Ipmasq
threadhead
11-29-2002, 11:35 AM
hi.
i've been reading an ipmasq HOWTO from the Linux Documentation Project.
i have set up the rc.firewall script so that it loads successfully at boot. it's even possible to ping the external IP of my gateway from an internal MASQed computer.
but there is no way to ping hosts located on the internet, neither by their direct IPs nor by their names like linuxnewbie.org.
when i try to lynx to a specific site the following message pops up:
"looking up linuxnewbie.org first"
i edited the /etc/resolv.conf file with my two primary DNS servers, so what's the problem? (added these two to the server as well as to the client)
it doesn't seem that i can make a direct connection to any website, or even to any service like telnet. do i have to change anything on my client? i set the server as the gateway.
any help would be appreciated. :(
Make sure your default gateway is the server doing IP Masq.
Can you access the internet from the IP Masq box?
threadhead
11-29-2002, 02:29 PM
i have to tell you that i'm using Slackware 8.1 and used netconfig to configure my network card, with the gateway set to 192.168.0.1 (host).
yes, it's possible to access the internet from the host, but not from the client.
thanks for your reply
physicsgeek
11-29-2002, 05:44 PM
I had a similar problem where my client PC could ping both interfaces on my IPMASQ box but not anything beyond it.
These 3 lines from LDP-Configuring IP Forwarding got me up and running...
(you must be root)
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.0/24 -j MASQ
(Note that 192.168.1.0 is the subnet my CLIENT PC is on.)
tokyonewbie
11-30-2002, 10:27 AM
Hi,
I hope you've fixed your problem. Until a few minutes ago I had something very similar: I could ping the external Ethernet card but not the Internet.
(My config: ADSL - Red Hat 8 - XP).
If you are using iptables rather than ipchains, you may want to try
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
That was all I needed. (Thanks to the RH8 Linux Bible). FYI - I receive a dynamically assigned IP address on my ADSL. Apparently you should be using SNAT --to-source STATICIPADDRESS in place of MASQUERADE if you have a STATIC IP address.
Now my XP machine can ping the Internet and picks up its DNS from the ISP (from XP I can ping www.yahoo.com and it resolves the IP address. SMTP also seems to work). I've still done something dumb with the Internet Explorer config 'cos I can't get that working. Any suggestions are most welcome.
threadhead
11-30-2002, 10:55 AM
first of all thanks for your replies.
i used the iptables command, but i'm getting a little confused by the device you specified.
is the eth0 device your external or internal one? i'm using eth1 as the EXT interface.
so i changed eth0 to eth1, but it doesn't seem to work :(
thanks
Originally posted by tokyonewbie
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
tokyonewbie
12-01-2002, 03:30 AM
Hi,
I'm also using eth1 as my external. Since the rest of the world seems to be using eth0 as their external, I left the example as eth0. Since, like me, you are using eth1 to the Internet, you are CORRECT to change eth0 to eth1.
I wish I could help more. Given that you can PING the external Ethernet card, I would assume that you had IP forwarding working (this seems to be what all the literature says). On the off chance, though, you may want to check the two files below. Based on "Internet Gateway for a Home Network HOWTO", I have changed them as advised:
/etc/sysconfig/network (Ensure the following entries are present)
NETWORKING=yes
FORWARD_IPV4=yes
/etc/sysctl.conf (Ensure the following are present)
net.ipv4.ip_forward=1
net.ipv4.ip_always_defrag=1
Frustrating, eh? Good luck.
threadhead
12-01-2002, 06:49 AM
Originally posted by tokyonewbie
/etc/sysconfig/network (Ensure the following entries are present)
NETWORKING=yes
FORWARD_IPV4=yes
/etc/sysctl.conf (Ensure the following are present)
net.ipv4.ip_forward=1
net.ipv4.ip_always_defrag=1
since i'm using Slackware as the distro for my host, i can't find the files you listed here. :confused:
that's because Slackware uses BSD-style init scripts.
it's frustrating because i don't want to switch over to Red Hat again. it can't be that hard to find the answer to this....
thank you
neondog
12-01-2002, 05:20 PM
have you tried manually running the rc.firewall script from the prompt and watching the output to make sure there are no errors?
threadhead
12-02-2002, 06:18 AM
i started the rc.firewall script at startup; there were errors to notice.
the firewall script originated from an online tutorial i read about IP masquerading, but the problem persists.
next time i'll try to load the script from the console and post the results and the whole source code here.
threadhead
threadhead
12-04-2002, 09:24 AM
here is the shell script i used for my gateway.
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.70
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
#EXTIF="ppp0"
#
# if you are a modem user.
#
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================
echo "----------------------------------------------------------------------"
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$INSMOD ip_tables
#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated
#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$INSMOD ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$INSMOD ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$INSMOD ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$INSMOD iptable_nat
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$INSMOD ip_nat_ftp
#Loads the IRC NAT functionality into the core IPTABLES code
# Require to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$INSMOD ip_nat_irc
echo "----------------------------------------------------------------------"
# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
# iptable_mangle - this target allows for packets to be manipulated
# for things like the TCPMSS option, etc.
echo ". Done loading modules."
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP
#
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
i hope this helps
thank you threadhead
threadhead
12-05-2002, 11:14 AM
finally i installed Slackware 8.1 again to ensure that there was no error during the installation.
as usual i can ping my external interface IP when online.
i added the nameservers to the /etc/resolv.conf file and wrote iptables rules for my external interface (eth1).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
i deleted the firewall script i posted above.
when i try to use lynx from my client, i.e. something like
lynx linuxnewbie.org
i get a message like: looking up url first
but when i try to lynx an IP address
i get a message like: making HTTP connection to site
but nothing happens.
where is my problem?
is it maybe the client, or are the firewall rules not written correctly?
please help me :(
tokyonewbie
12-09-2002, 11:51 AM
Hi, have you had any luck with this?
I'm really repeating a previous post of mine so, if it's not relevant, apologies. I noticed that in your iptables rules you have eth0 for the output of POSTROUTING. But as you are using eth1 for your Internet connection the iptables entry should be ....POSTROUTING -o eth1 -j MASQUERADE.
Let us know when get this going.
threadhead
12-09-2002, 01:30 PM
i figured it out! :D
its an overwhelming feeling when you solve a problem, as you'd thought that you will never find the solution. that means thanks to all of you.
i will post the solution in here.
camelrider
12-11-2002, 09:14 PM
Threadhead -- I'm looking forward to your solution post!
:)
threadhead
12-12-2002, 07:02 AM
sorry dudes, i was a little short of time the last few days. ;)
here is an extract of my firewall managing IP masquerading for interface eth0 (external)
echo "deleting iptable rules"
iptables --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo "activating ipmasq"
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --out-interface ppp0 -j ACCEPT
that code deletes all iptables rules and then sets them up again.
please tell me if there is something wrong with this code.
peace threadhead
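The ruleset threadhead posted flushes the chains but never sets a policy on FORWARD, so the built-in ACCEPT policy applies and there is nothing restricting what gets forwarded from ppp0 into the LAN: the two ACCEPT rules only add to an already-open chain. The example below is added here and is not code from the thread or from the LDP HOWTO. It folds together the stateful FORWARD rules from the rc.firewall-2.4 script posted earlier, tokyonewbie's SNAT --to-source note for static addresses, and the interface mix-up that ran through the thread: the external and internal interface names are passed as arguments and the script refuses to run if they are the same. Everything outside the thread is an assumption: the IPT variable (set it to "echo" for a dry run that prints the rules instead of applying them), the IP_FORWARD_FILE override used so the forwarding check can be tested against a constructed file, and the invocation form "sh rc.masq EXTIF INTIF [STATIC_IP]".

```shell
#!/bin/sh
# Added example, not from the thread: minimal stateful NAT gateway ruleset
# for a 2.4-era iptables box.  Names and paths below are assumptions.

set -u

# Assumption: iptables lives in /usr/sbin as in threadhead's script; set
# IPT=echo to print the rules instead of applying them.
IPT="${IPT:-/usr/sbin/iptables}"
# Assumption: overridable so the check can be exercised on a plain file.
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# check_forwarding FILE: 0 if the kernel forwarding switch reads "1".
# A MASQ box that can be pinged from the LAN but forwards nothing is the
# classic symptom of this being 0 (the thread's original complaint).
check_forwarding() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# masq_rules EXTIF INTIF [STATIC_IP]
# Builds the ruleset.  With a static external address it uses SNAT
# --to-source; otherwise MASQUERADE, which re-reads the interface address
# and so survives a dynamic (PPP/DHCP) address change.
masq_rules() {
    extif="$1"; intif="$2"; static="${3:-}"
    if [ "$extif" = "$intif" ]; then
        echo "masq_rules: external and internal interface must differ" >&2
        return 1
    fi
    # Start clean, then make DROP the default so nothing is forwarded
    # unless a rule below explicitly allows it.
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP
    # LAN -> Internet: new connections may go out.
    $IPT -A FORWARD -i "$intif" -o "$extif" -j ACCEPT
    # Internet -> LAN: only replies to (or related to) connections the LAN
    # opened; unsolicited inbound traffic never reaches internal hosts.
    $IPT -A FORWARD -i "$extif" -o "$intif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log whatever falls through before the DROP policy discards it.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
    # Source NAT on the external interface only; never on the LAN side.
    if [ -n "$static" ]; then
        $IPT -t nat -A POSTROUTING -o "$extif" -j SNAT --to-source "$static"
    else
        $IPT -t nat -A POSTROUTING -o "$extif" -j MASQUERADE
    fi
}

# Apply only when invoked with interface names, e.g. "sh rc.masq ppp0 eth1";
# with no arguments the functions are merely defined.
if [ $# -ge 2 ]; then
    if ! check_forwarding "$IP_FORWARD_FILE"; then
        echo " enabling IP forwarding.."
        echo 1 > "$IP_FORWARD_FILE"
    fi
    masq_rules "$@"
fi
```

A dry run (IPT=echo sh rc.masq ppp0 eth1) prints exactly the commands that would be applied, which is a cheap way to catch the eth0/eth1/ppp0 confusion from the thread before touching a live box. ESTABLISHED,RELATED is what lets FTP data connections and ICMP errors back in without opening the LAN to anything else, provided the ip_conntrack_ftp helper is loaded as the rc.firewall script does.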
camelrider
12-12-2002, 08:30 AM
Thanks buddy, it got me going again.
I had been trying to do MASQ on eth0 instead of ppp0.
(doh):rolleyes:
threadhead
12-12-2002, 11:40 AM
so you got it running eh?
nice :D