Re: [expert] IP Masquerading Problems
You might want to try: echo 1 > /proc/sys/net/ipv4/ip_forward Also I noticed that the routing for eth0 is in the routing table twice, this seems a bit weird. If the above command doesn't fix it, try taking down the card (ifdown eth0) and bring it back up (ifup eth0) to see if this clears up those routes. Or you could use the "route" command, but I know that I try to avoid it :-) Nathan Callahan On Friday, June 1, 2001, at 01:47 PM, Abiel Reinhart wrote: > After reformatting my system and upgrading to Linux Mandrake 8.0 from > 7.2, I am unable to get IP masquerading to function. I was able to get > it working with 7.2 and with Redhat 7.0 and earlier, with the same > hardware configuration and client configuration I am using now. I am > using kernel 2.2.19 (my modem driver does not function with the 2.4.x > series), with all masquerading related options enabled. > > I am using a ppp modem connection, with a dynamically assigned IP. > > Linux router: 192.168.0.1 > Windows 2000 client: 192.168.0.2 (worked with Mandrake 7.2, so already > configured.) > > netstat -rn: > Kernel IP routing table > Destination Gateway Genmask Flags MSS Window irtt > Iface > 12.7.120.2510.0.0.0 255.255.255.255 UH0 0 0 > ppp0 > 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 > eth0 > 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 > eth0 > 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 > lo > 0.0.0.0 12.7.120.2510.0.0.0 UG0 0 0 > ppp0 > > ipchains -nL: > Chain input (policy ACCEPT): > Chain forward (policy DENY): > target prot opt sourcedestination > ports > MASQ all -- 192.168.0.0/24 0.0.0.0/0 n/a > Chain output (policy ACCEPT): > > ifconfig: > eth0 Link encap:Ethernet HWaddr 00:20:78:10:1D:D6 > inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:9 errors:0 dropped:0 overruns:0 frame:0 > TX packets:4 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:100 > RX bytes:1010 (1010.0 b) TX bytes:264 (264.0 b) > Interrupt:5 Base address:0xe000 > > loLink encap:Local Loopback > inet addr:127.0.0.1 Mask:255.0.0.0 > UP LOOPBACK RUNNING MTU:3924 Metric:1 > RX packets:44 errors:0 dropped:0 overruns:0 frame:0 > TX packets:44 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:0 > RX bytes:3248 (3.1 Kb) TX bytes:3248 (3.1 Kb) > > ppp0 Link encap:Point-to-Point Protocol > inet addr:12.7.121.89 P-t-P:12.7.120.251 > Mask:255.255.255.255 > UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1518 Metric:1 > RX packets:213 errors:0 dropped:0 overruns:0 frame:0 > TX packets:214 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:10 > RX bytes:115513 (112.8 Kb) TX bytes:24652 (24.0 Kb) > > Local network connectivity is operating correctly (I can ping both > ways). Tcpdump on the router shows incoming activity on eth0 when I try > to access the Internet from 192.168.0.2, but no outgoing packets on > device ppp0. I am unable to ping my ppp gateway (12.7.120.251). > > Any help is greatly appreciated. Thank you. > > Abiel Reinhart > [EMAIL PROTECTED] >
[expert] IP Masquerading Problems
After reformatting my system and upgrading to Linux Mandrake 8.0 from 7.2, I am unable to get IP masquerading to function. I was able to get it working with 7.2 and with Redhat 7.0 and earlier, with the same hardware configuration and client configuration I am using now. I am using kernel 2.2.19 (my modem driver does not function with the 2.4.x series), with all masquerading related options enabled. I am using a ppp modem connection, with a dynamically assigned IP. Linux router: 192.168.0.1 Windows 2000 client: 192.168.0.2 (worked with Mandrake 7.2, so already configured.) netstat -rn: Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 12.7.120.2510.0.0.0 255.255.255.255 UH0 0 0 ppp0 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 12.7.120.2510.0.0.0 UG0 0 0 ppp0 ipchains -nL: Chain input (policy ACCEPT): Chain forward (policy DENY): target prot opt sourcedestination ports MASQ all -- 192.168.0.0/24 0.0.0.0/0 n/a Chain output (policy ACCEPT): ifconfig: eth0 Link encap:Ethernet HWaddr 00:20:78:10:1D:D6 inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:9 errors:0 dropped:0 overruns:0 frame:0 TX packets:4 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:1010 (1010.0 b) TX bytes:264 (264.0 b) Interrupt:5 Base address:0xe000 loLink encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:3924 Metric:1 RX packets:44 errors:0 dropped:0 overruns:0 frame:0 TX packets:44 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:3248 (3.1 Kb) TX bytes:3248 (3.1 Kb) ppp0 Link encap:Point-to-Point Protocol inet addr:12.7.121.89 P-t-P:12.7.120.251 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1518 Metric:1 RX packets:213 errors:0 dropped:0 overruns:0 frame:0 TX packets:214 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:115513 (112.8 Kb) TX bytes:24652 (24.0 Kb) Local network connectivity is operating correctly (I can ping both ways). Tcpdump on the router shows incoming activity on eth0 when I try to access the Internet from 192.168.0.2, but no outgoing packets on device ppp0. I am unable to ping my ppp gateway (12.7.120.251). Any help is greatly appreciated. Thank you. Abiel Reinhart [EMAIL PROTECTED]
RE: [expert] IP Masquerading
