
Re: Help a newbie to set up his gateway



Hi, strange.

On Wed, Dec 26, 2001 at 11:50:19PM +0100, Charles de Miramon wrote:
> Hello,
> I'm trying to setup a Home-Lan so that several computers can access the
> Internet through one computer. For the moment the network is very simple.
> I've got :
> * The gateway (192.168.0.1) running Woody (kernel 2.2.19 with reiserfs
> patch) with an eth0 card connected to the DSL modem and an eth1 card connected
> to a local switchbox.
> * A client (192.168.0.2) running Mandrake 8.0
> 
> I've recompiled the kernel with all the options found in the IP-Masquerading
> Howto and installed the new kernel.
I would rather set up /etc/modules or run insmod with the Debian default
kernel, but that is just my taste.  This should be good :)
> I've installed (apt-get install) the ipmasq package.
> I've created a new /etc/masq/rules/Z92timeouts.rul according to
> http://qref.sourceforge.net/quick/ch-gateway.html

Thank you :)  Z92timeout matters only for long connections.

> From the client I can ping the outside world, I can open an ssh session on a
> distant server, but I can't open a web site in a browser or fetch my e-mail
> on my isp pop server, things that I can do from the gateway computer.
> I don't have a clue why it is not working...

Strange.

> On my gateway
> ipchains -L gives
So you run a 2.2 kernel.
Maybe with -v, I would have a better idea...
Also with -n it may be easier...
> Chain input (policy DENY):
> target     prot opt     source                destination           ports
> ACCEPT     all  ------  anywhere             anywhere              n/a
> DENY       all  ----l-  127.0.0.0/8          anywhere              n/a
> ACCEPT     all  ------  anywhere             255.255.255.255       n/a
> ACCEPT     all  ------  localnet/24          anywhere              n/a
> ACCEPT    !tcp  ------  anywhere             BASE-ADDRESS.MCAST.NET/4  any ->   any
why /4???
> DENY       all  ----l-  localnet/24          anywhere              n/a
> ACCEPT     all  ------  anywhere             255.255.255.255       n/a
> ACCEPT     all  ------  anywhere             aboukir-101-1-8-mvdlugt.adsl.nerim.net  n/a
> DENY       all  ----l-  anywhere             anywhere              n/a
> Chain forward (policy DENY):
> target     prot opt     source                destination           ports
> MASQ       all  ------  localnet/24          anywhere              n/a
Hmm, it looks good!!!
> DENY       all  ----l-  anywhere             anywhere              n/a
> Chain output (policy DENY):
> target     prot opt     source                destination           ports
> ACCEPT     all  ------  anywhere             anywhere              n/a
> ACCEPT     all  ------  anywhere             localnet/24           n/a
> ACCEPT    !tcp  ------  anywhere             BASE-ADDRESS.MCAST.NET/4  any ->   any
> DENY       all  ----l-  anywhere             localnet/24           n/a
> ACCEPT     all  ------  aboukir-101-1-8-mvdlugt.adsl.nerim.net  anywhere  n/a
> DENY       all  ----l-  anywhere             anywhere              n/a
> 
> ipmasq -v gives
> #: Interfaces found:
> #:   ppp0 62.212.96.246/255.255.255.255
> #:   eth1 192.168.0.1/255.255.255.0
> echo "0" > /proc/sys/net/ipv4/ip_forward
> echo "0" > /proc/sys/net/ipv4/ip_always_defrag

By the way, did you enable all related kernel functions by compiling them in
or activating them with insmod (or indirectly through /etc/modules)?

> /sbin/ipchains -P input DENY
> /sbin/ipchains -P output DENY
> /sbin/ipchains --no-warnings -P forward DENY
> /sbin/ipchains -F input
> /sbin/ipchains -F output
> /sbin/ipchains --no-warnings -F forward
> /sbin/ipchains -A input -j ACCEPT -i lo
> /sbin/ipchains -A input -j DENY -i ! lo -s 127.0.0.1/255.0.0.0 -l
> /sbin/ipchains -A input -j ACCEPT -i eth1 -d 255.255.255.255/32
> /sbin/ipchains -A input -j ACCEPT -i eth1 -s 192.168.0.1/255.255.255.0
> /sbin/ipchains -A input -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! tcp
> /sbin/ipchains -A input -j DENY -i ppp0 -s 192.168.0.1/255.255.255.0 -l
> /sbin/ipchains -A input -j ACCEPT -i ppp0 -d 255.255.255.255/32
> /sbin/ipchains -A input -j ACCEPT -i ppp0 -d 62.212.96.246/32
> /sbin/ipchains --no-warnings -A forward -j MASQ -i ppp0 -s 192.168.0.1/255.255.255.0
> /sbin/ipchains -A output -j ACCEPT -i lo
> /sbin/ipchains -A output -j ACCEPT -i eth1 -d 192.168.0.1/255.255.255.0
> /sbin/ipchains -A output -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! tcp
> /sbin/ipchains -A output -j DENY -i ppp0 -d 192.168.0.1/255.255.255.0 -l
> /sbin/ipchains -A output -j ACCEPT -i ppp0 -s 62.212.96.246/32
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> /sbin/ipchains -M -S 86400 600 600
> /sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
> /sbin/ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
> /sbin/ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
> 
> and ipmasq -g gives
> #: /etc/ipmasq/rules/A00path.def
> #: /etc/ipmasq/rules/A00sanitycheck.def
> #: /etc/ipmasq/rules/A01interfaces.def
> #: /etc/ipmasq/rules/A01precompute.def
> #: /etc/ipmasq/rules/A02masqmethod.def
> #: /etc/ipmasq/rules/A02unkernelforward.def
> #: /etc/ipmasq/rules/A03flush.def
> #: /etc/ipmasq/rules/A04functions.def
> #: /etc/ipmasq/rules/F30internal.def
> #: /etc/ipmasq/rules/I10lo.def
> #: /etc/ipmasq/rules/I15lospoof.def
> #: /etc/ipmasq/rules/I30intbcast.def
> #: /etc/ipmasq/rules/I30internal.def
> #: /etc/ipmasq/rules/I32intmcast.def
> #: /etc/ipmasq/rules/I70masq.def
> #: /etc/ipmasq/rules/I90extbcast.def
> #: /etc/ipmasq/rules/I90external.def
> #: /etc/ipmasq/rules/M70masq.def
> #: /etc/ipmasq/rules/O10lo.def
> #: /etc/ipmasq/rules/O30internal.def
> #: /etc/ipmasq/rules/O32intmcast.def
> #: /etc/ipmasq/rules/O70masq.def
> #: /etc/ipmasq/rules/O90external.def
> #: /etc/ipmasq/rules/Z90kernelforward.def
> #: /etc/ipmasq/rules/Z92timeouts.rul
> #: /etc/ipmasq/rules/Z99ipmasqrules.def
> #: /etc/ipmasq/rules/ZZZdenyandlog.def

Now you need to post output of:
 # lsmod
 # cat /etc/modules
 # uname -a
 # cat /boot/config-your-kernel

-- 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+  Osamu Aoki <debian@aokiconsulting.com> @ Cupertino, CA USA         +
Come join http://qref.sf.net.quick
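The reply above asks for a numeric (`-n`) ipchains listing before guessing further. As an added example that is not part of this thread, the script below parses the shape of `ipchains -L -n` output shown in the quoted mail and runs the basic masquerading checks a reader would do by hand: is `ip_forward` set to 1, does a MASQ rule in the forward chain actually match the client's address, and does each DENY-policy chain end with a logged DENY so dropped packets show up in syslog. The listing embedded in the script is a constructed sample modelled on the quoted output with numeric addresses; the function names (`parse_ipchains`, `masq_covers`, `diagnose`) are this example's own and not part of any Debian or ipmasq tool.

```python
"""Sanity-check an `ipchains -L -n` listing for a 2.2-kernel masquerading gateway."""
import ipaddress
import re

# "Chain forward (policy DENY):" introduces each chain in ipchains -L output.
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\):")

# Constructed sample: the same layout as the quoted listing, but with
# numeric addresses as `ipchains -L -n` would print them (no name lookups).
SAMPLE_LISTING = """\
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
DENY       all  ----l-  127.0.0.0/8          0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.0.0/24       0.0.0.0/0             n/a
ACCEPT    !tcp  ------  0.0.0.0/0            224.0.0.0/4           any ->   any
DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24       0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
Chain output (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
"""


def parse_ipchains(text):
    """Return {chain: {"policy": str, "rules": [rule dicts]}} from -L -n output."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        # Skip blank lines and the column-header line under each chain.
        if current is None or not line.strip() or line.startswith("target"):
            continue
        # Columns: target prot opt source destination ports; the ports column
        # may itself contain spaces ("any ->   any"), so split at most 5 times.
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        chains[current]["rules"].append({
            "target": fields[0],
            "prot": fields[1],
            "opt": fields[2],          # e.g. "----l-": the "l" means -l (log)
            "source": fields[3],
            "destination": fields[4],
            "ports": fields[5] if len(fields) > 5 else "",
        })
    return chains


def _covers(spec, ip):
    """True if address `ip` lies inside `spec` (CIDR; 0.0.0.0/0 matches all)."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # A listing taken without -n shows names like "localnet/24", which
        # cannot be checked here; treat them as not matching.
        return False


def masq_covers(chains, client_ip):
    """Does some MASQ rule in the forward chain match packets from client_ip?"""
    forward = chains.get("forward", {"rules": []})
    return any(r["target"] == "MASQ" and _covers(r["source"], client_ip)
               for r in forward["rules"])


def diagnose(text, ip_forward, client_ip):
    """Return a list of findings; an empty list means the basic checks pass.

    `ip_forward` is the content of /proc/sys/net/ipv4/ip_forward.
    """
    findings = []
    chains = parse_ipchains(text)
    if ip_forward.strip() != "1":
        findings.append("ip_forward is %r, must be 1 for the box to route"
                        % ip_forward.strip())
    if "forward" not in chains:
        findings.append("no forward chain found in listing")
    elif not masq_covers(chains, client_ip):
        findings.append("no MASQ rule in forward chain matches %s" % client_ip)
    for name, chain in chains.items():
        logged = [r for r in chain["rules"]
                  if r["target"] == "DENY" and "l" in r["opt"]]
        if chain["policy"] == "DENY" and not logged:
            findings.append("chain %s denies by default but logs nothing" % name)
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LISTING, "1", "192.168.0.2") or ["all checks pass"]:
        print(finding)
```

On a real gateway you would feed it the output of `ipchains -L -n` and `cat /proc/sys/net/ipv4/ip_forward` instead of the sample. Note that the checks only cover the reachability basics; a ruleset that passes them can still misbehave if the kernel lacks the masquerading code, which is why the reply asks for lsmod, /etc/modules and the kernel config next.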


