Re: problems with IPMASQ
On Tue, Jan 22, 2008 at 11:52:58PM +0100, Carlos Enrique Carleos Artime wrote:
> > On Debian, you shouldn't have to do the route add thing. ipmasq will
> > likely just work on its own, and you may just confuse it.
>
> I added it because without it, it does not work either.
That's because you need a gateway line in /etc/network/interfaces which
sets the default route.
>
> I will remove it, anyway.
>
> (Note that IPMASQ works fine for my 192.168.0.0 net, but does not
> for the 192.168.2.0 one.)
>
> > Give us your /etc/network/interfaces file on machine A.
>
> Here it is:
>
> knoppix@A:~$ cat /etc/network/interfaces
> # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
>
> # The loopback interface
> # automatically added when upgrading
> auto lo eth0 eth1
> iface lo inet loopback
>
> iface eth0 inet dhcp
>
> iface eth1 inet static
> address 192.168.0.2
> netmask 255.255.255.0
> network 192.168.0.0
> broadcast 192.168.0.255
>
Need gateway here.
> knoppix@A:~$
>
> > > I tried examples in /usr/share/doc/ipmasq/basic but failed.
>
> I must write instead: /usr/share/doc/ipmasq/examples/basics
>
> > The ipmasq package sets up a basic masquerading firewall based on the
> > 'net' being in the direction of the default route. If you want more
> > control of the firewall, install the shorewall-doc package, read it,
> > then remove ipmasq and install shorewall. While some people write raw
> > iptables firewalls themselves, most on this list (last I saw a poll) use
> > shorewall. If you know PF on BSD, you'll feel comfortable with
> > shorewall.
>
> Ok, I'll give it a try to shorewall. But before I wanted to check
> whether ipmasq had a default setup allowing all of several chained/sequential
> internal networks to access the internet. Till now I failed.
It relies on a default route to know what interface to masq.
>
> > You'll also need to turn on IP forwarding in /etc/sysctl.conf
>
> I think it is already on:
>
> knoppix@A:~$ /sbin/sysctl net.ipv4.conf.default.forwarding
> net.ipv4.conf.default.forwarding = 1
> knoppix@A:~$
>
> > In your example lines, I saw the word KNOPPIX. I thought that was a
> > live CD thingy. If you are using that, then my reply may not make sense
> > since KNOPPIX will set things up differently from Debian and you should
> > ask on a KNOPPIX list.
>
> The computer A was installed from a Knoppix, choosing the "Debian system"
> option. I think it was in the "woody" era. Since then, every Knoppix
> package has been removed or replaced during upgrades. I think there is
> nothing Knoppix-related in this issue, but I left the default user name
> "knoppix" just in case someone could suggest the opposite.
>
> I suppose in few days I will try shorewall.
Good luck.
Doug.
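
The two preconditions named in this reply (a default route that tells ipmasq which interface faces the net, and IP forwarding) can be checked before touching any firewall rules. The script below is an added example, not part of the original message or of the ipmasq package; the function names and sample routing tables are constructed for illustration, and it assumes the global key net.ipv4.ip_forward is the forwarding setting to test.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed:
# eth1 matches the static stanza quoted above, the eth0 addresses are made up.
SAMPLE_ROUTES='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.15
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2'
# The same table without a default route.
SAMPLE_NO_DEFAULT='10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.15
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2'

# Read `ip -4 route show` text on stdin; print the interface of the first
# default route. Exit status 1 when no default route is present.
default_route_iface() {
    awk '$1 == "default" {
             for (i = 2; i < NF; i++)
                 if ($i == "dev") { print $(i + 1); found = 1; exit }
         }
         END { exit (found ? 0 : 1) }'
}

# Read `sysctl` output ("key = value" lines) on stdin; succeed only when
# the key given as $1 is present with value 1.
sysctl_is_on() {
    awk -v key="$1" -F' *= *' '$1 == key && $2 == "1" { ok = 1 }
                               END { exit (ok ? 0 : 1) }'
}

# $1 = routing table text, $2 = sysctl text. Prints one line per check and
# returns non-zero if either precondition for masquerading is missing.
masq_preflight() {
    rc=0
    if ext=$(printf '%s\n' "$1" | default_route_iface); then
        echo "masquerade-out=$ext"
    else
        echo "masquerade-out=NONE (no default route)"; rc=1
    fi
    if printf '%s\n' "$2" | sysctl_is_on net.ipv4.ip_forward; then
        echo "ip_forward=on"
    else
        echo "ip_forward=off"; rc=1
    fi
    return $rc
}

# On a live gateway:
#   masq_preflight "$(ip -4 route show)" "$(/sbin/sysctl net.ipv4.ip_forward)"
```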