Trusted Networks # $IPCHAINS -A input -s 209.113.135.0/24 -d $IP_ADDRESS_0 -j ACCEPT $IPCHAINS -A input -s frith.ne.mediaone.net -d $IP_ADDRESS_0 -j ACCEPT $IPCHAINS -A input -s danclark.ne.mediaone.net -d $IP_ADDRESS_0 -j ACCEPT $IPCHAINS -A input -s dunamis.ne.mediaone.net -d $IP_ADDRESS_0 -j ACCEPT # # Set telnet, www and FTP for minimum delay - This section manipulates the # # Type Of Service (TOS) bits of the packet. For this to work, you must have # # CONFIG_IP_ROUTE_TOS enabled in your kernel. # # $IPCHAINS -A output -p tcp -d $ANYWHERE www -t 0x01 0x10 $IPCHAINS -A output -p tcp -d $ANYWHERE telnet -t 0x01 0x10 $IPCHAINS -A output -p tcp -d $ANYWHERE ftp -t 0x01 0x10 # # Set FTP data for maximum throughput - This section manipulates the Type # # Of Service (TOS) bits of the packet. For this to work, you must have # # CONFIG_IP_ROUTE_TOS enabled in your kernel. # # $IPCHAINS -A output -p tcp -d $ANYWHERE ftp-data -t 0x01 0x08 # # Deny everything else hitting the input chain. # # $IPCHAINS -A input -p tcp -i $EXTERNAL_INTERFACE -d $IP_ADDRESS_0 -j DENY $IPCHAINS -A input -p udp -i $EXTERNAL_INTERFACE \ -d $IP_ADDRESS_0 $UNPRIVILEGED_PORTS -j DENY $IPCHAINS -A output -p icmp -i $EXTERNAL_INTERFACE -s $IP_ADDRESS_0 5 -j DENY #$IPCHAINS -A input -p icmp -i $EXTERNAL_INTERFACE \ # -s $ANYWHERE 5 13 14 15 16 17 18 -d $IP_ADDRESS_0 -j DENY ## # Allow everything else on the output chain. # ## $IPCHAINS -A output -i $EXTERNAL_INTERFACE -s $IP_ADDRESS_0 -j ACCEPT # # Masquerade the internal network so we have access to the Internet through # # our connection on the $EXTERNAL_INTERFACE.# # $IPCHAINS -A forward -i $EXTERNAL_INTERFACE -s $INTERNAL_NETWORK -j MASQ <<< end mail main at : [EMAIL PROTECTED] web f51.w3.to linux project LinuxMelayu.w3.to web mail f51.i-p.com icq #781787 -Original Message- From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> on behalf of"Sheridan Hawken" <[EMAIL PROTECTED]> Sent: Friday, November 03, 2000 6:08 AM To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Subject:Re: [expert] IP Masquerading Hi Jon, I would use port forwarding. The rule in ipchains looks like this: /usr/sbin/ipmasqadm portfw -a -p tcp -L InternetIP Port -R InternalIP Port /usr/sbin/ipmasqadm portfw -a -p tcp -L xxx.xxx.xxx.xxx 80 -R xxx.xxx.xxx.xxx 80 ( this allows http through to an internal machine ) There are some good how to docs on Ipchains at www.linuxdoc.org that can tell you more about it. Sheridan Jon Greisz wrote: > I'm a linux newbie. I've set up a machine with Mandrake 7.1 that I'm about to >convert to 7.2. I want to use it as a firewall between my internal network and my >outside T1. I've got a firewall script set up using IPChains that seems to work >pretty well. I created and used internal network IP addresses. > > I've got several machines where I would like certain ports to get through the >firewall. I have assigned internet IP addresses for these machines that I would like >to translate to my internal IP's, and reverse it going out. But only on certain >ports. > > What is the best approach for this? > > Thanks, > > Jon Greisz > > *** REPLY SEPARATOR *** > > On 11/2/00 at 8:45 AM Mark Johnson wrote: > > >Yes, this looks like another eruption of off-topic posts... IMHO, VB should > >be ported because that is the only way to achieve portability for MS Office > >documents. StarOffice is really cool but ultimately not feasible if you are > >exchanging documents with a group of MS Office folks. Unfortunately, VB > >would bring office products closer to managing that feasiblity. > >Unfortunately, VB is not an elegant language but it suits it's purpose. Too > >bad tcl, perl, python, java, or javascript wasn't used for building these > >dynamic docs. But those languages present quite a learning curve, this was > >VB strength. Also, it enabled MS to lock in a lot of folks to it's > >proprietary ways of doing things. > > > Keep in touch with http://mandrakeforum.com: > Subscribe the "[EMAIL PROTECTED]" mailing list. Keep in touch with http://mandrakeforum.com: Subscribe the "[EMAIL PROTECTED]" mailing list.
Re: [expert] IP Masquerading
Sheridan, Thanks, I'll look at linuxdoc.org. I've downloaded Seattle Firewall as well and am looking at that. Thanks again, Jon *** REPLY SEPARATOR *** On 11/2/00 at 3:08 PM Sheridan Hawken wrote: >Hi Jon, > >I would use port forwarding. The rule in ipchains looks like this: > >/usr/sbin/ipmasqadm portfw -a -p tcp -L InternetIP Port -R InternalIP Port > >/usr/sbin/ipmasqadm portfw -a -p tcp -L xxx.xxx.xxx.xxx 80 -R xxx.xxx.xxx.xxx 80 ( >this allows http through to an internal machine ) > >There are some good how to docs on Ipchains at www.linuxdoc.org that can tell you >more about it. > >Sheridan > > >Jon Greisz wrote: > >> I'm a linux newbie. I've set up a machine with Mandrake 7.1 that I'm about to >convert to 7.2. I want to use it as a firewall between my internal network and my >outside T1. I've got a firewall script set up using IPChains that seems to work >pretty well. I created and used internal network IP addresses. >> >> I've got several machines where I would like certain ports to get through the >firewall. I have assigned internet IP addresses for these machines that I would like >to translate to my internal IP's, and reverse it going out. But only on certain >ports. >> >> What is the best approach for this? >> >> Thanks, >> >> Jon Greisz >> >> *** REPLY SEPARATOR *** >> >> On 11/2/00 at 8:45 AM Mark Johnson wrote: >> >> >Yes, this looks like another eruption of off-topic posts... IMHO, VB should >> >be ported because that is the only way to achieve portability for MS Office >> >documents. StarOffice is really cool but ultimately not feasible if you are >> >exchanging documents with a group of MS Office folks. Unfortunately, VB >> >would bring office products closer to managing that feasiblity. >> >Unfortunately, VB is not an elegant language but it suits it's purpose. Too >> >bad tcl, perl, python, java, or javascript wasn't used for building these >> >dynamic docs. But those languages present quite a learning curve, this was >> >VB strength. Also, it enabled MS to lock in a lot of folks to it's >> >proprietary ways of doing things. >> >> >> Keep in touch with http://mandrakeforum.com: >> Subscribe the "[EMAIL PROTECTED]" mailing list. Keep in touch with http://mandrakeforum.com: Subscribe the "[EMAIL PROTECTED]" mailing list.
