* Please help...
@ 2004-06-28 21:56 Sam Loy
From: Sam Loy @ 2004-06-28 21:56 UTC (permalink / raw)
To: netfilter
If I sound a little frustrated, keep in mind I'm now on week 2 of my
attempt to set up Linux as a firewall router on my home network. I have
installed 3 different versions of Linux, read hundreds of pages, tried
at least 5 different configurations 20 times each... but still I cannot
seem to share my DSL connection with my other machines.
I have 2 NICs in a Linux 9 installation. One card connects to my LAN
with a static IP of 192.168.1.1. The other connects to my DSL provider,
which dynamically allocates the IP.
I did this:
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
It does not work. When I do an iptables -t nat -n -L,
it displays:
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
once for each time I've executed the above command (now 7 times). I'm
sorry, but this doesn't seem right. 0 to 0? Don't think so. So I try
different -o values, but always get the same.
Don't get it. Do I need to manually add a route? Completely befuddled
and ready to throw in the towel.
Sam
* Re: Please help...
From: Antony Stone @ 2004-06-28 22:13 UTC (permalink / raw)
To: netfilter
On Monday 28 June 2004 10:56 pm, Sam Loy wrote:
> I have 2 NICs in a Linux 9 installation.
Linux 9!? Wow - I've only just upgraded to version 2.6 :)
> One card connects to my LAN with a static IP of 192.168.1.1. The other
> connects to my DSL provider, which dynamically allocates the IP.
Sounds pretty standard so far....
> I did this:
>
> modprobe iptable_nat
>
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> It does not work.
How are you testing it?
> When I do an iptables -t nat -n -L, it displays:
>
> MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
A more useful command in this case would be "iptables -L -t nat -nvx", because
the -v option shows you the interfaces applying to the rules as well.
> Don't get it - Do I need to manually add a route?
Probably not, but what does your routing table show anyway?
Here are some things to test - in order:
1. Can you access anything out on the Internet from the firewall machine
itself? (Ping, traceroute would be good tests - by IP address if you don't
have DNS resolving hostnames yet)
2. Do you have any rules in the FORWARD chain (and what is the FORWARD default
policy)?
3. If you try a traceroute from a machine inside your LAN to an address on the
Internet, what is the result?
4. After whatever tests you are trying, what does "iptables -L -nvx; iptables
-L -t nat -nvx" show for the packet/byte counters on the rules (and default
policies)?
You can't be too far away from a working solution - it's a pretty standard
setup.
Regards,
Antony.
--
There are only 10 types of people in the world:
those who understand binary notation,
and those who don't.
Please reply to the list;
please don't CC me.
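As an added example that is not part of the thread, Antony's checklist turned into small shell functions that read saved `iptables -L -nvx` and `iptables -L -t nat -nvx` listings, so the counters can be compared before and after a ping from a LAN client without touching the live box. The interface names (eth0 for the LAN, ppp0 for the WAN) and the rule-line column layout are assumptions modelled on the setup described in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: Antony's checklist as functions that
# read saved listings (iptables -L -nvx > filter.txt; iptables -L -t nat -nvx
# > nat.txt). Rule lines: pkts bytes target prot opt in out source destination

# Check 1: is the kernel forwarding? Path is a parameter so a saved copy works.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Check 2: default policy of FORWARD, from the filter listing on stdin.
forward_policy() {
    sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# Check 4: "<out-iface> <pkts>" per MASQUERADE rule, from the NAT listing on stdin.
masq_counters() {
    awk '$3 == "MASQUERADE" { print $7, $1 }'
}

# Per-rule packet delta between two NAT listings (files: before, after).
masq_delta() {
    awk '$3 != "MASQUERADE" { next }
         NR == FNR { before[$7] = $1; next }
         { print $7, $1 - before[$7] }' "$1" "$2"
}

# Verdict after a ping from a LAN client: ip_forward file, filter listing,
# NAT listing before and after the ping, WAN interface (assumed default ppp0).
diagnose() {
    fwd=$1 filter=$2 before=$3 after=$4 wan=${5:-ppp0}
    if ! forwarding_enabled "$fwd"; then
        echo "ip_forward is not 1: the kernel is not routing between the NICs"
        return 1
    fi
    delta=$(masq_delta "$before" "$after" | awk -v w="$wan" '$1 == w { print $2 }')
    if [ "${delta:-0}" -eq 0 ]; then
        # POSTROUTING only sees packets the FORWARD chain let through, so a
        # zero delta means the client's packets were dropped before NAT.
        echo "no LAN packets reached POSTROUTING on $wan; FORWARD policy is" \
             "$(forward_policy < "$filter"), check its rules and counters"
        return 1
    fi
    echo "LAN packets are being masqueraded on $wan (+$delta packets)"
}
```

Run `diagnose /proc/sys/net/ipv4/ip_forward filter.txt nat-before.txt nat-after.txt` after taking the two NAT snapshots around a single ping from a client; a non-zero exit status names the first check that fails.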
* Re: Please help...
From: Marek Dohojda @ 2004-06-28 22:18 UTC (permalink / raw)
To: Sam Loy; +Cc: netfilter
Well, 0/0 is exactly right. That just means the whole Internet.
What are your other chains set up as?
Sam Loy wrote:
> If I sound a little frustrated, keep in mind I'm now on week 2 of my
> attempt to set up Linux as a firewall router on my home network. I have
> installed 3 different versions of Linux, read hundreds of pages, tried
> at least 5 different configurations 20 times each... but still I cannot
> seem to share my DSL connection with my other machines.
>
> I have 2 NICs in a Linux 9 installation. One card connects to my LAN
> with a static IP of 192.168.1.1. The other connects to my DSL provider,
> which dynamically allocates the IP.
>
> I did this:
>
> modprobe iptable_nat
>
> # In the NAT table (-t nat), Append a rule (-A) after routing
> # (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
> # MASQUERADE the connection (-j MASQUERADE).
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Turn on IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> It does not work. When I do an iptables -t nat -n -L,
> it displays:
>
> MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
>
> once for each time I've executed the above command (now 7 times). I'm
> sorry, but this doesn't seem right. 0 to 0? Don't think so. So I try
> different -o values, but always get the same.
>
> Don't get it. Do I need to manually add a route? Completely befuddled
> and ready to throw in the towel.
>
> Sam
* Re: Please help...
From: Sam Loy @ 2004-06-29 16:57 UTC (permalink / raw)
To: netfilter
Thanks everyone who has tried to help so far. I am confident I will get
it working with all of your help.
Here is some more information:
Per Marek Dohojda's reply, I added a rule to my output chain:
iptables -A FORWARD -s 192.168.1.0 -j ACCEPT
I also tried adding 192.168.1.1 as above, with still nothing.
As suggested by Antony, I have performed the following test:
I examined the bytecounts of iptables and discovered:
Chain PREROUTING policy has accepted 11331 packets, 1345868 bytes.
Chain POSTROUTING policy has accepted 12 packets, 665 bytes, but lists
detail in 2 of the rules:
pkts=348, bytes=25416, target=MASQUERADE, out=ppp0
pkts=3, bytes=144, target=MASQUERADE, out=eth0 (which is 192.168.1.1)
There are a total of 8 rules under POSTROUTING; only 2 have any stats.
Is there any way to clear all rules and start over?
Chain OUTPUT policy has accepted 178 packets, 7838 bytes.
ping and traceroute test:
From the firewall machine:
Can ping and traceroute www.abcnews.com. traceroute does NOT show the
route going through 192.168.1.1, but straight to the IP address
currently assigned to ppp0. Which brings me to another subject: I am sure
I told adsl-setup to leave the connection up continuously, yet it drops
and re-acquires a new IP every minute. This will make any attempt to
access my LAN from outside futile. Any suggestions on how to simply
acquire an IP from my ISP and hold it forever would be greatly
appreciated.
From a client machine, I can ping 192.168.1.1, I can also ping the IP
assigned by my ISP (if I type fast! see above :-) When I do a
traceroute from my client to the ISP IP, it DOES go through
192.168.1.1.
HOWEVER - I CANNOT ping www.abcnews.com OR the IP it resolves
to (199.181.132.250) from a client machine.
After I conduct the ping/traceroute test, the byte counts from the -nvx
command increase on the ppp0 MASQUERADE rule ONLY, not on the eth0
rule... and ONLY when executed on the firewall machine. The byte counts
do not change at all when the test is executed from the client machine.
Routing Table:
When ppp0 is up: (Again, ppp0 is reconnecting every 60 seconds...make
it stop! :-()
Dest               GW                 Mask             Iface
(ISP assigned IP)  0.0.0.0            255.255.255.255  ppp0
192.168.1.0        0.0.0.0            255.255.255.0    eth0
169.254.0.0        0.0.0.0            255.255.0.0      eth0
127.0.0.0          0.0.0.0            255.0.0.0        lo
0.0.0.0            (ISP assigned IP)  0.0.0.0          ppp0
I hope this is enough information.
By the way, Dick St. Peters, I tried your suggestion and it had no
effect.
Thank you all again.
Sincerely,
Sam Loy