LinuxQuestions.org

Linux - Networking > Problem with routing (https://www.linuxquestions.org/questions/linux-networking-3/problem-with-routing-34354/)

Shark 11-01-2002 02:24 PM

Problem with routing
 
I'm trying to set up routing on debian. I compiled kernel 2.4.19 with all necessary modules (iptables, masquerade...), but every boot I get an error: "MASQUERADE - command not found". I'm using the following script for routing (it's not mine, I got it):

Code:

#!/bin/sh

IPTABLES="/sbin/iptables"

EXTIF="eth0"  #external card
INTIF="eth1"    #internal card
INTNET="192.168.0.0"
INTMASK="255.255.255.0"
EXTIP="145.569.65.214"  #external ip

echo -n "Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 'done.'

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo -n 'Internet Sharing'
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d $INTNET/$INTMASK -m state \
--state ESTABLISHED,RELATED -j ACCEPT
echo -n '.'
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTNET/$INTMASK -j ACCEPT
echo -n '.'
$INTMASK -j \
MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET/$INTMASK -j SNAT \
--to-source $EXTIP
echo '.done.'

echo -n 'Allow incoming connections: '
# SSH, SMTP
echo -n 'SSH, SMTP'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
#echo -n ', FTP, FTP-data'
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j ACCEPT
#echo -n ', HTTP, HTTPS'
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j ACCEPT
echo '. done.'

echo -n 'Drop other connections'
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
echo -n '.'
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
echo '.done.'

Shark

tarballedtux 11-01-2002 07:17 PM

OK, I see your problem. Several of the lines in the file were carried over to the next. It's easy to see which ones because at the end of the line before them is a "\", just backspace all wrapped-over lines to make the file correct. The problem was "MASQUERADE" was seen as a command because it was on a line by itself.


--tarballedtux

Shark 11-02-2002 02:11 AM

Thanks for help - I fixed the script and now it compiles without errors. But it doesn't work - I'm using Windows XP and I set gateway to 192.168.0.1 (IP of the router), but nothing - I always get error. What can I do?

Here's script:

Code:

#!/bin/sh

IPTABLES="/sbin/iptables"

EXTIF="eth0"  #Internet
INTIF="eth1"    #LAN
INTNET="192.168.0.0"
INTMASK="255.255.255.0"
EXTIP="134.256.412.146"  #internet ip

echo -n "Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 'done.'

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo -n 'Internet Sharing'
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d $INTNET/$INTMASK -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n '.'
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTNET/$INTMASK -j ACCEPT
echo -n '.'
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET/$INTMASK -j SNAT --to-source $EXTIP
echo '.done.'

echo -n 'Allow incoming connections: '
# SSH, SMTP
echo -n 'SSH, SMTP'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
echo -n ', FTP, FTP-data'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j ACCEPT
echo -n ', HTTP, HTTPS'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j ACCEPT
echo '. done.'

echo -n 'Drop other connections'
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
echo -n '.'
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
echo '.done.'

Thanks, Shark

Griffon26 11-02-2002 05:36 AM

For some reason, you threw out the line containing MASQUERADE.

What you should have done is look at the original file to see what the line should be.

The first attempt already contained only half of the line. There should be something before "$INTMASK -j MASQUERADE".

Shark 11-02-2002 07:14 AM

Okay, now I just left everything as it was - I fixed line breaks only...

Code:

#!/bin/sh

IPTABLES="/sbin/iptables"

EXTIF="eth0"  #internet
INTIF="eth1"    #lan
INTNET="192.168.0.0"
INTMASK="255.255.255.0"
EXTIP="322.435.432.324"  #internet IP

echo -n "Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 'done.'

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo -n 'Internet Sharing'
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d $INTNET/$INTMASK -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n '.'
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTNET/$INTMASK -j ACCEPT
echo -n '.'
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET/$INTMASK -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET/$INTMASK -j SNAT --to-source $EXTIP
echo '.done.'

echo -n 'Allow incoming connections: '
echo -n 'SSH, SMTP'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
echo -n ', FTP, FTP-data'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j ACCEPT
echo -n ', HTTP, HTTPS'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j ACCEPT
echo '. done.'

echo -n 'Drop other connections'
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
echo -n '.'
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
echo '.done.'

Shark

peter_robb 11-04-2002 04:03 PM

Add these lines...

$IPTABLES -I FORWARD 3 -i $EXTIF -o $INTIF -j LOG --log-prefix "FORWARD_no_state " --log-level 6
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j LOG --log-prefix "FORWARD_dropped " --log-level 6

and look for packets that are being dropped with "tail -f /var/log/messages".
There may be UDP DNS packets (port 53) etc. being dropped unnecessarily.
If they are, make a rule to ACCEPT them.

A quick check can be to change the FORWARD POLICY to ACCEPT.

Regards,
Peter
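Peter's suggestion is to read what those two LOG rules write to the kernel log and decide which dropped flows are legitimate replies (DNS answers with source port 53) and which should stay dropped. The script below is an added example, not code from the thread: a POSIX sh/awk summariser run over constructed sample lines in the iptables LOG format, assuming the same two log prefixes and the 192.168.0.0/24 LAN from the posted scripts.

```shell
#!/bin/sh
# Added example, not from the thread: group the lines written by the
# "FORWARD_no_state " / "FORWARD_dropped " LOG rules by protocol and port,
# so dropped traffic can be judged before a rule is opened for it.
# SAMPLE_LOG is a constructed sample in the iptables LOG target's format;
# in practice feed the function with:  grep 'FORWARD_' /var/log/messages
SAMPLE_LOG='Nov  4 16:01:02 router kernel: FORWARD_dropped IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.10 LEN=76 PROTO=UDP SPT=53 DPT=32768 LEN=56
Nov  4 16:01:03 router kernel: FORWARD_dropped IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.10 LEN=76 PROTO=UDP SPT=53 DPT=32769 LEN=56
Nov  4 16:01:05 router kernel: FORWARD_no_state IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.0.10 LEN=60 PROTO=TCP SPT=4120 DPT=445 SYN
Nov  4 16:01:09 router kernel: FORWARD_dropped IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.0.10 LEN=60 PROTO=TCP SPT=4120 DPT=445 SYN
Nov  4 16:01:11 router kernel: FORWARD_dropped IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.10 LEN=76 PROTO=UDP SPT=53 DPT=32770 LEN=56'

# summarise_log PREFIX: read log lines on stdin, keep those carrying the given
# --log-prefix, and print "PROTO SPT->DPT COUNT" per flow class, most frequent
# first.  Ports >= 1024 are folded into "high" so that replies to many
# ephemeral ports (e.g. DNS answers, SPT=53) collapse into a single line.
summarise_log() {
    awk -v pfx="$1" '
        index($0, pfx) {
            proto = ""; spt = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^SPT=/) spt = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (proto == "") next
            if (spt + 0 >= 1024) spt = "high"
            if (dpt + 0 >= 1024) dpt = "high"
            count[proto " " spt "->" dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# flow_count PREFIX "PROTO SPT->DPT": number of logged packets in that flow
# class (0 if none), for use in scripts and checks.
flow_count() {
    summarise_log "$1" | awk -v key="$2" '
        ($1 " " $2) == key { print $3; found = 1 }
        END { if (!found) print 0 }'
}

# Replies from DNS servers (UDP 53->high) show up as dropped here, which is
# what Peter suggests adding an ACCEPT rule for; unsolicited inbound SYNs to
# port 445 (TCP high->445) are expected to stay dropped.
printf '%s\n' "$SAMPLE_LOG" | summarise_log FORWARD_dropped
```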
