Re: IP Masquerading Problems

Glynn Clements (glynn@sensei.co.uk)
Fri, 7 Aug 1998 00:42:34 +0100 (BST)


hayward@slothmud.org wrote:

> Hello Everyone,
>
> I'm trying to setup masquerading between a class B network 172.16.0.0, and
> the internet on a class C address.
>
> I manually set up all IN and OUT rules for each interface, following the
> IP-Masquerading HOWTO. I also setup each rule with "-o" for debugging
> purposes.
>
> After setting it all up, I am only seeing the logging for fw-in on the
> internal network. There is no message indicating a packet being
> masqueraded, or going OUT on the external interface.

Has IP forwarding been disabled (e.g. by your init scripts)? Type

cat /proc/sys/net/ipv4/ip_forward

to find out. 0 implies that forwarding is disabled. To enable it, use

echo 1 > /proc/sys/net/ipv4/ip_forward

To enable it permanently, remove any command in your init scripts
which disables it.

> First question: Will ipfwadm -F -a m return error if masq isn't working
> and configured in the kernel?

I'm not sure, but /proc/net/ip_masquerade will exist only if the
kernel was compiled with IP masquerading support.

> here is the script I use to setup ip masquerading:
>
> # input ipfwadm rules
> ipfwadm -I -f
> ipfwadm -I -p deny
> ipfwadm -I -a accept -V 172.16.13.17 -S 172.16.0.0/16 -D 0.0.0.0/0 -o
> ipfwadm -I -a deny -V Internet_IP -S 172.16.0.0/16 -D 0.0.0.0/0 -o
> ipfwadm -I -a accept -V Internet_IP -S 0.0.0.0/0 -D Internet_IP/32 -o
> ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> #output ipfwadm rules
> ipfwadm -O -f
> ipfwadm -O -p deny

> ipfwadm -O -a accept -V 172.16.13.17 -S 0.0.0.0/0 -D 172.16.0.0/32 -o

Huh? This accepts packets going to the internal interface whose
destination address is 172.16.0.0. This is either the broadcast
address (if your network uses all-zeroes as a broadcast address), or
(more likely) a mistake.

> ipfwadm -O -a deny -V Internet_IP -S 0.0.0.0/0 -D 172.16.0.0/32 -o

> ipfwadm -O -a deny -V Internet_IP -S 172.16.0.0/16 -D 0.0.0.0/0 -o

This rule prevents any packet with a local source address from leaving
the external interface.

> ipfwadm -O -a deny -V Internet_IP -S 0.0.0.0/0 -D 172.16.0.0/16 -o

This would appear to be redundant; packets with a local destination
address shouldn't be routed via the external interface.

> ipfwadm -O -a accept -V Internet_IP -S Internet_IP/32 -D 0.0.0.0/0 -o
> ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
> # routing (masq) rules
> ipfwadm -F -f
> ipfwadm -F -p deny
> ipfwadm -F -a masquerade -V Internet_IP -S 172.16.0.0/16 -D 0.0.0.0/0 -o
> ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

One other point: specifying -S 0.0.0.0/0 or -D 0.0.0.0/0 is redundant;
by default, a rule matches all packets; you only need -S or -D if you
wish to restrict which packets are matched. For clarity, you can also
use 0/0 instead.

-- 
Glynn Clements <glynn@sensei.co.uk>
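The checks from the reply above, gathered into a small POSIX sh script as an added example (this is not code from the thread or from the ipfwadm project): it reads ip_forward, looks for /proc/net/ip_masquerade, and lints a set of ipfwadm rules for the two problems pointed out, a /32 mask on a network address and redundant 0.0.0.0/0 selectors. PROC_ROOT is an assumed override so the checks can be exercised against constructed files; the sample rules are constructed here, modelled on the poster's script, with Internet_IP kept as the poster's placeholder.

```shell
#!/bin/sh
# Added example, not code from the original thread: sanity checks for an
# ipfwadm-era (2.0 kernel) masquerading setup. PROC_ROOT is an assumed
# override so the checks can run against constructed files instead of /proc.

# 0 = forwarding enabled, 1 = disabled, 2 = cannot tell (file missing or odd).
forwarding_enabled() {
    f="${PROC_ROOT:-/proc}/sys/net/ipv4/ip_forward"
    [ -r "$f" ] || return 2
    case "$(cat "$f")" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# /proc/net/ip_masquerade exists only when the kernel has masquerading support.
masq_supported() {
    [ -e "${PROC_ROOT:-/proc}/net/ip_masquerade" ]
}

# Read ipfwadm rules on stdin and print one line per suspicious selector:
#  - a /32 on an address whose last octet is 0 (e.g. 172.16.0.0/32) matches a
#    single, normally unused, address and is almost certainly meant to be the
#    whole network (e.g. /16);
#  - -S 0.0.0.0/0 or -D 0.0.0.0/0 is redundant, since a rule matches every
#    packet unless restricted.
# Returns 1 if anything was flagged, 0 if the rules look clean.
lint_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        prev=
        for tok in $line; do
            case "$prev:$tok" in
                -[SD]:*.0/32)
                    echo "host mask on network address: $prev $tok  [$line]"; found=1 ;;
                -[SD]:0.0.0.0/0)
                    echo "redundant selector: $prev $tok  [$line]"; found=1 ;;
            esac
            prev=$tok
        done
    done
    return "$found"
}

# Constructed rules modelled on the script in the thread (Internet_IP is the
# poster's placeholder for the external address); used for a stand-alone run.
sample_rules() {
    cat <<'EOF'
# output ipfwadm rules
ipfwadm -O -f
ipfwadm -O -p deny
ipfwadm -O -a accept -V 172.16.13.17 -S 0.0.0.0/0 -D 172.16.0.0/32 -o
ipfwadm -O -a deny -V Internet_IP -S 0.0.0.0/0 -D 172.16.0.0/32 -o
ipfwadm -O -a deny -V Internet_IP -S 172.16.0.0/16 -D 0.0.0.0/0 -o
ipfwadm -O -a accept -V Internet_IP -S Internet_IP/32 -D 0/0 -o
# routing (masq) rules
ipfwadm -F -a masquerade -V Internet_IP -S 172.16.0.0/16 -o
EOF
}

# Stand-alone run: "sh masqcheck.sh --check" reports on the live /proc and
# lints the sample rules.
if [ "${1:-}" = "--check" ]; then
    if forwarding_enabled; then
        echo "ip_forward: enabled"
    else
        echo "ip_forward: disabled or unknown (echo 1 > /proc/sys/net/ipv4/ip_forward)"
    fi
    if masq_supported; then
        echo "masquerade: kernel support present"
    else
        echo "masquerade: /proc/net/ip_masquerade missing, kernel lacks masquerading"
    fi
    sample_rules | lint_rules || echo "rules need attention"
fi
```

On the sample rules the linter flags the two -D 172.16.0.0/32 lines and the three explicit 0.0.0.0/0 selectors; 0/0 and Internet_IP/32 are left alone, as is -S 172.16.0.0/16 on the masquerade rule.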