postfix faq for details) via uucp.  This isn't
totally necessary if you have a fast link - I have a cablemodem and do
all my outgoing delivery myself.

5) Set up your ip-up script to add a call of 'uucico -S ispuucpname' to
force a connection to pick up your pending mail & send out your outgoing
queue.

6) add a cron job to do 'uucico -S ispuucpname' every hour or so to pick
up your mail

If you want to have incoming uucp over tcp and use a separate password
file for uucp (recommended), put the password entries into
/etc/uucp/passwd and add

uucp    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/uucico -l

to your inetd.conf and then kill -HUP inetd

When I was using diald and ppp for a dialup connection, I had my ip-up
script touch /var/run/linkup and then had ip-down remove it.  Then I
could have cron jobs check to see if the link was already up before
doing anything.

The big advantage of having your mail come in over uucp is that it will
resume interrupted transfers where they left off, rather than making you
retransmit the whole message.  Very nice if you have timed local phone
service.

If your own isp won't do this, there are companies out there who will,
including the consulting firm I work with (http://www.communiweb.net).

jpb
-- 
Joe Block <[EMAIL PROTECTED]>
CREOL System Administrator

Social graces are the packet headers of everyday life.
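Steps 5 and 6 above together with the /var/run/linkup flag Joe describes, as an added example (my own script, not Joe's): the cron poll only runs uucico while the PPP link is up, and a lock prevents a second hourly run from starting another uucico while the previous transfer is still going. LINKUP, LOCKDIR and the ISP uucp name are assumed values; UUCICO defaults to "echo uucico", a dry run, so the helper can be exercised without a uucp configuration.

```shell
#!/bin/sh
# Added example, not Joe's scripts: link flag from ip-up/ip-down plus a
# locked cron poll of the ISP's uucp queue.  All paths and names are assumed;
# UUCICO is a dry-run echo unless overridden.
LINKUP="${LINKUP:-/var/run/linkup}"
LOCKDIR="${LOCKDIR:-/var/lock/uucp-poll.lock}"
UUCICO="${UUCICO:-echo uucico}"
ISP_UUCP="${ISP_UUCP:-ispuucpname}"

# Called from /etc/ppp/ip-up (link_up) and /etc/ppp/ip-down (link_down).
link_up()   { : > "$LINKUP"; }
link_down() { rm -f "$LINKUP"; }

# Cron entry (assumed):  0 * * * *  /usr/local/sbin/uucp-poll
# Returns 0 when a poll ran, 1 when the link is down, 2 when another poll
# still holds the lock, 3 when uucico itself failed.
poll_mail() {
    [ -e "$LINKUP" ] || return 1
    # mkdir either creates the directory or fails, atomically, so it works as
    # a race-free lock; a stale lock left by a crash has to be removed by hand.
    mkdir "$LOCKDIR" 2>/dev/null || return 2
    rc=0
    $UUCICO -S "$ISP_UUCP" || rc=3
    rmdir "$LOCKDIR"
    return $rc
}

# Stand-alone run: behaves like the hourly cron job.
poll_mail
```

Because the flag file and the lock are both plain filesystem objects, the same test works from a shell without ppp or uucp installed: create the flag, run the poll, and see the dry-run "uucico -S ispuucpname" line; remove the flag and nothing runs.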


Re: dynamic IP's, IP masq and mail, can it be done?

2000-01-25 Thread Allan M. Wind
On 2000-01-25 01:29:55, Ethan Benson wrote:

> I have a small network connected to the internet via a IP masq 
> gateway, and would like to get mail working, but the above setup is a 
> nightmare for mail it would seem.

Why?  Sounds like mail masq'ing.

> is it even possible for mail to work in such a setup or am i wasting 
> my time?

Depends on what you are trying to do.  Outgoing mail should be "easy",
incoming mail wouldn't make sense unless you have a domain name (of
some sort).

> I got the gateway machine to send mail, but my fake domain still
> shows up in various places, such as the message ID and a second From
> line.

Hmm... sounds like you didn't masq the envelope.

> and in order to do that i had to setup a virtual table for all the
> local user accounts, otherwise when cron or something send mail to
> root it would go to [EMAIL PROTECTED] ...

I used:

canonical_maps = hash:/etc/postfix/canonical

to map root to my normal email (in case my box dies,
it might have left a clue there).

root [EMAIL PROTECTED]

and 

sender_canonical_maps = hash:/etc/postfix/canonical_sender

to map a user without a real email address to my email address

user [EMAIL PROTECTED]

and finally:

recipient_canonical_maps = hash:/etc/postfix/canonical_receiver

to have mail to the user without email be delivered locally
if sent from my box.

> should I just get a static IP and a real domain name or is there some 
> way to make this work that is not too ugly?

There's no way around specifying your local accounts as you have to
tell your mta that it's only authoritative for a set of accounts.  You
could automate things using something like make with a dependency on
your /etc/passwd and some script to filter out the accounts that you
don't care about.

> (the way i got mail to work partially, was to disable dns lookups in 
> postfix, which allows mail to get delivered within the fake network, 
> and setting myorigin to alaska.net on the gateway

Ok.

> and setting the vitual table to redirect root and such to localhost
> but other machines cannot send mail still. and the gateway i think
> does not send correct mail since it has all this fake crap in it...)

You probably need to enable relay for your local network, but otherwise
it sounds like you're on the right path.


/Allan
-- 
Allan M. Wind   Email: [EMAIL PROTECTED]
P.O. Box 2022   Phone: 781.279.4513 (home)
Woburn, MA 01888-0022   Phone: 781.274.7000 ext. 368 (work)
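Allan's suggestion of generating the account list from /etc/passwd, as an added example (my own script, not Allan's configuration): it builds the sender_canonical table he describes from a passwd-format file, so the accounts whose mail gets rewritten to a real address follow /etc/passwd instead of a hand-kept list. The target address, the accounts in the sample file and the Makefile rule are constructed; the Postfix parameter name and the postmap command are real.

```shell
#!/bin/sh
# Added example, not Allan's configuration.  Assumed wiring (a Makefile rule):
#   /etc/postfix/canonical_sender: /etc/passwd
#           sh gen-canonical.sh $< you@example.net > $@ && postmap $@
# with main.cf carrying the line from the message above:
#   sender_canonical_maps = hash:/etc/postfix/canonical_sender

# Usage: gen_sender_canonical PASSWD_FILE REAL_ADDRESS   ("-" reads stdin)
# Prints "account real-address" for root and for every ordinary login account
# (uid 1000-59999, the adduser range on Debian, with a shell other than
# nologin/false).  System accounts such as daemon and nobody are left alone so
# their mail keeps its own sender and is not mistaken for yours.
gen_sender_canonical() {
    awk -F: -v addr="$2" '
        $1 == "root" { print $1, addr; next }
        $3 >= 1000 && $3 < 60000 && $7 !~ /(nologin|false)$/ { print $1, addr }
    ' "$1"
}

# Constructed passwd content for a dry run.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
ethan:x:1000:1000:Example User:/home/ethan:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/usr/sbin/nologin
EOF
}

# Dry run: prints "root you@example.net" and "ethan you@example.net".
sample_passwd | gen_sender_canonical - you@example.net
```

The output is the lookup-table format Postfix expects, one "key value" pair per line; postmap turns it into the hash file main.cf points at, and the make dependency means a new login account is picked up the next time the table is rebuilt.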


dynamic IP's, IP masq and mail, can it be done?

2000-01-25 Thread Ethan Benson

Hi,

I have a small network connected to the internet via a IP masq 
gateway, and would like to get mail working, but the above setup is a 
nightmare for mail it would seem.


is it even possible for mail to work in such a setup or am i wasting 
my time?  I got the gateway machine to send mail, but my fake domain 
still shows up in various places, such as the message ID and a second 
From line.  and in order to do that i had to setup a virtual table 
for all the local user accounts, otherwise when cron or something 
send mail to root it would go to [EMAIL PROTECTED] ...


I am using Postfix and have gone through pretty much all of the 
documentation on the web site and still don't have this all working 
very well, and it seems to be a very very messy setup.


should I just get a static IP and a real domain name or is there some 
way to make this work that is not too ugly?


(the way i got mail to work partially, was to disable dns lookups in 
postfix, which allows mail to get delivered within the fake network, 
and setting myorigin to alaska.net on the gateway and setting the 
virtual table to redirect root and such to localhost but other 
machines cannot send mail still. and the gateway i think does not 
send correct mail since it has all this fake crap in it...)


thanks for any advice..

--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/


Re: IP Masq

2000-01-19 Thread Ethan Benson

On 19/1/2000 Timothy C. Phan wrote:



  Many thanks on the IP masquerading HOWTO. I'll download it
  and read it.

  I used to remember that debian has different way to compile
  the kernel.  Is there an HOWTO on Debian kernel compile/install.


yes, but it's not required: get the kernel-package package and read its 
docs; it lets you create kernel .debs like the ones debian distributes.



  Secondly, I looked at all the packages that I've mirror on slink,
  I saw the base directory has only kernel-image-2.03[3-8]_2.3..
  My question is what is version 2.0 and 2.2 that you mentioned
  in your email(included).  What diff, and which to use.


kernel 2.0 is used in slink, potato uses kernel 2.2; 2.2 is a better 
kernel to use for ip masq IMO.  I am not certain if any debian 
packaged kernel has IP masq compiled in though; I suspect they do.



  Lastly, what is in the ipmasq package?


basically a set of prewritten ipchains rules to protect the internal 
private network, prevent spoofing and to set up the masquerading.  you 
install it and you're done, pretty much; I have looked at it and it 
seems sufficient.  do note that it does nothing to protect the 
firewall itself; it works on the assumption you disable all its 
services.  if not, you need to set up some ipchains rules yourself 
(which I am now trying to do...)



  Thank you very much again!


np


--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/


Re: IP Masq

2000-01-19 Thread Timothy C. Phan
Hi Ethan,

  Many thanks on the IP masquerading HOWTO. I'll download it
  and read it.

  I used to remember that debian has different way to compile
  the kernel.  Is there an HOWTO on Debian kernel compile/install.

  Secondly, I looked at all the packages that I've mirror on slink,
  I saw the base directory has only kernel-image-2.03[3-8]_2.3..
  My question is what is version 2.0 and 2.2 that you mentioned
  in your email(included).  What diff, and which to use.

  Lastly, what is in the ipmasq package?

  Thank you very much again!

Ethan Benson wrote:
> 
> On 18/1/2000 Timothy C. Phan wrote:
> 
> >   I'd like to know if the slink kernel is built with IP Masq?
> >   Or could someone point me to where can I find information
> >   on setup a IP Masq linux box.  TIA!
> 
> Check out the IP masquerading HOWTO, on your favorite HOWTO mirror.
> it explains all the options you need to enable when recompiling your
> kernel (if you need to; i never use stock kernels for any longer than
> it takes to compile my own). it also goes over in detail how to
> configure everything properly, for both 2.0 and 2.2 kernels.
> 
> potato and possibly slink have a ipmasq package which seems to work
> right out the box if your kernel is ipmasq compiled, though i think
> it would be a good idea to read the howto and go over those rules to
> make sure they are appropriate for your environment.  (you may have
> differing security requirements etc)
> 
> Ethan


Re: IP Masq

2000-01-19 Thread Ethan Benson

On 18/1/2000 Timothy C. Phan wrote:


  I'd like to know if the slink kernel is built with IP Masq?
  Or could someone point me to where can I find information
  on setup a IP Masq linux box.  TIA!


Check out the IP masquerading HOWTO, on your favorite HOWTO mirror. 
it explains all the options you need to enable when recompiling your 
kernel (if you need to; i never use stock kernels for any longer than 
it takes to compile my own). it also goes over in detail how to 
configure everything properly, for both 2.0 and 2.2 kernels.


potato and possibly slink have a ipmasq package which seems to work 
right out the box if your kernel is ipmasq compiled, though i think 
it would be a good idea to read the howto and go over those rules to 
make sure they are appropriate for your environment.  (you may have 
differing security requirements etc)


Ethan


IP Masq

2000-01-18 Thread Timothy C. Phan
Hi,

  I'd like to know if the slink kernel is built with IP Masq?
  Or could someone point me to where can I find information
  on setup a IP Masq linux box.  TIA!

---
tcp


IP Masq not running?

1999-12-08 Thread fairfax
I have a 2.2.12 kernel with IP Chains, IP Masq, diald, etc.  I have determined 
that the server never dials out, when one of the workstations tries to access 
the internet, unless I type in the command "ipmasq" at the server prompt. 

I do have the file ipmasq in /etc/init.d (and in rcS.d, etc. as S41ipmasq), I 
have included the first portion of the file below.  I tried adding the line 
"/sbin/ipmasq" to this file, right below the line that starts out "test", but 
this had no effect.  

What do I need to do to make the dialout process automatic?

IPMASQ-
#!/bin/bash
#
# ipmasq.init   Set up IP Masquerading for Debian systems
#
#   v3.0 19 July 1998

test -x /sbin/ipmasq || exit 1

case $1 in
start|restart|force-reload)
...
- END ---

Thanks,

Steve Martin


IP Masq question

1999-10-29 Thread Lance Hoffmeyer
I am trying to set up IP MASQ on a home network.  I am running Potato.  I
have the server, which we will call C1, and one client, which we will call
C2.  I have set up C1 for caching DNS.  I have also set up C1 for IP
Masquerading.  I am having problems getting C2 to connect to the internet
using names such as 'www.debian.org' although it can connect with
'209.81.8.242'.  This leads me to believe that this is a DNS problem and not
an IP Masq problem (correct?).  When I start 'nslookup' I get:

Default Server: localhost
Address: 127.0.0.1

and I can look up domain names.  Now, according to the DNS HOWTO I have a
properly functioning 'caching DNS'.  In my 'resolv.conf' file on C2 I have:

nameserver 10.254.2.1

which is the address for my server.

Why is my 'caching DNS' not working on C2?  I am not certain what other
information to include that might help in this problem and I try to keep
my emails short.  The only other information I can offer is that I can
Telnet and FTP from C1 to C2 but I can only FTP and cannot Telnet from C2
to C1.

Any help would be appreciated.

Thanks

Lance


Re: Identd behind IP Masq?

1999-10-22 Thread Joe Kellner
Did you read the documentation for midentd and set up a file with the identd
response you want for your masqueraded machine?

--
Praying mantis entrapped Cicada posing bravery with his might
Climbing the hill with spearing fist portrays the fearless fight
Striking with deadly fist again and again to reach supreme
8th generation student of Wah Lum northern praying mantis Kung Fu.
- Original Message -


From: "Harlan Crystal" <[EMAIL PROTECTED]>
To: 
Sent: Friday, October 22, 1999 4:29 AM
Subject: Identd behind IP Masq?


> Greetings,
>
> I recently reinstalled my system, and I previously
> was able to run identd while behind IP masquerading.
>
> I've installed the midentd package (identd with
> ip masq support) yet when I attempt to connect
> to irc servers, it will say " Got Ident response"
> yet still the server will not allow me in claiming
> I need to install identd.  Am I missing something
> important to get this working?
>
>
> thanks,
>  - Harlan
>
>
>
>


Identd behind IP Masq?

1999-10-22 Thread Harlan Crystal
Greetings,

I recently reinstalled my system, and I previously 
was able to run identd while behind IP masquerading.

I've installed the midentd package (identd with 
ip masq support) yet when I attempt to connect 
to irc servers, it will say " Got Ident response" 
yet still the server will not allow me in claiming 
I need to install identd.  Am I missing something 
important to get this working?


thanks,
 - Harlan


Re: DNS and IP MASQ

1999-09-25 Thread Edward Kear
At 07:09 PM 9/25/99 +0200, Jean-Yves BARBIER wrote:
>On Sat, Sep 25, 1999 at 10:10:32AM -0500, Lance Hoffmeyer wrote:
>> 
>> I have a server that dials into the internet with a client attached on a
>> home network.  My IP MASQ is working and the client can connect to the
>> internet, but only using IP Addresses.  The client cannot connect using
>> domain names.
>
>Hi Lance,
>that means your DNS isn't working at all (its work is precisely to convert
>domain names to real IPs!)
>
>> So , the connection is  10.254.2.2 --eth0--->  10.254.2.1ppp> internet
>> 
>> If I type nslookup from the server I get:
>> 
>> Default Server:  ns2.us.prserv.net
>> Address:  165.87.201.244
>
>Perhaps you told your DNS that its (first) forwarder is ns2.us.prserv.net.
>A forwarder is generally the ISP's DNS, which, because of the great amount
>of requests it gets, contains most of the regular IPs you need; so if you
>use a forwarder, it will first look in its records to see if it has the
>right IP; and if not, it will query the ROOT.SERVERS, which are the source
>of *all* correspondences between names & IPs.
>
>> I'm really not sure where this comes from but I know that if I remove it
>> and put something else in its place I am not able to browse the web or
>> fetch email.  What can I try so that the client can connect via domain
>> names and not just IP Addresses?
>
>First, DNS is acting under the UDP protocol; second, you need to let it
>pass through the firewall (and return too ;).
>
>MY firewall says: let anything, any protocol, pass within the LAN; then,
>for the INPUT from the WEB, it says: let ALL UDP packets on ports
>[1024-5999] & [6011-65535] pass (the hole is to secure X Window).
>The OUTPUT chain says: let ALL UDP packets with external destination port =
>domain (port 53) PASS.
>Then the MASQuerade rule says: MASQuerade from LAN to WEB, source LAN, DEST
>anywhere, UDP/domain(53) PASS.
>
>Hope it will help
>
>JY
>
>-- 
Try setting up a caching-only DNS on your firewall that uses your ISP's DNS
as its forwarder.  Then configure all of your clients to point to your DNS.

Install the bind package and read the DNS-HowTo.

Ed


Re: DNS and IP MASQ

1999-09-25 Thread Jean-Yves BARBIER
On Sat, Sep 25, 1999 at 10:10:32AM -0500, Lance Hoffmeyer wrote:
> 
> I have a server that dials into the internet with a client attached on a home 
> network.  My IP MASQ is working and the 
> client can connect to the internet, but only using IP Addresses.  The client 
> cannot connect using domain names.  

Hi Lance,
that means your DNS isn't working at all (its work is precisely to convert 
domain names to real IPs!)

> So , the connection is  10.254.2.2 --eth0--->  10.254.2.1ppp> internet
> 
> If I type nslookup from the server I get:
> 
> Default Server:  ns2.us.prserv.net
> Address:  165.87.201.244

Perhaps you said your DNS that its (first) forwarder is ns2.us.prserv.net.
A forwarder is generally the ISP's DNS, which, because of the great amount of
requests it gets, contains most of the regular IPs you need; so if you use a
forwarder, it will first look to its records to see if it has the right IP
within; and if not, it will query the ROOT.SERVERS, which are the source of
*all* correspondences between names & IPs.

> I'm really not sure where this comes from but I know that if I remove it and
> put something else in its place I am not able to browse the web or fetch
> email.  What can I try so that the client can connect via domain names and
> not just IP Addresses?

First, DNS is acting under the UDP protocol, second you need to let it pass
through the firewall (and return too ;).

MY firewall says: let anything, any protocols pass within the LAN; then, for
the INPUT from WEB, it says:
let ALL UDP packets on ports [1024-5999] & [6011-65535] pass (hole is to secure
X Window).
The OUTPUT chain says: let ALL UDP packets, external destination port = domain
(port 53), PASS.
Then the MASQuerade says: MASQuerade from LAN to WEB, source LAN, DEST
anywhere, UDP/domain(53) PASS.

Hope it will help

JY

-- 
Jean-Yves F. Barbier <[EMAIL PROTECTED]>
 %DCL-MEM-BAD, bad memory
VMS-F-PDGERS, pudding between the ears

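An added example, not from JY's post or anyone else's on this thread: an ipchains ruleset for a 2.2 masquerading gateway that lets the LAN resolve names through it, written to be narrower than the "all UDP above 1024" window described above. The external interface ppp0, the LAN 192.168.1.0/24 on eth0 and the resolver address 165.87.201.244 (the one Lance's nslookup printed) are placeholders. The 61000-65095 range is the 2.2 kernel's masquerade port range: every masqueraded packet leaves with a source port in that window, so replies for LAN clients can only arrive there. With DRY_RUN=1 the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: ipchains (kernel 2.2) rules letting LAN
# clients resolve names through a masquerading gateway.
# Placeholders: ppp0 (external), eth0 (LAN), 192.168.1.0/24, resolver 165.87.201.244.
EXT_IF=${EXT_IF:-ppp0}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
RESOLVER=${RESOLVER:-165.87.201.244}
# The 2.2 masquerade code rewrites the source port of every masqueraded packet
# into 61000-65095, so replies for LAN clients can only ever arrive in that
# window.  ipchains is stateless, so this window is the whole return path;
# it is still far smaller than "all UDP above 1024".
MASQ_PORTS=61000:65095

# run: print the command with DRY_RUN=1, otherwise execute it
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

dns_masq_rules() {
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P output DENY
    run ipchains -P forward DENY
    # loopback and the LAN side are trusted ("anything within the LAN")
    run ipchains -A input  -i lo -j ACCEPT
    run ipchains -A output -i lo -j ACCEPT
    run ipchains -A input  -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run ipchains -A output -i "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    # DNS: queries may leave for the resolver only.  Masqueraded packets pass
    # the output chain carrying the gateway's address, so this covers clients too.
    run ipchains -A output -i "$EXT_IF" -p udp -d "$RESOLVER" 53 -j ACCEPT
    # replies come back from the resolver's port 53 into the masquerade window only
    run ipchains -A input -i "$EXT_IF" -p udp -s "$RESOLVER" 53 -d 0.0.0.0/0 "$MASQ_PORTS" -j ACCEPT
    # web/mail over TCP: anything out; inbound only non-SYN segments (! -y) aimed
    # at the masquerade window, so nobody can open a connection to the gateway
    run ipchains -A output -i "$EXT_IF" -p tcp -j ACCEPT
    run ipchains -A input  -i "$EXT_IF" -p tcp ! -y -d 0.0.0.0/0 "$MASQ_PORTS" -j ACCEPT
    # masquerade the LAN out of the external interface and turn forwarding on
    run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Apply only when asked:  sh dns-masq.sh apply   or   DRY_RUN=1 sh dns-masq.sh apply
if [ "${1:-}" = apply ]; then
    dns_masq_rules
fi
```

One caveat: if the gateway itself runs a caching nameserver (as Ed suggests), its own queries leave from ordinary high ports, not from the masquerade window, and the reply rule above will drop them. Either make named send from port 53 (BIND's `query-source address * port 53;` option) and add a matching `-s $RESOLVER 53 -d 0.0.0.0/0 53` input rule, or accept replies from the resolver to the gateway's own port range as well.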

DNS and IP MASQ

1999-09-25 Thread Lance Hoffmeyer

I have a server that dials into the internet with a client attached on a
home network.  My IP MASQ is working and the client can connect to the
internet, but only using IP Addresses.  The client cannot connect using
domain names.

So, the connection is  10.254.2.2 --eth0--->  10.254.2.1 --ppp---> internet

If I type nslookup from the server I get:

Default Server:  ns2.us.prserv.net
Address:  165.87.201.244

I'm really not sure where this comes from but I know that if I remove it and
put something else in its place I am not able to browse the web or fetch
email.  What can I try so that the client can connect via domain names and
not just IP Addresses?

Lance


Networking Success! and a Q about IP Masq

1999-07-07 Thread Mark Wagnon
Thanks to everyone!

I finally managed to get my networking problem figured out. For some
reason some of the arguments to route that the book I have suggested
didn't work right (I couldn't even ping 127.0.0.1!) I was pulling my
hair out over what I thought was a module problem (I re-compiled my
kernel umpteen times). 

I just got IP Masquerading going (too easy!) and it's great to browse
from my other linux box. I'm running an older kernel and I plan to get
the latest asap. Right now I'm using ipfwadm to set up masquerading, but
I seem to recall that has been changed with 2.2 kernels...is that right?
If so is it just as easy to set up?

Hopefully by next weekend I'll have my windows machine wired in too.

Thanks again
-- 
 __   _
Mark Wagnon Debian GNU/ -o) / /  (_)__  __   __
Chula Vista, CA /\\/ /__/ / _ \/ // /\ \/ /   
[EMAIL PROTECTED]  _\_v/_/_//_/\_,_/ /_/\_\
   http://www.debian.org


IP Masq troubles

1999-04-26 Thread Richard Drisko
Hi

I'm trying to set up masquerading for our lab at school.
We have an existing network of wintendo machines with Samba running
on my Potato machine (skippy).  Just recently we got an internet hook up.
We're behind a firewall and get an IP via DHCP.  

I put another NIC in skippy and now I can see both networks, but it doesn't
seem to forward packets to the outside.  I can't figure it out, I set this up
at home in literally 5 minutes and it just worked.  The only difference
I can see is the IP we get, in the 198.162.x.x range.  Maybe this is
the problem?

Anyway here's my firewall rules and routing table.

Chain input (policy DENY):
target  prot opt  source           destination     ports
ACCEPT  all  --   anywhere         anywhere        n/a
ACCEPT  all  --   10.0.0.0/8       anywhere        n/a
ACCEPT  all  --   anywhere         192.168.15.52   n/a
DENY    all  l-   10.0.0.0/8       anywhere        n/a
Chain forward (policy DENY):
target  prot opt  source           destination     ports
MASQ    all  --   10.0.0.0/8       anywhere        n/a
Chain output (policy DENY):
target  prot opt  source           destination     ports
ACCEPT  all  --   anywhere         anywhere        n/a
ACCEPT  all  --   anywhere         10.0.0.0/8      n/a
ACCEPT  all  --   192.168.15.0/24  anywhere        n/a
DENY    all  l-   anywhere         10.0.0.0/8      n/a

Kernel IP routing table
Destination   Gateway          Genmask         Flags Metric Ref Use Iface
192.168.15.0  *                255.255.255.0   U     0      0   0   eth0
10.0.0.0      *                255.0.0.0       U     0      0   0   eth1
default       rtr33.auhsd.k12  0.0.0.0         UG    0      0   0   eth0

I'd really appreciate any help.  I need to get this working so I
can get back to studying.  

Please CC me at [EMAIL PROTECTED]

Thanks
Rick
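Two things worth checking on skippy before touching the rules, as an added example that is not from Rick's post or any reply: first, whether the kernel forwards at all (a MASQ rule in the forward chain does nothing while /proc/sys/net/ipv4/ip_forward reads 0); second, rule order. ipchains reads each chain top to bottom, and an `ACCEPT all -- anywhere anywhere` at the head of the input and output chains matches every packet, so the ACCEPT and DENY rules listed after it never fire and the `policy DENY` never applies. Plain `ipchains -L` hides interface bindings, so a rule that looks like a catch-all may in fact be limited with `-i`; `ipchains -L -v` shows that. The script runs a small awk pass over an `ipchains -L` listing (the one from the post, pasted in as constructed input) and reports rules it cannot reach; `forwarding_enabled` takes the file path as a parameter so it can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for a masquerading gateway
# that "sees both networks but doesn't forward".

# forwarding_enabled FILE: succeeds when FILE holds 1.  On a live box FILE is
# /proc/sys/net/ipv4/ip_forward; it is a parameter so the check can run offline.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = 1 ]
}

# shadowed_rules: reads an "ipchains -L" listing on stdin and prints every rule
# that sits below a match-all rule (proto all, source anywhere, destination
# anywhere) in the same chain.  Plain "ipchains -L" omits the interface, so a
# reported rule may still be reachable if the match-all one was bound with -i;
# confirm with "ipchains -L -v".
shadowed_rules() {
    awk '
        /^Chain /  { chain = $2; catchall = ""; next }   # "Chain input (policy DENY):"
        /^target / { next }                              # column header
        NF == 0    { next }
        {
            # columns: target prot opt source destination ports
            if (catchall != "") {
                printf "%s: rule \"%s %s %s %s %s\" is unreachable (after a match-all %s)\n",
                       chain, $1, $2, $3, $4, $5, catchall
                next
            }
            if ($2 == "all" && $4 == "anywhere" && $5 == "anywhere") catchall = $1
        }'
}

# Constructed input: the listing from the post above.
POSTED_LISTING='Chain input (policy DENY):
target prot opt source destination ports
ACCEPT all -- anywhere anywhere n/a
ACCEPT all -- 10.0.0.0/8 anywhere n/a
ACCEPT all -- anywhere 192.168.15.52 n/a
DENY all l- 10.0.0.0/8 anywhere n/a
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all -- 10.0.0.0/8 anywhere n/a
Chain output (policy DENY):
target prot opt source destination ports
ACCEPT all -- anywhere anywhere n/a
ACCEPT all -- anywhere 10.0.0.0/8 n/a
ACCEPT all -- 192.168.15.0/24 anywhere n/a
DENY all l- anywhere 10.0.0.0/8 n/a'

# shadowed_in_posting: the analysis over the constructed listing
shadowed_in_posting() {
    printf '%s\n' "$POSTED_LISTING" | shadowed_rules
}

# On a live gateway:
#   ipchains -L | shadowed_rules
#   forwarding_enabled /proc/sys/net/ipv4/ip_forward || echo "forwarding is off"
```

On the posted listing the pass reports six rules, three in input and three in output, and nothing in forward; the forward chain's single MASQ rule is the only one that is doing what its author intended.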



Networking IP Masq question

1999-03-30 Thread Steve Martin
I have a question regarding networking and IP Masquerading that doesn't
seem to be handled in "just one" HOWTO. Perhaps someone here can help.

I have 3 boxes on a small home LAN, connected to the 'net with ADSL. I
have 2 static IP's. Boxes 1 and 2 are both running debian Linux 2.1 with
kernel 2.2.4 on box 1, kernel 2.2.1 on box 2. Box 3 is running Windows 98.

Box 1 is the gateway box connected to the DSL router, and is running IP
Chains. eth0 is set to my first static IP, and eth1 is set to 192.168.1.1.
To connect the other 2 machines, I have an rj-45 cable running from eth1
on box 1 to a Linksys 10/100 ethernet switch, and boxes 2 and 3 are
connected to the switch via the same method, with their respective eth0.

At the present time, all three boxen have access to the 'net with IP
Masq'ing and all is working fine. The question that I haven't been able to
find the answer to is this. How, using the same network topography as I
currently have, can I make use of my second IP? My guess is that it's
something using IP Alias, but I haven't been able to figure out on my own
how to alias the boxes on my LAN to use the second IP.

Any help would be greatly appreciated. I'm not presently subscribed to
debian-user, but I will be checking the list for replies to this request
if you don't wish to respond directly back to me. 

TIA
Steve Martin 

- -
Steve Martin (not the famous one)  |  If a man's legacy is measured by
[EMAIL PROTECTED]  |  his achievements, I haven't a
nunya_ in EFnet #Linux |  moment to waste. 
   |  First thing tomorrow...
- --



Re: IP Masq

1999-03-18 Thread Peter Ludwig
On Tue, 16 Mar 1999, Torsten Landschoff wrote:

> Ahem - this way you block portmap from the outside but let everything else in.
> That's bad! And, of course - portmap alone will not buy you anything, you will
> need to enable rpc.mountd and rpc.nfsd to the inside too.

I understand that, after reading through all the documentation that I've
got here, but please explain one thing to me.  That hosts.deny file you
saw was DIRECT from the default installation, if it's so bad to have it
set that way, why didn't they TELL people?

Besides, that file is actually irrelevant to me, as I'm running IP
Masquerading and a few other things that attack the incoming connection
first... mainly I deny access from outside to everything.  The hosts.deny
file is just used (by myself anyway as far as I can tell) by my internal
network, and I _WANT_ all of the ports in the internal network to work.

> > These files are VERY important, without them setup correctly, no matter
> > what I did I couldn't do anything.
> 
> With your setup you could do nearly everything.

Really?  Then why couldn't I?

> > For your information portmap refers to the gateway/hosts DNS server, and
> > the above files should be on the gateway/host.
> 
> portmap is not a dns server. The dns is called named. portmap is a program to

I was attempting to simplify my explanation, sorry if it has offended you
slightly, or put your back up.  A better wording would be :-

"For your information portmap refers to the system you are calling your
gateway/host, and the above files should be similar to those you have on
your gateway/host."

> enable remote procedure calls (rpc) so you can use services like network
> information system (nis) or network file system (nfs). You do not want to open
> these to the outside!

But the problem he was experiencing (and so was I until I changed my files
to the above settings) was that if you came in from outside you _COULD_
access everything, but coming in from the local network - nothing at all.

My system runs very well now, I've got a secondary machine that I
occasionally have linux running on it, but more often has OS/2 or Win95
running on it (for web page design more than anything else).

BTW - I believe that I already have had one person (at least) attempt to
get into my system from outside, it was pretty slack the way he tried so
it was only half-hearted, but as I expected - bounce... 

Regards,
Peter Ludwig



Re: IP Masq

1999-03-17 Thread Torsten Landschoff
On Tue, Mar 02, 1999 at 06:39:27PM +1000, Peter Ludwig wrote:
 
> The Client machine needs to have it's default gateway set as your
> gateway/host machine.  Oops... forgot an important detail before, you'll
> need to allow the IP number for your client machine as part of the allowed
> systems in your hosts.allow file for portmap:
> [hosts.allow snipped]
> 
> # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
> #  See the manual pages hosts_access(5), hosts_options(5)
> #  and /usr/doc/netbase/portmapper.txt.gz
> #
> # Example:ALL: some.host.name, .some.domain
> # ALL EXCEPT in.fingerd: other.host.name, .other.domain
> #
> # If you're going to protect the portmapper use the name "portmap" for the
> # daemon name. Remember that you can only use the keyword "ALL" and IP
> # addresses (NOT host or domain names) for the portmapper. See portmap(8)
> # and /usr/doc/netbase/portmapper.txt.gz for further information.
> #
> # The PARANOID wildcard matches any host whose name does not match its
> # address.
> portmap: ALL
> 
> 

Ahem - this way you block portmap from the outside but let everything else in.
That's bad! And, of course - portmap alone will not buy you anything, you will
need to enable rpc.mountd and rpc.nfsd to the inside too.

> These files are VERY important, without them setup correctly, no matter
> what I did I couldn't do anything.

With your setup you could do nearly everything.

> For your information portmap refers to the gateway/hosts DNS server, and
> the above files should be on the gateway/host.

portmap is not a dns server. The dns is called named. portmap is a program to
enable remote procedure calls (rpc) so you can use services like network
information system (nis) or network file system (nfs). You do not want to open
these to the outside!

Hope this helps
Torsten




Re: IP Masq

1999-03-02 Thread Peter Ludwig
On Tue, 2 Mar 1999, Paul Nathan Puri wrote:
> When you say 'set up ip forwarding,' do you mean on the gateway/host or
> the linux client?

On the client.  Depending on how your Internet Connection is established
(I use pon/poff myself) it may or may not setup a default route on the
gateway/host machine.

> I've followed the mini howto very closely, and feel quite close.  My
> machines ping each other no problem.  But my linux client will not reach
> the outside world.  I'm running 2.2.2 on both machines.  I think I need to
> add a route on my linux client that says my gateway is 192.168.1.1, but
> "route add" doesn't work, but the howto is RH specific and I don't have
> the file: /etc/sysconfig/network-scripts/ifcfg-eth0.

Yeah, I had a problem with understanding how the ipforwarding worked when
reading the howto's myself.. that's why I use dotfile-ipfwadm I can then
just point and click  (I hope that's a microsoft trademark, because
if it is...).  Anyhow, after allowing IP Masquerading I used
dotfile-ipfwadm and well, the system worked fine.

The Client machine needs to have its default gateway set as your
gateway/host machine.  Oops... forgot an important detail before, you'll
need to allow the IP number for your client machine as part of the allowed
systems in your hosts.allow file for portmap:

Example from my system :-

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#   See the manual pages hosts_access(5), hosts_options(5)
#   and /usr/doc/netbase/portmapper.txt.gz
#
# Example:ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/netbase/portmapper.txt.gz for further information.
#
portmap: 192.168.1.0/255.255.255.0 192.168.1.2/255.255.255.0


Also make sure (for security purposes, you don't want somebody playing
with your system from outside, i.e. the internet) that you have the
hosts.deny set similar to the file below


# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#  See the manual pages hosts_access(5), hosts_options(5)
#  and /usr/doc/netbase/portmapper.txt.gz
#
# Example:ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/netbase/portmapper.txt.gz for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
portmap: ALL



These files are VERY important, without them setup correctly, no matter
what I did I couldn't do anything.

For your information portmap refers to the gateway/hosts DNS server, and
the above files should be on the gateway/host.

Hope this helps,
Peter Ludwig

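An added example, not Peter's files and not part of any post: a small evaluator for the decision tcp_wrappers makes from these two files, used to compare the posted pair against a deny file that reads `ALL: ALL`. It follows the hosts_access(5) order (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted) and handles only the subset of syntax the posted files use: the daemon list `ALL` or a name, the client list `ALL`, a dotted address or a net/mask pair. It writes the files to a scratch directory it creates; `in.telnetd` and 203.0.113.9 are arbitrary stand-ins for "some other wrapped service" and "some host on the outside".

```shell
#!/bin/sh
# Added example, not from the thread: evaluate tcp_wrappers' allow/deny decision
# for a (daemon, client) pair the way hosts_access(5) describes it:
#   1. a match in hosts.allow     -> allow
#   2. else a match in hosts.deny -> deny
#   3. else                       -> allow
# Handles only: daemon "ALL" or an exact name; clients "ALL", dotted IP, NET/MASK.

ip2int() {                       # ip2int A.B.C.D -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

client_matches() {               # client_matches PATTERN IP
    case $1 in
        ALL) return 0 ;;
        */*) net=${1%/*}; mask=${1#*/}
             [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

file_matches() {                 # file_matches FILE DAEMON IP
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $clients; do
                client_matches "$c" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

hosts_access() {                 # hosts_access DAEMON IP ALLOWFILE DENYFILE -> allow|deny
    if   file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed files: the pair from the post, plus a hardened deny file.
WORK=$(mktemp -d)
printf '%s\n' 'portmap: 192.168.1.0/255.255.255.0 192.168.1.2/255.255.255.0' > "$WORK/hosts.allow"
printf '%s\n' 'portmap: ALL' > "$WORK/hosts.deny.posted"
printf '%s\n' 'ALL: ALL'     > "$WORK/hosts.deny.hardened"   # anything not allowed is closed

# decide DENYFILE DAEMON IP: verdict for the posted hosts.allow and the named deny file
decide() {
    hosts_access "$2" "$3" "$WORK/hosts.allow" "$WORK/$1"
}

# Verdict table when run directly:  sh hosts_access.sh
for deny in hosts.deny.posted hosts.deny.hardened; do
    for pair in "portmap 192.168.1.2" "portmap 203.0.113.9" "in.telnetd 203.0.113.9"; do
        set -- $pair
        printf '%-20s %-11s %-13s %s\n' "$deny" "$1" "$2" "$(decide "$deny" "$1" "$2")"
    done
done
```

With the posted pair, portmap is reachable from the LAN and refused from outside, but any other wrapped daemon (the `in.telnetd` row) is open to the outside host because neither file names it; with `ALL: ALL` in hosts.deny that row flips to deny while the LAN's portmap access is unchanged. Note that `192.168.1.2/255.255.255.0` in the posted hosts.allow is the same /24 written a second time, not a single-host entry; a single host is written as the bare address.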


Re: IP Masq

1999-03-02 Thread Paul Nathan Puri
When you say 'set up ip forwarding,' do you mean on the gateway/host or
the linux client?

I've followed the mini howto very closely, and feel quite close.  My
machines ping each other no problem.  But my linux client will not reach
the outside world.  I'm running 2.2.2 on both machines.  I think I need to
add a route on my linux client that says my gateway is 192.168.1.1, but
"route add" doesn't work, but the howto is RH specific and I don't have
the file: /etc/sysconfig/network-scripts/ifcfg-eth0.



NatePuri
Certified Law Student
& Debian GNU/Linux Monk
McGeorge School of Law
[EMAIL PROTECTED]
http://ompages.com

On Tue, 2 Mar 1999, Peter Ludwig wrote:

> On Mon, 1 Mar 1999, Paul Nathan Puri wrote:
> > Is your address 192.168.1.1 also the address you gave your gateway?
> 
> Yes.  My Linux box serves the other machine I have here.  (It used to
> serve a win95 machine, but the person who owned the machine got a little
> bit silly and kept turning off the network settings which I had setup for
> it).
> 
> > Just wondering if my host and gateway are the same computer, whether I
> > just need 192.168.1.1 or another as well?
> 
> Well, it works for me.  If your main problem is that the other machine
> does not seem to be able to receive packets from the internet (i.e. it's a
> linux box or some such beastie), try setting up ip-forwarding.  I
> installed dotfile-ipfwadm and after I'd setup my system, boy did things
> run great.  I had a little problem originally with everything not being
> setup 100%, i.e. from the secondary machine (the one behind the linux box)
> I was able to request web pages, or ftp sites, but I couldn't receive
> them.
> 
> Regards,
>   Peter Ludwig
> 
> 
> 


Re: IP Masq

1999-03-02 Thread Peter Ludwig
On Mon, 1 Mar 1999, Paul Nathan Puri wrote:
> Is your address 192.168.1.1 also the address you gave your gateway?

Yes.  My Linux box serves the other machine I have here.  (It used to
serve a win95 machine, but the person who owned the machine got a little
bit silly and kept turning off the network settings which I had setup for
it).

> Just wondering if my host and gateway are the same computer, whether I
> just need 192.168.1.1 or another as well?

Well, it works for me.  If your main problem is that the other machine
does not seem to be able to receive packets from the internet (i.e. it's a
linux box or some such beastie), try setting up ip-forwarding.  I
installed dotfile-ipfwadm and after I'd setup my system, boy did things
run great.  I had a little problem originally with everything not being
setup 100%, i.e. from the secondary machine (the one behind the linux box)
I was able to request web pages, or ftp sites, but I couldn't receive
them.

Regards,
Peter Ludwig



Re: IP Masq

1999-03-02 Thread Paul Nathan Puri
Is your address 192.168.1.1 also the address you gave your gateway?

Just wondering if my host and gateway are the same computer, whether I
just need 192.168.1.1 or another as well?

NatePuri
Certified Law Student
& Debian GNU/Linux Monk
McGeorge School of Law
[EMAIL PROTECTED]
http://ompages.com

On Tue, 2 Mar 1999, Peter Ludwig wrote:

> On Mon, 1 Mar 1999, Paul Nathan Puri wrote:
> > I'm trying to IP Masq so that I can set up shared ppp.  
> > I enabled experimental drivers.  Then, when trying to enable networking
> > stuff, I can't find the IP Forwarding option.  
> 
> To get the IP Forwarding option you need to enable some weird options, I
> believe it's multicast something or other under 2.0.X or well, you can
> just select IP Masquerading under 2.2.1...
> 
> > Also, I don't know what to do about ifconfig:  I tried this:
> > eth0 192.168.1.1 netmask 255.255.255.0 gateway 192.168.1.1 broadcast
> > 192.168.1.255.
> > What am I doing wrong here?  I think I need to change the ip number after
> > 'eth0' to something else and add an entry to /etc/hosts.  Is this so?
> 
> I'm not sure why you need all those values, all I have mine setup to (and
> it works) is:
> ifconfig eth0 192.168.1.1 netmask 255.255.255.0
> 
> I added the gateway into the route of the machines that connect to this
> box to internet :)  Works fine for me :)
> 
> 
> 
> -- 
> Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
> 
> 


Re: IP Masq

1999-03-02 Thread Paul Nathan Puri
I did read it...

NatePuri
Certified Law Student
& Debian GNU/Linux Monk
McGeorge School of Law
[EMAIL PROTECTED]
http://ompages.com

On Mon, 1 Mar 1999, Ramiel Givergis wrote:

> Read --> http://metalab.unc.edu/LDP/HOWTO/mini/IP-Masquerade.html
> before you ask any questions.
> 
> 
> At 10:49 PM 3/1/99 -0800, Paul Nathan Puri wrote:
> >I'm trying to IP Masq so that I can set up shared ppp.  
> >
> >I enabled experimental drivers.  Then, when trying to enable networking
> >stuff, I can't find the IP Forwarding option.  
> >
> >Also, I don't know what to do about ifconfig:  I tried this:
> >eth0 192.168.1.1 netmask 255.255.255.0 gateway 192.168.1.1 broadcast
> >192.168.1.255.
> >
> >What am I doing wrong here?  I think I need to change the ip number after
> >'eth0' to something else and add an entry to /etc/hosts.  Is this so?
> >
> >NatePuri
> >Certified Law Student
> >& Debian GNU/Linux Monk
> >McGeorge School of Law
> >[EMAIL PROTECTED]
> >http://ompages.com
> >
> >
> 
> 
> 
> 
> Ramiel Givergis, [EMAIL PROTECTED], http://www.relm.net 
> --~~~===<[^]>===~~~-- 
> This mail is a natural product. The slight variations in spelling and 
> grammar enhance its individual character and beauty and in no way are to 
> be considered flaws or defects.
> 
> 
> 
> 


Re: IP Masq

1999-03-02 Thread Ramiel Givergis
Read --> http://metalab.unc.edu/LDP/HOWTO/mini/IP-Masquerade.html
before you ask any questions.


At 10:49 PM 3/1/99 -0800, Paul Nathan Puri wrote:
>I'm trying to IP Masq so that I can set up shared ppp.  
>
>I enabled experimental drivers.  Then, when trying to enable networking
>stuff, I can't find the IP Forwarding option.  
>
>Also, I don't know what to do about ifconfig:  I tried this:
>eth0 192.168.1.1 netmask 255.255.255.0 gateway 192.168.1.1 broadcast
>192.168.1.255.
>
>What am I doing wrong here?  I think I need to change the ip number after
>'eth0' to something else and add an entry to /etc/hosts.  Is this so?
>
>NatePuri
>Certified Law Student
>& Debian GNU/Linux Monk
>McGeorge School of Law
>[EMAIL PROTECTED]
>http://ompages.com
>
>




Ramiel Givergis, [EMAIL PROTECTED], http://www.relm.net 
--~~~===<[^]>===~~~-- 
This mail is a natural product. The slight variations in spelling and 
grammar enhance its individual character and beauty and in no way are to 
be considered flaws or defects.


Re: IP Masq

1999-03-02 Thread Peter Ludwig
On Mon, 1 Mar 1999, Paul Nathan Puri wrote:
> I'm trying to IP Masq so that I can set up shared ppp.  
> I enabled experimental drivers.  Then, when trying to enable networking
> stuff, I can't find the IP Forwarding option.  

To get the IP Forwarding option you need to enable some weird options, I
believe it's multicast something or other under 2.0.X or well, you can
just select IP Masquerading under 2.2.1...

> Also, I don't know what to do about ifconfig:  I tried this:
> eth0 192.168.1.1 netmask 255.255.255.0 gateway 192.168.1.1 broadcast
> 192.168.1.255.
> What am I doing wrong here?  I think I need to change the ip number after
> 'eth0' to something else and add an entry to /etc/hosts.  Is this so?

I'm not sure why you need all those values, all I have mine setup to (and
it works) is:
ifconfig eth0 192.168.1.1 netmask 255.255.255.0

I added the gateway into the route of the machines that connect to this
box to internet :)  Works fine for me :)



IP Masq

1999-03-02 Thread Paul Nathan Puri
I'm trying to IP Masq so that I can set up shared ppp.  

I enabled experimental drivers.  Then, when trying to enable networking
stuff, I can't find the IP Forwarding option.  

Also, I don't know what to do about ifconfig:  I tried this:
eth0 192.168.1.1 netmask 255.255.255.0 gateway 192.168.1.1 broadcast
192.168.1.255.

What am I doing wrong here?  I think I need to change the ip number after
'eth0' to something else and add an entry to /etc/hosts.  Is this so?

NatePuri
Certified Law Student
& Debian GNU/Linux Monk
McGeorge School of Law
[EMAIL PROTECTED]
http://ompages.com


Re: IP Masq and debian

1998-10-13 Thread Lee Bradshaw
Thanks for the help everyone. After looking at things some more, I
dropped ipfwadm and patched the kernel to support ipchains. I haven't
totally configured my second pc, but I can bring it up manually as a
backup to my isdn router. (My isp seems to have performance problems on
isdn, and I can sometimes get better response with a 56K modem.)

FYI I have a machine at work where I'm setting up masquerading and three
ethernet cards. Ipchains looked like it would support that system better
than ipfwadm and it seems to be required in the future anyway.

-- 
Lee Bradshaw [EMAIL PROTECTED] (preferred)
Alantro Communications   [EMAIL PROTECTED]


Re: IP Masq and debian

1998-10-09 Thread John Forest
Lee Bradshaw wrote:
> Hi,
> 
> How am I supposed to use the ipmasq package with ppp? Is it possible?
> I tried using 0.0.0.0 as the external ip address, but I received a
> few error messages when booting and I couldn't telnet to the machine
> anymore. I couldn't find any documentation in /usr/doc/ipmasq and the
> man pages just said that there were no useful man pages. After removing
> ipmasq and rebooting telnet to the machine worked fine again.
> 
> I executed the following commands to get masquerading to work manually:
> 
>   ipfwadm -F -p deny
>   ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
> 
> After changing the default route on another system I was able to bring
> up web pages through the masquerading system.
> 
> Does anyone have any suggestions on how to use the ipmasq package with ppp and
> dynamic addresses (I assume it works ok with static addresses)? How about
> suggestions on where to put ipfwadm filtering commands in the initialization
> directories?
> 
> -- 
> Lee Bradshaw [EMAIL PROTECTED] (preferred)
> Alantro Communications   [EMAIL PROTECTED]
> 
> 
I put the 'ipfwadm' commands in a file called localrc and used the update-rc.d
command to put it as S91 in the startup sequence.
(see /etc/init.d/README for more information)

As far as dynamic ip addressing.  I use the option -W ppp0 to indicate the
dynamic port.  eg:
   ipfwadm -I -a deny -S 192.168.0.0/16 -W ppp0 -o
Will prevent anything from coming over the dialup line pretending to be one of
the private ip numbers, with logging (-o).
Doesn't matter what ip number I received from my ISP.

John.


Re: IP Masq and debian

1998-10-09 Thread Wayne Cuddy
I think for the second line you don't need to specify the -D; if you
only specify -S then -D defaults to anywhere.

> >  ipfwadm -F -p deny
> >  ipfwadm -F -a m -S 192.168.1.0/2

I am not using dynamic addressing but I did write some custom scripts
that setup my ipmasq system, as the ones that came with the
distribution are not so great.

My suggestion to you is read the docs for PPP.  /etc/ppp/ip.up and
/etc/ppp/ip.down are executed when a ppp connection is
connected/disconnected.  The arguments to these scripts are the
addresses negotiated during the connection so you could setup your
ipmasq using this information easily.

Hope this helps man..

> At 06:31 PM 10/08/1998 -0400, Lee Bradshaw wrote:
> >Hi,
> >
> >How am I supposed to use the ipmasq package with ppp? Is it possible?
> >I tried using 0.0.0.0 as the external ip address, but I received a
> >few error messages when booting and I couldn't telnet to the machine
> >anymore. I couldn't find any documentation in /usr/doc/ipmasq and the
> >man pages just said that there were no useful man pages. After removing
> >ipmasq and rebooting telnet to the machine worked fine again.
> >
> >I executed the following commands to get masquerading to work manually:
> >
> >  ipfwadm -F -p deny
> >  ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
> >
> >After changing the default route on another system I was able to bring
> >up web pages through the masquerading system.
> >
> >Does anyone have any suggestions on how to use the ipmasq package with ppp
> and
> >dynamic addresses (I assume it works ok with static addresses)? How about
> >suggestions on where to put ipfwadm filtering commands in the initialization
> >directories?
> >
> >-- 
> >Lee Bradshaw [EMAIL PROTECTED] (preferred)
> >Alantro Communications   [EMAIL PROTECTED]
> >
> >
> >
> >
> 
> 
> 

Wayne Cuddy
CRB-WEB (C & H Consulting)
http://www.crb-web.com
[EMAIL PROTECTED]

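An added example, not from Lee's, John's or Wayne's posts: Lee's two ipfwadm lines plus John's anti-spoofing rule, wrapped as the hook pppd runs when the link comes up, so the rules never need the ISP's address in advance. pppd calls /etc/ppp/ip-up and /etc/ppp/ip-down with the interface name, tty, speed, local IP, remote IP and ipparam as $1 through $6 (pppd(8)), which is the information Wayne refers to. The LAN 192.168.1.0/24 and the ppp0 and 203.0.113.5 values in the usage note are placeholders. With DRY_RUN=1 the script prints what it would run; installed as /etc/ppp/ip-up with ip-down linked to it, it dispatches on its own name.

```shell
#!/bin/sh
# Added example, not from the thread.  Install as /etc/ppp/ip-up and link it to
# /etc/ppp/ip-down; pppd runs it as
#   ip-up IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# so the masquerade and anti-spoofing rules can use the address just negotiated.
LAN_NET=${LAN_NET:-192.168.1.0/24}    # placeholder: the home network behind the box

run() {                                # print with DRY_RUN=1, otherwise execute
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# masq_up IFACE LOCAL_IP: ipfwadm (2.0 kernel) rules for a freshly raised link
masq_up() {
    iface=$1 local_ip=$2
    run ipfwadm -I -f                          # start from empty input and forward chains
    run ipfwadm -F -f
    run ipfwadm -F -p deny                     # forward nothing unless masqueraded
    # anti-spoofing on the dialup side (John's rule, logged with -o): private
    # ranges and our own new address must never arrive from the ISP
    run ipfwadm -I -a deny -S 10.0.0.0/8     -W "$iface" -o
    run ipfwadm -I -a deny -S 172.16.0.0/12  -W "$iface" -o
    run ipfwadm -I -a deny -S 192.168.0.0/16 -W "$iface" -o
    run ipfwadm -I -a deny -S "$local_ip/32" -W "$iface" -o
    # masquerade the LAN out of the dialup interface; -W names the interface,
    # so the rule is the same whatever address pppd hands out
    run ipfwadm -F -a m -S "$LAN_NET" -D 0.0.0.0/0 -W "$iface"
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# masq_down: drop the rules again when the link goes away
masq_down() {
    run ipfwadm -F -f
    run ipfwadm -I -f
    run sh -c 'echo 0 > /proc/sys/net/ipv4/ip_forward'
}

# pppd passes the interface as $1 and the local address as $4
case ${0##*/} in
    ip-up)   masq_up "$1" "$4" ;;
    ip-down) masq_down ;;
esac
```

To preview what a connection would install, run it under its installed name with pppd's argument order, for example `DRY_RUN=1 /etc/ppp/ip-up ppp0 /dev/ttyS1 57600 203.0.113.5 203.0.113.1`. If your pppd package already ships an /etc/ppp/ip-up that hands off to a hook directory, call these functions from a hook there instead of replacing it; the positional arguments are the same.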

Re: IP Masq and debian

1998-10-08 Thread Dimitri P.
Hi there... I stumbled on the same problem and I am now running it with the
script in /etc/rc.boot/ipmasq disabled, and a startup file similar to what
you are using.  It seems to be the simplest way to run IP masq.  I haven't
tried deciphering the script that uses /etc/ipmasq.conf to see what it does
different from the 2 simple lines that seem to work just fine.

I believe there is some fine line between setting up masquerading and
protecting the system from the outside world, as setup in the
/etc/init.d/netbase spoofing section... I need to read some more and try to
figure out how these interrelate to each other.  I think I have spoofing
protection disabled on my machine; I commented out all the "deny" lines :)

I hope some of this makes sense...helpful comments are always welcomed :)

Dimitri 




At 06:31 PM 10/08/1998 -0400, Lee Bradshaw wrote:
>Hi,
>
>How am I supposed to use the ipmasq package with ppp? Is it possible?
>I tried using 0.0.0.0 as the external ip address, but I received a
>few error messages when booting and I couldn't telnet to the machine
>anymore. I couldn't find any documentation in /usr/doc/ipmasq and the
>man pages just said that there were no useful man pages. After removing
>ipmasq and rebooting telnet to the machine worked fine again.
>
>I executed the following commands to get masquerading to work manually:
>
>  ipfwadm -F -p deny
>  ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
>
>After changing the default route on another system I was able to bring
>up web pages through the masquerading system.
>
>Does anyone have any suggestions on how to use the ipmasq package with ppp
and
>dynamic addresses (I assume it works ok with static addresses)? How about
>suggestions on where to put ipfwadm filtering commands in the initialization
>directories?
>
>-- 
>Lee Bradshaw [EMAIL PROTECTED] (preferred)
>Alantro Communications   [EMAIL PROTECTED]
>
>
>
>


IP Masq and debian

1998-10-08 Thread Lee Bradshaw
Hi,

How am I supposed to use the ipmasq package with ppp? Is it possible?
I tried using 0.0.0.0 as the external ip address, but I received a
few error messages when booting and I couldn't telnet to the machine
anymore. I couldn't find any documentation in /usr/doc/ipmasq and the
man pages just said that there were no useful man pages. After removing
ipmasq and rebooting telnet to the machine worked fine again.

I executed the following commands to get masquerading to work manually:

  ipfwadm -F -p deny
  ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0

After changing the default route on another system I was able to bring
up web pages through the masquerading system.

Does anyone have any suggestions on how to use the ipmasq package with ppp and
dynamic addresses (I assume it works ok with static addresses)? How about
suggestions on where to put ipfwadm filtering commands in the initialization
directories?

-- 
Lee Bradshaw [EMAIL PROTECTED] (preferred)
Alantro Communications   [EMAIL PROTECTED]


Re: IP Masq

1998-10-07 Thread Dimitri P.
"You have IP-masq"do you mean configured or simply installed?
you can run ipmasqconfig , or edit /etc/ipmasq.conf 

read the how-to or simply do this:

ipfwadm -F -p deny
ipfwadm -F -a m -S xxx.xxx.xxx.0/24 -D 0.0.0.0/0

where xxx.xxx.xxx.xxx the address of your internal class C network address.
the 24 becomes 16 for a class b and 8 for class a.

www.linux.org, support, mini HOWTOs has one on IP masquerading


Dimitri 

At 08:12 AM 10/06/1998 -0400, Collin Rose wrote:
>I have IP masq and all dependents. How do I set it up for a PPP Dial up
>connection?
>
>
>
>
>
>
>


IP Masq

1998-10-07 Thread Collin Rose
I have IP masq and all dependents. How do I set it up for a PPP Dial up
connection?





IP Masq

1998-10-06 Thread Collin Rose
Is there a way to setup IP Masqing with out recompiling the kernel? A module
maybe (where)?



RE: IP Masq Mystery!

1998-07-25 Thread Steve Freeman
From your netstat output, it looks like your default gateway isn't set
up under hamm.  Also, check wingnut's nameserver.  It should be pointing
to your ISP's nameserver address.

Steve



