
IP masquerade doesn't work! help!


poko2

Dec 27, 2001, 10:54:37 AM
I have recompiled the kernel and run the iptables commands as in
http://www.linuxdoc.org/HOWTO/Masquerading-Simple-HOWTO/indepth.html

However, I still can't ping the outside Internet (e.g. ping the
IMS DNS server) from inside the intranet. When I tail /var/log/messages, it
shows something like IN=eth1 OUT=ppp0, so I think it received the request but
doesn't forward it out. But when I cat /proc/sys/net/ipv4/ip_forward, it shows 1,
so how come I can't do IP masq? Can anybody help me? Thanks.


Lurch

Dec 27, 2001, 11:13:18 AM
poko2 wrote:

> however, i still can't ping the outside internet (eg. ping
> IMS DNS server) from inside the intranet. when i tail /var/log/messages,
> it shows sth like IN=eth1 OUT=ppp0, i think it received the request but
> doesn't forward out. but when i cat /proc/sys/net/ipv4/ip_forward, it
> shows 1, how come i can't do IP masq? anybody can help me? thanks

Post the output of:
iptables -L

When you say you ping from the intranet, do you mean you use a PC that is not
the Linux box with the modem? Did you set the other box's gateway to the
Linux box? Is DNS set up correctly?

--
Home: http://users.skynet.be/bk333466/
OS: RedHat Linux 7.2 (kernel 2.4.17)
X: KDE 2.2.2-1 (XFree86-4.1.0-3, QT-2.3.2-1)

poko2

Dec 28, 2001, 8:48:09 AM
PREROUTING and OUTPUT are empty (no rules).
POSTROUTING has 1 rule only:
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Yes, what I mean by "ping from the intranet" is from hosts behind the Linux
box. I have set the other box's gateway to the Linux box, and have set the
DNS of the other box to the DNS of IMS. However, even when I ping an IP address,
it still can't ping, so I suspect this is not a DNS problem.

"Lurch" <Lu...@You.Rang> wrote in message
news:3c2b496d$0$33501$ba62...@news.skynet.be...

poko2

Dec 28, 2001, 8:54:31 AM
Sorry, the last mail does not show the correct rules for iptables -L.

It should be like this:
Chain INPUT and OUTPUT: empty (no rules)

Chain FORWARD:
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere log level warning

"Lurch" <Lu...@You.Rang> wrote in message
news:3c2b496d$0$33501$ba62...@news.skynet.be...

Lurch

Dec 28, 2001, 11:37:07 AM
poko2 wrote:

> it should be like that:
> Chain INPUT and OUTPUT, empty (no rules)
>
> Chain FORWARD,
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state
> RELATED, ESTABLISHED
> ACCEPT all -- anywhere anywhere
> LOG all -- anywhere anywhere
> log level warning

Please copy & paste the output. You didn't copy the policies for the
chains. Copy & paste the output of "iptables-save" instead (it is a little
more descriptive).

Good Luck...

poko2

Dec 29, 2001, 12:35:45 PM
Lurch wrote:

Dump of iptables-save:

# Generated by iptables-save v1.2.1a on Sun Dec 30 01:29:03 2001
*nat
:PREROUTING ACCEPT [14:560]
:POSTROUTING ACCEPT [14:876]
:OUTPUT ACCEPT [14:876]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Dec 30 01:29:03 2001
# Generated by iptables-save v1.2.1a on Sun Dec 30 01:29:03 2001
*mangle
:PREROUTING ACCEPT [2226:2038973]
:OUTPUT ACCEPT [1325:75034]
COMMIT
# Completed on Sun Dec 30 01:29:03 2001
# Generated by iptables-save v1.2.1a on Sun Dec 30 01:29:03 2001
*filter
:INPUT ACCEPT [2220:2038553]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1319:74614]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
# Completed on Sun Dec 30 01:29:03 2001

Lurch

Dec 29, 2001, 3:12:40 PM

You said in your previous post that /var/log/messages had something like
IN=eth1 OUT=ppp0, so my guess would be to change all "eth0" in your rules
to "ppp+". Another idea (if you have a small LAN) is to specify which
computers will be masqueraded. Also, you don't block any incoming traffic?

Give the following commands one by one. This will allow the PCs with
IP addresses 192.168.0.2 and 192.168.0.3 in your LAN to connect to the
Internet. Replace the IP addresses with the actual addresses in your LAN:

iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P INPUT DROP
iptables -P FORWARD DROP
# accept everything on loopback and from the LAN side (-i selects the input interface)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
# from the dial-up link, only accept replies to connections the box started itself
iptables -A INPUT -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# forward LAN -> Internet freely, Internet -> LAN only for established flows
iptables -A FORWARD -i eth1 -o ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# anything that reaches the end of FORWARD is logged and then hits the DROP policy
iptables -A FORWARD -j LOG
iptables -t nat -A POSTROUTING -o ppp+ -s 192.168.0.2/32 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp+ -s 192.168.0.3/32 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

this might also help:
http://www.users.skynet.be/bk333466/eng/tips/networking/iptables.html

Hope this helped...
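The mismatch Lurch spotted (the rules name eth0 while the LOG line shows the packet leaving on ppp0, so nothing in FORWARD matches and the DROP policy applies) can be checked mechanically. The script below is an added example, not something posted in the thread: it reads an iptables-save dump and the IN=/OUT= pair from a kernel LOG line, lists interface names the rules use that match neither, and rewrites them. The dump is poko2's, trimmed to the nat and filter tables; the log line is constructed from the OP's description.

```shell
# Added example (not from the thread): compare an iptables-save dump with the
# interfaces a kernel LOG line reports. Pure text processing, no root needed.

# Sample input: the dump poko2 posted, trimmed to the nat and filter tables.
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [14:876]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT'
# Constructed log line in the shape poko2 described (IN=eth1 OUT=ppp0).
SAMPLE_LOG='kernel: IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=10.1.2.3 PROTO=ICMP'

log_iface() {   # $1=log line $2=IN or OUT; prints that interface name
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

chain_policy() {   # $1=dump $2=chain; prints the chain's default policy
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# Print every -i/-o interface in the rules that matches neither $2 (IN) nor
# $3 (OUT), honouring the "ppp+" wildcard. Exit 1 if any such name exists:
# those rules never match the logged packet, so the FORWARD policy decides.
stale_ifaces() {   # $1=dump $2=IN iface $3=OUT iface
    printf '%s\n' "$1" | awk -v ifin="$2" -v ifout="$3" '
        function matches(pat, name) {
            if (substr(pat, length(pat)) == "+")
                return index(name, substr(pat, 1, length(pat) - 1)) == 1
            return pat == name
        }
        /^-A / { for (i = 1; i < NF; i++)
                     if (($i == "-i" || $i == "-o") &&
                         !matches($(i + 1), ifin) && !matches($(i + 1), ifout))
                         seen[$(i + 1)] = 1 }
        END { for (n in seen) { print n; bad = 1 }; exit bad ? 1 : 0 }'
}

# Rename an interface in every -i/-o argument, e.g. eth0 -> ppp+ as suggested.
rewrite_iface() {   # $1=dump $2=old name $3=new name; prints the new dump
    printf '%s\n' "$1" | awk -v old="$2" -v new="$3" '
        /^-A / { for (i = 1; i < NF; i++)
                     if (($i == "-i" || $i == "-o") && $(i + 1) == old) $(i + 1) = new }
        { print }'
}
```

Run it against the real box with `stale_ifaces "$(iptables-save)" eth1 ppp0`, taking the two names from the IN= and OUT= fields of the logged packet; an empty result with exit 0 means every rule can at least see the traffic.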