Re: [expert] IP Masquerading
Hi Jon, I would use port forwarding. The rule in ipchains looks like this: /usr/sbin/ipmasqadm portfw -a -p tcp -L InternetIP Port -R InternalIP Port /usr/sbin/ipmasqadm portfw -a -p tcp -L xxx.xxx.xxx.xxx 80 -R xxx.xxx.xxx.xxx 80 ( this allows http through to an internal machine ) There are some good how to docs on Ipchains at www.linuxdoc.org that can tell you more about it. Sheridan Jon Greisz wrote: > I'm a linux newbie. I've set up a machine with Mandrake 7.1 that I'm about to >convert to 7.2. I want to use it as a firewall between my internal network and my >outside T1. I've got a firewall script set up using IPChains that seems to work >pretty well. I created and used internal network IP addresses. > > I've got several machines where I would like certain ports to get through the >firewall. I have assigned internet IP addresses for these machines that I would like >to translate to my internal IP's, and reverse it going out. But only on certain >ports. > > What is the best approach for this? > > Thanks, > > Jon Greisz > > *** REPLY SEPARATOR *** > > On 11/2/00 at 8:45 AM Mark Johnson wrote: > > >Yes, this looks like another eruption of off-topic posts... IMHO, VB should > >be ported because that is the only way to achieve portability for MS Office > >documents. StarOffice is really cool but ultimately not feasible if you are > >exchanging documents with a group of MS Office folks. Unfortunately, VB > >would bring office products closer to managing that feasiblity. > >Unfortunately, VB is not an elegant language but it suits it's purpose. Too > >bad tcl, perl, python, java, or javascript wasn't used for building these > >dynamic docs. But those languages present quite a learning curve, this was > >VB strength. Also, it enabled MS to lock in a lot of folks to it's > >proprietary ways of doing things. > > > Keep in touch with http://mandrakeforum.com: > Subscribe the "[EMAIL PROTECTED]" mailing list. begin:vcard n:Hawken;Sheridan tel;fax:+1.403.253.5580 tel;work:+1.403.253.5531 x-mozilla-html:FALSE url:www.alterna.com org:Alterna Technologies Group Inc.;Shared Service Centre adr:;;Suite 200, 5970 Centre Street SE ;Calgary;Alberta;T2H 0C1;Canada version:2.1 email;internet:[EMAIL PROTECTED] title:Technology Analyst x-mozilla-cpt:;-29760 fn:Sheridan Hawken end:vcard Keep in touch with http://mandrakeforum.com: Subscribe the "[EMAIL PROTECTED]" mailing list.
[expert] IP Masquerading
I'm a linux newbie. I've set up a machine with Mandrake 7.1 that I'm about to convert to 7.2. I want to use it as a firewall between my internal network and my outside T1. I've got a firewall script set up using IPChains that seems to work pretty well. I created and used internal network IP addresses. I've got several machines where I would like certain ports to get through the firewall. I have assigned internet IP addresses for these machines that I would like to translate to my internal IP's, and reverse it going out. But only on certain ports. What is the best approach for this? Thanks, Jon Greisz *** REPLY SEPARATOR *** On 11/2/00 at 8:45 AM Mark Johnson wrote: >Yes, this looks like another eruption of off-topic posts... IMHO, VB should >be ported because that is the only way to achieve portability for MS Office >documents. StarOffice is really cool but ultimately not feasible if you are >exchanging documents with a group of MS Office folks. Unfortunately, VB >would bring office products closer to managing that feasiblity. >Unfortunately, VB is not an elegant language but it suits it's purpose. Too >bad tcl, perl, python, java, or javascript wasn't used for building these >dynamic docs. But those languages present quite a learning curve, this was >VB strength. Also, it enabled MS to lock in a lot of folks to it's >proprietary ways of doing things. Keep in touch with http://mandrakeforum.com: Subscribe the "[EMAIL PROTECTED]" mailing list.
