Ravilj Apprentice
Joined: 29 Jul 2004 Posts: 164 Location: ziig / #
Posted: Mon Jun 13, 2005 11:51 pm Post subject: IP Masquerading and NAT problems
Ok, I have got an old P1 with Gentoo 2005.0 installed. I am trying to get the internet shared so that the rest of the clients can use it. The only service of interest will be the rp-pppoe that runs at startup to bring up the connection. The server's hostname is o_O and all outputs shown are from the server.
Here is the output of ifconfig to show the current config on the server:
Quote: | o_O init.d # ifconfig
eth0 Link encap:Ethernet HWaddr 00:08:A1:62:9A:F1
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10567 errors:0 dropped:0 overruns:0 frame:0
TX packets:7595 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:901621 (880.4 Kb) TX bytes:1662568 (1.5 Mb)
Interrupt:10 Base address:0xf800
eth1 Link encap:Ethernet HWaddr 00:06:4F:13:B2:08
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4910 errors:0 dropped:0 overruns:0 frame:0
TX packets:4353 errors:0 dropped:0 overruns:0 carrier:0
collisions:2 txqueuelen:1000
RX bytes:4297824 (4.0 Mb) TX bytes:356396 (348.0 Kb)
Interrupt:5 Base address:0xf400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ppp0 Link encap:Point-to-Point Protocol
inet addr:196.2.118.206 P-t-P:196.30.31.100 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1432 Metric:1
RX packets:1943 errors:0 dropped:0 overruns:0 frame:0
TX packets:1700 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:1485225 (1.4 Mb) TX bytes:112456 (109.8 Kb)
o_O init.d # |
Where:
eth0 is the LAN connection
eth1 connects to the iBurst modem
I started off with a simple iptables script to just get NAT working without any firewall action:
Code: | iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Set up IP FORWARDing and MASQUERADING
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward |
Yes, I know that there is a quicker way of typing it out, but this is to make sure I can see clearly what is going on.
Now that you know what is going on, here is the problem at hand.
- I can browse quite happily and ping sites on the server without a problem; the server gets the DNS info when logging on.
- I can ping websites quite happily from the client PCs; the clients have their DNS set to a DNS server that works (I use it when using the connection shared through Windows).
- I can't browse the web on the client PCs.
- I can't connect to IRC on the client PCs; it identifies the servers but doesn't get any further.
Well, I think I have covered just about all the information that I can't find.
Now for information on the iptables set:
Quote: | o_O / # iptables -v -L
Chain INPUT (policy ACCEPT 14886 packets, 4826K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 859 packets, 131K bytes)
pkts bytes target prot opt in out source destination
270 27023 ACCEPT all -- eth0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 11076 packets, 1735K bytes)
pkts bytes target prot opt in out source destination
o_O / # |
and
Quote: | o_O / # iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 996 packets, 67535 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 91 packets, 5295 bytes)
pkts bytes target prot opt in out source destination
103 7639 MASQUERADE all -- any ppp0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 35 packets, 2392 bytes)
pkts bytes target prot opt in out source destination
o_O / # |
And lastly, just in case you want to see what is compiled in my kernel:
Quote: | # Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
# CONFIG_NETLINK_DEV is not set
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_SYN_COOKIES=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
CONFIG_INET_TUNNEL=y
CONFIG_IP_TCPDIAG=y
# CONFIG_IP_TCPDIAG_IPV6 is not set
#
# IP: Virtual Server Configuration
#
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
CONFIG_IP_NF_MATCH_COMMENT=y
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_XFRM=y
# CONFIG_XFRM_USER is not set |
widan Veteran
Joined: 07 Jun 2005 Posts: 1512 Location: Paris, France
Posted: Tue Jun 14, 2005 1:13 am Post subject:
Try this:
Code: | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
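Added example, not code from the thread: a Python model of what widan's TCPMSS rule does, namely rewriting the MSS option in every forwarded SYN (SYN set, RST clear) so it never exceeds the ppp0 MTU minus 40 bytes of IPv4 and TCP headers, 1432 - 40 = 1392 here, where a LAN client behind eth0 (MTU 1500) would otherwise offer 1460 and full-size replies from the Internet would be silently dropped whenever Path MTU Discovery fails, which is why small exchanges (ping, the IRC server lookup) work while web pages stall. The kernel config above has CONFIG_IP_NF_TARGET_TCPMSS=y, so the target is available; the segment below is constructed, and the TCP checksum fix-up a real kernel performs is not modelled.

```python
import struct

IPV4_HDR = 20    # IPv4 header without options
TCP_HDR = 20     # TCP header without options
MSS_KIND = 2     # TCP option kind: Maximum Segment Size
PPP0_MTU = 1432  # ppp0 MTU from the ifconfig output in the thread

def mss_for_mtu(mtu):
    """Largest TCP payload that fits one unfragmented IPv4 packet on this link."""
    return mtu - IPV4_HDR - TCP_HDR

def build_syn(src_port, dst_port, mss, flags=0x02):
    """Constructed TCP segment (checksum left at zero) carrying one MSS option."""
    opts = struct.pack("!BBH", MSS_KIND, 4, mss)
    doff = (TCP_HDR + len(opts)) // 4  # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, doff << 4, flags, 65535, 0, 0)
    return hdr + opts

def find_mss(segment):
    """Walk the TCP options; return (offset of the MSS value, MSS) or None."""
    doff = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < doff:
        kind = segment[i]
        if kind == 0:           # end of option list
            return None
        if kind == 1:           # NOP padding
            i += 1
            continue
        length = segment[i + 1]
        if kind == MSS_KIND and length == 4:
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None

def clamp_mss(segment, out_mtu):
    """Model of '-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'."""
    flags = segment[13]
    if not flags & 0x02 or flags & 0x04:  # SYN must be set, RST must be clear
        return segment, None
    if (found := find_mss(segment)) is None:
        return segment, None
    off, old = found
    limit = mss_for_mtu(out_mtu)
    if old <= limit:
        return segment, (old, old)        # already fits the outgoing link
    seg = bytearray(segment)
    struct.pack_into("!H", seg, off, limit)  # the real target also fixes the TCP checksum
    return bytes(seg), (old, limit)
```

Calling clamp_mss(build_syn(40000, 80, mss_for_mtu(1500)), PPP0_MTU) reports the rewrite 1460 -> 1392 that the iptables rule applies to every new connection from the LAN.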
Ravilj Apprentice
Joined: 29 Jul 2004 Posts: 164 Location: ziig / #
Posted: Tue Jun 14, 2005 7:53 am Post subject:
Ok, I will. Just for my understanding, what does that do?
widan Veteran
Joined: 07 Jun 2005 Posts: 1512 Location: Paris, France