Another won't work IP MASQ

Dear Sir,

Sorry for disturbing with very old question.

Please help me. I am masquarede'ing on RH8.0 with the following, but
why still NOT working perfectly(?).

RH8.0 box masquerede:
eth0 as external connection to ADSL, configured as dhcp on boot.
eth1 as internal with IP: 192.168.0.1, subnet-mask: 255.255.255.0,
default-GW: 192.168.0.1, on boot. Both are OK while booting.

Win2000 box connected with a HUB to RH8.0 box (on eth1):
Setting connection IP: 192.168.0.2, subnet-mask: 255.255.255.0,
default-GW: 192.168.0.1 and the DNS is set as found in
/etc/resolv.conf

I can ping from RH8.0 box to Win2000 and from Win2000 to RH8.0 box.
But I can't open any homepage site from Win2000. Also can't from RH8.0
box,
with the message "resolving home www.XXX.net".

I am using rc.firewall-2.4 standard for testing as following this
message.
Please help what wrong with the configurations. Thank you very much.

Note:
echo "1" > /proc/sys/net/ipv4/ip_forward... OK (it contents 1)
echo "1" > /proc/sys/net/ipv4/ip_dynaddr... OK (it contents 1)

sincerelly,
ss wenny.-


rc.firewall (in /etc/rc.d/rc.firewall*) that I am using:

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.73
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.73 - REJECT is not a legal policy yet; back to DROP
# 0.72 - Changed the default block behavior to REJECT not DROP
# 0.71 - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external interface
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to
ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by
default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables # found by command 'whereis iptables'
# IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
#
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

#================================================= =====================
#== No editing beyond this line is required for initial MASQ testing
==

echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
# With the new IPTABLES code, the core MASQ functionality is now
either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational
reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ================================================== =============
echo "----------------------------------------------------------------------"
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$INSMOD ip_tables

#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the
"ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$INSMOD ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$INSMOD ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$INSMOD ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$INSMOD iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$INSMOD ip_nat_ftp

#Loads the IRC NAT functionality into the core IPTABLES code
# Require to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$INSMOD ip_nat_irc
echo "----------------------------------------------------------------------"
# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
# ipt_mark - this target marks a given packet for future
action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port
individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have
invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and
returns
# a configurable ICMP packet back to
the
# sender.
#
# iptable_mangle - this target allows for packets to be manipulated
# for things like the TCPMSS option, etc.
echo -e " Done loading modules.\n"

#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address
hacking
# which makes the life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or
SNAT.
#
# NOTE #2: The following is an example for an internal LAN address
in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit
subnet mask
# connecting to the Internet on external interface "eth0".
This
# example will MASQ internal traffic out to the Internet
but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and
your
# *** Internet connection interface name to match your setup
#

#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related
ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nDone.\n"

Sitorus Wenny wrote:
>
> Dear Sir,
>
> Sorry for disturbing with very old question.
>
> Please help me. I am masquarede'ing on RH8.0 with the following, but
> why still NOT working perfectly(?).
>
> RH8.0 box masquerede:
> eth0 as external connection to ADSL, configured as dhcp on boot.
> eth1 as internal with IP: 192.168.0.1, subnet-mask: 255.255.255.0,
> default-GW: 192.168.0.1, on boot. Both are OK while booting.

Default gateway pointing to your internal interface? You should be
getting your default gateway from DHCP. Can you confirm this with the
output of "netstat -rn"?

> Win2000 box connected with a HUB to RH8.0 box (on eth1):
> Setting connection IP: 192.168.0.2, subnet-mask: 255.255.255.0,
> default-GW: 192.168.0.1 and the DNS is set as found in
> /etc/resolv.conf

And what is in /etc/resolv.conf?

> I can ping from RH8.0 box to Win2000 and from Win2000 to RH8.0 box.
> But I can't open any homepage site from Win2000. Also can't from RH8.0
> box,
> with the message "resolving home www.XXX.net".

