ipmasq problems with two internal nics

To: debian-firewall@lists.debian.org
Subject: ipmasq problems with two internal nics
From: Derek Hans <derekhans@gmx.net>
Date: Sun, 09 Mar 2003 23:21:05 -0500
Message-id: <[🔎] 3E6C12B1.5010406@gmx.net>

I have a router connected to the internet over pppoe - on eth0.

It masquarades two other computers, each connected to a seperateethernet card on the router -

eth1 (192.168.69.101) and
eth2 (192.168.69.102).

The corresponding addresses of those two computers are
192.168.69.201 and
192.168.69.202.

Using the simple iptable ruleset from the IP Masquerading Howto, thesetup works fine.

However, I also want the router to work as a firewall.

Using ipmasq, neither computer can donnect to the outside world. Fromthe logs I get on the screen of the router, I can see that paquets getsent to the nameserver, and a paquet comes back from the nameserver,addressed to the appropriate computer. However, the paquet never seemsto arrive at the masqued computer, as it tries again to contact thenameserver, indeffinitly. I can't figure out what is wrong.

(I have set the mtu on both the router and the other computers to 1412.)
(Is there a way of sticking the ipmasq error logs into a file?)









Here is the output from ifconfig:

eth0 Link encap:Ethernet HWaddr 00:00:C0:75:1F:75
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1841 errors:0 dropped:0 overruns:0 frame:0
TX packets:1699 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1225918 (1.1 MiB) TX bytes:255601 (249.6 KiB)
Interrupt:3 Base address:0x290 Memory:d0000-d4000

eth1 Link encap:Ethernet HWaddr 00:E0:29:7E:6D:CC
inet addr:192.168.69.101 Bcast:192.168.69.255 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:9 Base address:0xff80

eth2 Link encap:Ethernet HWaddr 02:60:8C:A6:F3:2E
inet addr:192.168.69.102 Bcast:192.168.69.255 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1481 errors:0 dropped:0 overruns:0 frame:0
TX packets:1453 errors:0 dropped:0 overruns:0 carrier:0
collisions:1 txqueuelen:100
RX bytes:232332 (226.8 KiB) TX bytes:1115117 (1.0 MiB)
Interrupt:4 Base address:0x300

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:504 (504.0 b) TX bytes:504 (504.0 b)

ppp0 Link encap:Point-to-Point Protocol
inet addr:67.68.86.38 P-t-P:67.68.86.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:1716 errors:0 dropped:0 overruns:0 frame:0
TX packets:1575 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:1180546 (1.1 MiB) TX bytes:213418 (208.4 KiB)





route: (Toronto-HSE-ppp is my IP)

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
Toronto-HSE-ppp * 255.255.255.255 UH 0 0 0 ppp0
192.168.69.202 * 255.255.255.255 UH 0 0 0 eth2
192.168.69.201 * 255.255.255.255 UH 0 0 0 eth1
default Toronto-HSE-ppp 0.0.0.0 UG 0 0 0 ppp0



And the iptables, as set up by ipmasq:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG all -- 127.0.0.0/8 anywhere LOG level warning
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- 192.168.69.101 anywhere
ACCEPT all -- 192.168.69.102 anywhere
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG all -- 192.168.69.101 anywhere LOG level warning
DROP all -- 192.168.69.101 anywhere
LOG all -- 192.168.69.102 anywhere LOG level warning
DROP all -- 192.168.69.102 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere Toronto-HSE-ppp3745739.sympatico.ca
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.69.102 192.168.69.101
ACCEPT all -- 192.168.69.101 192.168.69.102
ACCEPT all -- 192.168.69.101 anywhere
ACCEPT all -- anywhere 192.168.69.101
ACCEPT all -- 192.168.69.102 anywhere
ACCEPT all -- anywhere 192.168.69.102
LOG all -- anywhere 192.168.69.101 LOG level warning
DROP all -- anywhere 192.168.69.101
LOG all -- anywhere 192.168.69.102 LOG level warning
DROP all -- anywhere 192.168.69.102
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere 192.168.69.101
ACCEPT all -- anywhere 192.168.69.102
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG all -- anywhere 192.168.69.101 LOG level warning
DROP all -- anywhere 192.168.69.101
LOG all -- anywhere 192.168.69.102 LOG level warning
DROP all -- anywhere 192.168.69.102
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- Toronto-HSE-ppp3745739.sympatico.ca anywhere
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Reply to:

Prev by Date: unsuscribe
Next by Date: Re: ip_conntrack: table full, dropping packet
Previous by thread: [Fwd: QoS]
Next by thread: TP_NAT: partial packet 57208380/21 in 57208401/57208401
Index(es):
- Date
- Thread