* Re: Forwarding and masquerading got broken
2003-12-03 3:54 Forwarding and masquerading got broken Lawrence G. Hunsicker
@ 2003-12-02 15:19 ` Michael Gale
0 siblings, 0 replies; 8+ messages in thread
From: Michael Gale @ 2003-12-02 15:19 UTC (permalink / raw)
To: netfilter
Hello,
Look at the section:
--snip--
# --------( Sysctl Tuning - Recommended Parameters )--------
# Turn off IP forwarding by default
# (this will be enabled if you require masquerading)
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 0 > /proc/sys/net/ipv4/ip_forward
fi
--snip--
The "echo 0" into "/proc/sys/net/ipv4/ip_forward" disables IP forwarding -- which is needed to forward packets.
Change the "echo 0" to "echo 1"
:)
Michael.
On Tue, 02 Dec 2003 21:54:29 -0600
"Lawrence G. Hunsicker" <lhunsicker@mchsi.com> wrote:
> Hi, folks:
>
> I have just used firestarter's wizard to allow access to my web server.
> This part of things worked correctly, but in the process my machine
> has stopped forwarding and masquerading traffic from machines inside my
> firewall to the outside world. All of the interfaces themselves work
> correctly. I.e., from inside machines I can ping my server and from the
> server I can see the outside world. But I can't see the outside world
> from the inside machines. Is there someone out there that can tell me
> what I have to do to get IP forwarding and masquerading working again?
>
> I have attached a copy of my firewall.sh file.
>
> Many thanks in advance for any help that you can give me.
>
> --
> Lawrence G. Hunsicker
> lhunsicker@mchsi.com
>
--
Michael Gale
Network Administrator
Utilitran Corporation
^ permalink raw reply [flat|nested] 8+ messages in thread
* Forwarding and masquerading got broken
@ 2003-12-03 3:54 Lawrence G. Hunsicker
2003-12-02 15:19 ` Michael Gale
0 siblings, 1 reply; 8+ messages in thread
From: Lawrence G. Hunsicker @ 2003-12-03 3:54 UTC (permalink / raw)
To: netfilter
Hi, folks:
I have just used firestarter's wizard to allow access to my web server.
This part of things worked correctly, but in the process my machine
has stopped forwarding and masquerading traffic from machines inside my
firewall to the outside world. All of the interfaces themselves work
correctly. I.e., from inside machines I can ping my server and from the
server I can see the outside world. But I can't see the outside world
from the inside machines. Is there someone out there that can tell me
what I have to do to get IP forwarding and masquerading working again?
I have attached a copy of my firewall.sh file.
Many thanks in advance for any help that you can give me.
--
Lawrence G. Hunsicker
lhunsicker@mchsi.com
[-- Attachment #2: firewall.sh --]
[-- Type: application/x-sh, Size: 24614 bytes --]
* Port Forwarding
2003-12-04 5:43 Forwarding and masquerading got broken Lawrence G. Hunsicker
@ 2003-12-03 8:26 ` Remus
2003-12-03 8:44 ` Rob Sterenborg
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Remus @ 2003-12-03 8:26 UTC (permalink / raw)
To: netfilter
Hi folks,
I have a PREROUTING rule:
iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p 47 \
    -j DNAT --to 192.168.0.19
How to add more source addresses which will be able to connect?
Thanks in advance
Remus
* RE: Port Forwarding
2003-12-03 8:26 ` Port Forwarding Remus
@ 2003-12-03 8:44 ` Rob Sterenborg
2003-12-03 8:44 ` Ray Leach
2003-12-03 16:27 ` Mark E. Donaldson
2 siblings, 0 replies; 8+ messages in thread
From: Rob Sterenborg @ 2003-12-03 8:44 UTC (permalink / raw)
To: netfilter
> iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p 47 \
>     -j DNAT --to 192.168.0.19
>
> How to add more source addresses which will be able to connect?
Add more rules like these that allow it.
Or maybe you compiled a new kernel with netfilter iprange support.
http://www.netfilter.org/documentation/pomlist/pom-combined.html#iprange
Gr,
Rob
* Re: Port Forwarding
2003-12-03 8:26 ` Port Forwarding Remus
2003-12-03 8:44 ` Rob Sterenborg
@ 2003-12-03 8:44 ` Ray Leach
2003-12-03 16:27 ` Mark E. Donaldson
2 siblings, 0 replies; 8+ messages in thread
From: Ray Leach @ 2003-12-03 8:44 UTC (permalink / raw)
To: Netfilter Mailing List
On Wed, 2003-12-03 at 10:26, Remus wrote:
> Hi folks,
>
> I have a PREROUTING rule:
> iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p 47 \
>     -j DNAT --to 192.168.0.19
>
Just add more rules with different -s some_external_IP's
> How to add more source addresses which will be able to connect?
>
>
> Thanks in advance
>
> Remus
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
* RE: Port Forwarding
2003-12-03 8:26 ` Port Forwarding Remus
2003-12-03 8:44 ` Rob Sterenborg
2003-12-03 8:44 ` Ray Leach
@ 2003-12-03 16:27 ` Mark E. Donaldson
2003-12-03 16:38 ` Rimas
2 siblings, 1 reply; 8+ messages in thread
From: Mark E. Donaldson @ 2003-12-03 16:27 UTC (permalink / raw)
To: 'Remus', netfilter
A method that works well for me, and I use it extensively, is to place all
your IP addresses in a text file, and feed the file to the script. With
this method, all you need to do is update (edit) the text file as needed for
adding or deleting IP's. For instance, if you wanted to sneak TFTP through
the firewall (which I don't really recommend), you could add this rule:
####################################################################
# TFTP
####################################################################
# if TFTP enabled redirect to port 69 on internal TFTP server
if [ "$TFTP_SERVER" = "1" ] ;
then
    # one LOG rule and one DNAT rule per trusted source address
    while read TRUSTED;
    do
        $IPT -t nat -A PREROUTING -p udp -s $TRUSTED \
            --destination-port 69 -i $FW_INET_IFACE -j LOG --log-level $LOG_LEVEL \
            --log-prefix "DNAT IN TFTP OK: "
        $IPT -t nat -A PREROUTING -p udp -s $TRUSTED \
            --destination-port 69 -i $FW_INET_IFACE -j DNAT --to-destination \
            $INTERNAL_TFTP:69
    done < $TRUSTED_LIST
fi
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Remus
Sent: Wednesday, December 03, 2003 12:27 AM
To: netfilter@lists.netfilter.org
Subject: Port Forwarding
Hi folks,
I have a PREROUTING rule:
iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p 47 \
    -j DNAT --to 192.168.0.19
How to add more source addresses which will be able to connect?
Thanks in advance
Remus
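Rob and Ray's answer ("add more rules, one per source") and Mark's allow-list file are the same idea; the one thing Mark's loop does not do is check what it reads, so a typo or a stray comment in the list goes straight into a rule. The script below is an added example written for this page, not code from the thread or from any of the posters: it reads an allow-list file, validates every line as an IPv4 address or CIDR prefix, emits the LOG and DNAT pair for each good entry, and counts the bad ones. The variable names follow the thread ($IPT, $FW_INET_IFACE, $INTERNAL_TFTP); the address values and the sample list are constructed, and IPT defaults to "echo iptables" so the rules are printed rather than loaded.

```shell
#!/bin/sh
# Added example (not from the thread): generate one LOG + one DNAT rule per
# validated source address in an allow-list file. Dry run by default.

IPT="${IPT:-echo iptables}"                      # set IPT=iptables to load for real
FW_INET_IFACE="${FW_INET_IFACE:-eth0}"           # assumed external interface
INTERNAL_TFTP="${INTERNAL_TFTP:-192.168.0.19}"   # constructed internal target
LOG_LEVEL="${LOG_LEVEL:-info}"

# is_ipv4_cidr ADDR: true for a.b.c.d or a.b.c.d/NN with octets 0-255, NN 0-32.
is_ipv4_cidr() {
    addr="${1%/*}"
    pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32                  # no prefix given: host address
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr                                 # split on dots into $1..$4
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# add_dnat_rules LISTFILE DPORT: emit the rules for every valid entry in
# LISTFILE (comments after '#' and blank lines are ignored); the return
# value is the number of entries that were rejected.
add_dnat_rules() {
    listfile=$1; dport=$2; bad=0
    while IFS= read -r trusted || [ -n "$trusted" ]; do
        trusted="${trusted%%#*}"                 # strip trailing comment
        trusted=$(printf '%s' "$trusted" | tr -d '[:space:]')
        [ -z "$trusted" ] && continue            # blank or comment-only line
        if ! is_ipv4_cidr "$trusted"; then
            echo "skipping invalid entry: $trusted" >&2
            bad=$((bad + 1))
            continue
        fi
        $IPT -t nat -A PREROUTING -p udp -s "$trusted" -i "$FW_INET_IFACE" \
            --destination-port "$dport" -j LOG --log-level "$LOG_LEVEL" \
            --log-prefix "DNAT IN TFTP OK: "
        $IPT -t nat -A PREROUTING -p udp -s "$trusted" -i "$FW_INET_IFACE" \
            --destination-port "$dport" -j DNAT \
            --to-destination "$INTERNAL_TFTP:$dport"
    done < "$listfile"
    return "$bad"
}

# Constructed sample allow-list: two good entries, two that must be rejected.
TRUSTED_LIST=$(mktemp)
cat > "$TRUSTED_LIST" <<'EOF'
# trusted TFTP clients
203.0.113.10
198.51.100.0/28      # lab network
10.0.0.300           # bad octet
not-an-address
EOF
if add_dnat_rules "$TRUSTED_LIST" 69; then
    echo "all entries valid"
else
    echo "rejected entries: $?"
fi
rm -f "$TRUSTED_LIST"
```

Run it as-is to see the rules that would be loaded; set IPT=iptables only once the printed output is what you expect. The validation is the part worth keeping even if you drop the rest: the loop in the thread would happily pass "10.0.0.300" or an empty line to iptables and stop the whole script on the error.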
* Re: Port Forwarding
2003-12-03 16:27 ` Mark E. Donaldson
@ 2003-12-03 16:38 ` Rimas
0 siblings, 0 replies; 8+ messages in thread
From: Rimas @ 2003-12-03 16:38 UTC (permalink / raw)
To: netfilter
Thanks guys for the help. It helped me.
I have another iptables setmark question.
This is a small part of my script:
The line below is OK:
iptables -t mangle -A PREROUTING -i eth2 -s 10.105.105.0/24 -p tcp --dport 1723 \
    -j MARK --set-mark 0x960
But how do I mark just IP port 47? The line below does not do what I want.
iptables -t mangle -A PREROUTING -i eth2 -s 10.105.105.0/24 -p 47 \
    -j MARK --set-mark 0x960
ip rule add fwmark 0x960 table localvpn
ip route add default via $P2 dev eth0 table localvpn
Thanks in advance
Remus
----- Original Message -----
From: "Mark E. Donaldson" <markee@bandwidthco.com>
To: "'Remus'" <rmocius@auste.elnet.lt>; <netfilter@lists.netfilter.org>
Sent: Wednesday, December 03, 2003 4:27 PM
Subject: RE: Port Forwarding
> A method that works well for me, and I use it extensively, is to place all
> your IP addresses in a text file, and feed the file to the script. With
> this method, all you need to do is update (edit) the text file as needed
> for adding or deleting IP's. For instance, if you wanted to sneak TFTP
> through the firewall (which I don't really recommend), you could add this rule:
>
> ####################################################################
> # TFTP
> ####################################################################
> # if TFTP enabled redirect to port 69 on internal TFTP server
> if [ "$TFTP_SERVER" = "1" ] ;
> then
> while read TRUSTED;
> do
> $IPT -t nat -A PREROUTING -p udp -s $TRUSTED \
>     --destination-port 69 -i $FW_INET_IFACE -j LOG --log-level $LOG_LEVEL \
>     --log-prefix "DNAT IN TFTP OK: "
> $IPT -t nat -A PREROUTING -p udp -s $TRUSTED \
>     --destination-port 69 -i $FW_INET_IFACE -j DNAT --to-destination \
>     $INTERNAL_TFTP:69
> done < $TRUSTED_LIST
> fi
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Remus
> Sent: Wednesday, December 03, 2003 12:27 AM
> To: netfilter@lists.netfilter.org
> Subject: Port Forwarding
>
> Hi folks,
>
> I have a PREROUTING rule:
> iptables -t nat -A PREROUTING -d $EXTERNALIP_1 -s some_external_IP -p 47 \
>     -j DNAT --to 192.168.0.19
>
> How to add more source addresses which will be able to connect?
>
>
> Thanks in advance
>
> Remus
* Re: Forwarding and masquerading got broken
@ 2003-12-04 5:43 Lawrence G. Hunsicker
2003-12-03 8:26 ` Port Forwarding Remus
0 siblings, 1 reply; 8+ messages in thread
From: Lawrence G. Hunsicker @ 2003-12-04 5:43 UTC (permalink / raw)
To: netfilter
Michael Gale said:
Hello,
Look at the section:
--snip--
# --------( Sysctl Tuning - Recommended Parameters )--------
# Turn off IP forwarding by default
# (this will be enabled if you require masquerading)
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 0 > /proc/sys/net/ipv4/ip_forward
fi
--snip--
The "echo 0" into "/proc/sys/net/ipv4/ip_forward" disables
IP forwarding -- which is needed to forward packets.
Change the "echo 0" to "echo 1"
Mike:
Thanks for the suggestion. Note, though, that further down in the file
there is a parallel section catting 1 to the same address to turn on
kernel forwarding. I have checked the actual setting after boot-up by
lessing the address, and it is indeed already set to one. I'll check
changing this line, but I suspect that this is not where my problem is.
Any other suggestions?
--
Lawrence G. Hunsicker
lhunsicker@mchsi.com
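Lawrence's follow-up is the useful data point in this thread: ip_forward is already 1, so the kernel sysctl is not what broke. Forwarding and masquerading need three things at once: the sysctl, a MASQUERADE (or SNAT) rule in the nat POSTROUTING chain, and a filter FORWARD chain that actually accepts the traffic; a wizard that rewrites the ruleset can silently take away the second or third while the first stays set. The script below is an added example written for this page, not code from the thread or from firestarter: it checks those three conditions against a sysctl value file and an iptables-save dump that you pass in, so it can be run against a saved copy as well as the live paths. The function names and the sample ruleset are mine; the sample is constructed to reproduce the symptom described (sysctl on, MASQUERADE present, FORWARD policy DROP with no ACCEPT rule).

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why a Linux router that has
# ip_forward=1 still does not forward and masquerade LAN traffic.
# Usage on a live box:
#   iptables-save > /tmp/rules; diagnose /proc/sys/net/ipv4/ip_forward /tmp/rules

# check_ip_forward FILE: true if the sysctl file holds exactly "1".
check_ip_forward() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# table_has DUMP TABLE REGEX: true if a line matching REGEX appears inside
# the "*TABLE" section of an iptables-save dump (so a FORWARD line in the
# mangle table is not mistaken for the filter table's FORWARD chain).
table_has() {
    awk -v table="*$2" -v re="$3" '
        /^\*/ { cur = $0 }
        cur == table && $0 ~ re { found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# check_masquerade DUMP: true if nat POSTROUTING rewrites the source.
check_masquerade() {
    table_has "$1" nat '^-A POSTROUTING .*-j (MASQUERADE|SNAT)'
}

# check_forward_chain DUMP: true if the filter FORWARD chain can pass
# traffic, i.e. its policy is ACCEPT or it holds at least one ACCEPT rule.
# This is a coarse check: an ACCEPT rule that only matches ESTABLISHED
# connections would pass it while still blocking new LAN connections.
check_forward_chain() {
    table_has "$1" filter '^:FORWARD ACCEPT' && return 0
    table_has "$1" filter '^-A FORWARD .*-j ACCEPT'
}

# diagnose SYSCTL_FILE DUMP: print one line per check; the return value is
# the number of checks that failed.
diagnose() {
    fails=0
    if check_ip_forward "$1"; then
        echo "ok:   ip_forward is 1"
    else
        echo "FAIL: ip_forward is not 1 (echo 1 > /proc/sys/net/ipv4/ip_forward)"
        fails=$((fails + 1))
    fi
    if check_masquerade "$2"; then
        echo "ok:   nat POSTROUTING has a MASQUERADE/SNAT rule"
    else
        echo "FAIL: no MASQUERADE/SNAT rule in nat POSTROUTING"
        fails=$((fails + 1))
    fi
    if check_forward_chain "$2"; then
        echo "ok:   filter FORWARD chain can accept traffic"
    else
        echo "FAIL: filter FORWARD policy is DROP and it has no ACCEPT rule"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample reproducing the thread's symptom: sysctl is on, the
# web-server DNAT and the MASQUERADE rule are present, but the FORWARD
# chain drops everything.
SAMPLE_SYSCTL=$(mktemp); SAMPLE_RULES=$(mktemp)
echo 1 > "$SAMPLE_SYSCTL"
cat > "$SAMPLE_RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
diagnose "$SAMPLE_SYSCTL" "$SAMPLE_RULES" || echo "failed checks: $?"
rm -f "$SAMPLE_SYSCTL" "$SAMPLE_RULES"
```

On the constructed sample the first two checks pass and the third fails, which is the shape of Lawrence's problem: the sysctl he verified with less is fine, and the place to look is the ruleset the wizard wrote.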