Re: [expert] IP Masquerading, The ABCs of
Charles Curley wrote: > > -> Ultimately the ISP has to block these packets at their routers, or they > -> get into trouble, so it's not a huge problem -- but all you need is for > -> two people on the same subnet to make the same mistake, and you've got > -> trouble. > > No, read the extract from the RFC elsewhere in this thread. If the ISP > sees any packets addressed on the private network, then the RFC has been > violated. I posted that extract -- and I wasn't saying you're not violating the RFC if your private packets go out onto the local subnet... it's just that the damage that can be done is limited if the ISP's routers are properly configured (that is, to discard packets with private address ranges). -Stephen-
Re: [expert] IP Masquerading, The ABCs of
On Sun, Apr 16, 2000 at 05:13:38PM -0400, Stephen F. Bosch wrote: -> "Eric L. Brine" wrote: -> > -> > > Even if masquerading works in this situation, you STILL have packets -> > > with 192.168.0 headers going out onto the local subnet, and if your ISP -> > > notices this, you're going to get your wrists slapped. -> > -> > I don't believe that's the problem. The problems are security/privacy and -> > bandwidth usage. -> -> Ultimately the ISP has to block these packets at their routers, or they -> get into trouble, so it's not a huge problem -- but all you need is for -> two people on the same subnet to make the same mistake, and you've got -> trouble. No, read the extract from the RFC elsewhere in this thread. If the ISP sees any packets addressed on the private network, then the RFC has been violated. -> -> > Security: The ISP and possibly other clients can see your internal -> > packets, and possibly even gain access to your private network. -> -> Exactly. Agreed. And that is both a necessary and sufficient reason to multi-home the firewall and keep the private net traffic off the ISP's net. -- -- C^2 No windows were crashed in the making of this email. Looking for fine software and/or web pages? http://w3.trib.com/~ccurley
Re: The right way to do a private network [WAS [expert] IP Masquerading,The ABCs of]
:) Ok, I've seen the light, I'll be getting another network card. Thanks for all the thorough answers. On Sun, 16 Apr 2000, Stephen F. Bosch wrote: > I'm resubmitting this response in the interest of helping everybody set > up their private networks: > > David Nordlund wrote: > > > > Hi, I've got a system arrangement that goes something like this. > > I have computer A(Mandrake 7) and computer B(Corel 1) connected to a hub. > > Also connected to the hub is a cable modem, C. C is good friends with > > A, but isn't really on speaking terms with B. > > (The cable modem is set up for the MAC address in computer A) > > You should try resetting the cable modem (if it is a Motorola, there's a > reset tab on the back) while it is connected to the hub. It should > reacquaint itself with its new friend, the hub. > > Having said that, this is not a MAC address issue. I'm not surprised > you're having problems, you've made some bad assumptions (and I suspect > you're also making your cable ISP's network not very happy =) ). > > But I'm interrupting. > > > Each computer has one ethernet card. I can get A talking to B if > > I ifconfig eth0 to a private network IP (192.168.0.1) but then it won't > > talk to the cable. B won't talk to A if A is set to the IP address that > > the cable modem gives it(via DHCP). > > *argh* > > This is bad (you are sending garbage private IP packets out onto the > loop), and it won't work. > > Let's start from the beginning. > > Your cable ISP gives you *one* DHCP assigned IP address, and it passes > you this IP address through the cable device. The network hardware on > their end can be configured to pass multiple DHCP addresses to *one* > cable device, but you're not paying for this and you didn't get it. What > does this mean? You can only have *one* interface connected to the cable > modem. Based on the scenario you described above, you have two. > > Survey says? > > *BT* > > Item two: Let us assume that it's even *possible* for you to assign a > separate IP to B. Now you have put two machines which are on *different* > IP networks (one on 192.168.0.0 and one on 24.0.0.0) on the same > *physical* network. They will most definitely be ignoring each other, > you can count on that. > > Survey says? > > *BZT* > > Enough Family Feud references -- let's fix this. > > > Is it possible to get A & B talking to each other while A is on > > the net? If so, I assume I can masquarade B through A. > > Make sure you're clear about what masquerading is. In order to > masquerade, you need a gateway machine (essentially a router) between > your private network (192.168.0.0) and the public Internet (here in the > form of network 24.0.0.0). This means that your hub *cannot* be on the > public side! Only *gateway* devices can have a presence on the public > network. > > In masquerading, the gateway machine will rewrite all the packet headers > destined for the public network so that they have a valid, public IP > address on them (this is, in your case, the IP that is assigned to you > via DHCP), and will rewrite the returning packet headers with the > appropriate private IP address before sending them out onto the local > network. > > A possible scenario is this: > > Machine A has *two* (sorry) ethernet adapters, one *external* (we'll > call this eth0, which you connect to the cable modem) and one *internal* > (called eth1, which is connected to B using a crossover cable or > connected to the hub, in which case you can add as many other machines > as the hub will handle). > > Try to think in terms of interfaces. It is the interface that has the IP > address. > > So here, eth0 has the IP address (on network 24.0.0.0) assigned to it > via DHCP, and eth1 has a static address on the private network > 192.168.0.0. It's usually wise to use 192.168.0.1, it cuts down on > confusion. This is becomes the default gateway for the machines on your > private network. The gateway machine will then forward packets as > appropriate between the private and public networks, providing you have > IP forwarding enable and ipchains configured properly. > > The machines on your network (based on our example) can have any address > from 192.168.0.1 to 192.168.0.254. The terminating octets of 0 and 255 > are reserved as network numbers and broadcast addresses respectively. > > So, to make a long answer short, yes, you will need an additional > network card -- but if you are going to set up IP masquerading, you have > some reading to do =). > > Start with the IPCHAINS how-to. You can find it at www.linuxdoc.org. > > -Stephen- >
Re: [expert] IP Masquerading, The ABCs of
"Eric L. Brine" wrote: > > > Even if masquerading works in this situation, you STILL have packets > > with 192.168.0 headers going out onto the local subnet, and if your ISP > > notices this, you're going to get your wrists slapped. > > I don't believe that's the problem. The problems are security/privacy and > bandwidth usage. Ultimately the ISP has to block these packets at their routers, or they get into trouble, so it's not a huge problem -- but all you need is for two people on the same subnet to make the same mistake, and you've got trouble. > Bandwidth: All internal packets are also being sent over to the ISP. This > can cause performance problems. For example, if the LAN is 100Mbps and the > connection to the world is only 1 Mbps, a transfer from one machine to > another on the LAN will be limited to 1Mbps. Hadn't thought of that -- interesting =). > Security: The ISP and possibly other clients can see your internal > packets, and possibly even gain access to your private network. Exactly. -Stephen-
Re: [expert] IP Masquerading, The ABCs of
Boy it shure looks like folks need a lesson in basic networking. i cant imagin the problems if some just happens to duplicate an IP addy of a system down the pipe. Someone would be very upset when there machine droped off the network. I know I would be extreemly ticked off. On Sun, 16 Apr 2000, Stephen F. Bosch wrote: > David Nordlund wrote: > > > > ...An alias IP? Sounds like that might do the trick. How does one create > > an alias IP? > > > > On Sat, 15 Apr 2000, Lisa Mountjoy wrote: > > > John: > > > > > > I have the same setup as you, somewhat. I have a hub, 2 computers and a DSL > > > modem. Computer A is my mandrake server, B is a win98 client, and the DSL > > > modem connected to the hub. Computer A is setup with the static ip address i > > > was assigned for my net connection, with an alias ip of 192.168.0.1. The win98 > > > client connects to the net through ip masquerading i set up on the linux > > > server. So far everything runs smoothly...originally i had the win98 machine > > > being the one directly connected to the net, but that was a pain in the neck. > > > > > > Lisa Mountjoy > > Is anybody listening? > > This is really bad, folks -- if I understand you correctly, you're > (both) sending private IP packets onto the local subnet! Bill Beauchemin Sunnyvale MDC Control Center GlobalCenter (a Global Crossing company) 888-541-9888
Re: [expert] IP Masquerading, The ABCs of
> This is really bad, folks -- if I understand you correctly, you're > (both) sending private IP packets onto the local subnet! I concur. > Even if masquerading works in this situation, you STILL have packets > with 192.168.0 headers going out onto the local subnet, and if your ISP > notices this, you're going to get your wrists slapped. I don't believe that's the problem. The problems are security/privacy and bandwidth usage. Bandwidth: All internal packets are also being sent over to the ISP. This can cause performance problems. For example, if the LAN is 100Mbps and the connection to the world is only 1 Mbps, a transfer from one machine to another on the LAN will be limited to 1Mbps. Security: The ISP and possibly other clients can see your internal packets, and possibly even gain access to your private network. ELB -- Eric L. Brine | Chicken: The egg's way of making more eggs. [EMAIL PROTECTED] | Do you always hit the nail on the thumb? ICQ# 4629314 | An optimist thinks thorn bushes have roses.
