ipchains: command not found

[root@Blue root]# ipchains -A forward -j MASQ -s 192.168.1.0/24 -d
0.0.0.0/0
-bash: ipchains: command not found
[root@Blue root]# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin

I tried to locate ipchains and this command was not found. I'm
running Fedora Core 1, line-command only, (and want client IE6
browsers on the lan talking with squid.) No man pages on ipchains.
Is there an alternate (command) way?

Thanks (for helping a newbie)

On Mon, 16 Feb 2004 02:20:07 +0000, Phisherman wrote:

> I tried to locate ipchains and this command was not found. I'm
> running Fedora Core 1, line-command only, (and want client IE6
> browsers on the lan talking with squid.) No man pages on ipchains.
> Is there an alternate (command) way?

iptables (kernel > 2.4)

--
mvh
Joachim Mæland

If everything seems under control, you're just not going fast enough.
-Mario Andretti

On Mon, 16 Feb 2004 02:20:07 +0000, Phisherman wrote:

> [root@Blue root]# ipchains -A forward -j MASQ -s 192.168.1.0/24 -d
> 0.0.0.0/0
> -bash: ipchains: command not found
>
> ...
>
> I tried to locate ipchains and this command was not found. I'm
> running Fedora Core 1, line-command only, (and want client IE6
> browsers on the lan talking with squid.) No man pages on ipchains.
> Is there an alternate (command) way?
>
> Thanks (for helping a newbie)

You're looking for iptables. ipchains is deprecated. To do what you're
looking for:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j
MASQUERADE

--
Some say the Wired doesn't have political borders like the real world,
but there are far too many nonsense-spouting anarchists or idiots who
think that pranks are a revolution.

On Mon, 16 Feb 2004 03:05:12 GMT, Owen Jacobson
<(E-Mail Removed)> wrote:

>On Mon, 16 Feb 2004 02:20:07 +0000, Phisherman wrote:
>
>> [root@Blue root]# ipchains -A forward -j MASQ -s 192.168.1.0/24 -d
>> 0.0.0.0/0
>> -bash: ipchains: command not found
>>
>> ...
>>
>> I tried to locate ipchains and this command was not found. I'm
>> running Fedora Core 1, line-command only, (and want client IE6
>> browsers on the lan talking with squid.) No man pages on ipchains.
>> Is there an alternate (command) way?
>>
>> Thanks (for helping a newbie)
>
>You're looking for iptables. ipchains is deprecated. To do what you're
>looking for:
>
>iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j
>MASQUERADE


Thanks Owen!
This allowed the Win machines on the hub to (finally) surf with IE6
(using port 3128 instead of 80) via Squid on the Linux box for the
first time!

The email, Usenet (Agent newsreader) and several other applications
do not work, however. I'm thinking about a (semi) transparent proxy
setup--but I have a lot to learn about iptables. This is more complex
than I had imagined, but I'm slowly getting there!

On Tue, 17 Feb 2004 00:41:03 +0000, Phisherman wrote:

> On Mon, 16 Feb 2004 03:05:12 GMT, Owen Jacobson
> <(E-Mail Removed)> wrote:
>
>>iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j
>>MASQUERADE
>
> [snip]
>
> The email, Usenet (Agent newsreader) and several other applications
> do not work, however. I'm thinking about a (semi) transparent proxy
> setup--but I have a lot to learn about iptables. This is more complex
> than I had imagined, but I'm slowly getting there!

More complex, but signifigantly more flexible.

WRT the issue with non-web applications: start from the ground up. Can
machines behind the NAT router ping, say, www.yahoo.com[1]? If not,
there're still network issues you might want to look into.


