IP masquerading doesn't work on linux-image-2.6.24-etchnhalf.1-686
Hello. I just upgraded my kernel to linux-image-2.6.24-etchnhalf.1-686 because gdb was printing the error message "Failed to read a valid object file image from memory." and breakpoints jump around when I try to debug something. According to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=401482 this is a bug in linux-image-2.6.18-6-k7. The problem is, IP masquerading doesn't work when booting the etchnhalf kernel. Is there any way to fix this? Attached is my dmesg and iptables rules, if that information is required. Thanks!
Re: IP masquerading
Many thanks for all these replies. I've now got it working so that another Debian box and a Mac can both connect through the Debian gateway. The thing I was doing wrong was in setting the gateway on the other network machines. Like not doing it on the Debian one [doh!] and mixing up proxy server and gateway on the Mac. My Win98 PC still won't play ball, but that must be a problem with that machine's set-up.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: IP masquerading
--- Matt Zagrabelny <[EMAIL PROTECTED]> wrote:

> > iptables -t nat -A POSTROUTING -o ethx -j SNAT --to ppp_address
>
> this is the wrong approach for a dialup where you would get a dynamic
> ip. use masquerading instead. (this will always work regardless of your
> external ip assigned from the ISP)
>
> do the following commands:
>
> # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> # echo 1 > /proc/sys/net/ipv4/ip_forward
>
> if your external interface is not ppp0, then change ppp0 to whatever
> your external interface is.
>
> -matt zagrabelny

Thanks for the correction, you are right. I do it that way because I have a static IP address.

Regards.

--
Sergio Basurto J.

If I have seen further it is by standing on the shoulders of giants. (Isaac Newton)
Re: IP masquerading
> iptables -t nat -A POSTROUTING -o ethx -j SNAT --to ppp_address

this is the wrong approach for a dialup where you would get a dynamic ip. use masquerading instead. (this will always work regardless of your external ip assigned from the ISP)

do the following commands:

    # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    # echo 1 > /proc/sys/net/ipv4/ip_forward

if your external interface is not ppp0, then change ppp0 to whatever your external interface is.

-matt zagrabelny
Re: IP masquerading
Maybe you only need to enable IP forwarding:

    ip_forward=yes

in the file /etc/network/options

Claude

On Wed, 2004-12-08 at 23:43, Sergio Basurto Juarez wrote:
> --- [EMAIL PROTECTED] wrote:
>
> > I wonder if someone could help please!
> >
> > I've upgraded to sarge, and built a new kernel with lots of the networking
> > options built in.
> >
> > I've tried to set up IP masquerading so I can use my Debian PC as a router
> > to a [dialup] ISP. The Debian machine has a serial modem and an ethernet
> > card. The ethernet connects OK to the other computers [Macs and Windows] -
> > you can ping either way and get responses.
> >
> > Once connected to the ISP, the Debian machine can ping the IP address of its
> > modem and get a response, and can load web pages. But other machines get
> > nothing when I try.
> >
> > dmesg on the Debian machine only lists:
> >
> > 192.168.0.0, although the address of eth0 is 192.168.0.5
> > the IP address of the modem ppp0
> > and 0.0.0.0 with the modem IP under "gateway".
> >
> > Any idea what could be wrong?
>
> Try to set up your default gw to the address of the ppp connection
>
> #route add default gw ppp_address
>
> also see how your masquerade is with
> #iptables -L -t nat
>
> if it is not active you should do like this
>
> iptables -t nat -A POSTROUTING -o ethx -j SNAT --to ppp_address
>
> ethx is your external interface
> Hope this helps!!!
>
> --
> Sergio Basurto J.
>
> If I have seen further it is by standing on the shoulders of giants. (Isaac Newton)
Re: IP masquerading
--- [EMAIL PROTECTED] wrote:

> I wonder if someone could help please!
>
> I've upgraded to sarge, and built a new kernel with lots of the networking
> options built in.
>
> I've tried to set up IP masquerading so I can use my Debian PC as a router
> to a [dialup] ISP. The Debian machine has a serial modem and an ethernet
> card. The ethernet connects OK to the other computers [Macs and Windows] -
> you can ping either way and get responses.
>
> Once connected to the ISP, the Debian machine can ping the IP address of its
> modem and get a response, and can load web pages. But other machines get
> nothing when I try.
>
> dmesg on the Debian machine only lists:
>
> 192.168.0.0, although the address of eth0 is 192.168.0.5
> the IP address of the modem ppp0
> and 0.0.0.0 with the modem IP under "gateway".
>
> Any idea what could be wrong?

Try to set up your default gw to the address of the ppp connection

    #route add default gw ppp_address

also see how your masquerade is with

    #iptables -L -t nat

if it is not active you should do like this

    iptables -t nat -A POSTROUTING -o ethx -j SNAT --to ppp_address

ethx is your external interface
Hope this helps!!!

--
Sergio Basurto J.

If I have seen further it is by standing on the shoulders of giants. (Isaac Newton)
Re: IP masquerading
On Wednesday 08 December 2004 1:09 pm, [EMAIL PROTECTED] wrote:
> Once connected to the ISP, the Debian machine can ping the IP address
> of its modem and get a response, and can load web pages. But other
> machines get nothing when I try.

Did you install the ipmasq package as well?

--
Paul Johnson
[EMAIL PROTECTED]
http://ursine.dyndns.org/
IP masquerading
I wonder if someone could help please!

I've upgraded to sarge, and built a new kernel with lots of the networking options built in.

I've tried to set up IP masquerading so I can use my Debian PC as a router to a [dialup] ISP. The Debian machine has a serial modem and an ethernet card. The ethernet connects OK to the other computers [Macs and Windows] - you can ping either way and get responses.

Once connected to the ISP, the Debian machine can ping the IP address of its modem and get a response, and can load web pages. But other machines get nothing when I try.

dmesg on the Debian machine only lists:

    192.168.0.0, although the address of eth0 is 192.168.0.5
    the IP address of the modem ppp0
    and 0.0.0.0 with the modem IP under "gateway".

Any idea what could be wrong?
Re: ip masquerading
On Tue, 16 Nov 2004 19:04:16 -0800, Daniel Asarnow <[EMAIL PROTECTED]> wrote:
> Thanks for the advice. It looks like I'll be at this for a while...if
> I can't make any headway with it, I'll ask for more help
>
> Thanks again,

As a basis for your rules I recommend http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html (Rusty's Really Quick Guide To Packet Filtering) which is default-deny inbound, accept continuation traffic and outbound initiated traffic with an exception for local interfaces (I tend to change ! ppp0 to 'lo')
Re: ip masquerading
Thanks for the advice. It looks like I'll be at this for a while...if I can't make any headway with it, I'll ask for more help

Thanks again,
da

On Tue, 16 Nov 2004 03:11:38 -0600, Yusuf <[EMAIL PROTECTED]> wrote:
> Your firewall rules look, uh, ugly, meaning, not meant for human eyes.
> You should try to isolate your problem from bottom to top:
>
> Try a minimalistic firewall. Just for testing, of course, as this is
> totally insecure:
>
> # Clear all rules
> /sbin/iptables -F; /sbin/iptables -t nat -F; /sbin/iptables -t mangle -F
>
> # Enable Masquerading
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> If this solves your problems, then you should think about changing
> firehol, making the firewall by hand (but with the great help of
> fwbuilder), or (yuck!) trying to "debug" your current firehol rules.
>
> They are messing with the maximum segment size:
>
> YN tcpmss match 1400:1536 TCPMSS clamp to PMTU
>
> trying to divide oversized packets to the maximum transmission unit.
> The MTU is traditionally a source of metaphysical and NAT troubles.
>
> The problem could also probably come from your connection settings. Try
> different connections. You are over "fiver"? Try a dial-up for a change.
>
> DSL? Then maybe the aforementioned clamp is clashing with the one
> provided by pppoe. Check the config in /etc/ppp/providers/. Watch for
> the syndrome of the Roaring Penguin: a few weeks ago my router suddenly
> stopped NATing, the only clue being an obscure cry in /var/log/messages:
>
> Sep 24 19:45:48 severo pppd[1770]: Couldn't increase MTU to 1500
>
> The dreaded MTU had struck again! Well, more or less. The problem
> resulted from the inclusion of the rp-pppoe.so plugin in my DSL config
> after an update of pppoeconf. Or so I believe.
>
> Anyway, keep isolating the problem, using different frontends, configs,
> connections, machines, religions, whatever, until you corner it in its
> obscure burrow, and then, and then...!
>
> I have never recommended or performed a Linux reinstall because of
> "soft" troubles (except that time when the filesystem went on vacation),
> but there is always that option: partial or full reinstallation, quite
> like in the ol' winbugs days. But much cleaner and quicker, of course.
>
> Good luck. You'll need it ;-)
Re: ip masquerading
Your firewall rules look, uh, ugly, meaning, not meant for human eyes. You should try to isolate your problem from bottom to top:

Try a minimalistic firewall. Just for testing, of course, as this is totally insecure:

    # Clear all rules
    /sbin/iptables -F; /sbin/iptables -t nat -F; /sbin/iptables -t mangle -F

    # Enable Masquerading
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

If this solves your problems, then you should think about changing firehol, making the firewall by hand (but with the great help of fwbuilder), or (yuck!) trying to "debug" your current firehol rules.

They are messing with the maximum segment size:

    YN tcpmss match 1400:1536 TCPMSS clamp to PMTU

trying to divide oversized packets to the maximum transmission unit. The MTU is traditionally a source of metaphysical and NAT troubles.

The problem could also probably come from your connection settings. Try different connections. You are over "fiver"? Try a dial-up for a change.

DSL? Then maybe the aforementioned clamp is clashing with the one provided by pppoe. Check the config in /etc/ppp/providers/. Watch for the syndrome of the Roaring Penguin: a few weeks ago my router suddenly stopped NATing, the only clue being an obscure cry in /var/log/messages:

    Sep 24 19:45:48 severo pppd[1770]: Couldn't increase MTU to 1500

The dreaded MTU had struck again! Well, more or less. The problem resulted from the inclusion of the rp-pppoe.so plugin in my DSL config after an update of pppoeconf. Or so I believe.

Anyway, keep isolating the problem, using different frontends, configs, connections, machines, religions, whatever, until you corner it in its obscure burrow, and then, and then...!

I have never recommended or performed a Linux reinstall because of "soft" troubles (except that time when the filesystem went on vacation), but there is always that option: partial or full reinstallation, quite like in the ol' winbugs days. But much cleaner and quicker, of course.

Good luck. You'll need it ;-)
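The flush-everything recipe above is fine for proving that forwarding and NAT work, but it leaves the gateway wide open. The following script is an added example, not from the thread, that combines that recipe with the default-deny shape of Rusty's Really Quick Guide recommended earlier: FORWARD and INPUT drop by default, replies to connections the LAN started are let back in, and only the WAN side is masqueraded. The interface names, the run/DRY_RUN helper and the use of sysctl instead of echoing into /proc are assumptions.

```shell
#!/bin/sh
# Hardened masquerading gateway (added example; see lead-in).
set -e

# Run a command, or only print it when DRY_RUN is set, so the ruleset can be
# reviewed on a box without root or iptables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# apply_gateway_rules LAN_IF WAN_IF   e.g. apply_gateway_rules eth0 ppp0
apply_gateway_rules() {
    lan=$1   # interface facing the internal network
    wan=$2   # interface facing the ISP

    # Start clean, as in the testing recipe above ...
    run iptables -F
    run iptables -t nat -F
    run iptables -t mangle -F
    # ... but then deny by default instead of accepting everything.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Traffic to the gateway itself: loopback, replies, and the LAN side.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$lan" -j ACCEPT

    # Forwarding: only connections the LAN initiates, plus their replies.
    run iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade on the WAN side; survives a new address from the ISP.
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

    # Without this, the FORWARD chain never sees a packet.
    run sysctl -w net.ipv4.ip_forward=1
}

if [ $# -eq 2 ]; then
    apply_gateway_rules "$1" "$2"
fi
```

Run it as `DRY_RUN=1 sh gateway.sh eth0 ppp0` first to read the rules it would load; afterwards `iptables -L -v -t nat` should show the MASQUERADE rule on the WAN interface with a non-zero packet count once a client has sent traffic.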
Re: ip masquerading
Here's the output of iptables -L -v -t nat:

    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  any    ppp+    anywhere             anywhere

    Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
     pkts bytes target     prot opt in     out     source               destination

thanks,
da

On Thu, 11 Nov 2004 12:14:20 +, Dave Ewart <[EMAIL PROTECTED]> wrote:
> On Thursday, 11.11.2004 at 07:57 +, Alan Chandler wrote:
>
> > On Thursday 11 November 2004 03:03, Daniel Asarnow wrote:
> >
> > > The complete output of iptables -L is here: www.boxbattle.com/iptables.txt
> > > A bit long...
> >
> > I don't know what it's doing either - some things to check:-
> >
> > - There is a long list of IP networks which it's doing something with
> > (accepting or rejecting?). How do they cross relate to the sites you can't
> > access?
> >
> > - I couldn't (but I only quickly glanced at the list) see where you are doing
> > NAT forwarding.
> >
> > I don't know "firehol" but doesn't it have a configuration file which might be
> > easier to understand?
>
> Show us iptables -L -v -t nat
>
> This will include your NAT rules.
>
> Dave.
> --
> Dave Ewart - [EMAIL PROTECTED] - jabber: [EMAIL PROTECTED]
> All email from me is now digitally signed, key from http://www.sungate.co.uk/
> Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
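A triage helper for a listing like the one above, as an added example that is not from the thread: it takes the value of /proc/sys/net/ipv4/ip_forward and the text of iptables -L -v -t nat and reports, in the terms the replies use, which piece is missing (forwarding off, no MASQUERADE rule, rule on the wrong interface, or a rule that has never matched a packet). The WAN interface argument and the message wording are assumptions.

```shell
#!/bin/sh
# Masquerading triage (added example; see lead-in).

# check_masq FORWARD_VALUE WAN_IF NAT_LISTING
# Prints one finding per line, or "ok". Always returns 0.
check_masq() {
    fwd=$1; wan=$2; listing=$3
    n=0

    if [ "$fwd" != "1" ]; then
        echo "ip_forward is $fwd: forwarding is disabled"
        n=$((n + 1))
    fi

    # Columns of a -v listing: pkts bytes target prot opt in out src dst.
    # Keep only MASQUERADE rules that sit in the POSTROUTING chain.
    masq=$(printf '%s\n' "$listing" | awk '
        /^Chain /                    { inpost = ($2 == "POSTROUTING") }
        inpost && $3 == "MASQUERADE" { print $1, $7 }')

    if [ -z "$masq" ]; then
        echo "no MASQUERADE rule in POSTROUTING"
        n=$((n + 1))
    else
        while read -r pkts out; do
            # "-o ppp+" is a prefix wildcard; "any" means no -o was given.
            case $out in
                "$wan" | any) match=1 ;;
                *+) case $wan in "${out%+}"*) match=1 ;; *) match=0 ;; esac ;;
                *) match=0 ;;
            esac
            if [ "$match" -eq 0 ]; then
                echo "MASQUERADE rule is on '$out', not on $wan"
                n=$((n + 1))
            elif [ "$pkts" = "0" ]; then
                # Rule exists but nothing has hit it: the clients are not
                # routing via this gateway, or the gateway has no default route.
                echo "MASQUERADE rule on '$out' has matched no packets"
                n=$((n + 1))
            fi
        done <<EOF
$masq
EOF
    fi

    if [ "$n" -eq 0 ]; then echo ok; fi
    return 0
}

# Constructed listing, modelled on the one posted above.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    ppp+    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# On a real gateway:
#   check_masq "$(cat /proc/sys/net/ipv4/ip_forward)" ppp0 "$(iptables -L -v -t nat)"
check_masq 1 ppp0 "$SAMPLE_LISTING"
```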
Re: ip masquerading
On Thursday, 11.11.2004 at 07:57 +, Alan Chandler wrote:

> On Thursday 11 November 2004 03:03, Daniel Asarnow wrote:
>
> > The complete output of iptables -L is here: www.boxbattle.com/iptables.txt
> > A bit long...
>
> I don't know what it's doing either - some things to check:-
>
> - There is a long list of IP networks which it's doing something with
> (accepting or rejecting?). How do they cross relate to the sites you can't
> access?
>
> - I couldn't (but I only quickly glanced at the list) see where you are doing
> NAT forwarding.
>
> I don't know "firehol" but doesn't it have a configuration file which might be
> easier to understand?

Show us iptables -L -v -t nat

This will include your NAT rules.

Dave.
--
Dave Ewart - [EMAIL PROTECTED] - jabber: [EMAIL PROTECTED]
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
Re: ip masquerading
On Thursday 11 November 2004 03:03, Daniel Asarnow wrote:
> The complete output of iptables -L is here: www.boxbattle.com/iptables.txt
> A bit long...

I don't know what it's doing either - some things to check:-

- There is a long list of IP networks which it's doing something with (accepting or rejecting?). How do they cross relate to the sites you can't access?

- I couldn't (but I only quickly glanced at the list) see where you are doing NAT forwarding.

I don't know "firehol" but doesn't it have a configuration file which might be easier to understand?

--
Alan Chandler
[EMAIL PROTECTED]
First they ignore you, then they laugh at you, then they fight you, then you win. --Gandhi
ip masquerading
Hey all,

I have set up my debian box as a firewall/router for my home network (using firehol to actually make the firewall). Everything seems to be working just fine, except that the computers behind the firewall box can only access some websites. They can perform successful DNS lookups on any site with a DNS record, but they can't ping (or load in a web browser) a good chunk of them (notably, ebay.com, amazon.com, nasa.gov). Similarly, they can't SMTP to some servers. When I traceroute these servers from these computers, the route dead-ends about one server before the website itself, on a server owned by the organization/company. For example, traceroute amazon.com times out on a .amazon.com.

I have no idea why it's doing this...I thought maybe it was https or SSL sites, but wellsfargo.com works, as does barnesandnoble.com. I also had thought it was certain IP ranges that weren't working properly. This is also not the case; sites which can't be accessed come from all over the IP spectrum.

It seems that the computers behind the firewall are unable to ping or ssh into the debian router. The debian box can do everything flawlessly.

The complete output of iptables -L is here: www.boxbattle.com/iptables.txt
A bit long...

Thanks in advance,
D. A.
Re: Initializing IP Masquerading...IP Masquerade has not been enabled in the kernel.
On Thu, Oct 17, 2002 at 10:16:55AM -0400, Jim Hribar wrote:
> Installed ipmasq (apt-get install ipmasq) and it does not seem to be
> working. The error message that puzzles me is:
>
> Initializing IP Masquerading...IP Masquerade has not been enabled in the
> kernel.
> done.
> Loading IP Masquerade kernel modules...done.
>
> That occurs on boot. I installed Debian (woody) from the ide-pci network
> install disks. Does this kernel have support for IP Masquerading? What
> am I doing wrong. How can I get (without making my own) a kernel that
> supports this?

apt-get install kernel-image-.

I'd say that the kernel on the boot disks *does not* have ip{chains,tables} compiled in or even available as a module for space reasons.

-rob
Re: How to setup IP Masquerading client
On Sun, 2002-06-30 at 20:59, Romel Sandoval wrote:
> Thanks to all who helped me with my IP addresses problem
>
> Now I have successfully configured an IP Masquerading linux gateway, of
> course with the 192.168.0.1 IP. I know it's working correctly because I
> have a windows machine as client getting the Internet from this linux
> gateway.
>
> But I don't know what files I must edit in Debian to function as a client
> and how. Help!!!

run "route add default gw 192.168.0.1"

to make the change permanent, add the line:

    gateway 192.168.0.1

under the appropriate interface

-Mark
How to setup IP Masquerading client
Thanks to all who helped me with my IP addresses problem

Now I have successfully configured an IP Masquerading linux gateway, of course with the 192.168.0.1 IP. I know it's working correctly because I have a windows machine as client getting the Internet from this linux gateway.

But I don't know what files I must edit in Debian to function as a client and how. Help!!!
Re: Update - RE: rc.local in debian (was: Ip Masquerading)
"Ronald Castillo" <[EMAIL PROTECTED]> writes: > Just to update something new I have found out.. I tried pinging my ADSL > router and my brother´s PC from my Linux box and it doesn't work either, > but it did work from my Windows PC when I had it connected directly to > my ADSL router. So, now I'm feeling pretty clueless... At least in all > my PCs (incluiding the masqueraded one) internet works perfectly. > > Just in case you need it, here's a copy of my /etc/network/interfaces > file: > > # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8) > > # The loopback interface > auto lo > iface lo inet loopback > > # The first network card - this entry was created during the Debian > installation > auto eth0 > iface eth0 inet static > address 10.0.0.3 > netmask 255.0.0.0 > gateway 10.0.0.1 > > iface eth1 inet static > address 10.0.0.4 > network 10.0.0.0 > netmask 255.0.0.0 > broadcast 10.0.0.255 > > Just to make a note, 10.0.0.1 is the IP of my ADSL router. Are both Ethernet cards plugged into the same physical network? (This would be a little weird.) If not, you get into the situation where the router tries to contact the ADSL box, and discovers it has two ways to get there (both interfaces are connected to 10.0.0.0/8), and guesses wrong. I suspect you probably want to reconfigure your ADSL box to be on some different IP address (say, 192.168.0.1), and then put in /etc/network/interfaces: auto eth0 eth1 iface eth0 inet static address 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255 gateway 192.168.0.1 iface eth1 inet static address 10.0.0.4 netmask 255.0.0.0 broadcast 10.255.255.255 This results in: 10.0.0.0/8 ++ 192.168.0.0/24 To internal network <-- eth1 | Router | eth0 --> To ADSL box ++ (If you're unfamiliar, a.b.c.d/n is CIDR notation, meaning "a network with network address a.b.c.d and the high n bits of the netmask set"; 10.0.0.0/8 means "the network 10.x.x.x", 192.168.0.0/24 is "192.168.0.x".) 
-- David Maze [EMAIL PROTECTED] http://people.debian.org/~dmaze/ "Theoretical politics is interesting. Politicking should be illegal." -- Abra Mitchell -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Update - RE: rc.local in debian (was: Ip Masquerading)
Just to update something new I have found out.. I tried pinging my ADSL router and my brother's PC from my Linux box and it doesn't work either, but it did work from my Windows PC when I had it connected directly to my ADSL router. So, now I'm feeling pretty clueless... At least in all my PCs (including the masqueraded one) internet works perfectly.

Just in case you need it, here's a copy of my /etc/network/interfaces file:

    # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

    # The loopback interface
    auto lo
    iface lo inet loopback

    # The first network card - this entry was created during the Debian installation
    auto eth0
    iface eth0 inet static
        address 10.0.0.3
        netmask 255.0.0.0
        gateway 10.0.0.1

    iface eth1 inet static
        address 10.0.0.4
        network 10.0.0.0
        netmask 255.0.0.0
        broadcast 10.0.0.255

Just to make a note, 10.0.0.1 is the IP of my ADSL router.

Any light on this will be appreciated.

Ronald Castillo

-----Original Message-----
From: Ronald Castillo [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 05 June 2002 21:40
To: debian-user@lists.debian.org
Subject: RE: rc.local in debian (was: Ip Masquerading)

Hello.. I have configured my second interface as you told me (with a few changes) and it's now working fine!!! Thanks a lot for your help to you all!!!

Just two more questions.. I don't know if I should place "auto" on it because the Windows box isn't permanently turned on, so I think that Linux might show up an error message if the connection is up when the Windows box is off, doesn't it? Just like when I enable my other card when it doesn't have a LAN cable in it.

The other thing is that, from the "masqueraded" PC (the windows box), I can only ping the masquerading PC (the linux box) and not the other PCs connected to the network (my brother's windows PC and my linux box connect directly to the ADSL router and my windows PC connects to the linux box). The PC I can't ping or access is my brother's PC.

Thanks for your assistance so far..

Ronald Castillo

-----Original Message-----
From: Vineet Kumar [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 04 June 2002 2:26
To: debian-user@lists.debian.org
Subject: Re: rc.local in debian (was: Ip Masquerading)

* Colin Watson ([EMAIL PROTECTED]) [020603 16:51]:
> On Mon, Jun 03, 2002 at 11:49:54PM +0200, Ronald Castillo wrote:
> > I was thinking that I should configure my secondary LAN card (the one
> > that connects to my "internal" network) in the /etc/network/interfaces
> > card, but I don't know what to place there. I have already configured
> > the LAN card that connects me to the "outside world" without problems.
>
> Well, if it helps, here's an /etc/network/interfaces fragment from one
> of my machines:
>
> iface eth1 inet static
>     address 192.168.42.1
>     network 192.168.42.0
>     netmask 255.255.255.0
>     broadcast 192.168.42.255
>
> This brings up an interface using the second network card with IP
> address 192.168.42.1.

Also, you'll probably want to add a line that says "auto eth1" which will make eth1 come up automatically at boot, instead of only after you say "ifup eth1". IIRC, though, that's new since after potato.

good times,
Vineet
--
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml
RE: rc.local in debian (was: Ip Masquerading)
Hello.. I have configured my second interface as you told me (with a few changes) and it's now working fine!!! Thanks a lot for your help to you all!!!

Just two more questions.. I don't know if I should place "auto" on it because the Windows box isn't permanently turned on, so I think that Linux might show up an error message if the connection is up when the Windows box is off, doesn't it? Just like when I enable my other card when it doesn't have a LAN cable in it.

The other thing is that, from the "masqueraded" PC (the windows box), I can only ping the masquerading PC (the linux box) and not the other PCs connected to the network (my brother's windows PC and my linux box connect directly to the ADSL router and my windows PC connects to the linux box). The PC I can't ping or access is my brother's PC.

Thanks for your assistance so far..

Ronald Castillo

-----Original Message-----
From: Vineet Kumar [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 04 June 2002 2:26
To: debian-user@lists.debian.org
Subject: Re: rc.local in debian (was: Ip Masquerading)

* Colin Watson ([EMAIL PROTECTED]) [020603 16:51]:
> On Mon, Jun 03, 2002 at 11:49:54PM +0200, Ronald Castillo wrote:
> > I was thinking that I should configure my secondary LAN card (the one
> > that connects to my "internal" network) in the /etc/network/interfaces
> > card, but I don't know what to place there. I have already configured
> > the LAN card that connects me to the "outside world" without problems.
>
> Well, if it helps, here's an /etc/network/interfaces fragment from one
> of my machines:
>
> iface eth1 inet static
>     address 192.168.42.1
>     network 192.168.42.0
>     netmask 255.255.255.0
>     broadcast 192.168.42.255
>
> This brings up an interface using the second network card with IP
> address 192.168.42.1.

Also, you'll probably want to add a line that says "auto eth1" which will make eth1 come up automatically at boot, instead of only after you say "ifup eth1". IIRC, though, that's new since after potato.

good times,
Vineet
--
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml
Re: rc.local in debian (was: Ip Masquerading)
I'M NOT A MEMBER OF YOUR MAILING LISTS. WHY DO THESE MAILS COME TO ME? EVERY DAY 200 MAILS COME TO ME FROM YOUR MAILING LISTS. CAN YOU DO SOMETHING ABOUT IT? THANK YOU.

----- Original Message -----
From: "Vineet Kumar" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 04, 2002 2:26 AM
Subject: Re: rc.local in debian (was: Ip Masquerading)
Re: rc.local in debian (was: Ip Masquerading)
I'M NOT A MEMBER OF YOUR MAILING LISTS. WHY DO THESE MAILS COME TO ME? EVERY DAY 200 MAILS COME TO ME FROM YOUR MAILING LISTS. CAN YOU DO SOMETHING ABOUT IT? THANK YOU.

----- Original Message -----
From: "Colin Watson" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, June 04, 2002 1:50 AM
Subject: Re: rc.local in debian (was: Ip Masquerading)

> On Mon, Jun 03, 2002 at 11:49:54PM +0200, Ronald Castillo wrote:
> > I was thinking that I should configure my secondary LAN card (the one
> > that connects to my "internal" network) in the /etc/network/interfaces
> > card, but I don't know what to place there. I have already configured
> > the LAN card that connects me to the "outside world" without problems.
>
> Well, if it helps, here's an /etc/network/interfaces fragment from one
> of my machines:
>
> iface eth1 inet static
>         address 192.168.42.1
>         network 192.168.42.0
>         netmask 255.255.255.0
>         broadcast 192.168.42.255
>
> This brings up an interface using the second network card with IP
> address 192.168.42.1.
>
> --
> Colin Watson [EMAIL PROTECTED]
Re: rc.local in debian (was: Ip Masquerading)
* Colin Watson ([EMAIL PROTECTED]) [020603 16:51]:
> On Mon, Jun 03, 2002 at 11:49:54PM +0200, Ronald Castillo wrote:
> > I was thinking that I should configure my secondary LAN card (the one
> > that connects to my "internal" network) in the /etc/network/interfaces
> > card, but I don't know what to place there. I have already configured
> > the LAN card that connects me to the "outside world" without problems.
>
> Well, if it helps, here's an /etc/network/interfaces fragment from one
> of my machines:
>
> iface eth1 inet static
>         address 192.168.42.1
>         network 192.168.42.0
>         netmask 255.255.255.0
>         broadcast 192.168.42.255
>
> This brings up an interface using the second network card with IP
> address 192.168.42.1.

Also, you'll probably want to add a line that says "auto eth1" which will make eth1 come up automatically at boot, instead of only after you say "ifup eth1". IIRC, though, that's new since after potato.

good times,
Vineet
--
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml
Re: rc.local in debian (was: Ip Masquerading)
On Mon, Jun 03, 2002 at 11:49:54PM +0200, Ronald Castillo wrote:
> I was thinking that I should configure my secondary LAN card (the one
> that connects to my "internal" network) in the /etc/network/interfaces
> card, but I don't know what to place there. I have already configured
> the LAN card that connects me to the "outside world" without problems.

Well, if it helps, here's an /etc/network/interfaces fragment from one of my machines:

iface eth1 inet static
        address 192.168.42.1
        network 192.168.42.0
        netmask 255.255.255.0
        broadcast 192.168.42.255

This brings up an interface using the second network card with IP address 192.168.42.1.

--
Colin Watson [EMAIL PROTECTED]
RE: rc.local in debian (was: Ip Masquerading)
Thanks a lot for your help!! I could finally get past that step, but now I came across another problem: I have compiled the kernel with the necessary modules, installed the "IP Masq" script and all that, but it still doesn't work. I've tried pinging my linux box from Windows XP with no success.

I was thinking that I should configure my secondary LAN card (the one that connects to my "internal" network) in the /etc/network/interfaces card, but I don't know what to place there. I have already configured the LAN card that connects me to the "outside world" without problems.

I would really appreciate any help about this. Thanks a lot for helping me so far..

Ronald Castillo

-----Original Message-----
From: Colin Watson [mailto:[EMAIL PROTECTED] On Behalf Of Colin Watson
Sent: Monday, 03 June 2002 13:16
To: debian-user@lists.debian.org
Subject: Re: rc.local in debian (was: Ip Masquerading)

On Mon, Jun 03, 2002 at 03:08:56AM -0500, Elizabeth Barham wrote:
> I made my own entitled "local" in /etc/init.d by copying
> /etc/init.d/skeleton to /etc/init.d/local, added what I needed it to
> do in the start section, and created a softlink to it in rc2.d
> entitled S99local.
>
> I don't know how others do it, though.

That's pretty much what the FAQ advises:

  http://www.debian.org/doc/FAQ/ch-customizing.html#s-custombootscripts

Cheers,

--
Colin Watson [EMAIL PROTECTED]
Re: rc.local in debian (was: Ip Masquerading)
On Mon, Jun 03, 2002 at 03:08:56AM -0500, Elizabeth Barham wrote:
> I made my own entitled "local" in /etc/init.d by copying
> /etc/init.d/skeleton to /etc/init.d/local, added what I needed it to
> do in the start section, and created a softlink to it in rc2.d
> entitled S99local.
>
> I don't know how others do it, though.

The "debian" way of setting up the symlinks is via update-rc.d(1); it will set up the symlinks for all of the runlevels.

AFAIK, the system administrator is free to create new entries in /etc/init.d and set up symlinks. However, you may want to make sure that you won't "collide" with any packages you set up in the future. I usually do that by prefixing the script with "hostname-", but there probably are other (better) ways of avoiding collisions.

--
Karl E. Jørgensen
[EMAIL PROTECTED]
www.karl.jorgensen.com
Please study http://www.rfc855.org
Re: rc.local in debian (was: Ip Masquerading)
On Mon, Jun 03, 2002 at 03:08:56AM -0500, Elizabeth Barham wrote:
> I made my own entitled "local" in /etc/init.d by copying
> /etc/init.d/skeleton to /etc/init.d/local, added what I needed it to
> do in the start section, and created a softlink to it in rc2.d
> entitled S99local.
>
> I don't know how others do it, though.

That's pretty much what the FAQ advises:

  http://www.debian.org/doc/FAQ/ch-customizing.html#s-custombootscripts

Cheers,

--
Colin Watson [EMAIL PROTECTED]
Re: rc.local in debian (was: Ip Masquerading)
I made my own entitled "local" in /etc/init.d by copying /etc/init.d/skeleton to /etc/init.d/local, added what I needed it to do in the start section, and created a softlink to it in rc2.d entitled S99local.

I don't know how others do it, though.

Elizabeth

"Ronald Castillo" <[EMAIL PROTECTED]> writes:

> Hello.
>
> Thanks to you all for your suggestions for trying to connect my Linux
> box to my Windows one via serial port, but after trying some things and
> not being able to make it work I decided to try to do that via network
> cards.
>
> On the IP Masquerading HOWTO it says I have to edit my
> "/etc/rc.d/rc.local" file, but actually I have 6 "rc?.d" folders in
> /etc, and none of them have a "rc.local" file. Is there an equivalent
> file in Debian I could use?
>
> Some help about this or a link to some Debian specific help will be
> appreciated.
>
> Thanks for your help..
>
> Ronald Castillo
Ip Masquerading
Hello.

Thanks to you all for your suggestions for trying to connect my Linux box to my Windows one via serial port, but after trying some things and not being able to make it work I decided to try to do that via network cards.

On the IP Masquerading HOWTO it says I have to edit my "/etc/rc.d/rc.local" file, but actually I have 6 "rc?.d" folders in /etc, and none of them have a "rc.local" file. Is there an equivalent file in Debian I could use?

Some help about this or a link to some Debian specific help will be appreciated.

Thanks for your help..

Ronald Castillo
Re: IP Masquerading
On Tue, 7 Aug 2001, Vineet Kumar wrote:

> * [EMAIL PROTECTED] ([EMAIL PROTECTED]) [010807 10:35]:
> > What is a good program for Windows 98 that will allow me to set up IP
> > Masquerading to share my internet connection with some Linux boxes?
>
> The Right Way to do this is to make one of the Linux machines do the
> masquerade. A windows 98 machine should never be used as any type of server
> / gateway / anything except a desktop system.
>
> Additionally, this list is the wrong place to ask questions about
> windows programs.

If you are implying he should have asked on a Windows list... would he have got the same "Right" answer? Maybe he did the right thing. ;-)

- Bruce
Re: IP Masquerading
* [EMAIL PROTECTED] ([EMAIL PROTECTED]) [010807 10:35]:
> What is a good program for Windows 98 that will allow me to set up IP
> Masquerading to share my internet connection with some Linux boxes?

The Right Way to do this is to make one of the Linux machines do the masquerade. A windows 98 machine should never be used as any type of server / gateway / anything except a desktop system.

Additionally, this list is the wrong place to ask questions about windows programs.

Cheers,

--
Vineet
http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
Qba'g gernq ba zr!|tr 'a-zA-Z' 'n-za-mN-ZA-M'
Re: IP Masquerading
Firewall-1 is excellent, having most of the features that are available in Linux. I remember reading somewhere Checkpoint do SOHO versions for about $500 so it's not too expensive as these things go.

On 0, [EMAIL PROTECTED] wrote:
> What is a good program for Windows 98 that will allow me to set up IP
> Masquerading to share my internet connection with some Linux boxes?
>
> -- Deven

--
Patrick "No sig in my .sig" Kirk
GSM: +44 7876 560 646
ICQ: 42219699
IP Masquerading
What is a good program for Windows 98 that will allow me to set up IP Masquerading to share my internet connection with some Linux boxes?

-- Deven
Re: IP Masquerading: no connection to external network
On Saturday 23 June 2001 01:37, you wrote:
> On Sat, Jun 23, 2001 at 01:22:37AM +0200, Brendon wrote:
> > On Saturday 23 June 2001 01:11, Joost Kooij wrote:
> > > How did you setup masquerading, did you install ipmasq.deb or did
> > > you try everything by hand?
> >
> > I used the mini howto on www.linuxnewbie.org next to the Masquerading
> > HOWTO. the iptables rules were setup by gShield. when i found that did
> > not work i used the rc.firewall script given by the HOWTO.
>
> My advice: try it first with ipmasq.deb, it is a really nice package.
> It lets you easily set up a basic nat gateway. Once you get it working
> with ipmasq, you can always change to your homebrew setup. And if
> it doesn't work with ipmasq either, well, submit a bug against ipmasq
> (after you had rtfm that comes with the package of course).

all in debian style, it worked automagically.. scary :)

cheers, i wasn't familiar with the package.

Brendon
Re: IP Masquerading: no connection to external network
On Sat, Jun 23, 2001 at 01:22:37AM +0200, Brendon wrote:
> On Saturday 23 June 2001 01:11, Joost Kooij wrote:
> > How did you setup masquerading, did you install ipmasq.deb or did
> > you try everything by hand?
>
> I used the mini howto on www.linuxnewbie.org next to the Masquerading HOWTO.
> the iptables rules were setup by gShield. when i found that did not work i
> used the rc.firewall script given by the HOWTO.

My advice: try it first with ipmasq.deb, it is a really nice package. It lets you easily set up a basic nat gateway. Once you get it working with ipmasq, you can always change to your homebrew setup. And if it doesn't work with ipmasq either, well, submit a bug against ipmasq (after you had rtfm that comes with the package of course).

Another advantage of ipmasq is that if you read the scripts, then that is a sort of howto in its own right. :-)

And it should of course work out of the box. At least that is my experience.

Cheers,

Joost
Re: IP Masquerading: no connection to external network
On Saturday 23 June 2001 01:11, Joost Kooij wrote:
> On Sat, Jun 23, 2001 at 12:45:18AM +0200, Brendon wrote:
> > 'fraid it had no effect. the syslogs on both machines show nothing out of
> > the ordinary either
>
> How did you setup masquerading, did you install ipmasq.deb or did
> you try everything by hand?

I used the mini howto on www.linuxnewbie.org next to the Masquerading HOWTO. the iptables rules were setup by gShield. when i found that did not work i used the rc.firewall script given by the HOWTO.

rc.firewall (several comments removed to keep the size down. btw, the gateway and other machines use static ip#s):
--
#!/bin/sh
#
# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
#          modules are shown below but are commented out from loading.

echo -e "\n\nIPMASQ *TEST* rc.firewall ruleset - v0.50\n"

# The location of the 'iptables' program
#IPTABLES=/sbin/iptables
IPTABLES=/sbin/iptables

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
/sbin/depmod -a

#Loads the OUTGOING FTP NAT functionality into the core IPTABLES code
#
#   Disabled by default -- remove the "#" on the next line to activate
#/sbin/insmod ip_nat_ftp

#Load the INCOMING FTP tracking mechanism for the connection tracking
#code
#
#   Disabled by default -- remove the "#" on the next line to activate
#/sbin/insmod ip_conntrack_ftp

#CRITICAL:  Enable IP forwarding since it is disabled by default since
echo "  - Enabling packet forwarding in the kernel"
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#   echo "  - Enabling dynamic addressing measures"
#   echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#            connecting to the Internet on external interface "eth0".  This
#            example will MASQ internal traffic out to the Internet but not
#            allow non-initiated traffic into your internal network.
#
#         ** Please change the above network numbers, subnet mask, and your
#        *** Internet connection interface name to match your setup
#
echo "  - Setting the default FORWARD policy to 'DROP'"
echo "  - Enabling SNAT (IPMASQ) functionality on eth0"
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo -e "\nDone.\n"
--

output when run:

IPMASQ *TEST* rc.firewall ruleset - v0.50

  - Verifying that all kernel modules are ok
depmod: *** Unresolved symbols in /lib/modules/2.4.5/kernel/net/bridge/bridge.o
  - Enabling packet forwarding in the kernel
  - Setting the default FORWARD policy to 'DROP'
  - Enabling SNAT (IPMASQ) functionality on eth0

Done.
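The script above sets the FORWARD policy to DROP and then adds only a POSTROUTING MASQUERADE rule; with no ACCEPT rule in the FORWARD chain, the kernel drops every packet it would have forwarded, whatever the nat table says. As an added example, not the HOWTO's rc.firewall and not Brendon's script, here is the minimal iptables rule set a masquerading gateway needs, written as a small start/stop script of the kind the thread puts in /etc/init.d; the interface names eth0/eth1, the 192.168.0.0/24 LAN range and the iptables path are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not the HOWTO's rc.firewall: minimal masquerading rule
# set including the FORWARD accept rules that a DROP policy requires.
# Interface names, LAN range and iptables path are assumptions.
EXTIF="${EXTIF:-eth0}"          # interface towards the Internet
INTIF="${INTIF:-eth1}"          # interface towards the internal LAN
LAN="${LAN:-192.168.0.0/24}"    # internal network range
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print the rule set, one command per line, without executing anything,
# so it can be reviewed (or diffed against the running config) first.
gen_rules() {
    ext="$1"; int="$2"; lan="$3"
    cat <<EOF
$IPTABLES -F FORWARD
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -i $int -o $ext -s $lan -j ACCEPT
$IPTABLES -A FORWARD -i $ext -o $int -d $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
$IPTABLES -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE
EOF
}

# Number of ACCEPT rules in the generated FORWARD chain. Zero would mean
# the DROP policy stops all forwarded traffic, which is exactly what a
# "policy DROP plus MASQUERADE only" script produces.
count_forward_accepts() {
    gen_rules "$1" "$2" "$3" | grep -c -- '-A FORWARD .* -j ACCEPT'
}

# Enable forwarding in the kernel, then apply the generated rules.
start() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules "$EXTIF" "$INTIF" "$LAN" | while IFS= read -r cmd; do
        eval "$cmd" || exit 1   # exit leaves the pipeline subshell with status 1
    done
}

# Undo: flush what we added and disable forwarding again. The FORWARD
# policy is left at DROP on purpose.
stop() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F POSTROUTING
    echo 0 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-show}" in
    start) start ;;
    stop)  stop ;;
    *)     gen_rules "$EXTIF" "$INTIF" "$LAN" ;;   # "show": print only
esac
```

Run it with no argument to review the rules it would apply; `start`/`stop` need root.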
Re: IP Masquerading: no connection to external network
On Sat, Jun 23, 2001 at 12:45:18AM +0200, Brendon wrote:
> 'fraid it had no effect. the syslogs on both machines show nothing out of the
> ordinary either

How did you setup masquerading, did you install ipmasq.deb or did you try everything by hand?

Cheers,

Joost
Re: IP Masquerading: no connection to external network
On Saturday 23 June 2001 00:35, you wrote:
> On Fri, Jun 22, 2001 at 11:56:52PM +0200, Brendon wrote:
> > Gateway: external ip 195.38.200.201 internal ip 192.162.0.1
> > Laptop: internal ip 192.162.0.2
> > desktop:..
> >
> > the gateway is able to access the net and the laptop.
> > the laptop is able to ping the gateway on both its external and internal
> > ip but cannot access (ping) external sites by either their ip or name.
>
> The laptop has no default route set, is my bet. If that is the problem,
> then you can fix it on the laptop by doing:
>
> /sbin/route add default gw 192.162.0.1

'fraid it had no effect. the syslogs on both machines show nothing out of the ordinary either
Re: help with IP Masquerading, 2.4 kernel
"Dwayne C. Litzenberger" <[EMAIL PROTECTED]> writes:

> Turn on forwarding:
>
> echo "1" >/proc/sys/net/ipv4/ip_forward

That's already done. As I said, I can connect to remote systems through the firewall machine, and data flows back and forth. It's just that it freezes up within a couple of minutes, usually.

Dan
Re: help with IP Masquerading, 2.4 kernel
Oh yeah, instead, you can edit /etc/network/options and change:

ip_forward=no

to

ip_forward=yes

Then, either run "/etc/init.d/networking restart", or reboot the system.

--
Dwayne C. Litzenberger - [EMAIL PROTECTED]
Re: help with IP Masquerading, 2.4 kernel
Turn on forwarding:

echo "1" >/proc/sys/net/ipv4/ip_forward

--
Dwayne C. Litzenberger - [EMAIL PROTECTED]
help with IP Masquerading, 2.4 kernel
My main machine, scratchy, is connected to the net using PPPOE (PPP over ethernet) over DSL. I have another machine, cheddar, connected to a second ethernet card on scratchy with an ethernet crossover cable. I am trying to use netfilter (iptables) to masquerade cheddar behind scratchy, and it is almost working: pings and DNS lookups work fine, with no packets dropped and no errors. telnet and ssh work as well, until I try to transfer a lot of data at once (e.g. a screenful, such as appears when you bring up a man page), at which point the connection freezes. wget freezes immediately. But netstat -i doesn't show any errors or dropped packets, and there is nothing in the log files of any of the three machines involved. Connections between cheddar and scratchy and between scratchy and the outside world work perfectly.

Any suggestions where to look further? Here are some settings:

cheddar# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:03:85:AC:D8
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xd400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16144  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

cheddar# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

scratchy# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:80:C8:B9:FD:24
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:180469 errors:1 dropped:0 overruns:0 frame:16190
          TX packets:173454 errors:87 dropped:0 overruns:0 carrier:153
          collisions:1241 txqueuelen:100
          RX bytes:113137907 (107.8 Mb)  TX bytes:19757452 (18.8 Mb)
          Interrupt:3 Base address:0x300

eth1      Link encap:Ethernet  HWaddr 00:E0:98:03:CF:B0
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28329 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29667 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1911832 (1.8 Mb)  TX bytes:42401143 (40.4 Mb)
          Interrupt:9 Base address:0x320

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16144  Metric:1
          RX packets:26861 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26861 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13163203 (12.5 Mb)  TX bytes:13163203 (12.5 Mb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:129.100.240.47  P-t-P:129.100.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:84071 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71905 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:93703135 (89.3 Mb)  TX bytes:6373070 (6.0 Mb)

scratchy# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
129.100.2.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         129.100.2.1     0.0.0.0         UG    0      0        0 ppp0

scratchy# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.0.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Thanks for any help anyone can provide!

Dan
Re: Ip masquerading help
> Check your routing table with 'route -n'.
> Do you have a route on the Linux router machine that looks like this? --
>
> Destination     Gateway         Genmask         Iface
> 200.189.192.144 0.0.0.0         255.255.255.248 eth1

I guess the problem is on the ipmasq rules. I'll put three NICs on the router now - Today I have two NICs (really a mess):

eth0: 200.189.194.x, 200.207.217.187 (gateway 129 - ADSL), 10.0.0.x
eth1: 10.0.1.x

(the strange thing is that 10.0.0.x and 10.0.1.x talk to each other)

Also, as 200.207.217.129 is the default gw, the computer cannot be accessed via the 200.189.194.150 ip ... is there any way to make the computer respond to both the ips ?

Thank you again

gui
Re: Ip masquerading help
Guilherme Barile wrote:

> From a computer in the 10.0.0.x network I can ping the internet (via ADSL)
> and any computer on the 10.0.1.x network (vice versa for the computers on
> the 10.0.1.x net) BUT, i cannot access the servers connected to NIC2 (eth1)
> directly I need some special rule for that.

Check your routing table with 'route -n'. Do you have a route on the Linux router machine that looks like this? --

Destination     Gateway         Genmask         Iface
200.189.192.144 0.0.0.0         255.255.255.248 eth1

Matthew
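Joost's hunch in the earlier thread (laptop has no default route) and Matthew's question here (is there a directly connected route for the /29 on eth1?) are the same step: read the routing table before touching the masquerading rules. As an added example, not posted by anyone in these threads, a small sh script that applies those two checks to saved `route -n` output; the sample tables are constructed from the addresses the posters mention and are not their real output.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks on 'route -n' output.
# The sample tables below are constructed, not the posters' real output.

# Dotted quad -> 32-bit integer, via awk so it works in plain sh.
ip2int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Print the default gateway of a route -n table read from stdin;
# status 1 if the table has no default route at all (Joost's hunch).
default_gw() {
    gw=$(awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2; exit }')
    [ -n "$gw" ] && echo "$gw"
}

# Is gateway $1 inside a network the table (stdin) reaches directly, i.e.
# a route with Gateway 0.0.0.0 whose Destination/Genmask cover it? A
# default route whose gateway is not on-link can never be used.
gw_reachable() {
    awk -v gw="$(ip2int "$1")" '
        function ip2int(s,  a) { split(s, a, "."); return a[1]*16777216 + a[2]*65536 + a[3]*256 + a[4] }
        # bitwise AND by hand: POSIX awk has no and() builtin
        function band(x, y,  r, b) {
            r = 0; b = 1
            while (x > 0 && y > 0) {
                if (x % 2 == 1 && y % 2 == 1) r += b
                x = int(x / 2); y = int(y / 2); b *= 2
            }
            return r
        }
        $1 != "0.0.0.0" && $2 == "0.0.0.0" && band(gw, ip2int($3)) == ip2int($1) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Does the table (stdin) hold a directly connected route to exactly
# DEST with GENMASK on IFACE? This is Matthew's check for the /29 segment.
has_route() {
    awk -v d="$1" -v m="$2" -v i="$3" \
        '$1 == d && $2 == "0.0.0.0" && $3 == m && $8 == i { f = 1 } END { exit f ? 0 : 1 }'
}

# Summarise one table (passed as a string). The two failure modes are a
# missing default route and a default gateway that is not on-link.
check_table() {
    table="$1"
    gw=$(printf '%s\n' "$table" | default_gw) || { echo "NO-DEFAULT"; return 1; }
    printf '%s\n' "$table" | gw_reachable "$gw" || { echo "GW-UNREACHABLE ($gw)"; return 2; }
    echo "OK (default via $gw)"
}

# Constructed sample tables in route -n format.
LAPTOP_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.162.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.162.0.1     0.0.0.0         UG    0      0        0 eth0'

LAPTOP_NO_DEFAULT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.162.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

LAPTOP_BAD_GW='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.162.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

ROUTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
200.189.194.144 0.0.0.0         255.255.255.248 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
200.207.217.129 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
0.0.0.0         200.207.217.129 0.0.0.0         UG    0      0        0 eth0'

for t in "$LAPTOP_OK" "$LAPTOP_NO_DEFAULT" "$LAPTOP_BAD_GW" "$ROUTER"; do
    check_table "$t" || true
done
```

To check a live machine, pass `"$(route -n)"` to check_table instead of a sample string.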
Re: Ip masquerading help
"Guilherme Barile" <[EMAIL PROTECTED]> writes:

> Hello debian users.
> I am having the following ip masquerading issue:
>
> 1) I have four networks in my office
> 200.189.194.144 (netmask 255.255.255.248) - internet servers
> 10.0.0.x (netmask 255.255.255.0) - internal network
> 10.0.1.x (netmask 255.255.255.0) - other internal network
> 200.217.207.129 (netmask 255.255.255.255) - ADSL router

Could you post the output of the route command for your router and for an internal box? I have a feeling it has something to do with that, although if 200.189.194.144 is an internet server that the internal boxes are trying to access through dns, it should route through the router and back correctly. Can external boxes see the internet server?

-Anthony.
Ip masquerading help
Hello debian users.
I am having the following ip masquerading issue:

1) I have four networks in my office

200.189.194.144 (netmask 255.255.255.248) - internet servers
10.0.0.x (netmask 255.255.255.0) - internal network
10.0.1.x (netmask 255.255.255.0) - other internal network
200.217.207.129 (netmask 255.255.255.255) - ADSL router

I want a linux server (2.2 kernel) to route the packets and let everybody access the internet via the ADSL link. That's how I imagine the thing built:

  eth0)   10.0.0.x ---------+
  eth0:0) 200.207.217.129 --+      eth1) 200.189.194.144      eth2) 10.0.1.x
                            |               |                       |
                    +-------+---------------+-----------------------+-------+
                    |      NIC1            NIC2                    NIC3     |
                    |                    linux router                       |
                    +-------------------------------------------------------+

so eth2 is 10.0.1.1, eth1 is 200.189.194.150 and eth0 has 10.0.0.1 and 200.207.217.129 ips (thanks to ip aliasing), so after this setup i connect the interfaces to the corresponding hubs (the network hubs are NOT interconnected), configure everything on /etc/network/interfaces and start ipmasquerading (debian ipmasq package)

200.207.217.129, the ADSL port, is the default gateway.

From a computer in the 10.0.0.x network I can ping the internet (via ADSL) and any computer on the 10.0.1.x network (vice versa for the computers on the 10.0.1.x net) BUT, i cannot access the servers connected to NIC2 (eth1) directly I need some special rule for that.

Can anyone shed a light ?

Thank you very much in advance

gui
Re: IP masquerading
"Dwight" == Dwight Johnson <[EMAIL PROTECTED]> writes:

> On 10 Dec 2000, Willy Lee wrote:
>> Install the 'ipmasq' Debian package. Configure, read its docs.
>> Nothing could be easier. (er, unless you have a non-standard
>> setup)

> I am new to Debian, but is this still true? I do not have this
> package installed, but I am doing IP masquerading on my 2.2
> installation just by making a script to execute on boot from the
> commands:

> ipchains -P forward DENY
> ipchains -A forward -i ppp0 -j MASQ
> echo 1 > /proc/sys/net/ipv4/ip_forward

> after launching my pppd (dial on demand).

> Perhaps there are different ways to do it.

'Tis certainly so. I myself had a homegrown script that I added to /etc/init.d by hand, but then I heard of the 'ipmasq' package from this list, and tried it. The ipmasq scripts were nicer and more complete than the ones I had written, so I decided to keep them, and toss mine. :)

There's certainly no need to install ipmasq if you're satisfied with your own scripts, I think.

=wl

--
Albert ``Willy'' Lee, Emacs user, game programmer
"They call me CRAZY - just because I DARE to DREAM of a RACE of SUPERHUMAN MONSTERS!"
Re: IP masquerading (Using IPMASQ package)
I've looked over this package and it seems to be what I want. My question is; how do you set up port forwarding with this package? The documentation is not too clear (at least not to me) about modifying or creating rules. I thank you for your help.

---
ICQ #:14518882

----- Original Message -----
From: "Willy Lee" <[EMAIL PROTECTED]>
To:
Sent: Sunday, December 10, 2000 7:18 PM
Subject: Re: IP masquerading

> "Kyle" == Kyle Peterson <[EMAIL PROTECTED]> writes:
>
> > I was reading the IP masq how-to and it shows how to setup ipchains
> > in a rc.firewall file. From what I gather, debian uses a different
> > boot system. How would I make the rc.firewall for a debian system?
> > I am new to debian, I am used to using redhat.
>
> Install the 'ipmasq' Debian package. Configure, read its docs.
> Nothing could be easier. (er, unless you have a non-standard
> setup)
>
> =wl
>
> --
> Albert ``Willy'' Lee, Emacs user, game programmer
> "They call me CRAZY - just because I DARE to DREAM of a RACE of
> SUPERHUMAN MONSTERS!"
Re: IP masquerading
On 10 Dec 2000, Willy Lee wrote:

> "Kyle" == Kyle Peterson <[EMAIL PROTECTED]> writes:
>
> > I was reading the IP masq how-to and it shows how to setup ipchains
> > in a rc.firewall file. From what I gather, debian uses a different
> > boot system. How would I make the rc.firewall for a debian system?
> > I am new to debian, I am used to using redhat.
>
> Install the 'ipmasq' Debian package. Configure, read its docs.
> Nothing could be easier. (er, unless you have a non-standard
> setup)

I am new to Debian, but is this still true? I do not have this package installed, but I am doing IP masquerading on my 2.2 installation just by making a script to execute on boot from the commands:

ipchains -P forward DENY
ipchains -A forward -i ppp0 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward

after launching my pppd (dial on demand).

Perhaps there are different ways to do it.

Dwight
Re: IP masquerading
"Kyle" == Kyle Peterson <[EMAIL PROTECTED]> writes:

> I was reading the IP masq how-to and it shows how to setup ipchains
> in a rc.firewall file. From what I gather, debian uses a different
> boot system. How would I make the rc.firewall for a debian system?
> I am new to debian, I am used to using redhat.

Install the 'ipmasq' Debian package. Configure, read its docs. Nothing could be easier. (er, unless you have a non-standard setup)

=wl

--
Albert ``Willy'' Lee, Emacs user, game programmer
"They call me CRAZY - just because I DARE to DREAM of a RACE of SUPERHUMAN MONSTERS!"
Re: IP masquerading - another approach
At 11:20 AM 12/10/00 +0100, Leen Besselink wrote:
> On Sun, 10 Dec 2000, Sebastiaan wrote:
> > Hi,
> >
> > you can make a script and put it in /etc/init.d and make a link to one of
> > the /etc/rcX.d. With the number (like S40firewall) you can set the
> > priority.
> > As an alternative, in Debian you have a /etc/rc.boot where you can put
> > files which must be started at boottime (but not after a init 1; init 2).

This is fine if you are using a static IP. Otherwise, most firewall scripts I've seen will need to get your dynamic interface IP address from ifconfig.

For "always on" connections like cable modems, put a line like "up /usr/local/sbin/my-firewall" into the proper stanza of /etc/network/interfaces (where /usr/local/sbin/my-firewall is your firewall script) so that the script will be run during "ifup".

For ppp you can put the firewall script into /etc/ppp/ip-up.d and /etc/ppp/ip-down.d (or put a script there that calls your firewall script).

I have both cable and ppp connections so I do both. This way the firewall gets updated at boot time (/etc/init.d/networking uses ifup) and then it gets run again whenever ppp goes up or down.
Re: IP masquerading
On Sun, 10 Dec 2000, Sebastiaan wrote:

> Hi,
>
> you can make a script and put it in /etc/init.d and make a link to one of
> the /etc/rcX.d. With the number (like S40firewall) you can set the
> priority.
> As an alternative, in Debian you have a /etc/rc.boot where you can put
> files which must be started at boottime (but not after a init 1; init 2).
>

Actually if you want to make it easier on yourself, Debian has a tool for this: update-rc.d

Which you can use to add a script to the run levels you want (or you can choose default).
Re: IP masquerading
Hi,

you can make a script and put it in /etc/init.d and make a link to one of the /etc/rcX.d. With the number (like S40firewall) you can set the priority.
As an alternative, in Debian you have a /etc/rc.boot where you can put files which must be started at boottime (but not after a init 1; init 2).

Greetz,
Sebastiaan

On Sun, 10 Dec 2000, Kyle Peterson wrote:

> I was reading the IP masq how-to and it shows how to setup ipchains in a
> rc.firewall file. From what I gather, debian uses a different boot system.
> How would I make the rc.firewall for a debian system? I am new to debian, I
> am used to using redhat.
Re: IP masquerading
Kyle Peterson wrote:
>
> I was reading the IP masq how-to and it shows how to setup ipchains in a
> rc.firewall file. From what I gather, debian uses a different boot system.
> How would I make the rc.firewall for a debian system? I am new to debian, I
> am used to using redhat.

i usually make a firewall script, dump it in /etc/init.d then link to it from /etc/rc2.d

there are many ways to do it, that is how i do it on my systems.

nate

:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]
IP masquerading
I was reading the IP masq how-to and it shows how to setup ipchains in a rc.firewall file. From what I gather, debian uses a different boot system. How would I make the rc.firewall for a debian system? I am new to debian, I am used to using redhat.
Re: Workstation and IP-Masquerading -> newbieDoc?
On Sun, Nov 12, 2000 at 11:00:59AM -0800, Michael Smith wrote:
> I just set up a masquerade box at work in about 1.5 hours (from scratch) with
> Debian. Just make your box with two nics, configure one nic for your outside
> connection, configure the other for 192.168.0.1, and then install the ipmasq
> package. One of the questions the package asks you is if you want to start
> masquerading. Say yes. You might have to tweak the ipchains a little after that,
> but the minimum install works right out of the box. For the other boxes, give them
> ip's in the 192.168.0.XXX range, and tell them that 192.168.0.1 is their gateway. It
> was so easy, I was surprised.

any chance we could talk you into fleshing that out a bit and posting it to eGroups.com/files/newbieDoc? :) ?

--
There are only two places in the world where time takes precedence over the job to be done. School and prison. --William Glasser
[EMAIL PROTECTED]***http://www.dontUthink.com/
volunteer to document your experience for next week's newbies -- http://www.eGroups.com/messages/newbieDoc
Re: Workstation and IP-Masquerading
I just set up a masquerade box at work in about 1.5 hours (from scratch) with Debian. Just make your box with two nics, configure one nic for your outside connection, configure the other for 192.168.0.1, and then install the ipmasq package. One of the questions the package asks you is if you want to start masquerading. Say yes. You might have to tweak the ipchains a little after that, but the minimum install works right out of the box. For the other boxes, give them ip's in the 192.168.0.XXX range, and tell them that 192.168.0.1 is their gateway. It was so easy, I was surprised.

BTW, this is what I like about debian--all the default configurations are just where you want them to be.

--Mike

Robert Kasunic wrote:
> Hi,
>
> I have two PC's at home and would like to share my internet connection
> (DSL) between them. As I don't want a third computer here running all the time
> I was thinking to enable IP-Masquerading on one of them and build a
> firewall on it as well. It will be running Samba too. Nevertheless I'd like to
> continue using these PC's as Workstations.
>
> Does that seem to be a useful approach? I would really appreciate any
> opinions or suggestions you might have. TIA.
>
> Robert

--
Michael J. Smith
[EMAIL PROTECTED]
2250 Patterson #25
Eugene, OR 97405
(541)346-7562
Re: Workstation and IP-Masquerading
There's two options - you can do as you want and use one of the existing machines as a firewall/masq box etc, but it will have to be running linux. It will work, but will be less secure, and more confusing than the second option.

Are you aware that any low-end pentium or 486 will work fine as a firewall? it doesn't have to be a flash machine... I was using a 486 SX33 with 12 Mb ram and 500 Mb HD for about 12 months. It doesn't need a monitor or keyboard (unless you want to display syslogd on it - herc mono monitors are very good for that.)

The other advantage of this is that things are easier all-round.

At 11:02 AM 11/11/00 +0100, you wrote:
> Hi,
>
> I have two PC's at home and would like to share my internet connection
> (DSL) between them. As I don't want a third computer here running all the time
> I was thinking to enable IP-Masquerading on one of them and build a
> firewall on it as well. It will be running Samba too. Nevertheless I'd like to
> continue using these PC's as Workstations.
>
> Does that seem to be a useful approach? I would really appreciate any
> opinions or suggestions you might have. TIA.
>
> Robert

--
Criggie
Re: Workstation and IP-Masquerading
On Sat, 11 Nov 2000 11:02:14 +0100, Robert Kasunic said:
> Hi,
>
> I have two PC's at home and would like to share my internet connection
> (DSL) between them. As I don't want a third computer here running all the time
> I was thinking to enable IP-Masquerading on one of them and build a
> firewall on it as well. It will be running Samba too. Nevertheless I'd like to
> continue using these PC's as Workstations.
>
> Does that seem to be a useful approach? I would really appreciate any
> opinions or suggestions you might have. TIA.

Well i have the same situation with my cable connection and after seeing all the cable hits my machine was getting from the net, even though i had ipchains running i felt i wanted to isolate my pc with a router/firewall. I estimated an old 486 and some NIC's would cost about a $100. But since i didn't want another noisy big box around i got a Netgear gateway-router for only a few dollars more.

This little gem has a 4-port 10/100 switch built in for your LAN, acts as DHCP client and server, does NAT (ip masquerading), has programmable filters just like ipchains rules, port forwarding and logs filter hits and more to syslog so i can see the logs running xconsole on the desktop. I was able to just plug it in and run with the default filter rules then later added more filters so that an outside port scan from shields-up and hackerwhacker shows my ports closed (about 2000 actually scanned).

You can read a review and user opinions at practicallynetworked.com.

gEEk||dOOd^Deb+iaN&&XFce$aaZZ goes(-_-)
Workstation and IP-Masquerading
Hi,

I have two PC's at home and would like to share my internet connection (DSL) between them. As I don't want a third computer here running all the time I was thinking to enable IP-Masquerading on one of them and build a firewall on it as well. It will be running Samba too. Nevertheless I'd like to continue using these PC's as Workstations.

Does that seem to be a useful approach? I would really appreciate any opinions or suggestions you might have. TIA.

Robert
Re: Firewall/IP-masquerading
Willi Dyck <[EMAIL PROTECTED]> writes:
> > > Willi Dyck wrote:
> > > >
> > > > Hi.
> > > >
> > > > I don't understand the world (Debian) anymore.
> > > > As soon as I compile things like
> > > > - ip firewalling
> > > > - ip masquerading
> > > > - ip forwarding
> > > > into the kernel, I can't ping any host by its name.
> > > > I am able to ping IP's. Seems like a DNS Lookup failure. But why??
> > > > I didn't change any file, I only compiled the features listed above.
> > > > When I boot the old kernel again the problem seems to be gone.
> > > > WHY??? What is the logical thing here???
> > > > Thanx for your help.
> > >
> > Gary Hennigan writes:
> > My guess is that you've got a chain in the default rules that's
> > blocking DNS access. DNS access isn't a simple one to block/unblock,
> > if I remember correctly. Just look at the logs (/var/log/syslog) and
> > see if any of the output rules, with a source inside your LAN, is
> > being denied. Personally, if I were you I'd get PMFirewall,
>
> I have no chains blocking DNS access, I'm only blocking telnet and
> netbios.
> And /var/log/syslog isn't saying a word about ipchains. I wonder if my
> firewall script was started at startup/links are set. How to check it?

ipchains -L will show you all the chains you have installed. Also, in Debian potato, there's ipchains-save which prints out all the installed chains in a format that can be restored via ipchains-restore.

Gary
Re: Firewall/IP-masquerading
> Nate Amsden <[EMAIL PROTECTED]> writes:
> > not sure what kernels you're using but:
> >
> > - i've never gotten MASQ to work with DNS on 2.2 i've always had to put
> > a DNS on the masq machine and point machines to it instead, this was not
> > the case in 2.0 where it was able to masq without any trouble.
>
> Hmm. I'm not sure what you mean here. I have a firewall/masq machine
> and I know for a fact that my main PC, which sits behind this
> firewall, has no problem reaching my remote DNS servers using
> masquerading (I don't currently run a DNS server myself).
>
> > try putting a DNS on yer masq box and point everything to it.
>
> Yikes! That's not a trivial task and it's of questionable value given
> what I'm able to do, as stated above.
>
> > Willi Dyck wrote:
> > >
> > > Hi.
> > >
> > > I don't understand the world (Debian) anymore.
> > > As soon as I compile things like
> > > - ip firewalling
> > > - ip masquerading
> > > - ip forwarding
> > > into the kernel, I can't ping any host by its name.
> > > I am able to ping IP's. Seems like a DNS Lookup failure. But why??
> > > I didn't change any file, I only compiled the features listed above.
> > > When I boot the old kernel again the problem seems to be gone.
> > > WHY??? What is the logical thing here???
> > > Thanx for your help.
>
> My guess is that you've got a chain in the default rules that's
> blocking DNS access. DNS access isn't a simple one to block/unblock,
> if I remember correctly. Just look at the logs (/var/log/syslog) and
> see if any of the output rules, with a source inside your LAN, is
> being denied. Personally, if I were you I'd get PMFirewall,

I have no chains blocking DNS access, I'm only blocking telnet and netbios.
And /var/log/syslog isn't saying a word about ipchains. I wonder if my firewall script was started at startup/links are set. How to check it?

> http://www.pmfirewall.com/PMFirewall/
>
> And start with the rules they insert and build on that.
> It's quick, asks simple questions and gets you going quickly.
>
> Gary
Re: Firewall/IP-masquerading
> on Tue, Sep 05, 2000 at 12:59:25PM -0700, Nate Amsden sent 1.1K bytes on
> their merry way:
> > not sure what kernels you're using but:

I am using kernel 2.2.16.

> I'm using 2.2.17 (woody)
>
> > - i've never gotten MASQ to work with DNS on 2.2 i've always had to put
> > a DNS on the masq machine and point machines to it instead, this was not
> > the case in 2.0 where it was able to masq without any trouble.
>
> DNS works fine from the other side of my MASQ router; Perhaps there is
> some difference between UDP dns requests and TCP? *shrug*
>
> I would suspect some stray ipchains rule is denying the DNS traffic.

No rules are denying DNS traffic. I even can't ping any host from the firewalling box although a connection to my ISP is established, surely.

> Dan
> --
> Spinfire Magenta In Real Life: Dan Noe
> Freelance Hacker http://www.isomerica.net/
> 31 5B 89 66 F7 E8 73 34 50 6A 79 C4 32 E1 0E 4A
Re: Firewall/IP-masquerading
Alvin Oga wrote:
>
> hi ya..
>
> what flags do you have set in your linux-2.2.*/.config file ???

the ones that apply to firewalls/networking:

    CONFIG_PACKET=y
    CONFIG_FIREWALL=y
    CONFIG_FILTER=y
    CONFIG_UNIX=y
    CONFIG_INET=y
    CONFIG_IP_FIREWALL=y
    CONFIG_IP_MASQUERADE=y
    CONFIG_IP_MASQUERADE_ICMP=y
    CONFIG_IP_MASQUERADE_MOD=y
    CONFIG_IP_MASQUERADE_IPAUTOFW=y
    CONFIG_IP_MASQUERADE_IPPORTFW=y
    CONFIG_IP_MASQUERADE_MFW=y
    CONFIG_IP_ALIAS=y
    CONFIG_SYN_COOKIES=y
    CONFIG_SKB_LARGE=y

everything that is not shown is not set.

> what is the "generic" rules you have in your /etc/rc.firewall

i don't have a rc.firewall, but i do use a script in /etc/init.d

the rules for masq are

    echo -n "Enabling IP Masqing for 10.10.10.0 Network .."
    ipchains -P forward DENY
    ipchains -A forward -j MASQ -s 10.10.10.0/24 -d 0.0.0.0/0
    echo ".done"
    echo "Enabling Port forwarding for Unreal Tournament to 10.10.10.10.."
    ipmasqadm autofw -A -r udp -h 10.10.10.10 -v
    ipmasqadm autofw -A -r udp 7778 7778 -h 10.10.10.10 -v
    ipmasqadm autofw -A -r udp 7779 7779 -h 10.10.10.10 -v
    ipmasqadm autofw -A -r udp 27900 27900 -h 10.10.10.10 -v

i have about 70 other rules but those don't have anything to do with the masq just a bunch of accept/rejects for various services on the main box.

the network im on now is just 2 physical machines and usually a couple of virtual(vmware) machines.

nate

--
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]
Re: Firewall/IP-masquerading
hi ya..

what flags do you have set in your linux-2.2.*/.config file ???

what is the "generic" rules you have in your /etc/rc.firewall

have fun linuxing
alvin

On Tue, 5 Sep 2000, Nate Amsden wrote:
> not sure what kernels you're using but:
>
> - i've never gotten MASQ to work with DNS on 2.2 i've always had to put
> a DNS on the masq machine and point machines to it instead, this was not
> the case in 2.0 where it was able to masq without any trouble.
>
> try putting a DNS on yer masq box and point everything to it.
>
> nate
>
> Willi Dyck wrote:
> >
> > Hi.
> >
> > I don't understand the world (Debian) anymore.
> > As soon as I compile things like
> > - ip firewalling
> > - ip masquerading
> > - ip forwarding
> > into the kernel, I can't ping any host by its name.
> > I am able to ping IP's. Seems like a DNS Lookup failure. But why??
> > I didn't change any file, I only compiled the features listed above.
> > When I boot the old kernel again the problem seems to be gone.
> > WHY??? What is the logical thing here???
> > Thanx for your help.
>
> --
> :::
> ICQ: 75132336
> http://www.aphroland.org/
> http://www.linuxpowered.net/
> [EMAIL PROTECTED]
Re: Firewall/IP-masquerading
Nate Amsden <[EMAIL PROTECTED]> writes:
> not sure what kernels you're using but:
>
> - i've never gotten MASQ to work with DNS on 2.2 i've always had to put
> a DNS on the masq machine and point machines to it instead, this was not
> the case in 2.0 where it was able to masq without any trouble.

Hmm. I'm not sure what you mean here. I have a firewall/masq machine and I know for a fact that my main PC, which sits behind this firewall, has no problem reaching my remote DNS servers using masquerading (I don't currently run a DNS server myself).

> try putting a DNS on yer masq box and point everything to it.

Yikes! That's not a trivial task and it's of questionable value given what I'm able to do, as stated above.

> Willi Dyck wrote:
> >
> > Hi.
> >
> > I don't understand the world (Debian) anymore.
> > As soon as I compile things like
> > - ip firewalling
> > - ip masquerading
> > - ip forwarding
> > into the kernel, I can't ping any host by its name.
> > I am able to ping IP's. Seems like a DNS Lookup failure. But why??
> > I didn't change any file, I only compiled the features listed above.
> > When I boot the old kernel again the problem seems to be gone.
> > WHY??? What is the logical thing here???
> > Thanx for your help.

My guess is that you've got a chain in the default rules that's blocking DNS access. DNS access isn't a simple one to block/unblock, if I remember correctly. Just look at the logs (/var/log/syslog) and see if any of the output rules, with a source inside your LAN, is being denied. Personally, if I were you I'd get PMFirewall,

http://www.pmfirewall.com/PMFirewall/

And start with the rules they insert and build on that. It's quick, asks simple questions and gets you going quickly.

Gary
Re: Firewall/IP-masquerading
on Tue, Sep 05, 2000 at 12:59:25PM -0700, Nate Amsden sent 1.1K bytes on their merry way:
> not sure what kernels you're using but:

I'm using 2.2.17 (woody)

> - i've never gotten MASQ to work with DNS on 2.2 i've always had to put
> a DNS on the masq machine and point machines to it instead, this was not
> the case in 2.0 where it was able to masq without any trouble.

DNS works fine from the other side of my MASQ router; Perhaps there is some difference between UDP dns requests and TCP? *shrug*

I would suspect some stray ipchains rule is denying the DNS traffic.

Dan

--
Spinfire Magenta    In Real Life: Dan Noe
Freelance Hacker    http://www.isomerica.net/
31 5B 89 66 F7 E8 73 34 50 6A 79 C4 32 E1 0E 4A
Re: Firewall/IP-masquerading
not sure what kernels you're using but:

- i've never gotten MASQ to work with DNS on 2.2 i've always had to put a DNS on the masq machine and point machines to it instead, this was not the case in 2.0 where it was able to masq without any trouble.

try putting a DNS on yer masq box and point everything to it.

nate

Willi Dyck wrote:
>
> Hi.
>
> I don't understand the world (Debian) anymore.
> As soon as I compile things like
> - ip firewalling
> - ip masquerading
> - ip forwarding
> into the kernel, I can't ping any host by its name.
> I am able to ping IP's. Seems like a DNS Lookup failure. But why??
> I didn't change any file, I only compiled the features listed above.
> When I boot the old kernel again the problem seems to be gone.
> WHY??? What is the logical thing here???
> Thanx for your help.

--
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]
Firewall/IP-masquerading
Hi.

I don't understand the world (Debian) anymore.
As soon as I compile things like
- ip firewalling
- ip masquerading
- ip forwarding
into the kernel, I can't ping any host by its name.
I am able to ping IP's. Seems like a DNS Lookup failure. But why??
I didn't change any file, I only compiled the features listed above.
When I boot the old kernel again the problem seems to be gone.
WHY??? What is the logical thing here???
Thanx for your help.
Re: Newbie needs help with IP-Masquerading
A list of steps you've already performed would be useful in order to pinpoint where things are going wrong.

Cheers,
Jason.

--On Wednesday, August 9, 2000 6:22 -0500 Jason Schepman <[EMAIL PROTECTED]> wrote:
> HELP!! I can't get IPMASQ working. I've recompiled my kernel to add MASQ
> support and I'm pretty sure that I got it right. I've read through the
> HOW-TO but I had problems following along (I think it was written with BSD
> in mind, not Sys5). Anyways, any ideas or suggestions would be
> helpful. I can't even tell you exactly what the problem is. All I know is
> that my windows machine can't hit the internet when going through the debian
> box.
>
> (It's not a DNS thing because I can't ping the DNS server from windows
> either.)
>
> -Jason
Re: Newbie needs help with IP-Masquerading
What does it say when you do:

    ipchains -L

Ron Rademaker

On Wed, 9 Aug 2000, Jason Schepman wrote:
> HELP!! I can't get IPMASQ working. I've recompiled my kernel to add MASQ
> support and I'm pretty sure that I got it right. I've read through the
> HOW-TO but I had problems following along (I think it was written with BSD
> in mind, not Sys5). Anyways, any ideas or suggestions would be
> helpful. I can't even tell you exactly what the problem is. All I know is
> that my windows machine can't hit the internet when going through the debian
> box.
>
> (It's not a DNS thing because I can't ping the DNS server from windows
> either.)
>
> -Jason
Newbie needs help with IP-Masquerading
HELP!! I can't get IPMASQ working. I've recompiled my kernel to add MASQ support and I'm pretty sure that I got it right. I've read through the HOW-TO but I had problems following along (I think it was written with BSD in mind, not Sys5). Anyways, any ideas or suggestions would be helpful. I can't even tell you exactly what the problem is. All I know is that my windows machine can't hit the internet when going through the debian box.

(It's not a DNS thing because I can't ping the DNS server from windows either.)

-Jason
Re: ip masquerading on debian slink
On Fri, May 26, 2000 at 01:32:42PM -0700, Pann McCuaig wrote:
> 2.0.x kernels don't use ipchains, but its predecessor, whose name
> escapes me at the moment.

That would be ipfwadm.

Cheers,
Tom

--
The University of California Statistics Department; where mean is normal, and deviation standard.
Re: ip masquerading on debian slink
On Fri, Nov 24, 2000 at 02:09, Brad Reid wrote:
> hello i've got a LAN setup and would like a linux box on it to be a
> gateway. the LAN works fine but it is a class C network and i would
> like to enable ip masquerading on the linux box (debian slink).
> i'm having two problems:
> 1. debian distributions don't compile ip masquerading into the kernel,
> right?
> 2. kernel compile problems.
>
> problem 1: decoding an error message generated while trying to enable ip
> masquerading on kernel without ip masquerading enabled.
> error messages:
> # ipchains -F input
> ipchains: setsockopt failed: Protocol not available
> # ipchains -F
> ipchains: cannot open file '/proc/net/ip_fwnames'

2.0.x kernels don't use ipchains, but its predecessor, whose name escapes me at the moment.

> problem2: compiling the kernel. i configure the kernel the way the IP
> Masquerade howto suggests for 2.0.x kernels. the compilation almost
> completes and generates a command 'as86' which generates a command not
> found error. any suggestions?

You need to install the bin86 package.

BTW, when you get the kernel properly compiled the ipmasq package drops right in and gives you what you want.

Luck,
Pann

--
geek by nature, Linux by choice
L I N U X       .~.     The Choice
                /V\     http://www.ourmanpann.com/linux/
of a GNU       /( )\    Generation
               ^^-^^
ip masquerading on debian slink
hello i've got a LAN setup and would like a linux box on it to be a gateway. the LAN works fine but it is a class C network and i would like to enable ip masquerading on the linux box (debian slink).

i'm having two problems:
1. debian distributions don't compile ip masquerading into the kernel, right?
2. kernel compile problems.

problem 1: decoding an error message generated while trying to enable ip masquerading on kernel without ip masquerading enabled.
error messages:

    # ipchains -F input
    ipchains: setsockopt failed: Protocol not available
    # ipchains -F
    ipchains: cannot open file '/proc/net/ip_fwnames'

problem2: compiling the kernel. i configure the kernel the way the IP Masquerade howto suggests for 2.0.x kernels. the compilation almost completes and generates a command 'as86' which generates a command not found error. any suggestions?

any help or references to relevant documentation would be appreciated.

thanks,
__
Brad Reid, [EMAIL PROTECTED]
Re: Default kernel and ip masquerading
I guess there's some kind of module somewhere that should be loaded in (using modprobe).

Ron Rademaker

On Fri, 26 May 2000 [EMAIL PROTECTED] wrote:
>
> Someone on this list wrote recently wondering if
> they would need to recompile their kernel in order
> to get ip masquerading working.
>
> They are using a stock kernel version 2.0.38 that
> came with slink and said that when they executed the
> command...
>
> /sbin/ipfwadm -F -p deny
>
> they got the following...
>
> ipfwadm: setsockopt failed: Protocol not available.
>
> I suggested first using...
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> but this did not seem to help. Does the stock kernel
> not support ip masquerading or does the problem lie elsewhere.
>
> TIA
Default kernel and ip masquerading
Someone on this list wrote recently wondering if they would need to recompile their kernel in order to get ip masquerading working.

They are using a stock kernel version 2.0.38 that came with slink and said that when they executed the command...

    /sbin/ipfwadm -F -p deny

they got the following...

    ipfwadm: setsockopt failed: Protocol not available.

I suggested first using...

    echo "1" > /proc/sys/net/ipv4/ip_forward

but this did not seem to help. Does the stock kernel not support ip masquerading or does the problem lie elsewhere.

TIA
Re: Default kernel and ip masquerading
[EMAIL PROTECTED] wrote:
>
> Someone on this list wrote recently wondering if
> they would need to recompile their kernel in order
> to get ip masquerading working.
>
> They are using a stock kernel version 2.0.38 that
> came with slink and said that when they executed the
> command...
>
> /sbin/ipfwadm -F -p deny
>
> they got the following...
>
> ipfwadm: setsockopt failed: Protocol not available.
>
> I suggested first using...
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> but this did not seem to help. Does the stock kernel
> not support ip masquerading or does the problem lie elsewhere.
>
> TIA

I posted the question a couple weeks ago, only about the default potato kernel, not slink. The response I got at the time was that it does *not* enable ip masquerading and that a new kernel must be compiled. Time to upgrade anyway! ;-)

Stan
Re: IP Masquerading, SSH, and X
Beavis said:
> ok, is it possible to open a x-windows interface through a ssh connection
> from a remote location all on static IP's?

Yes.

> more specifically, start x from a ssh client on another system.
>
> if so, please don't just say it is possible, but explain how

ssh to the other box. Enter the appropriate command to start up the desired X client on the other machine. Watch the application display on your local screen.

If it doesn't work, verify that the ssh client and server both have X11Forwarding yes in their config files.

(For anyone who cares, X worked just fine through my ssh/masquing system from the start, I just wasn't patient enough. Over a (slow) dialup link, I've been able to bring up imapbiff, which displays in a 64x64 window - after over a minute's delay. When I thought it wasn't working, I was trying to run Netscape in a much larger (~900x750 or so) window...)

--
The Shortest Windows Manual: "Turn off the power switch."
Geek Code 3.1: GCS d- s+: a- C++ UL++$ P+>+++ L++> E- W--(++) N+ o+ !K w---$ O M- !V PS+ PE Y+ PGP t 5++ X+ R++ tv- b++ DI D G e* h+ r++ y+
Re: IP Masquerading, SSH, and X
it may be worth looking into VNC, http://www.uk.research.att.com/vnc/ and vnc with SSH: http://www.uk.research.att.com/vnc/sshwin.html

its probably the simplest way to get up and going. but it depends on what apps you want to run (e.g. vmware does not run worth a crap on an vnc X server)

nate

On Mon, 3 Apr 2000, Beavis wrote:
beavis > ok, is it possible to open a x-windows interface through a ssh connection
beavis > from a remote location all on static IP's?
beavis >
beavis > DSL to DSL from example.
beavis >
beavis > more specifically, start x from a ssh client on another system.
beavis >
beavis > if so, please don't just say it is possible, but explain how
beavis >
beavis > thankx --beavis-- just a guy from a small town trying to learn something
beavis >
beavis > > > I'm currently set up such that I can ssh into my machine at work from home
beavis > > > and all works well as long as I stay within the console session. However,
beavis > > > I'm on a dialup line (no DSL yet...) and use IP masquerading, which appears
beavis > > > to prevent X clients on my work box from connecting to the X server here at
beavis > > > home.
beavis > >
beavis > > If you log in via ssh, then you should be able to start x-applications
beavis > > out-of-the-box. ssh creates a proxy x-server and thus forwards any
beavis > > x-connection through the encrypted connection opened by the masqueraded
beavis > > host.
beavis > > if it does not work, then check, if "ForwardX11 yes" is in your
beavis > > ~/.ssh/config. if it is, then check, how $DISPLAY is set on the remote
beavis > > machine after ssh-login. it should be something like :10.0
beavis > > - if it is not, then ssh does not forward the x-connections ... don't ask
beavis > > me, why.
beavis > >
beavis > > --
beavis > > Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
beavis > > --
beavis > > Linux - the last service pack you'll ever need.

--[mailto:[EMAIL PROTECTED] ]--
Vice President Network Operations       http://www.firetrail.com/
Firetrail Internet Services Limited     http://www.aphroland.org/
Everett, WA 425-348-7336                http://www.linuxpowered.net/
Powered By:                             http://comedy.aphroland.org/
Debian 2.1 Linux 2.0.36 SMP             http://yahoo.aphroland.org/
-[mailto:[EMAIL PROTECTED] ]--
Re: IP Masquerading, SSH, and X
ok, is it possible to open a x-windows interface through a ssh connection from a remote location all on static IP's?

DSL to DSL from example.

more specifically, start x from a ssh client on another system.

if so, please don't just say it is possible, but explain how

thankx --beavis-- just a guy from a small town trying to learn something

> > I'm currently set up such that I can ssh into my machine at work from home
> > and all works well as long as I stay within the console session. However,
> > I'm on a dialup line (no DSL yet...) and use IP masquerading, which appears
> > to prevent X clients on my work box from connecting to the X server here at
> > home.
>
> If you log in via ssh, then you should be able to start x-applications
> out-of-the-box. ssh creates a proxy x-server and thus forwards any
> x-connection through the encrypted connection opened by the masqueraded
> host.
> if it does not work, then check, if "ForwardX11 yes" is in your
> ~/.ssh/config. if it is, then check, how $DISPLAY is set on the remote
> machine after ssh-login. it should be something like :10.0
> - if it is not, then ssh does not forward the x-connections ... don't ask
> me, why.
>
> --
> Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
> --
> Linux - the last service pack you'll ever need.
Re: ip masquerading
On Fri, Mar 31, 2000 at 06:48:19PM +0200, Philip Lehman wrote:
>
> I'm trying to set up IP masquerading on a slink/potato box which is
> supposed to route the traffic on my home LAN over an ISDN dial-up
> line. I have to admit that I have no experience with advanced
> networking of this kind.
>
> I read the IP masquerading HOWTO. It suggests a sample "rc.firewall"
> script to set up masquerading and simple firewalling. It appears to me
> that this interferes with the /etc/init.d/* scripts used by related
> Debian packages, and I'd rather do it the Debian way.
>

I would recommend installing the ipmasq package, which is reasonably smart and will usually set up IP masquerading for you automatically.

> rc.firewall wants to run:
> # echo "1" > /proc/sys/net/ipv4/ip_forward
> # echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> I haven't found this in any other script in /etc/init.d/*. What's the
> default way to do this? Write my own script?
>

Yes.

> And it wants to run:
> # /sbin/ipfwadm -F -p deny
> # /sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
>
> I guess this is what /etc/init.d/ipmasq is for, but I'm feeling lost
> as far as the configuration is concerned. The postinstall script asked
> for the client IPs on the LAN and I entered that, but where is this
> stored? Do I have to do anything in addition to that, or can I rely on
> the defaults? I don't need anything fancy, but the setup should be
> halfway secure.
>

Have a look in /etc/ipmasq directory. If you are running slink, you may want to install the ipmasq from potato, which may be a bit smarter.

Pete
ip masquerading
I'm trying to set up IP masquerading on a slink/potato box which is supposed to route the traffic on my home LAN over an ISDN dial-up line. I have to admit that I have no experience with advanced networking of this kind.

I read the IP masquerading HOWTO. It suggests a sample "rc.firewall" script to set up masquerading and simple firewalling. It appears to me that this interferes with the /etc/init.d/* scripts used by related Debian packages, and I'd rather do it the Debian way.

rc.firewall wants to run:

    # echo "1" > /proc/sys/net/ipv4/ip_forward
    # echo "1" > /proc/sys/net/ipv4/ip_dynaddr

I haven't found this in any other script in /etc/init.d/*. What's the default way to do this? Write my own script?

And it wants to run:

    # /sbin/ipfwadm -F -p deny
    # /sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0

I guess this is what /etc/init.d/ipmasq is for, but I'm feeling lost as far as the configuration is concerned. The postinstall script asked for the client IPs on the LAN and I entered that, but where is this stored? Do I have to do anything in addition to that, or can I rely on the defaults? I don't need anything fancy, but the setup should be halfway secure.

TIA

--
Philip Lehman <[EMAIL PROTECTED]>
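Several messages in this thread describe the same recipe in pieces: a firewall script in /etc/init.d hooked up with update-rc.d (or run from the "up" line of /etc/network/interfaces or from /etc/ppp/ip-up.d for a dynamic address), the ip_forward and ip_dynaddr switches, and a forward chain with a DENY policy and a single MASQ rule for the LAN. The following script is an added example that pulls those pieces together for the ipchains (kernel 2.2) case; it is not a script posted by anyone in the thread or shipped by the ipmasq package. The subnet 192.168.0.0/24, the interface ppp0, the DRY_RUN switch and the install path are assumptions chosen for illustration. It adds two checks the thread only hints at: it refuses to masquerade anything but RFC 1918 space, and it drops (and logs) packets arriving on the external interface that claim a LAN source address.

```shell
#!/bin/sh
# Added example, not from any post in this thread: an ipchains (kernel 2.2)
# masquerading script in the shape of a Debian /etc/init.d script.
# All values below are constructed for illustration.
#
# Install (assumed paths):  cp firewall /etc/init.d/firewall
#                           update-rc.d firewall defaults
# or, for a dynamic external address, run it from /etc/network/interfaces
# ("up /etc/init.d/firewall start") or from /etc/ppp/ip-up.d.

LAN_NET="${LAN_NET:-192.168.0.0/24}"   # constructed: the LAN to masquerade
EXT_IF="${EXT_IF:-ppp0}"               # constructed: interface towards the ISP

# DRY_RUN=1 prints every privileged command instead of executing it.
RUN=""
[ -n "${DRY_RUN:-}" ] && RUN="echo"

# Only RFC 1918 space should ever be masqueraded; refuse anything else so a
# typo in LAN_NET cannot turn the box into an open relay for foreign sources.
is_private_net() {
    case "$1" in
        10.*)                                   return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        192.168.*)                              return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Pull the IPv4 address out of old-style "ifconfig <if>" output on stdin
# ("inet addr:1.2.3.4 ..."), which is how scripts learned a dynamic address.
parse_inet_addr() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

ext_ip() {
    ifconfig "$1" 2>/dev/null | parse_inet_addr
}

# Emit the rule set for one LAN subnet, one command per line, so it can be
# inspected (or tested) without running it.
masq_rules() {
    lan=$1
    ext=$2
    cat <<EOF
ipchains -F forward
ipchains -P forward DENY
ipchains -A forward -s $lan -d 0.0.0.0/0 -j MASQ
ipchains -A input -i $ext -s $lan -j DENY -l
EOF
}

apply_firewall() {
    if ! is_private_net "$LAN_NET"; then
        echo "refusing to masquerade non-private network $LAN_NET" >&2
        return 1
    fi
    # Kernel switches: forward packets, and (for dial-up) let masqueraded
    # connections survive a change of the external address.
    $RUN sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    $RUN sh -c 'echo 1 > /proc/sys/net/ipv4/ip_dynaddr'
    masq_rules "$LAN_NET" "$EXT_IF" | while read -r cmd; do
        $RUN $cmd
    done
}

flush_firewall() {
    $RUN ipchains -F forward
    $RUN ipchains -P forward ACCEPT
}

case "${1:-}" in
    start) apply_firewall ;;
    stop)  flush_firewall ;;
    *)     : ;;   # no argument: only define the functions
esac
```

Run it as `DRY_RUN=1 ./firewall start` first to see exactly which ipchains commands it would issue; the forward policy is set to DENY before the MASQ rule is added, so there is no window in which arbitrary traffic is forwarded.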
Re: IP Masquerading, SSH, and X
> I'm currently set up such that I can ssh into my machine at work from home
> and all works well as long as I stay within the console session. However,
> I'm on a dialup line (no DSL yet...) and use IP masquerading, which appears
> to prevent X clients on my work box from connecting to the X server here at
> home.

If you log in via ssh, then you should be able to start x-applications out-of-the-box. ssh creates a proxy x-server and thus forwards any x-connection through the encrypted connection opened by the masqueraded host.

If it does not work, then check if "ForwardX11 yes" is in your ~/.ssh/config. If it is, then check how $DISPLAY is set on the remote machine after ssh-login. It should be something like :10.0 - if it is not, then ssh does not forward the x-connections ... don't ask me why.

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
-- 
Linux - the last service pack you'll ever need.
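The two checks the reply suggests (is ForwardX11 on for this host, and does $DISPLAY look like a forwarded display) can be scripted. The following is an added example, not code from either poster; the config file contents are constructed, and the parser is a simplification of OpenSSH's rules (first matching option wins, Host blocks with a matching name or "*" apply, Match blocks are ignored):

```shell
#!/bin/sh
# Added example, not from the thread. Both functions take their input as
# parameters so nothing here reads the real ~/.ssh/config or environment.

# forward_x11_enabled CONFIG_FILE HOST: succeed when the first ForwardX11
# option that applies to HOST (global section, "Host HOST" or "Host *") is "yes"
forward_x11_enabled() {
    cfg="$1"; host="${2:-}"
    awk -v want="$host" '
        BEGIN { in_scope = 1; decided = 0; val = "" }
        tolower($1) == "host" {
            in_scope = 0
            for (i = 2; i <= NF; i++) if ($i == want || $i == "*") in_scope = 1
            next
        }
        in_scope && tolower($1) == "forwardx11" && !decided {
            decided = 1; val = tolower($2)
        }
        END { exit (decided && val == "yes") ? 0 : 1 }
    ' "$cfg"
}

# display_is_forwarded DISPLAY: succeed when DISPLAY has the shape sshd gives
# a forwarded display, ":N.S" or "localhost:N.S" with N >= X11DisplayOffset
# (OpenSSH default 10); a real local display such as ":0.0" fails
display_is_forwarded() {
    d="${1#localhost}"          # newer sshd versions prefix "localhost"
    case "$d" in
        :[0-9]*) ;;
        *) return 1 ;;
    esac
    n="${d#:}"; n="${n%%.*}"
    [ "$n" -ge 10 ]
}
```

A practitioner would run `forward_x11_enabled ~/.ssh/config work` on the client and `display_is_forwarded "$DISPLAY"` after logging in. Two caveats the reply does not mention: the server side must also have X11Forwarding enabled in sshd_config, and a forwarded X connection gives the remote host a channel to the local X server, so OpenSSH offers ForwardX11 per Host block (and a separate ForwardX11Trusted option) rather than encouraging a global setting.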
IP Masquerading, SSH, and X
I'm currently set up such that I can ssh into my machine at work from home and all works well as long as I stay within the console session. However, I'm on a dialup line (no DSL yet...) and use IP masquerading, which appears to prevent X clients on my work box from connecting to the X server here at home. Given that FTP and Quake have lumps of code that can be used to help incoming connections find their way through a masqing host, I assume that similar code exists for X. Where can I find it? (Or at least directions on how to get X working on this sort of setup?) -- The Shortest Windows Manual: "Turn off the power switch." Geek Code 3.1: GCS d- s+: a- C++ UL++$ P+>+++ L++> E- W--(++) N+ o+ !K w---$ O M- !V PS+ PE Y+ PGP t 5++ X+ R++ tv- b++ DI D G e* h+ r++ y+
IP masquerading - connections persist too long
I have recently switched my ISDN card to a firewall machine, running kernel 2.2.13 and slink. I am now finding that connections remain open for up to 10 minutes. I think that the masquerading part of the kernel has opened them in order to fulfil connection requests, but is not closing them when the original program closes the connection to the firewall. As a result, I am incurring unnecessary call charges.

Does anyone know of a way to force the masqueraded connection to shut down at the same time as the original one?

-- 
Oliver Elphick                                [EMAIL PROTECTED]
Isle of Wight                              http://www.lfix.co.uk/oliver
PGP key from public servers; key ID 32B8FAA1
"O come, let us worship and bow down; let us kneel before the LORD our maker." Psalms 95:6
Weird Routing/IP-Masquerading issue
orwell has two ethernet cards and serves as the router for my home network. eth0 connects to a cable modem with IP 24.x.x.x.x (assigned via DHCP). eth1 connects to the home network with ip 192.168.1.1. The routing works fine, and I never have any problems getting to the outside world from any of the other systems on the network...except for orwell. When I'm actually physically logged into orwell, I'm sometimes unable to establish TCP connections with the outside world. I just ran fetchmail on magellan (192.168.1.2) and it connected to my ISP's POP server fine. But, even as I speak, fetchmail on orwell is blocking on the connect() call because it cannot establish a TCP connection with the outside world. I'm totally bewildered. Twenty minutes from now, it could work fine.

Instead of using the ipmasq package, I set up the network and some special IP-Masquerading hacks (for Napster, DirectX, and ICQ) through /etc/init.d/network, which I've attached. I also use portfw to forward orwell:81 to magellan:8080 to let others access my Zope server, but I don't think that that is an issue either. I'm running Debian potato and kernel 2.2.12 on orwell. Does anyone have any ideas? Please CC me as I'm not currently subscribed to debian-user (I can only handle one high-traffic list, and zope takes the cake!)

-- 
Stephen Pitts
[EMAIL PROTECTED]
webmaster - http://www.mschess.org

#! /bin/sh
ifconfig lo 127.0.0.1
# internal network is hard-coded; external is setup by DHCP
ifconfig eth0 > /dev/null
ifconfig eth1 192.168.1.1 netmask 255.255.255.0
ipchains -P forward DENY
# note: /16 here matches all of 192.168.0.0/16, wider than the /24 configured on eth1
ipchains -A forward -s 192.168.1.0/16 -j MASQ
echo "1" > /proc/sys/net/ipv4/ip_forward
# for DirectPlay games :-)
ipmasqadm autofw -A -r udp 2300 2400 -h 192.168.1.2
ipmasqadm autofw -A -r tcp 2300 2400 -h 192.168.1.2
ipmasqadm autofw -A -r udp 47624 47624 -h 192.168.1.2
ipmasqadm autofw -A -r tcp 47624 47624 -h 192.168.1.2
# for napster
ipmasqadm autofw -A -r tcp 6699 6699 -h 192.168.1.2
# for ICQ
ipmasqadm autofw -A -r tcp 31000 32000 -h 192.168.1.2
2.3x and IP masquerading
Marcin

If you are ready to live dangerously, I would suggest you join the Linux Kernel mailing list, [EMAIL PROTECTED] They should steer you in the right direction.

-- 
David Natkins
Email to: [EMAIL PROTECTED]
Fax to: (718) 488-1780
Phone: (718) 403-2474
Re: ipchains ip-masquerading configuration
On Tue, Oct 05, 1999 at 09:12:51AM -0600, [EMAIL PROTECTED] wrote:
> I would like to know if there is a standard place to put the ipchains
> commands for ip masquerading so they get executed at boot time. For now,
> I stuck them in /etc/init.d/bootmisc.sh but if there is a more customary
> location for them I want to put them there so that they don't accidentally
> get blown away during a package upgrade.

I put them in /etc/init.d/network with all the other network configuration. You might want to put them in a separate script somewhere else and call that script if you're particularly paranoid about this happening.

-- 
Mark Brown  mailto:[EMAIL PROTECTED]   (Trying to avoid grumpiness)
http://www.tardis.ed.ac.uk/~broonie/
EUFS        http://www.eusa.ed.ac.uk/societies/filmsoc/
Re: ipchains ip-masquerading configuration
On Tue, Oct 05, 1999 at 09:12:51AM -0600, [EMAIL PROTECTED] wrote:
> Greetings:
>
> I would like to know if there is a standard place to put the ipchains
> commands for ip masquerading so they get executed at boot time. For now,
> I stuck them in /etc/init.d/bootmisc.sh but if there is a more customary
> location for them I want to put them there so that they don't accidentally
> get blown away during a package upgrade.
>
> -- Mark Zimmerman

Hi Mark,

Mine are located in the regular directory: /etc/ipmasq/rules. I only have one file.def, containing all the rules, the ipmasq is launched in /etc/rcS.d, as # 41 link.

JY
-- 
Jean-Yves F. Barbier <[EMAIL PROTECTED]>
"A word to the wise: a credentials dicksize war is usually a bad idea on the net." (David Parsons in c.o.l.development.system, about coding in C.)
ipchains ip-masquerading configuration
Greetings:

I would like to know if there is a standard place to put the ipchains commands for ip masquerading so they get executed at boot time. For now, I stuck them in /etc/init.d/bootmisc.sh but if there is a more customary location for them I want to put them there so that they don't accidentally get blown away during a package upgrade.

-- Mark Zimmerman
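Both Philip Lehman's thread (where to run the ip_forward and ip_dynaddr writes and the deny-then-masquerade rules) and Mark Zimmerman's thread (where to keep ipchains commands so they run at boot and survive package upgrades) get the same answer from the replies: a separate script of your own. The following is an added example of such a script, not code from the threads and not the ipmasq package's own code. The name /etc/init.d/local-masq, the LAN prefix 192.168.1.0/24 and the PROC_ROOT and DRY_RUN knobs are assumptions made so the logic can be exercised without root; the ipchains and /proc commands are the ones the threads use.

```shell
#!/bin/sh
# Added example (hypothetical /etc/init.d/local-masq), not from the thread and
# not the ipmasq package's code. Assumed: LAN on 192.168.1.0/24; PROC_ROOT and
# DRY_RUN exist only so the script's logic can be tested as an ordinary user.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROC_ROOT="${PROC_ROOT:-/proc}"   # where sys/net/ipv4/* lives
DRY_RUN="${DRY_RUN:-0}"           # 1 = print what would be done instead of doing it

# run CMD ARGS...: execute an external command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# set_flag NAME VALUE: write a 0/1 knob under $PROC_ROOT/sys/net/ipv4
set_flag() {
    file="$PROC_ROOT/sys/net/ipv4/$1"
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo $2 > $file"
    else
        echo "$2" > "$file"
    fi
}

# masq_start: install the deny policy and the rules before forwarding is
# switched on, so no packet is ever forwarded without a rule being consulted
masq_start() {
    run ipchains -P forward DENY
    run ipchains -F forward
    run ipchains -A forward -s "$LAN_NET" -j MASQ
    set_flag ip_forward 1
    set_flag ip_dynaddr 1     # dial-up line: the external address changes per call
}

# masq_stop: reverse order; forwarding goes off before the rules are removed
masq_stop() {
    set_flag ip_forward 0
    run ipchains -F forward
    run ipchains -P forward DENY
}

# masq_status: succeed only when both kernel knobs read 1
masq_status() {
    dir="$PROC_ROOT/sys/net/ipv4"
    [ "$(cat "$dir/ip_forward")" = 1 ] && [ "$(cat "$dir/ip_dynaddr")" = 1 ]
}

# init.d-style dispatcher; only runs when an action is given on the command line
if [ $# -gt 0 ]; then
    case "$1" in
        start)  masq_start ;;
        stop)   masq_stop ;;
        status) if masq_status; then echo "masquerading: on"; else echo "masquerading: off"; fi ;;
        *)      echo "Usage: $0 {start|stop|status}" >&2; exit 1 ;;
    esac
fi
```

Installed under /etc/init.d and linked into the rc directories with update-rc.d (the ipmasq package's own link sits in /etc/rcS.d, as the reply above notes), the script is never touched by a package upgrade. The ordering in masq_start is the point to keep when adapting it: policy first, forwarding last, so there is no window in which the box forwards with an empty or default-accept chain. `DRY_RUN=1 sh local-masq start` prints the exact sequence for review before running it as root.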
ip masquerading rules
Hi,

I'm trying to set up a Debian/Slink box as ip-masquerade for 2 192.168.x.x networks. I had set the rules with ipfwadm and the Masquerading ones are working well; all connections to external nets through the 3rd interface are masqueraded. My problem is that I want some networks not to be masqueraded, only forwarded. The forward rules were written in first place in the /etc/network file and they are listed first with ipfwadm -F -l. What do I need to do in order to avoid masquerading some networks?

The output of ipfwadm -F -l is:

IP firewall forward rules, default policy: accept
type  prot source           destination      ports
acc   all  192.168.9.0/24   xxx.xx.xx.0/24   n/a
acc   all  192.168.10.0/24  xxx.xxx.yy.0/24  n/a
acc   all  xxx.xxx.xx.0/24  192.168.9.0/24   n/a
acc   all  xxx.xxx.yy.0/24  192.168.10.0/24  n/a
acc   all  192.168.9.0/24   192.168.24.0/22  n/a
acc   all  192.168.10.0/24  192.168.24.0/22  n/a
acc   all  192.168.24.0/22  192.168.9.0/24   n/a
acc   all  192.168.24.0/22  192.168.10.0/24  n/a
acc/m all  192.168.9.0/24   0.0.0.0/0        n/a
acc/m all  192.168.10.0/24  0.0.0.0/0        n/a
---

And the ipfwadm -M -ln is:

IP masquerading entries
prot expire   source         destination     ports
udp  04:57.47 192.168.10.13  xxx.xxx.xx.5    137 (61046) -> 137
udp  00:19.32 192.168.10.14  xxx.xxx.xx.9    1038 (61034) -> 53
udp  00:19.31 192.168.10.14  xxx.xxx.xx.9    1037 (61033) -> 53
udp  00:08.70 192.168.10.15  xxx.xxx.xx.5    137 (61028) -> 137
tcp  12:29.34 192.168.10.15  xxx.xxx.xx.126  1050 (61044) -> 21
udp  00:06.26 192.168.10.14  xxx.xxx.xx.5    137 (61015) -> 137
---

The xxx.xxx.xx.XX entries shouldn't be here since the rule for forwarding is listed first. What is going wrong here?

Thanks and sorry for the long post.

[]s,
Mario O. de Menezes          "Many are the plans in a man's heart, but
IPEN-CNEN/SP                  is the Lord's purpose that prevails"
http://curiango.ipen.br/~mario                       Prov. 19.21
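Two posts above read the kernel's masquerade table by hand: Oliver Elphick's (masqueraded connections staying open for up to 10 minutes on an ISDN line) and Mario de Menezes's (the ipfwadm -M -l listing). The following is an added example, not code from either post, that parses that listing and reports entries whose remaining lifetime exceeds a threshold; the sample table is constructed in the column layout shown above, with 192.0.2.x standing in for the anonymised external addresses, and the functions read their input from a string or stdin so they run without the tool installed.

```shell
#!/bin/sh
# Added example, not from the thread: pick out long-lived entries from an
# "ipfwadm -M -l" style masquerade table. Sample input is constructed.
#   prot expire source destination ports
SAMPLE_MASQ_TABLE='IP masquerading entries
prot expire source destination ports
udp 04:57.47 192.168.10.13 192.0.2.5 137 (61046) -> 137
udp 00:19.32 192.168.10.14 192.0.2.9 1038 (61034) -> 53
tcp 12:29.34 192.168.10.15 192.0.2.126 1050 (61044) -> 21
udp 00:06.26 192.168.10.14 192.0.2.5 137 (61015) -> 137'

# expire_seconds MM:SS.hh: remaining lifetime as whole seconds
expire_seconds() {
    echo "$1" | awk -F'[:.]' '{ print $1 * 60 + $2 }'
}

# long_lived_entries THRESHOLD_SECONDS: read a table on stdin and print
# "proto source destination seconds" for each entry above the threshold
long_lived_entries() {
    awk -v limit="$1" '
        NR <= 2 { next }                       # two header lines
        {
            split($2, t, "[:.]")               # MM, SS, hundredths
            secs = t[1] * 60 + t[2]
            if (secs > limit) print $1, $3, $4, secs
        }'
}

# count_long_lived THRESHOLD_SECONDS: number of such entries in the sample
count_long_lived() {
    printf '%s\n' "$SAMPLE_MASQ_TABLE" | long_lived_entries "$1" | wc -l | tr -d ' '
}
```

On a live box the input would be `ipfwadm -M -l | long_lived_entries 300` (or the ipchains -M -L equivalent on a 2.2 kernel), and a threshold near the dial-up idle timer shows which masqueraded flows are keeping the line up. The lifetimes themselves are the kernel's masquerade timeouts, which both tools let you lower (ipfwadm -M -s and ipchains -M -S take the tcp, tcpfin and udp values); the TCP entry at 12:29 in the sample is the kind that outlives the program that opened it.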
Re: ip masquerading/port forwarding
On Sun, Jun 27, 1999 at 12:24:03AM -0400, Paul Miller wrote:
> I'm using Debian/unstable and kernel v2.2.10. I have a ip masquerading
> Linux box setup and working. I'd like to configure ports 137 to 139 of an
> internal machine to act as ports 20137 to 20139 on the external interface of
> the Linux box. I.e., the internal ip address sent from the internal machine
> is replaced with the external interface's address and anything sent to the
> external interface on ports 20137 to 20139, the external interface ip
> address is replaced with the internal machines ip addressed and forwarded to
> the internal machine on ports 137 to 139.

Okay, I'm assuming here that you have portfw compiled into the kernel, or available as a module, and that you have ipmasqadm installed.

ipmasqadm portfw -a -P tcp -L external.ip 20137 -R internal.ip 137
ipmasqadm portfw -a -P tcp -L external.ip 20139 -R internal.ip 139

...replacing external.ip and internal.ip with the obvious things :-)

Now this works for requests coming in - requests to port 20137 are rewritten to port 137 and forwarded to the internal machine... I think you also want something to rewrite the outgoing stuff from the internal machine using port 137 to 20137 as well, right? This should do it:

ipmasqadm portfw -a -P tcp -L internal.ip 137 -R external.ip 20137
ipmasqadm portfw -a -P tcp -L internal.ip 139 -R external.ip 20139

...again replacing internal.ip and external.ip with the obvious. However, this time you want to use the internal.ip of the masquerading machine (I think, try it both ways).

If Samba needs UDP as well (I don't think it does...) then double up the entries, replacing 'tcp' with 'udp' for the second ones.

I haven't actually tried this, but it should work fine. Let me know...

-- 
Matthew Gregan [EMAIL PROTECTED]
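The inbound rules in the reply are typed one port at a time and skip 138. As an added example, not the reply's own commands, here is a small generator for the whole range, using the ipmasqadm portfw syntax from the reply; the addresses 192.0.2.10 and 192.168.1.2 are placeholders. It also fixes the transports, which the reply was unsure about: NetBIOS name service (137) and datagram service (138) run over UDP, the session service (139) over TCP.

```shell
#!/bin/sh
# Added example, not from the thread: emit ipmasqadm portfw rules for a
# contiguous port range. Addresses are documentation/private placeholders.
EXT_IP="${EXT_IP:-192.0.2.10}"     # external interface of the masquerading box
INT_IP="${INT_IP:-192.168.1.2}"    # internal machine that should receive the traffic

# portfw_rules PROTO EXT_FIRST INT_FIRST COUNT: one inbound rule per port,
# external port EXT_FIRST+i mapped to internal port INT_FIRST+i
portfw_rules() {
    proto="$1"; ext="$2"; int="$3"; n="$4"
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "ipmasqadm portfw -a -P $proto -L $EXT_IP $((ext + i)) -R $INT_IP $((int + i))"
        i=$((i + 1))
    done
}

# netbios_rules: 137/138 are UDP (name and datagram service), 139 is TCP
# (session service); the external ports follow the 20137-20139 scheme asked for
netbios_rules() {
    portfw_rules udp 20137 137 2
    portfw_rules tcp 20139 139 1
}

# rule_count: number of rules netbios_rules would install
rule_count() {
    netbios_rules | wc -l | tr -d ' '
}
```

`netbios_rules` prints the commands for review; `netbios_rules | sh` as root installs them. Each rule opens the internal machine's NetBIOS service to whatever can reach the external address, so the set is worth reading before it is piped anywhere.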
ip masquerading/port forwarding
I'm using Debian/unstable and kernel v2.2.10. I have an ip masquerading Linux box set up and working. I'd like to configure ports 137 to 139 of an internal machine to act as ports 20137 to 20139 on the external interface of the Linux box. I.e., the internal ip address sent from the internal machine is replaced with the external interface's address and anything sent to the external interface on ports 20137 to 20139, the external interface ip address is replaced with the internal machine's ip address and forwarded to the internal machine on ports 137 to 139. (I'm trying to get samba/windows networking to work over a linux ip masquerading box.)

Any ideas?

Thanks
-Paul

BTW- anyone know the ipmasq mailing list? I tried to subscribe to one of them and now I'm only getting the digest and can't post messages... (?).
RE: Samba/Windows/etc over IP Masquerading
I'm not using a NT domain controller, but I think NT, as well as Win95/98, will hold local elections to see which machine will carry the browsing list every 15 minutes or so... I'm not sure if additional information is sent from NT (without an initial client message); a DHCP service may operate this way (?).

I'm wondering if Linux/ipmasq can assign the 137-139 ports for each of the internal client machines as other ports of the Linux box and communicate to the external machines as if multiple copies of samba were running on the same machine.

Lately I've been playing with ipchains on the Linux box and now I can no longer connect to the external machines from the internal machines, with the exception of connecting to the WINS server (?). Other than upgrading the ipmasq package, I don't know what I changed to cause this to happen. I'm going to try disabling all the security rules and see if that helps.

-Paul

-----Original Message-----
From: Marc MacIntyre [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 25, 1999 6:40 PM
To: [EMAIL PROTECTED]
Subject: Samba/Windows/etc over IP Masquerading

Paul,

I saw your post on the mailing list, and am facing the same problem. I did a tcpdump from my masquerade server, looking for possible traffic, and didn't see anything that was obviously a failing connection. Could the NT domain controller be trying to establish a connection back to the masqueraded clients?

-- 
Marc MacIntyre
Systems Administrator
[EMAIL PROTECTED]
How come Superman could stop bullets with his chest, but always ducked when someone threw a chair at him?
samba/win95 network over ip-masquerading
I'm running Debian/Linux "potato" kernel 2.2.10 with Samba 2.0.4b and I'm trying to set up a Linux box to masquerade and allow browsing across the Linux box. Currently, IP Masquerading is working and I'm using the default Debian auto-configuration. More specifically, I want the machines on the local network to see and be able to access the machines on the outside network and vice-versa. And, if possible I'd like the Linux box to only be seen/accessible by the local network (not as important).

Here's the situation: There are 3 win95 machines behind the Linux box and a WINS server on the outside, which I'm not in control of. Right now the local network is 192.168.1.x on eth0 and the outside is 192.168.100.x on eth1 (which will be changed to a non-private IP in the future). I've tried setting up the Linux box as a WINS server and having the local machines point to it, but then there is no link to the outside machines. If the local machines point to the outside WINS server, nothing seems to work. If I telnet into the Linux box, smbclient -L {machine} is able to locate the clients without any problems or help from DNS, yet the machines don't report a browse list containing machines from the other network.

---

Just recently I changed the firewall rules so the default policy is ACCEPT for input, output, and forward and I deleted the DENY rule from the input and output chains just to make things a little easier. Now, the local machines are set to the WINS server on the outside network and are able to browse and connect to those machines + the inside machines. So, one direction is working. Now, how can I get it to work the other way? I think it should be possible because I think the WINS server stores the IP and port of the client machines, thus if the Linux ip masq box manipulated the WINS connections from the inside to the outside network so that the machine was the Linux box outside IP and changed the ports, everything should work fine.

---

Do I need more MASQ/firewall rules? What can I do?

Thanks,
-Paul
Re: IP Masquerading
On Mon, Jun 14, 1999 at 07:47:36AM +0100, [EMAIL PROTECTED] wrote:
> Is there any Debian specific documentation on IP Masquerading? I've read
> the mini how-to, but debian seems to have this extra /etc/ipmasq.conf file
> so I'm looking for the correct way to configure debian IP Masquerading
> before I start asking any stupid questions. If there isn't any should we
> consider writing some?

I had been masquerading with slack before I got debian and I didn't have to change anything. It is very straightforward on 2.2 kernel, read the ipchains-howto. I don't have this ipmasq.conf file tho, maybe there's something specific on potato?

-Lex
Re: IP Masquerading
On Mon, 14 Jun 1999 07:47:36 +0100, [EMAIL PROTECTED] wrote:
>Is there any Debian specific documentation on IP Masquerading? I've read
>the mini how-to, but debian seems to have this extra /etc/ipmasq.conf file
>so I'm looking for the correct way to configure debian IP Masquerading
>before I start asking any stupid questions. If there isn't any should we
>consider writing some?

I got it working solely with the mini-howto, and I don't have that file on my system...

Gertjan.
-- 
Gertjan Klein <[EMAIL PROTECTED]>
The Boot Control home page: http://www.xs4all.nl/~gklein/bcpage.html
IP Masquerading
Is there any Debian specific documentation on IP Masquerading? I've read the mini how-to, but debian seems to have this extra /etc/ipmasq.conf file so I'm looking for the correct way to configure debian IP Masquerading before I start asking any stupid questions. If there isn't any should we consider writing some?