The right way to do a private network [WAS [expert] IP Masquerading, The ABCs of]
I'm resubmitting this response in the interest of helping everybody set up their private networks: David Nordlund wrote: > > Hi, I've got a system arrangement that goes something like this. > I have computer A(Mandrake 7) and computer B(Corel 1) connected to a hub. > Also connected to the hub is a cable modem, C. C is good friends with > A, but isn't really on speaking terms with B. > (The cable modem is set up for the MAC address in computer A) You should try resetting the cable modem (if it is a Motorola, there's a reset tab on the back) while it is connected to the hub. It should reacquaint itself with its new friend, the hub. Having said that, this is not a MAC address issue. I'm not surprised you're having problems, you've made some bad assumptions (and I suspect you're also making your cable ISP's network not very happy =) ). But I'm interrupting. > Each computer has one ethernet card. I can get A talking to B if > I ifconfig eth0 to a private network IP (192.168.0.1) but then it won't > talk to the cable. B won't talk to A if A is set to the IP address that > the cable modem gives it(via DHCP). *argh* This is bad (you are sending garbage private IP packets out onto the loop), and it won't work. Let's start from the beginning. Your cable ISP gives you *one* DHCP assigned IP address, and it passes you this IP address through the cable device. The network hardware on their end can be configured to pass multiple DHCP addresses to *one* cable device, but you're not paying for this and you didn't get it. What does this mean? You can only have *one* interface connected to the cable modem. Based on the scenario you described above, you have two. Survey says? *BT* Item two: Let us assume that it's even *possible* for you to assign a separate IP to B. Now you have put two machines which are on *different* IP networks (one on 192.168.0.0 and one on 24.0.0.0) on the same *physical* network. They will most definitely be ignoring each other, you can count on that. Survey says? *BZT* Enough Family Feud references -- let's fix this. > Is it possible to get A & B talking to each other while A is on > the net? If so, I assume I can masquarade B through A. Make sure you're clear about what masquerading is. In order to masquerade, you need a gateway machine (essentially a router) between your private network (192.168.0.0) and the public Internet (here in the form of network 24.0.0.0). This means that your hub *cannot* be on the public side! Only *gateway* devices can have a presence on the public network. In masquerading, the gateway machine will rewrite all the packet headers destined for the public network so that they have a valid, public IP address on them (this is, in your case, the IP that is assigned to you via DHCP), and will rewrite the returning packet headers with the appropriate private IP address before sending them out onto the local network. A possible scenario is this: Machine A has *two* (sorry) ethernet adapters, one *external* (we'll call this eth0, which you connect to the cable modem) and one *internal* (called eth1, which is connected to B using a crossover cable or connected to the hub, in which case you can add as many other machines as the hub will handle). Try to think in terms of interfaces. It is the interface that has the IP address. So here, eth0 has the IP address (on network 24.0.0.0) assigned to it via DHCP, and eth1 has a static address on the private network 192.168.0.0. It's usually wise to use 192.168.0.1, it cuts down on confusion. This is becomes the default gateway for the machines on your private network. The gateway machine will then forward packets as appropriate between the private and public networks, providing you have IP forwarding enable and ipchains configured properly. The machines on your network (based on our example) can have any address from 192.168.0.1 to 192.168.0.254. The terminating octets of 0 and 255 are reserved as network numbers and broadcast addresses respectively. So, to make a long answer short, yes, you will need an additional network card -- but if you are going to set up IP masquerading, you have some reading to do =). Start with the IPCHAINS how-to. You can find it at www.linuxdoc.org. -Stephen-
Re: [expert] IP Masquerading, The ABCs of
David Nordlund wrote: > > ...An alias IP? Sounds like that might do the trick. How does one create > an alias IP? > > On Sat, 15 Apr 2000, Lisa Mountjoy wrote: > > John: > > > > I have the same setup as you, somewhat. I have a hub, 2 computers and a DSL > > modem. Computer A is my mandrake server, B is a win98 client, and the DSL > > modem connected to the hub. Computer A is setup with the static ip address i > > was assigned for my net connection, with an alias ip of 192.168.0.1. The win98 > > client connects to the net through ip masquerading i set up on the linux > > server. So far everything runs smoothly...originally i had the win98 machine > > being the one directly connected to the net, but that was a pain in the neck. > > > > Lisa Mountjoy Is anybody listening? This is really bad, folks -- if I understand you correctly, you're (both) sending private IP packets onto the local subnet! Even if masquerading works in this situation, you STILL have packets with 192.168.0 headers going out onto the local subnet, and if your ISP notices this, you're going to get your wrists slapped. The fact remains -- if you are only getting one IP from your ISP, whether it be static or dynamic, your DSL or cable device CANNOT be connected to the hub (at least not a hub to which other devices with private IP addresses are connected), or you violate RFC 1918. To recap: if you want to have many machines connected to the net and you have only one static or dynamic IP, the network terminal device must physically connect to a gateway machine *first*. Just in case anybody has any doubts, here is a relevant section of RFC 1918: "Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links. Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks. If such a router receives such information the rejection shall not be treated as a routing protocol error. Indirect references to such addresses should be contained within the enterprise." ^^^ If you need help with this, I've already offered it. -Stephen-