[1] Any or all of these:
www.yahoo.com is an alias for www.yahoo.akadns.net.
www.yahoo.akadns.net has address 66.94.230.33
www.yahoo.akadns.net has address 66.94.230.35
www.yahoo.akadns.net has address 66.94.230.36
www.yahoo.akadns.net has address 66.94.230.37
www.yahoo.akadns.net has address 66.94.230.43
www.yahoo.akadns.net has address 66.94.230.44
www.yahoo.akadns.net has address 66.94.230.46
www.yahoo.akadns.net has address 66.94.230.32

--
Some say the Wired doesn't have political borders like the real world,
but there are far too many nonsense-spouting anarchists or idiots who
think that pranks are a revolution.

On Tue, 17 Feb 2004 00:58:02 GMT, Owen Jacobson
<(E-Mail Removed)> wrote:

>On Tue, 17 Feb 2004 00:41:03 +0000, Phisherman wrote:
>
>> On Mon, 16 Feb 2004 03:05:12 GMT, Owen Jacobson
>> <(E-Mail Removed)> wrote:
>>
>>>iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j
>>>MASQUERADE
>>
>> [snip]
>>
>> The email, Usenet (Agent newsreader) and several other applications
>> do not work, however. I'm thinking about a (semi) transparent proxy
>> setup--but I have a lot to learn about iptables. This is more complex
>> than I had imagined, but I'm slowly getting there!
>
>More complex, but signifigantly more flexible.
>
>WRT the issue with non-web applications: start from the ground up. Can
>machines behind the NAT router ping, say, www.yahoo.com[1]? If not,
>there're still network issues you might want to look into.
>
>
>[1] Any or all of these:
>www.yahoo.com is an alias for www.yahoo.akadns.net.
>www.yahoo.akadns.net has address 66.94.230.33
>www.yahoo.akadns.net has address 66.94.230.35
>www.yahoo.akadns.net has address 66.94.230.36
>www.yahoo.akadns.net has address 66.94.230.37
>www.yahoo.akadns.net has address 66.94.230.43
>www.yahoo.akadns.net has address 66.94.230.44
>www.yahoo.akadns.net has address 66.94.230.46
>www.yahoo.akadns.net has address 66.94.230.32


With one PC, I opened a DOS window and typed
ping www.usatoday.com
which did not work. Nor does pinging with an Internet IP address
work. Reading logs and turning on debugging modes has helped me hone
in on the problems. Users were (impatient and) complaining about
getting email and access to Usenet. Under pressure, I had to move
the proxy back to another Windows machine running ICS until I can read
a few books and figure all of this out. Now I understand why some
give up on Linux.
:-(

On Tue, 17 Feb 2004 03:41:10 +0000, Phisherman wrote:

> On Tue, 17 Feb 2004 00:58:02 GMT, Owen Jacobson
> <(E-Mail Removed)> wrote:
>
>>On Tue, 17 Feb 2004 00:41:03 +0000, Phisherman wrote:
>>>
>>> The email, Usenet (Agent newsreader) and several other applications
>>> do not work, however. I'm thinking about a (semi) transparent proxy
>>> setup--but I have a lot to learn about iptables. This is more complex
>>> than I had imagined, but I'm slowly getting there!
>>
>>WRT the issue with non-web applications: start from the ground up. Can
>>machines behind the NAT router ping, say, www.yahoo.com[1]? If not,
>>there're still network issues you might want to look into.
>
> With one PC, I opened a DOS window and typed
> ping www.usatoday.com
> which did not work. Nor does pinging with an Internet IP address
> work. Reading logs and turning on debugging modes has helped me hone
> in on the problems.

So, to recap, you cannot ping by IP or by name from the LAN. Did you turn
on routing (IP forwarding) on the NAT machine? Check that the file
/proc/sys/net/ipv4/ip_forward contains the numeral '1' (no quotes) and not
'0'. If it's a 0, echo 1 > /proc/sys/net/ipv4/ip_forward will set it
until the next time you reboot; the mechanism for permanently changing it
varies from distribution to distribution.

Can the NAT host itself ping internet hosts?

--
Some say the Wired doesn't have political borders like the real world,
but there are far too many nonsense-spouting anarchists or idiots who
think that pranks are a revolution.