problems with ip masquerade
Hi!
I have configured a Linux box as a router for my home LAN using
IP masquerade, but now I am having some problems.
My configuration:
* 486/100MHz, 16 MB RAM, Debian potato as a router
* 56k modem PPP link (it works fine from the router)
* Kernel 2.2.17 recompiled according to IP-Masquerade-HOWTO
* rules configured using pmfirewall
They look like this (62.83.136.124 here is a dynamic dial-up IP):
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
ACCEPT tcp !y---- 0.0.0.0/0 62.83.136.124 * -> *
DENY all ------ 10.0.0.0/8 62.83.136.124 n/a
DENY all ------ 127.0.0.0/8 62.83.136.124 n/a
DENY all ------ 172.16.0.0/12 62.83.136.124 n/a
DENY all ------ 192.168.0.0/16 62.83.136.124 n/a
DENY tcp ----l- 0.0.0.0/0 62.83.136.124 * -> 31337
DENY udp ----l- 0.0.0.0/0 62.83.136.124 * -> 31337
DENY tcp ----l- 0.0.0.0/0 62.83.136.124 * -> 12345:12346
DENY udp ----l- 0.0.0.0/0 62.83.136.124 * -> 12345:12346
DENY tcp ----l- 0.0.0.0/0 62.83.136.124 * -> 1524
DENY tcp ----l- 0.0.0.0/0 62.83.136.124 * -> 27665
DENY udp ----l- 0.0.0.0/0 62.83.136.124 * -> 27444
DENY udp ----l- 0.0.0.0/0 62.83.136.124 * -> 31335
DENY all ------ 224.0.0.0/8 0.0.0.0/0 n/a
DENY all ------ 0.0.0.0/0 224.0.0.0/8 n/a
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 67:68
ACCEPT tcp ------ 0.0.0.0/0 62.83.136.124 * -> 22
ACCEPT tcp ------ 0.0.0.0/0 62.83.136.124 * -> 25
ACCEPT tcp ------ 0.0.0.0/0 62.83.136.124 * -> 80
ACCEPT tcp ------ 192.168.10.0/24 62.83.136.124 * -> 110
ACCEPT tcp ------ 0.0.0.0/0 62.83.136.124 * -> 113
ACCEPT udp ------ 0.0.0.0/0 62.83.136.124 * -> 113
ACCEPT tcp ------ 0.0.0.0/0 62.83.136.124 * -> 123
ACCEPT udp ------ 0.0.0.0/0 62.83.136.124 * -> 123
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137:139
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137:139
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 520
DENY tcp ----l- 0.0.0.0/0 0.0.0.0/0 * -> 2049
DENY udp ----l- 0.0.0.0/0 0.0.0.0/0 * -> 2049
DENY tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 5999:6003
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 5999:6003
ACCEPT all ------ 192.168.10.0/24 0.0.0.0/0 n/a
ACCEPT icmp ------ 0.0.0.0/0 62.83.136.124 * -> *
ACCEPT tcp ------ 0.0.0.0/0 62.83.136.124 * -> 1023:65535
ACCEPT udp ------ 0.0.0.0/0 62.83.136.124 * -> 1023:65535
DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a

Chain forward (policy DENY):
target prot opt source destination ports
ACCEPT all ------ 192.168.10.0/24 192.168.10.0/24 n/a
ACCEPT all ------ 62.83.136.124 0.0.0.0/0 n/a
MASQ all ------ 192.168.10.0/24 0.0.0.0/0 n/a

Chain output (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
ACCEPT all ------ 192.168.10.0/24 0.0.0.0/0 n/a
- tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 80
- tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 22
- tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 23
- tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 21
- tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 110
- tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 25
- tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 20
ACCEPT icmp ------ 192.168.10.0/24 0.0.0.0/0 * -> *
ACCEPT icmp ------ 62.83.136.124 0.0.0.0/0 * -> *
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Well, sorry it is long, I know...
My problem is that although IP masquerading is working, I have timeouts for
both WWW and FTP; now it is quite painful to do an apt-upgrade from a
masqueraded machine (it works, but with a lot of timeouts).
My MTU/MRU is set to 1500.
The router Linux box is an old 486/100MHz with 16 MB RAM; I understood this
is enough (actually I am only masquerading a couple of machines, and these
trials were done with only one masqueraded machine using the link).
Results from apt-get upgrade (from a masqueraded machine):
3 packages upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Need to get 1585kB of archives. After unpacking 643kB will be used.
Do you want to continue? [Y/n]
Get:1 http://security.debian.org stable/updates/main groff 1.15.2-2 [1165kB]
Err http://security.debian.org stable/updates/main groff 1.15.2-2
  Connection timed out
Err http://security.debian.org stable/updates/main fetchmail 5.3.3-3
  Connection failed
Get:2 http://security.debian.org stable/updates/main xloadimage 4.1-5potato1 [101kB]
Fetched 13.0kB in 9m16s (23B/s)
Failed to fetch http://security.debian.org/dists/potato/updates/main/binary-i386/groff_1.15.2-2_i386.deb  Connection timed out
Failed to fetch http://security.debian.org/dists/potato/updates/main/binary-i386/fetchmail_5.3.3-3_i386.deb  Connection failed
If I do apt-get upgrade from the router Linux box (another Debian
potato), the dial-up link is *fast* :????
Some help please?
Regards
Roberto
------------------------------------------------------------------------
Roberto Diaz <rdiazmartin@vivaldi.dhis.org>
http://vivaldi.dhis.org
Powered by GNU running on a Linux kernel.
Powered by Debian (The real wonder)
Concerto Grosso Op. 3/8 A minor
Antonio Vivaldi (so... do you need beautiful words?)
------------------------------------------------------------------------
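An added example, not from Roberto's post or from pmfirewall: a small Python audit for an `ipchains -L -n` listing in the wrapped form shown above. It re-joins the port column and reports rules that an earlier, broader rule already matches (ipchains stops at the first matching rule), which is one reason a rule that looks right in a long generated listing may never fire. It assumes the listing was made without -v, so the interface column is missing and each reported pair is only a candidate to confirm against `ipchains -L -n -v`.

```python
import ipaddress, re

# Constructed sample shaped like the post's `ipchains -L -n` listing; the
# destination-port column wraps onto the next line, exactly as in the post.
SAMPLE = """\
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
DENY all ------ 10.0.0.0/8 62.83.136.124 n/a
ACCEPT tcp ------ 0.0.0.0/0 62.83.136.124 * ->
22
Chain forward (policy DENY):
ACCEPT all ------ 192.168.10.0/24 192.168.10.0/24 n/a
MASQ all ------ 192.168.10.0/24 0.0.0.0/0 n/a
"""

def _ports(spec):
    """'n/a' and '*' match any port; '22' or '12345:12346' give a range."""
    lo, _, hi = spec.partition(":")
    return (0, 65535) if spec in ("n/a", "*") else (int(lo), int(hi or lo))

def parse_listing(text):
    """Return {chain: (policy, [rule dicts])}, re-joining wrapped port lines."""
    text = re.sub(r"->\s*\n\s*", "-> ", text)          # undo the column wrap
    chains, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"Chain (\S+) \(policy (\w+)\)", line):
            current = chains.setdefault(m.group(1), (m.group(2), []))[1]
        elif line and not line.startswith("target") and current is not None:
            f = line.split()
            current.append({"target": f[0], "proto": f[1], "opt": f[2],
                            "src": ipaddress.ip_network(f[3]),
                            "dst": ipaddress.ip_network(f[4]),
                            "dport": _ports(f[-1])})
    return chains

def find_shadowed(rules):
    """(j, i) pairs: rule j can never match, earlier rule i already covers it
    (ipchains is first-match). -L -n hides interfaces: confirm each hit with -v."""
    out = []
    for j, r in enumerate(rules):
        for i, e in enumerate(rules[:j]):
            if (e["opt"].replace("l", "-") == "------"   # i has at most the log flag
                    and e["proto"] in ("all", r["proto"])
                    and e["src"].supernet_of(r["src"])
                    and e["dst"].supernet_of(r["dst"])
                    and e["dport"][0] <= r["dport"][0] <= r["dport"][1] <= e["dport"][1]):
                out.append((j, i))
                break
    return out
```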