Re: [expert] IP Masquerading, The ABCs of
...An alias IP? Sounds like that might do the trick. How does one create an alias IP? On Sat, 15 Apr 2000, Lisa Mountjoy wrote: > John: > > I have the same setup as you, somewhat. I have a hub, 2 computers and a DSL > modem. Computer A is my mandrake server, B is a win98 client, and the DSL > modem connected to the hub. Computer A is setup with the static ip address i > was assigned for my net connection, with an alias ip of 192.168.0.1. The win98 > client connects to the net through ip masquerading i set up on the linux > server. So far everything runs smoothly...originally i had the win98 machine > being the one directly connected to the net, but that was a pain in the neck. > > Lisa Mountjoy > > > On Fri, 14 Apr 2000, you wrote: > > > Hi, I've got a system arrangement that goes something like this. > > > I have computer A(Mandrake 7) and computer B(Corel 1) connected to a hub. > > > Also connected to the hub is a cable modem, C. C is good friends with > > > A, but isn't really on speaking terms with B. > > > (The cable modem is set up for the MAC address in computer A) > > > > > > Each computer has one ethernet card. I can get A talking to B if > > > I ifconfig eth0 to a private network IP (192.168.0.1) but then it won't > > > talk to the cable. B won't talk to A if A is set to the IP address that > > > the cable modem gives it(via DHCP). > > > > > > Is it possible to get A & B talking to each other while A is on > > > the net? If so, I assume I can masquarade B through A. Or am I going to > > > have to get a second ethernet card for computer A? > > > > > You'll most likely need to get a second NIC for computer A. > > Since the IP address is apparently going to computer A and > > not to the cablemodem, you're stuck. > > John >
Re: [expert] IP Masquerading, The ABCs of
John: I have the same setup as you, somewhat. I have a hub, 2 computers and a DSL modem. Computer A is my mandrake server, B is a win98 client, and the DSL modem connected to the hub. Computer A is setup with the static ip address i was assigned for my net connection, with an alias ip of 192.168.0.1. The win98 client connects to the net through ip masquerading i set up on the linux server. So far everything runs smoothly...originally i had the win98 machine being the one directly connected to the net, but that was a pain in the neck. Lisa Mountjoy > On Fri, 14 Apr 2000, you wrote: > > Hi, I've got a system arrangement that goes something like this. > > I have computer A(Mandrake 7) and computer B(Corel 1) connected to a hub. > > Also connected to the hub is a cable modem, C. C is good friends with > > A, but isn't really on speaking terms with B. > > (The cable modem is set up for the MAC address in computer A) > > > > Each computer has one ethernet card. I can get A talking to B if > > I ifconfig eth0 to a private network IP (192.168.0.1) but then it won't > > talk to the cable. B won't talk to A if A is set to the IP address that > > the cable modem gives it(via DHCP). > > > > Is it possible to get A & B talking to each other while A is on > > the net? If so, I assume I can masquarade B through A. Or am I going to > > have to get a second ethernet card for computer A? > > > You'll most likely need to get a second NIC for computer A. > Since the IP address is apparently going to computer A and > not to the cablemodem, you're stuck. > John
Re: [expert] IP Masquerading, The ABCs of
On Fri, 14 Apr 2000, you wrote: > Hi, I've got a system arrangement that goes something like this. > I have computer A(Mandrake 7) and computer B(Corel 1) connected to a hub. > Also connected to the hub is a cable modem, C. C is good friends with > A, but isn't really on speaking terms with B. > (The cable modem is set up for the MAC address in computer A) > > Each computer has one ethernet card. I can get A talking to B if > I ifconfig eth0 to a private network IP (192.168.0.1) but then it won't > talk to the cable. B won't talk to A if A is set to the IP address that > the cable modem gives it(via DHCP). > > Is it possible to get A & B talking to each other while A is on > the net? If so, I assume I can masquarade B through A. Or am I going to > have to get a second ethernet card for computer A? > You'll most likely need to get a second NIC for computer A. Since the IP address is apparently going to computer A and not to the cablemodem, you're stuck. John
Re: [expert] IP Masquerading, The ABCs of
On Fri, Apr 14, 2000 at 11:21:55PM -0300, David Nordlund wrote: -> -> Hi, I've got a system arrangement that goes something like this. -> I have computer A(Mandrake 7) and computer B(Corel 1) connected to a hub. -> Also connected to the hub is a cable modem, C. C is good friends with -> A, but isn't really on speaking terms with B. -> (The cable modem is set up for the MAC address in computer A) -> -> Each computer has one ethernet card. I can get A talking to B if -> I ifconfig eth0 to a private network IP (192.168.0.1) but then it won't -> talk to the cable. B won't talk to A if A is set to the IP address that -> the cable modem gives it(via DHCP). -> -> Is it possible to get A & B talking to each other while A is on -> the net? If so, I assume I can masquarade B through A. Or am I going to -> have to get a second ethernet card for computer A? Get a second ethernet card for A. B will be insecure as long as it is on the same subnet as the cable modem. You should go as follows: /- Computer | | cable modem --- MASQ box --- hub --- Computer | | \- Computer All of this is laid out in detail in the masq HOW-TO, on the web site and in the archives for the mail list. -- -- C^2 No windows were crashed in the making of this email. Looking for fine software and/or web pages? http://w3.trib.com/~ccurley
Re: [expert] IP Masquerading, The ABCs of
