From: Andrew Beekhof <beekhof@gmail.com>
To: Trevor Cordes <trevor@tecnopolis.ca>
Cc: netfilter@lists.netfilter.org
Subject: Re: Masquerade difficulties
Date: Sat, 8 Jan 2005 21:56:58 +0100
Message-ID: <26ef5e70501081256335bfd02@mail.gmail.com>
In-Reply-To: <26ef5e7050108020312386f9c@mail.gmail.com>

Looks like there is something going awry when 2.6, ipsec/openswan and
iptables are combined.

With further tinkering I was able to get ipsec working and
masquerading working separately, however masquerading through ipsec
still wouldn't work.  Just to be clear, I used www.google.com instead
of BoxC in the tests for which masquerading worked.

Anyway, I've reverted to a 2.4 kernel now and everything seems to be
working nicely.

I don't mind running some tests with my 2.6 setup if anyone is
interested though...

Andrew

On Sat, 8 Jan 2005 11:03:22 +0100, Andrew Beekhof <beekhof@gmail.com> wrote:
> On Fri, 7 Jan 2005 16:12:38 -0600, Trevor Cordes <trevor@tecnopolis.ca> wrote:
> > > I'm having some difficulties getting masquerading to work and hoping
> > > for some pointers...
> >
> > I can try to help.  But you'll need to better describe your network
> > layout.  Can you draw a little diagram showing where A, B & C are?
> 
> Sure, A & B are connected directly to a netgear DSL modem/hub.  C is
> part of my company's network which I'm accessing over the internet
> with ipsec.  I've also tried replacing C with google.com (after
> specifying an appropriate routing rule) with no success.
> 
> Does that clear things up?
> 
> >
> > Are you sure that BoxC doesn't have some firewall on (XP SP2) that is
> > eating the ping packets?
> 
> XP? God no!  All the machines are linux boxes running either SLES9 or
> Gentoo :)  No firewall on B or C.
> 
> From what I can tell, the packets from BoxB are getting lost on BoxA.
> I just tried using telnet and tcpdump and although I get logs like
> this:
> 
> Jan  8 08:35:55 BoxA IN=eth0 OUT=eth0 SRC=192.168.9.22 DST=10.10.2.86
> LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48952 DF PROTO=TCP SPT=34452
> DPT=69 WINDOW=3840 RES=0x00 SYN URGP=0
> 
> ... the packets never actually arrive at BoxC (10.10.2.86).  I don't
> think they ever leave BoxA but I'm not sure I understand the tcpdump
> output enough to say for sure.
> 
> A dump of my iptables in case it helps...
> 
> mayo linux # iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere            LOG level warning
> MASQUERADE  all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> mayo linux # iptables -L -t filter
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> mayo linux # iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere            LOG level debug
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
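The kernel LOG line quoted in the message above packs the forwarding decision (IN/OUT interface), addresses, ports and flags into one KEY=VALUE string. Reading it mechanically is often more reliable than eyeballing it, so here is a small parser for that format together with the observations a firewall admin would draw from the fields. This is an added example, not code from the thread or from the netfilter project; the sample input is the quoted log line re-joined onto one line, and the field names follow what the LOG target prints (a `--log-prefix`, if one were set, appears before `IN=`).

```python
import ipaddress
import re

# Constructed sample input: the kernel LOG line quoted in the thread, re-joined
# onto one line (the mail client had wrapped it across three lines).
SAMPLE_LOG = (
    "Jan  8 08:35:55 BoxA IN=eth0 OUT=eth0 SRC=192.168.9.22 DST=10.10.2.86 "
    "LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48952 DF PROTO=TCP SPT=34452 "
    "DPT=69 WINDOW=3840 RES=0x00 SYN URGP=0"
)

_KV = re.compile(r"([A-Z]+)=(\S*)")
# Tokens the LOG target emits without a value: IP flags and TCP flags.
_BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Fields printed as decimal integers (hex fields such as TOS/PREC/RES stay strings).
_INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}


def parse_nflog(line: str) -> dict:
    """Parse one netfilter LOG line into a dict.

    Returns the syslog timestamp and host, any --log-prefix text, every
    KEY=VALUE field (decimal ones converted to int) and the set of bare
    flag tokens (DF, SYN, ...) under the key "flags".
    """
    # syslog part: month, day, time, host; everything after that is the kernel text
    month, day, clock, host, rest = line.split(None, 4)
    first_kv = _KV.search(rest)
    if first_kv is None:
        raise ValueError("not a netfilter LOG line: %r" % line)
    # Anything before the first KEY=VALUE pair is the --log-prefix (empty in the sample).
    prefix = rest[: first_kv.start()].strip()
    kv_part = rest[first_kv.start():]
    pkt = {"timestamp": "%s %s %s" % (month, day, clock), "host": host, "prefix": prefix}
    for key, value in _KV.findall(kv_part):
        pkt[key] = int(value) if key in _INT_FIELDS and value.isdigit() else value
    pkt["flags"] = {tok for tok in kv_part.split() if "=" not in tok and tok in _BARE_FLAGS}
    return pkt


def describe_forward(pkt: dict) -> list:
    """Observations about a forwarded packet that follow directly from the fields."""
    notes = []
    if pkt.get("IN") and pkt.get("IN") == pkt.get("OUT"):
        # The routing decision sent the packet back out the interface it arrived on.
        notes.append("hairpin: forwarded back out the ingress interface %s" % pkt["IN"])
    src = ipaddress.ip_address(pkt["SRC"])
    dst = ipaddress.ip_address(pkt["DST"])
    if src.is_private and not dst.is_private:
        notes.append("private source to public destination: replies need SNAT/MASQUERADE")
    elif src.is_private and dst.is_private:
        notes.append("both ends private: masquerading only matters if %s has no route back to %s"
                     % (dst, src))
    if pkt.get("PROTO") == "TCP" and "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
        notes.append("new TCP connection attempt to port %d" % pkt["DPT"])
    return notes


if __name__ == "__main__":
    parsed = parse_nflog(SAMPLE_LOG)
    for key in ("host", "IN", "OUT", "SRC", "DST", "PROTO", "SPT", "DPT", "flags"):
        print("%-6s %s" % (key, parsed[key]))
    for note in describe_forward(parsed):
        print("-", note)
```

For the sample line the parser reports `IN=eth0 OUT=eth0`, i.e. BoxA routed the packet straight back out the interface it came in on, and a private-to-private SYN to port 69. Run the same two functions over a whole `/var/log/messages` (one call per line, skipping lines that raise `ValueError`) to see at a glance which interface each logged packet actually left on.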

