masquerading with DHCP

 
 
hawat.thufir@gmail.com
      07-13-2005, 07:54 AM
"Assuming external internet card is eth0, and external IP is
123.12.23.43 and the
internal network card is eth1, then:

$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43
$> echo 1 > /proc/sys/net/ipv4/ip_forward"

<http://www.tldp.org/HOWTO/Masquerading-Simple-HOWTO/summary.html>

Unfortunately, this assumption doesn't hold. I'm connecting to the internet with
wi-fi, which is why I need the masquerading. The setup is:

internet => cable modem
cable modem => router
router => wi-fi adapter
wi-fi adapter => arrakis eth0
arrakis eth0 => arrakis eth1
arrakis eth1 => hub
hub => caladan

Arrakis and caladan are the names for two computers. The ISP uses DHCP, so
arrakis eth0 is set to use DHCP, as shown by the following:


[root@arrakis init.d]#
[root@arrakis init.d]# date
Wed Jul 13 08:47:34 IST 2005
[root@arrakis init.d]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 eth0
[root@arrakis init.d]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
[root@arrakis init.d]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0A:E6:A0:24:27
          inet addr:192.168.2.175  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:e6ff:fea0:2427/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:829 errors:0 dropped:0 overruns:0 frame:0
          TX packets:854 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:282660 (276.0 KiB)  TX bytes:143385 (140.0 KiB)
          Interrupt:5 Base address:0xd400

eth1      Link encap:Ethernet  HWaddr 00:0D:88:37:FA:22
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:88ff:fe37:fa22/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:618 (618.0 b)
          Interrupt:5 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10715 (10.4 KiB)  TX bytes:10715 (10.4 KiB)

[root@arrakis init.d]#



I don't see that I'd want to
$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43

because there's no 123.12.23.43; that IP is a moving target. Yes?



thanks,

Thufir

 
David Efflandt
      07-13-2005, 10:43 AM
On 13 Jul 2005, (E-Mail Removed) <(E-Mail Removed)> wrote:
> "Assuming external internet card is eth0, and external IP is
> 123.12.23.43 and the
> internal network card is eth1, then:
>
> $> modprobe ipt_MASQUERADE # If this fails, try continuing anyway
> $> iptables -F; iptables -t nat -F; iptables -t mangle -F
> $> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43
> $> echo 1 > /proc/sys/net/ipv4/ip_forward"
>
> <http://www.tldp.org/HOWTO/Masquerading-Simple-HOWTO/summary.html>
>
> unfortunately, this assumption doesn't hold. I'm connecting to the
> internet with
> wi-fi, which is why I need the masquerading. the setup is:
>
> internet => cable modem
> cable modem => router
> router => wi-fi adapter
> wi-fi adapter => arrakis eth0
> arrakis eth0 => arrakis eth1
> arrakis eth1 => hub
> hub => caladan
>
> Arrakis and caladan are the names for two computers. The ISP uses
> DHCP, so arrakis
> eth0 is set to use DHCP, as shown by the following:


You assume arrakis gets a DHCP IP from your ISP, when it is actually
behind an unknown (to us) router (is it broadband NAT router or regular
router?) and unknown (to us) wi-fi connection (is wi-fi from router an AP
or bridge or ad-hoc?). My guess is that arrakis gets a private DHCP IP
from the router, and the public IP you are attempting to masquerade as on
arrakis is not assigned to arrakis and would be rejected by the LAN side
of your router if it was. It appears that your public cable IP has
nothing at all to do with any interfaces or routing at arrakis. You
cannot masquerade as an IP not on that box.

What you should probably do is masquerade anything out eth0 of arrakis as
its eth0 IP (using interface name instead of IP if dynamic). That should
allow caladan to access the internet (since router will see it from
arrakis as a LAN IP it accepts).

Unfortunately my iptables knowledge is incomplete, because SuSEfirewall2
makes it all too easy by just setting variables.
 
hawat.thufir@gmail.com
      07-13-2005, 10:32 PM
David Efflandt wrote:
....
> What you should probably do is masquerade anything out eth0 of arrakis as
> its eth0 IP (using interface name instead of IP if dynamic). That should
> allow caladan to access the internet (since router will see it from
> arrakis as a LAN IP it accepts).

....

The router is a SMC7004VWBR, which is a regular router to my knowledge.
Pardon, I guess I didn't explain the situation, but you've hit the
nail on the head, thanks.

So, since the connection from arrakis eth0 to the wi-fi network adapter
to the router to the cable modem is dynamic, then the masquerading
should use "eth0" and not a specific IP address.

I'm running Fedora Core 3 at the moment, not SuSE. However, I'll do
some looking for something like SuSEfirewall2, thanks for the tip.

thanks,

Thufir
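
The setup the thread converges on, as an added example that is not part of any post: NAT out of eth0 by interface name with MASQUERADE (SNAT only when a fixed address is supplied), plus a default-drop FORWARD chain that the HOWTO snippet does not include. The function names and the DRY_RUN switch are assumptions of this example; interface names and the 192.168.2.175 address are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. eth0 = upstream side (address assigned
# by DHCP), eth1 = internal LAN, as in the original post.
# DRY_RUN=1 (default) prints each command; run as root with DRY_RUN=0 to apply.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_rule EXT_IF [STATIC_IP]
# No STATIC_IP: MASQUERADE, which rewrites to whatever address EXT_IF holds
# when the packet leaves, so a new DHCP lease needs no rule change.
# STATIC_IP given: SNAT to that address, which must be configured on EXT_IF.
nat_rule() {
    if [ -n "${2:-}" ]; then
        run iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$2"
    else
        run iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
    fi
}

# setup_gateway EXT_IF INT_IF [STATIC_IP]
setup_gateway() {
    ext_if="$1"; int_if="$2"; static_ip="${3:-}"
    # Flush only the chains this script owns, not every table.
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    # Forward nothing by default; LAN hosts may open connections outward,
    # and only replies to those connections are let back in.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$int_if" -o "$ext_if" -j ACCEPT
    run iptables -A FORWARD -i "$ext_if" -o "$int_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    nat_rule "$ext_if" "$static_ip"
    run sysctl -w net.ipv4.ip_forward=1
}

# Dynamic upstream address, as on arrakis:
setup_gateway eth0 eth1
```
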

 