David Nordlund wrote: > > Hi, I've got a system arrangement that goes something like this. > I have computer A(Mandrake 7) and computer B(Corel 1) connected to a hub. > Also connected to the hub is a cable modem, C. C is good friends with > A, but isn't really on speaking terms with B. > (The cable modem is set up for the MAC address in computer A) You should try resetting the cable modem (if it is a Motorola, there's a reset tab on the back) while it is connected to the hub. It should reacquaint itself with its new friend, the hub. Having said that, this is not a MAC address issue. I'm not surprised you're having problems, you've made some bad assumptions (and I suspect you're also making your cable ISP's network not very happy =) ). But I'm interrupting. > Each computer has one ethernet card. I can get A talking to B if > I ifconfig eth0 to a private network IP (192.168.0.1) but then it won't > talk to the cable. B won't talk to A if A is set to the IP address that > the cable modem gives it(via DHCP). *argh* This is bad (you are sending garbage private IP packets out onto the loop), and it won't work. Let's start from the beginning. Your cable ISP gives you *one* DHCP assigned IP address, and it passes you this IP address through the cable device. The network hardware on their end can be configured to pass multiple DHCP addresses to *one* cable device, but you're not paying for this and you didn't get it. What does this mean? You can only have *one* interface connected to the cable modem. Based on the scenario you described above, you have two. Survey says? *BT* Item two: Let us assume that it's even *possible* for you to assign a separate IP to B. Now you have put two machines which are on *different* IP networks (one on 192.168.0.0 and one on 24.0.0.0) on the same *physical* network. They will most definitely be ignoring each other, you can count on that. Survey says? *BZT* Enough Family Feud references -- let's fix this. > Is it possible to get A & B talking to each other while A is on > the net? If so, I assume I can masquarade B through A. Make sure you're clear about what masquerading is. In order to masquerade, you need a gateway machine (essentially a router) between your private network (192.168.0.0) and the public Internet (here in the form of network 24.0.0.0). This means that your hub *cannot* be on the public side! Only *gateway* devices can have a presence on the public network. In masquerading, the gateway machine will rewrite all the packet headers destined for the public network so that they have a valid, public IP address on them (this is, in your case, the IP that is assigned to you via DHCP), and will rewrite the returning packet headers with the appropriate private IP address before sending them out onto the local network. A possible scenario is this: Machine A has *two* (sorry) ethernet adapters, one *external* (we'll call this eth0, which you connect to the cable modem) and one *internal* (called eth1, which is connected to B using a crossover cable or connected to the hub, in which case you can add as many other machines as the hub will handle). Try to think in terms of interfaces. It is the interface that has the IP address. So here, eth0 has the IP address (on network 24.0.0.0) assigned to it via DHCP, and eth1 has a static address on the private network 192.168.0.0. It's usually wise to use 192.168.0.1, it cuts down on confusion. This is becomes the default gateway for the machines on your private network. The gateway machine will then forward packets as appropriate between the private and public networks, providing you have IP forwarding enable and ipchains configured properly. The machines on your network (based on our example) can have any address from 192.168.0.1 to 192.168.0.254. The terminating octets of 0 and 255 are reserved as network numbers and broadcast addresses respectively. So, to make a long answer short, yes, you will need an additional network card -- but if you are going to set up IP masquerading, you have some reading to do =). Start with the IPCHAINS how-to. You can find it at www.linuxdoc.org. -Stephen-
[expert] IP Masquerading, The ABCs of
Hi, I've got a system arrangement that goes something like this. I have computer A(Mandrake 7) and computer B(Corel 1) connected to a hub. Also connected to the hub is a cable modem, C. C is good friends with A, but isn't really on speaking terms with B. (The cable modem is set up for the MAC address in computer A) Each computer has one ethernet card. I can get A talking to B if I ifconfig eth0 to a private network IP (192.168.0.1) but then it won't talk to the cable. B won't talk to A if A is set to the IP address that the cable modem gives it(via DHCP). Is it possible to get A & B talking to each other while A is on the net? If so, I assume I can masquarade B through A. Or am I going to have to get a second ethernet card for computer A? Thanks, - Dave
Re: [expert] IP Masquerading
On Mon, 16 Aug 1999, you wrote: > diald woks nicely and I understand that the current incarnation of ppp has a >dial-on-demand feature. Anyone heard of masqdailer? I think it's website is at http://cpwright.villagenet.com/mserver/ I couldn't get it working... but I'd rather use that if I can get it to work!! -- Jeremy Lunn Melbourne, Australia ICQ: 19255837
Re: [expert] IP Masquerading
On Mon, 16 Aug 1999, you wrote: > This sets my net-connected Linux box (10.0.0.x) up to do forwarding to > LAN-connected windows clients. On the Windows box you should edit the > network settings so that your Linux box is the default gateway. > Configure the Windows DNS servers straight out of /etc/resolv.conf and > you're in business. Who said he was using a Windows Box himself? =) -- Jeremy Lunn Melbourne, Australia ICQ: 19255837
Re: [expert] IP Masquerading
Thanks very much! All my other settings were as per the IP-MASQ HOWTO, but it still didn't work. This was the final setting I needed! Now, to figure out how to run it on bootup Tony. Civileme wrote: > > G'day from the arctic. > > Try ipchains There is a HOWTO at > http://metalab.unc.edu/LDP/HOWTO/IPCHAINS-HOWTO-3.html#ss3.1 -- Is that an African or European swallow? UIN: 15557998 Boredom found at http://www.zipworld.com.au/~ned
