IP Masquerading is broken after 2.1.7?

Snow Cat (snowcat@netgate.net)
Sun, 15 Dec 1996 15:04:36 -0800 (PST)


Hi,

I am unable to use IP masquerading since 2.1.8; has anyone else had/solved
this problem?

I am using ipfwadm 2.3.0 with the following rules:
(PPP link <-> 192.42.172.1 (ariel) <-> 192.42.172.2 (earth))

ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
ipfwadm -F -p deny
# Accept everything from local host
ipfwadm -I -a accept -S localhost -D 0/0
# Masquerade the rest of the local network
ipfwadm -I -a accept -S 192.42.172.0/24 -D 0/0
ipfwadm -F -m -a accept -S 192.42.172.0/24 -D 0/0

I use other rules to setup a firewall and type of service, but the problem
happens either with or without additional rules.

UDP from 192.42.172.2 works fine, but TCP/IP connections time out. Here is
what happens on ariel when I try to ftp from this machine to the ISP:

tcpdump -i eth0

tcpdump: listening on eth0
15:38:43.132153 earth.netgate.net.1041 > ng.netgate.net.ftp: S 537473698:537473698(0) win 8192 <mss 1460> (DF)
15:38:46.346015 earth.netgate.net.1041 > ng.netgate.net.ftp: S 537473698:537473698(0) win 8192 <mss 1460> (DF)

tcpdump -i ppp0

15:39:51.508394 d82.netgate.net.61021 > ng.netgate.net.ftp: S 537542106:537542106(0) win 8192 <mss 1460> (DF) [tos 0x10]
15:39:54.707217 d82.netgate.net.61021 > ng.netgate.net.ftp: S 537542106:537542106(0) win 8192 <mss 1460> (DF) [tos 0x10]
15:40:01.269227 d82.netgate.net.61021 > ng.netgate.net.ftp: S 537542106:537542106(0) win 8192 <mss 1460> (DF) [tos 0x10]
15:40:14.447095 d82.netgate.net.61021 > ng.netgate.net.ftp: S 537542106:537542106(0) win 8192 <mss 1460> (DF) [tos 0x10]

I cannot see any response from ng.netgate.net, but I doubt the remote end is
the problem, because the same setup works fine under 2.1.7.
For reference though, ng is BSDI 2.1.

The above ftp connection generates a normal-looking masquerading entry:
tcp 09:30.95 earth.netgate.net ng.netgate.net 1042 (61021) -> ftp

Other information:
ariel:~> uname -a
Linux ariel 2.1.15 #3 Sun Dec 15 14:51:20 PST 1996 i586 unknown
ariel:~> netstat -r -n
Kernel routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
204.145.147.4   0.0.0.0         255.255.255.255 U     0      0   0   ppp0
204.145.147.4   0.0.0.0         255.255.255.255 U     32767  0   0   ppp0
192.42.172.0    0.0.0.0         255.255.255.0   U     32767  0   0   eth0
0.0.0.0         204.145.147.4   0.0.0.0         UG    0      0   0   ppp0

Kernel configuration:

#
# Automatically generated make config: don't edit
#

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
# CONFIG_KERNELD is not set

#
# General setup
#
# CONFIG_MATH_EMULATION is not set
CONFIG_NET=y
# CONFIG_MAX_16M is not set
CONFIG_PCI=y
CONFIG_PCI_OPTIMIZE=y
# CONFIG_MCA is not set
CONFIG_SYSVIPC=y
CONFIG_BINFMT_AOUT=y
CONFIG_BINFMT_ELF=y
CONFIG_BINFMT_JAVA=y
# CONFIG_M386 is not set
# CONFIG_M486 is not set
CONFIG_M586=y
# CONFIG_M686 is not set
CONFIG_VIDEO_SELECT=y

#
# Floppy, IDE, and other block devices
#
CONFIG_BLK_DEV_FD=y
CONFIG_BLK_DEV_IDE=y

#
# Please see Documentation/ide.txt for help/info on IDE drives
#
# CONFIG_BLK_DEV_HD_IDE is not set
CONFIG_BLK_DEV_IDEDISK=y
CONFIG_BLK_DEV_IDECD=y
# CONFIG_BLK_DEV_IDETAPE is not set
# CONFIG_BLK_DEV_IDEFLOPPY is not set
CONFIG_BLK_DEV_IDESCSI=y
# CONFIG_BLK_DEV_CMD640 is not set
# CONFIG_BLK_DEV_RZ1000 is not set
# CONFIG_BLK_DEV_TRITON is not set
# CONFIG_IDE_CHIPSETS is not set

#
# Additional Block Devices
#
CONFIG_BLK_DEV_LOOP=y
# CONFIG_BLK_DEV_MD is not set
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_INITRD=y
# CONFIG_BLK_DEV_XD is not set
# CONFIG_BLK_DEV_HD is not set

#
# Networking options
#
# CONFIG_NETLINK is not set
CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_VERBOSE is not set
CONFIG_IP_MASQUERADE=y

#
# Protocol-specific masquerading support will be built as modules.
#
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_IP_ACCT is not set
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
# CONFIG_IP_MROUTE is not set
CONFIG_IP_ALIAS=y

#
# (it is safe to leave these untouched)
#
# CONFIG_INET_PCTCP is not set
# CONFIG_INET_RARP is not set
CONFIG_PATH_MTU_DISCOVERY=y
CONFIG_IP_NOSR=y
CONFIG_SKB_LARGE=y
# CONFIG_IPV6 is not set

#
#
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_AX25 is not set
# CONFIG_BRIDGE is not set

#
# SCSI support
#
# CONFIG_SCSI is not set

#
# Network device support
#
CONFIG_NETDEVICES=y
# CONFIG_ARCNET is not set
# CONFIG_DUMMY is not set
# CONFIG_EQUALIZER is not set
CONFIG_NET_ETHERNET=y
# CONFIG_NET_VENDOR_3COM is not set
# CONFIG_LANCE is not set
# CONFIG_NET_VENDOR_SMC is not set
CONFIG_NET_ISA=y
# CONFIG_AT1700 is not set
# CONFIG_E2100 is not set
# CONFIG_DEPCA is not set
# CONFIG_EWRK3 is not set
# CONFIG_EEXPRESS is not set
# CONFIG_EEXPRESS_PRO is not set
# CONFIG_FMV18X is not set
# CONFIG_HPLAN_PLUS is not set
# CONFIG_HPLAN is not set
# CONFIG_HP100 is not set
# CONFIG_ETH16I is not set
CONFIG_NE2000=y
# CONFIG_NI52 is not set
# CONFIG_NI65 is not set
# CONFIG_SEEQ8005 is not set
# CONFIG_SK_G16 is not set
# CONFIG_NET_EISA is not set
# CONFIG_NET_POCKET is not set
# CONFIG_FDDI is not set
# CONFIG_DLCI is not set
# CONFIG_PLIP is not set
CONFIG_PPP=y

#
# CCP compressors for PPP are only built as modules.
#
# CONFIG_NET_RADIO is not set
# CONFIG_SLIP is not set
# CONFIG_TR is not set
CONFIG_SHAPER=y

#
# ISDN subsystem
#
# CONFIG_ISDN is not set

#
# CD-ROM drivers (not for SCSI or IDE/ATAPI drives)
#
# CONFIG_CD_NO_IDESCSI is not set

#
# Filesystems
#
# CONFIG_QUOTA is not set
# CONFIG_MINIX_FS is not set
# CONFIG_EXT_FS is not set
CONFIG_EXT2_FS=y
# CONFIG_XIA_FS is not set
CONFIG_FAT_FS=y
CONFIG_MSDOS_FS=y
CONFIG_VFAT_FS=y
# CONFIG_UMSDOS_FS is not set
CONFIG_PROC_FS=y
CONFIG_NFS_FS=y
# CONFIG_ROOT_NFS is not set
CONFIG_SMB_FS=y
CONFIG_SMB_WIN95=y
CONFIG_ISO9660_FS=y
# CONFIG_HPFS_FS is not set
# CONFIG_SYSV_FS is not set
# CONFIG_AFFS_FS is not set
CONFIG_UFS_FS=y
CONFIG_BSD_DISKLABEL=y
# CONFIG_SMD_DISKLABEL is not set

#
# Character devices
#
CONFIG_SERIAL=y
# CONFIG_DIGI is not set
# CONFIG_CYCLADES is not set
# CONFIG_STALDRV is not set
# CONFIG_RISCOM8 is not set
# CONFIG_ESP is not set
CONFIG_PRINTER=y
CONFIG_MOUSE=y
# CONFIG_ATIXL_BUSMOUSE is not set
# CONFIG_BUSMOUSE is not set
# CONFIG_MS_BUSMOUSE is not set
CONFIG_PSMOUSE=y
# CONFIG_82C710_MOUSE is not set
CONFIG_UMISC=y
# CONFIG_QIC02_TAPE is not set
# CONFIG_FTAPE is not set
# CONFIG_APM is not set
CONFIG_WATCHDOG=y
# CONFIG_WATCHDOG_NOWAYOUT is not set
# CONFIG_WDT is not set
CONFIG_SOFT_WATCHDOG=y
# CONFIG_PCWATCHDOG is not set
CONFIG_RTC=y

#
# Sound
#
CONFIG_SOUND=y
# CONFIG_LOWLEVEL_SOUND is not set

#
# Kernel hacking
#
# CONFIG_PROFILE is not set

-- 
 _.    	        _       .  
(_ ,_  _ ,  .  / ` _ _L	 | Email: Oleg Kibirev <snowcat@netgate.net>
._)| U(_)\/\/  \_,(_L/L  | Visit http://math.math.CSUFresno.EDU/~oleg/math.html
------------------------'  to get my programs + PGP public key
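The post's diagnosis rests on correlating three things: the SYN seen on the LAN interface, the rewritten SYN seen on the PPP interface, and the masquerade table entry that links them. The script below is an added example, not code from the original post or from the ipfwadm/kernel sources. It parses the old-style tcpdump lines and the masquerade table line exactly as pasted above (both embedded here as constructed sample input), and reports which hop is silent: the masquerading box never forwards the SYN, the rewritten SYN leaves but no SYN-ACK comes back, or a SYN-ACK comes back but is never de-masqueraded to the LAN host. The function and field names (`diagnose`, `lan_host`, the report keys) are the example's own, and the host name `earth.netgate.net` is taken from the post.

```python
"""Correlate inside/outside tcpdump captures with the masquerade table.

Added example (not from the original post): given SYN lines captured on the
LAN side (eth0) and the PPP side (ppp0), plus the masquerade table entry,
report at which hop the TCP handshake is going silent.
"""
import re

# Old-style tcpdump TCP line: "<ts> <host>.<port> > <host>.<port>: <flags> <rest>"
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"(?P<flags>[SFRP.]+) (?P<rest>.*)$"
)
# Masquerade table line in the format pasted in the post:
# "tcp 09:30.95 earth.netgate.net ng.netgate.net 1042 (61021) -> ftp"
MASQ_LINE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<expire>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+\((?P<mport>\d+)\)\s+->\s+(?P<dport>\S+)$"
)

# Constructed sample input: the capture lines and table entry quoted in the post.
INSIDE_CAPTURE = """
tcpdump: listening on eth0
15:38:43.132153 earth.netgate.net.1041 > ng.netgate.net.ftp: S 537473698:537473698(0) win 8192 <mss 1460> (DF)
15:38:46.346015 earth.netgate.net.1041 > ng.netgate.net.ftp: S 537473698:537473698(0) win 8192 <mss 1460> (DF)
"""
OUTSIDE_CAPTURE = """
15:39:51.508394 d82.netgate.net.61021 > ng.netgate.net.ftp: S 537542106:537542106(0) win 8192 <mss 1460> (DF) [tos 0x10]
15:39:54.707217 d82.netgate.net.61021 > ng.netgate.net.ftp: S 537542106:537542106(0) win 8192 <mss 1460> (DF) [tos 0x10]
15:40:01.269227 d82.netgate.net.61021 > ng.netgate.net.ftp: S 537542106:537542106(0) win 8192 <mss 1460> (DF) [tos 0x10]
15:40:14.447095 d82.netgate.net.61021 > ng.netgate.net.ftp: S 537542106:537542106(0) win 8192 <mss 1460> (DF) [tos 0x10]
"""
MASQ_TABLE = "tcp 09:30.95 earth.netgate.net ng.netgate.net 1042 (61021) -> ftp"


def parse_tcp(capture):
    """Return one dict per TCP line; banner and command lines are skipped."""
    flows = []
    for line in capture.strip().splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["syn"] = "S" in d["flags"]
        # old tcpdump prints "S <seq> ack <n>" for a SYN-ACK
        d["ack"] = re.search(r"\back\b", d["rest"]) is not None
        flows.append(d)
    return flows


def parse_masq(table):
    """Return one dict per masquerade table line."""
    entries = []
    for line in table.strip().splitlines():
        m = MASQ_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def diagnose(inside_capture, outside_capture, masq_table, lan_host):
    """Correlate the two captures and the table; return counts and a verdict."""
    inside = parse_tcp(inside_capture)
    outside = parse_tcp(outside_capture)
    masq = parse_masq(masq_table)
    masq_ports = {e["mport"] for e in masq}
    masq_origins = {(e["src"], e["sport"]) for e in masq}

    lan_syns = [f for f in inside if f["src"] == lan_host and f["syn"] and not f["ack"]]
    out_syns = [f for f in outside if f["syn"] and not f["ack"]]
    syn_acks = [f for f in outside if f["syn"] and f["ack"]]
    delivered = [f for f in inside if f["syn"] and f["ack"] and f["dst"] == lan_host]

    report = {
        "lan_syn_count": len(lan_syns),
        "outside_syn_count": len(out_syns),
        # masqueraded source ports on the outside that the table accounts for
        "outside_ports_in_table": sorted({f["sport"] for f in out_syns} & masq_ports),
        # is there a table entry for the exact LAN connection that was captured?
        "table_entry_for_lan_syn": any((f["src"], f["sport"]) in masq_origins for f in lan_syns),
        "syn_ack_count": len(syn_acks),
        "syn_ack_delivered": len(delivered),
    }
    if not lan_syns:
        verdict = "no SYN from LAN host on inside interface"
    elif not out_syns:
        verdict = "SYN never forwarded onto outside interface: dropped or unrouted on the masquerading box"
    elif not syn_acks:
        verdict = ("rewritten SYN leaves outside interface but no SYN-ACK returns: "
                   "reply lost beyond this box, or the rewritten packet is unanswerable "
                   "(check the masqueraded source address and TCP checksum)")
    elif not delivered:
        verdict = "SYN-ACK returns but is not de-masqueraded to LAN host: reverse mapping broken"
    else:
        verdict = "handshake reaches LAN host"
    report["verdict"] = verdict
    return report


if __name__ == "__main__":
    for key, value in diagnose(INSIDE_CAPTURE, OUTSIDE_CAPTURE, MASQ_TABLE, "earth.netgate.net").items():
        print(f"{key}: {value}")
```

On the post's own data the verdict is the third branch: the rewritten SYN appears on ppp0 with the table's masquerade port 61021, and nothing comes back. Note that the eth0 and ppp0 pastes are from different attempts (source port 1041 on eth0, 1042 in the table, different sequence numbers), which is why `table_entry_for_lan_syn` is false here; capturing both interfaces during one attempt lets the script tie the LAN SYN, the table entry and the outside SYN together exactly.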