So your Linux network connection isn't working. Get that working first
before trying to masquerade.

Can you ping 18.181.0.31? If not the problem is possibly the route as
above. If you can, your problem is probably DNS. Can you ping
www.mit.edu (which resolves to that address)?

> I am using rc.firewall-2.4 standard for testing as following this
> message.

> rc.firewall (in /etc/rc.d/rc.firewall*) that I am using:

(much snipped)

> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> echo " FWD: Allow all connections OUT and only existing and related
> ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
> echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

That looks OK as far as it goes, and should work, except that you have a
policy of ACCEPT on the input chain, so although you are protecting your
masqueraded clients, you aren't protecting yourself! Change that to
DROP, and add:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INTIF -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -A INPUT -j LOG

But maybe get it working first. Don't run for long with no protection
though.

Regards, Ian

Ian Northeast <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> Sitorus Wenny wrote:
> >
> > Dear Sir,
> >
> > Sorry for disturbing with very old question.
> >
> > Please help me. I am masquarede'ing on RH8.0 with the following, but
> > why still NOT working perfectly(?).
> >
> > RH8.0 box masquerede:
> > eth0 as external connection to ADSL, configured as dhcp on boot.
> > eth1 as internal with IP: 192.168.0.1, subnet-mask: 255.255.255.0,
> > default-GW: 192.168.0.1, on boot. Both are OK while booting.
>
> Default gateway pointing to your internal interface? You should be
> getting your default gateway from DHCP. Can you confirm this with the
> output of "netstat -rn"?

Thank you very much, Ian..
You are right. I tried to leave blank the default gateway and it seems
then point to the dhcp. Here the output of %netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
220.31.221.0 0.0.0.0 255.255.252.0 U 40 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 220.31.201.254 0.0.0.0 UG 40 0 0 eth0

Now it is working.

> > Win2000 box connected with a HUB to RH8.0 box (on eth1):
> > Setting connection IP: 192.168.0.2, subnet-mask: 255.255.255.0,
> > default-GW: 192.168.0.1 and the DNS is set as found in
> > /etc/resolv.conf
>
> And what is in /etc/resolv.conf?

These are the name-servers of the dynamics DNS that I am using.

> > I can ping from RH8.0 box to Win2000 and from Win2000 to RH8.0 box.
> > But I can't open any homepage site from Win2000. Also can't from RH8.0
> > box,
> > with the message "resolving home www.XXX.net".
>
> So your Linux network connection isn't working. Get that working first
> before trying to masquerade.
>
> Can you ping 18.181.0.31? If not the problem is possibly the route as
> above. If you can, your problem is probably DNS. Can you ping
> www.mit.edu (which resolves to that address)?
>
> > I am using rc.firewall-2.4 standard for testing as following this
> > message.
>
> > rc.firewall (in /etc/rc.d/rc.firewall*) that I am using:
>
> (much snipped)
>
> > $IPTABLES -P INPUT ACCEPT
> > $IPTABLES -F INPUT
> > $IPTABLES -P OUTPUT ACCEPT
> > $IPTABLES -F OUTPUT
> > $IPTABLES -P FORWARD DROP
> > $IPTABLES -F FORWARD
> > $IPTABLES -t nat -F
> > echo " FWD: Allow all connections OUT and only existing and related
> > ones IN"
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > $IPTABLES -A FORWARD -j LOG
> > echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> That looks OK as far as it goes, and should work, except that you have a
> policy of ACCEPT on the input chain, so although you are protecting your
> masqueraded clients, you aren't protecting yourself! Change that to
> DROP, and add:
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i $INTIF -j ACCEPT
> iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> iptables -A INPUT -j LOG
>
> But maybe get it working first. Don't run for long with no protection
> though.

Yes, right. Thank again, Ian.. I'll try on learning by doing.

>
> Regards, Ian

Best regards,
ss wenny.-