From: Stewart Smith
Date: Wed, 26 Feb 2003 23:47:46 +0000
Subject: [LARTC] masquerading not working with iproute2?
To: lartc@vger.kernel.org

(I posted this in bugzilla, but was told to post it here - bug #52)

I have two machines which are VERY similar (software wise). Both redhat 7.2, all updates, running 2.4.19-xfs (custom built)

Linux version 2.4.19-xfs (root@omega) (gcc version 2.96 20000731 (Red Hat Linux 7.2 2.96-108.7.2)) #3 SMP Mon Nov 11 17:52:11 EST 2002
Linux version 2.4.19-xfs (root@delta) (gcc version 2.96 20000731 (Red Hat Linux 7.2 2.96-112.7.2)) #1 Mon Nov 25 15:36:03 EST 2002

omega has two connections to the internet (one is used for hosting our web site and mail etc and the other for browsing the web, as it is cheaper). I have an iproute2 script set up to achieve this (attached). Delta does not have this script (it is only connected to one internet connection). This is the only difference that isn't hardware (maybe lynx isn't installed on delta... but that's all.)

I also have iptables-restore (via the redhat init.d script) setting up the iptables firewall. I am trying to enable masquerading for one IP in the outside world (our freight company uses it or some such thing, and I can't proxy it - that I know of). The iptables-restore script is attached.

On Delta, this script works fine - and from my pc, I can connect to the remote host (I found the FTP port open, and can telnet to it). However, if I set this up on omega, it doesn't (and yes, I change my gateway settings).
Client pc is Debian Sid
Linux version 2.4.19-xfs (root@stewart) (gcc version 2.95.4 20011002 (Debian prerelease)) #4 Thu Nov 28 15:06:09 EST 2002
or
Linux version 2.5.63 (stewart@stewart) (gcc version 3.2.3 20030210 (Debian prerelease)) #1 SMP Wed Feb 26 12:48:18 EST 2003

Using tcpdump, I found the following:
on Omega (the machine with iproute2 enabled) the packets come out on the wire without their address rewritten (i.e. it says 192.168.0.18 instead of the external address)
on delta, it comes out on the wire with the address rewritten (i.e. correct)

There are 3 ethernet interfaces
eth0 - internet connection to (more) expensive ISP that does our hosting
eth1 - intranet connection (local LAN)
eth2 - internet connection to (less) expensive ISP that we use for web browsing etc because it's cheaper.

The aim is to make sure all the connections that come in on eth0 are serviced through eth0 (i.e. all the hosting) and all new connections go through eth2. There is no global NAT thing going on as I am forcing everyone to use the proxy. There is, however, one app that we use that does need to have NAT to the one IP. This is what I'm trying to get going.
---- ROUTING SETUP SCRIPT ----
#!/bin/bash
# interfaces and addresses for the two uplinks (P1/P2 are the ISP gateways)
IF1=eth0
IF2=eth2
IP1=202.44.184.129
IP2=10.0.0.2
P1=202.44.184.134
P2=10.0.0.138
P1_NET=202.44.184.135
P2_NET=10.255.255.255
# per-uplink routing tables T1 and T2
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2
# main table: default route goes out the cheaper link (eth2)
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip route add default via $P2
# traffic sourced from each uplink's own address uses that uplink's table
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

---- IPTABLES SETUP SCRIPT ----
# Generated by iptables-save v1.2.5 on Wed Feb 19 12:53:31 2003
*nat
:PREROUTING ACCEPT [99:6653]
:POSTROUTING ACCEPT [18:1457]
:OUTPUT ACCEPT [18:1457]
[0:0] -A POSTROUTING -d 203.1.223.9 -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -d www.apple.com -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Feb 19 12:53:31 2003
# Generated by iptables-save v1.2.5 on Wed Feb 19 12:53:31 2003
*mangle
:PREROUTING ACCEPT [1322:99920]
:INPUT ACCEPT [28635:6719576]
:FORWARD ACCEPT [1187:95014]
:OUTPUT ACCEPT [1185:711578]
:POSTROUTING ACCEPT [26447:11202088]
COMMIT
# Completed on Wed Feb 19 12:53:31 2003
# Generated by iptables-save v1.2.5 on Wed Feb 19 12:53:31 2003
*filter
:INPUT ACCEPT [880:68811]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1185:711578]
:block - [0:0]
[315:22060] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 110 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 995 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 993 -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
[74:5965] -A INPUT -j block
[0:0] -A FORWARD -j block
[68:5458] -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
[6:507] -A block -i eth1 -m state --state NEW -j ACCEPT
[0:0] -A block -j DROP
COMMIT
# Completed on Wed Feb 19 12:53:31 2003

-- 
Stewart Smith
stewart@gammasolutions.com
Programmer / UNIX Sys Admin
Gamma Solutions Pty Ltd
Monash Corporate Centre, Unit 11, 20 Duerdin Street, Clayton, Victoria 3168
Phone: +61 3 9562 7755  Fax: +61 3 9562 7766  Mobile: +61 4 3884 4332

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
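One check a reader could run over the attached nat table, added here as an example and not part of the original message: it reads an iptables-save dump and flags every MASQUERADE rule whose outgoing interface is not one of the Internet-facing interfaces the post lists (eth0 and eth2; eth1 is the LAN), since a rule keyed on the LAN side is never consulted for traffic leaving towards the Internet. The sample input is constructed from the post's two rules plus one extra rule on eth2 for contrast.

```shell
#!/bin/sh
# Added example, not from the original post: audit the nat POSTROUTING
# MASQUERADE rules in an iptables-save dump against the interface roles the
# post describes (eth0 and eth2 face the Internet, eth1 is the LAN). A rule
# whose -o interface is the LAN side is never consulted for traffic leaving
# towards the Internet, so those packets keep their private source address.

# Interfaces that face the Internet (assumption taken from the post).
UPLINKS="eth0 eth2"

# Constructed sample in iptables-save format: the two rules from the post
# plus one extra rule (not in the post) on the cheaper uplink for contrast.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A POSTROUTING -d 203.1.223.9 -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -d www.apple.com -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -d 203.1.223.9 -o eth2 -j MASQUERADE
COMMIT'

# Print one line per MASQUERADE rule: "<out-iface> <verdict>", where the
# verdict is "ok" for an uplink, "not-an-uplink" for anything else and
# "missing-out-interface" when the rule carries no -o match at all.
audit_masq() {
    printf '%s\n' "$1" | awk -v uplinks="$UPLINKS" '
        BEGIN { n = split(uplinks, up, " "); for (i = 1; i <= n; i++) ok[up[i]] = 1 }
        /-A POSTROUTING / && /-j MASQUERADE/ {
            iface = ""
            for (i = 1; i <= NF; i++) if ($i == "-o") iface = $(i + 1)
            if (iface == "") print "none missing-out-interface"
            else if (iface in ok) print iface " ok"
            else print iface " not-an-uplink"
        }'
}

# Number of MASQUERADE rules that can never rewrite Internet-bound traffic.
count_bad() {
    audit_masq "$1" | awk '!/ ok$/ { n++ } END { print n + 0 }'
}

audit_masq "$SAMPLE_RULES"
```

On the post's own two rules the audit reports both as not-an-uplink; only the constructed eth2 rule passes.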