Re: [expert] IP Masquerading
- Original Message - From: Bruce Endries <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, August 15, 1999 8:14 PM Subject: [expert] IP Masquerading > As a side note, I have been successful at getting the IP masq to > work, but have never been able to figure out how to make the > Mandrake box automatically dial out when another machine is > trying to access the net. > > Does anyone have any information on how to accomplish this part > of the puzzle? diald woks nicely and I understand that the current incarnation of ppp has a dial-on-demand feature. Hoyt
[expert] IP Masquerading
Date sent: Sun, 15 Aug 1999 15:08:50 + From: "Andrew Morton" <[EMAIL PROTECTED]> Organization: Nortel Networks (via modem) To: [EMAIL PROTECTED] Subject: Re: [expert] IP Masquerading Send reply to: [EMAIL PROTECTED] As a side note, I have been successful at getting the IP masq to work, but have never been able to figure out how to make the Mandrake box automatically dial out when another machine is trying to access the net. Does anyone have any information on how to accomplish this part of the puzzle? Bruce > kNIGits wrote: > > > > G'day from Australia! > > Me too. > > > Can someone tell me if the stock standard Mandrake 6.0 kernel can do IP > > masquerading? > > Yup. Here's the script I use: > > #!/bin/sh > echo 1 > /proc/sys/net/ipv4/ip_forward > ipchains -P forward DENY > ipchains -A forward -s 10.0.0.0/8 -j MASQ > > This sets my net-connected Linux box (10.0.0.x) up to do forwarding to > LAN-connected windows clients. On the Windows box you should edit the > network settings so that your Linux box is the default gateway. > Configure the Windows DNS servers straight out of /etc/resolv.conf and > you're in business. > Bruce Endries Bruce Endries Consulting (607) 433-2677
Re: [expert] IP Masquerading
kNIGits wrote: > > G'day from Australia! Me too. > Can someone tell me if the stock standard Mandrake 6.0 kernel can do IP > masquerading? Yup. Here's the script I use: #!/bin/sh echo 1 > /proc/sys/net/ipv4/ip_forward ipchains -P forward DENY ipchains -A forward -s 10.0.0.0/8 -j MASQ This sets my net-connected Linux box (10.0.0.x) up to do forwarding to LAN-connected windows clients. On the Windows box you should edit the network settings so that your Linux box is the default gateway. Configure the Windows DNS servers straight out of /etc/resolv.conf and you're in business.
Re: [expert] IP Masquerading
You've probably got it working - you just need to enable ip FORWARDING ... - i always forgot to start it till i stuck it in the init process =] Zak - Original Message - From: kNIGits <[EMAIL PROTECTED]> To: Mandrake Expert List <[EMAIL PROTECTED]> Sent: Saturday, August 14, 1999 10:29 AM Subject: [expert] IP Masquerading > G'day from Australia! > > Can someone tell me if the stock standard Mandrake 6.0 kernel can do IP > masquerading? I haven't been able to get it working yet. > > If it does support IP Masq out of the box, can someone explain to this > dummy why he can't get it to work? > > > Tony > > Melbourne > Australia > > -- > Is that an African or European swallow? > UIN: 15557998 > Boredom found at http://www.zipworld.com.au/~ned >
Re: [expert] IP Masquerading
IIRC, it's not called "masquerading" in Linux anymore...it's called "IP Chaining." *shrug* I have no idea whether it's included "out-of-the-box" tho but at least it's a place to start looking. :-) - Original Message - From: kNIGits <[EMAIL PROTECTED]> To: Mandrake Expert List <[EMAIL PROTECTED]> Sent: Friday, August 13, 1999 8:29 PM Subject: [expert] IP Masquerading > G'day from Australia! > > Can someone tell me if the stock standard Mandrake 6.0 kernel can do IP > masquerading? I haven't been able to get it working yet. > > If it does support IP Masq out of the box, can someone explain to this > dummy why he can't get it to work? > > > Tony > > Melbourne > Australia > > -- > Is that an African or European swallow? > UIN: 15557998 > Boredom found at http://www.zipworld.com.au/~ned >
Re: [expert] IP Masquerading
G'day from the arctic. Try ipchains There is a HOWTO at http://metalab.unc.edu/LDP/HOWTO/IPCHAINS-HOWTO-3.html#ss3.1 ipfwadm remained behind with release 2.0 .xx . ipchains is now the way to do masquerading and a LOT of other stuff. I use it to avoid adforce.imgis.com and doubleclick.net popups. Civileme kNIGits wrote: G'day from Australia! Can someone tell me if the stock standard Mandrake 6.0 kernel can do IP masquerading? I haven't been able to get it working yet. If it does support IP Masq out of the box, can someone explain to this dummy why he can't get it to work? Tony Melbourne Australia -- Is that an African or European swallow? UIN: 15557998 Boredom found at http://www.zipworld.com.au/~ned -- Civileme Say: "One who buys on leading edge soon know feeling of slide down razor blade of life."
Re: [expert] IP Masquerading
Mine does IP Masq out of the box. Make you install the ipchains package. For info on how to set it up see the ipchains howto. At 12:29 AM 8/14/99 +, kNIGits wrote: >G'day from Australia! > >Can someone tell me if the stock standard Mandrake 6.0 kernel can do IP >masquerading? I haven't been able to get it working yet. > >If it does support IP Masq out of the box, can someone explain to this >dummy why he can't get it to work? > > >Tony > >Melbourne >Australia > >-- >Is that an African or European swallow? >UIN: 15557998 >Boredom found at http://www.zipworld.com.au/~ned -- Jason Bodnar + Tivoli Systems = [EMAIL PROTECTED]
[expert] IP Masquerading
G'day from Australia! Can someone tell me if the stock standard Mandrake 6.0 kernel can do IP masquerading? I haven't been able to get it working yet. If it does support IP Masq out of the box, can someone explain to this dummy why he can't get it to work? Tony Melbourne Australia -- Is that an African or European swallow? UIN: 15557998 Boredom found at http://www.zipworld.com.au/~ned
