
Re: Masquerading Problem



You need to explain what you want to do more clearly. You seem to be talking
about two different things.

First is getting your LAN workstations to access the Internet via NAT. The
ipchains example you provided looks like a rule designed to let LAN
workstations access outside Web servers (port 80), so it's not surprising
that it won't handle POP3 requests (port 110).

Second is providing a way for off-site workstations to access NAT'd servers
on your LAN. Port forwarding is the right solution for that, implemented
through ipmasqadm (combined with suitable ipchains rules - can't forward the
traffic if it gets DENYd by ipchains).

The man pages, plus the appropriate HowTos (IP Masquerading, Firewalling,
and Ipchains; maybe others) will give you the basics. For specific help, you
have to describe the actual setup; the individual forward-chain rules, or
even the entire forward-chain ruleset, aren't enough. Basic diagnostics are:

1. Complete output of "ifconfig -a".

2. Complete output of "netstat -nr".

3. Complete output of "ipchains -L -n -v" for whatever ruleset you want
comments on ("I've tried many different configuration and none seems to
work" is difficult to say anything helpful about).

4. A brief description of the LAN and the internal host you are testing from
(including what OS it runs).

5. The EXACT result of these ping tests:
        from the router to a LAN host
        from a LAN host to the router
        from the router to its own external IP address
        from the router to its (external) default gateway
        from a LAN host to the router's (external) default gateway
All pings should be by IP address, not hostname.

6. A description of what you have been trying to do that fails, and how it
fails.

7. Sample log output for DENYd packets, if appropriate.

At 09:13 AM 1/15/01 +0100, Jean-Francois JOLY wrote:
>I have a problem with IP Masquerading on a debian box,
>I just installed a FireWall based on Debian 2.2 on an ADSL link (French
>provider "Oleane") with a static IP.
>I run PPPoE to connect and it's just going smoothly.
>I've set up squid and client PC can surf perfectly but I can't manage to make
>them access the net through masquerading. They can establish the connection
>but they can't receive any data.
>For example with POP3, I use:
>ipchains -A forward -p tcp -s localnet/24 -d 0/0 80 -j MASQ
>
>In fact, I've tried many different configuration and none seems to work.
>
>The main purpose is to make an internal lotus notes server be accessible from 
>the net with port forwarding.
>


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        
----------------------------------------------------------------
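
Added example, not part of the original message: a small Python model of first-match rule evaluation that shows why the posted forward rule (destination port 80) masquerades Web traffic but leaves POP3 (port 110) to the chain policy. The subnet 192.168.1.0/24, the sample addresses, the DENY chain policy and all function names are assumptions made for illustration; only the option subset used in the post is parsed.

```python
import ipaddress
import shlex

def _net(spec):
    # ipchains accepts "0/0" as shorthand for "any address"
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec)

def _ports(spec):
    # "80" or a range such as "1024:65535"
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rule(line):
    """Parse the option subset used in the post: -A, -p, -s, -d, -j."""
    tok = shlex.split(line)[1:]          # drop the "ipchains" command word
    rule = {"chain": None, "proto": None, "target": None,
            "src": _net("0/0"), "sport": None, "dst": _net("0/0"), "dport": None}
    i = 0
    while i < len(tok):
        opt, val = tok[i], tok[i + 1]
        i += 2
        if opt in ("-s", "-d"):
            side = "s" if opt == "-s" else "d"
            rule["src" if side == "s" else "dst"] = _net(val)
            if i < len(tok) and not tok[i].startswith("-"):   # optional port follows
                rule[side + "port"] = _ports(tok[i])
                i += 1
        elif opt in ("-A", "-p", "-j"):
            rule[{"-A": "chain", "-p": "proto", "-j": "target"}[opt]] = val
        else:
            raise ValueError("option not handled in this sketch: " + opt)
    return rule

def matches(rule, pkt):
    in_range = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
    return ((rule["proto"] in (None, pkt["proto"]))
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and in_range(rule["sport"], pkt["sport"])
            and in_range(rule["dport"], pkt["dport"]))

def verdict(rules, pkt, policy="DENY"):
    """First matching rule wins; otherwise the chain policy (assumed here) applies."""
    return next((r["target"] for r in rules if matches(r, pkt)), policy)

# Constructed sample data: 192.168.1.0/24 stands in for "localnet/24".
POSTED = parse_rule("ipchains -A forward -p tcp -s 192.168.1.0/24 -d 0/0 80 -j MASQ")
ANY_TCP = parse_rule("ipchains -A forward -p tcp -s 192.168.1.0/24 -d 0/0 -j MASQ")
def lan_pkt(dport):
    return {"proto": "tcp", "src": "192.168.1.10", "sport": 1025,
            "dst": "203.0.113.5", "dport": dport}
```

`verdict([POSTED], lan_pkt(110))` falls through to the chain policy, while the same packet against `ANY_TCP` (no destination port restriction) is masqueraded.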
