Route/Masquerade problem

spony · 01-01-2004, 04:05 PM

For the past week or so I've been trying to route my mac through my linux box.

I have the following setup:

Machine 1 - Debian 2.4.22 with 2 interfaces (eth0 and eth1)
Machine 2 - Mac with 1 interface (let's call it eth2)

The linux machine is connected to my cable modem via eth0 - this works fine
The linux machine is connected with a crosscable to my mac via eth1 - this works fine

I've set up the interfaces, like so:

Code:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
auto eth0
iface eth0 inet dhcp

# Second network card - assign static ip to enable local dhcp server

auto eth1
iface eth1 inet static
address 192.168.1.5
netmask 255.255.255.0
broadcast 192.168.1.255

I've set up a DHCPd server on my linux machine, like so:

Code:

default-lease-time 36000;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.5;

subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.10 192.168.1.100;
}

When i startup the mac it recieves a correct ip# (192.168.1.11) and router (192.168.1.5), which is the ip# attached to eth1 on the linux machine. - So this works fine also

Finnaly as far as I can tell ip forwarding should be working fine as:

Code:

spony:/etc# cat /proc/sys/net/ipv4/ip_forward
1

Now the stuff that doesn't seem to be working fine:

When I'm on the mac I can ping the linux machine fine and the linux machine can ping the mac fine but I can't access the internet from the mac at all.

I've set up an extensive firewall using a program called firehol, this is my setup:

Code:

# Require release 5 of FireHOL configuration directives
version 5
	
# A space separated list of all the IPs on the internet, I trust
#office="my-office-pc.example.com"
	
# The IP address of this Linux and LAN for the rest of the world
#public_ip="1.2.3.4"
	
	
# My LAN. Everything is allowed here.
interface eth1 lan
policy accept	# The default is 'drop'.
	
	
# Make sure the traffic coming in, comes from valid Internet IPs,
# and that is targeting my public IP
interface eth0 internet src not "$UNROUTABLE_IPS"  #dst "$public_ip"
# Protect me from various kinds of attacks.
protection strong
		
# Public servers.
server smtp accept
server http accept
server ftp  accept
server ssh  accept #src "$office"
		
# Make sure idents do not timeout.
server ident reject with tcp-reset
		
# This is also a workstation.
client all  accept
		
	
# Route the LAN requests to the internet.
router lan2internet inface eth1 outface eth0
		
# Masquerading on outface.
masquerade
		
# Route all requests from inface to outface
# and their replies back.
route all  accept

Now as far as I can tell this should do the job. I'm beginning to think the problem has something to do with masquerading but i'm certain this is built into the kernel.

Any idea's folks? I'm about ready to smash something - thanks

spony · 01-01-2004, 06:49 PM

Hello again,

From my mac I just tried pinging a bunch of ip addresses and they actualy replied.... so apparently something is working. I also tried viewing webpages by supplying the ip instead of dns-name and some of them actualy showed (the ones that didn't came up with an error that the url couldn't be found, the funny thing though is I type for example the URL: "http://206.16.0.28" and it says: "http://www.apple.com could not be found". Is this strange or what?

Make sence to anyone? What am i missing?

JordanH · 01-01-2004, 07:26 PM

It sounds like your DNS addresses aren't being distributed to your Mac. Make sure the Mac is configured with the proper DNS addresses or if you are using DHCP to distribute the addresses, then make sure your dhcpd.conf file has the "option domain-name-servers aaa.aaa.aaa.aaa" line included.

Regards,
J.

spony · 01-01-2004, 07:41 PM

Thanks for the help J, it finnaly works.

Ironicaly enough I had just come to the same exact conclussion. Great to be back on the mac. Linux is great and all but this is the easy life

Now if i can just get VNC installed on both systems, i can stop unplugging my moniter from one to the other

JordanH · 01-05-2004, 04:30 PM

VNC is an easy task in Linux. Untar as root and away ya go!

Once it is untarred the fast path to getting a session going is this...
as the user (not root) type
vncserver :1
The first time only it'll ask a password... fill one in.

Voila! You are golden. VNC server running for your user on port 5901.
Cheers,
J.

spony · 01-06-2004, 09:59 AM

Aye it was quite easy to set up VNC on the linux box (also the mac for that matter) however the framerate was just ridiculous. I don't know if this had to do with running the server on the mac and the client on the linux box. Haven't tried the other way around but i asume it's about the same.

However I already had X-windows installed on the mac, and getting it to remote display the Linux machine only involved a few simple steps. My experiance is X-windows has a magnitude faster framerate then vnc. It worked great even when i started up games or loaded the entire KDE desktop.

Currently i'm trying to get my hands on panther so I can try out apple's XFree86 version. Reason is I'm hopeing they include a window manager which easialy shifts back and from rootless mode (ie for running KDE from my linux box unspoiled). Currently I have Xdarwin and the oroborOSX windowmanager which is great for running X-window applications seemlessly in OSX but not so great with entire desktop's.

This tiny LAN is quite a challenge (don't even get me started on the difficulties of getting NFS to work between a linux machine and an OSX machine). Keep saying tomorrow everything will be perfect