LinuxQuestions.org
Old 11-01-2002, 02:24 PM   #1
Shark
LQ Newbie
 
Registered: Nov 2002
Posts: 17

Rep: Reputation: 0
Question Problem with routing


I'm trying to set up routing on debian. I compiled kernel 2.4.19 with all necessary modules (iptables, masquerade...), but every boot I get an error: "MASQUERADE - command not found". I'm using the following script for routing (it's not mine, I got it):

Code:
#!/bin/sh

IPTABLES="/sbin/iptables"

EXTIF="eth0"   #external card
INTIF="eth1"    #internal card
INTNET="192.168.0.0"
INTMASK="255.255.255.0"
EXTIP="145.569.65.214"  #external ip

echo -n "Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 'done.'

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo -n 'Internet Sharing'
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d $INTNET/$INTMASK -m state \
--state ESTABLISHED,RELATED -j ACCEPT
echo -n '.'
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTNET/$INTMASK -j ACCEPT
echo -n '.'
$INTMASK -j \
MASQUERADE 
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET/$INTMASK -j SNAT \
--to-source $EXTIP
echo '.done.'

echo -n 'Allow incoming connections: '
# SSH, SMTP
echo -n 'SSH, SMTP'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
#echo -n ', FTP, FTP-data'
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j ACCEPT
#echo -n ', HTTP, HTTPS'
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j ACCEPT
echo '. done.'

echo -n 'Drop other connections'
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
echo -n '.'
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
echo '.done.'
Shark

Last edited by Shark; 11-02-2002 at 10:32 AM.
 
Old 11-01-2002, 07:17 PM   #2
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Rep: Reputation: 30
OK, I see your problem. Several of the lines in the file were carried over to the next. It's easy to see which ones because at the end of the line before them is a "\", just backspace all wrapped-over lines to make the file correct. The problem was "MASQUERADE" was seen as a command because it was on a line by itself.


--tarballedtux
 
Old 11-02-2002, 02:11 AM   #3
Shark
LQ Newbie
 
Registered: Nov 2002
Posts: 17

Original Poster
Rep: Reputation: 0
Thanks for the help - I fixed the script and now it compiles without errors. But it doesn't work - I'm using Windows XP and I set the gateway to 192.168.0.1 (IP of the router), but nothing - I always get an error. What can I do?

Here's the script:

Code:
#!/bin/sh

IPTABLES="/sbin/iptables"

EXTIF="eth0"  #Internet
INTIF="eth1"    #LAN
INTNET="192.168.0.0"
INTMASK="255.255.255.0"
EXTIP="134.256.412.146"  #internet ip

echo -n "Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 'done.'

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo -n 'Internet Sharing'
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d $INTNET/$INTMASK -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n '.'
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTNET/$INTMASK -j ACCEPT
echo -n '.'
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET/$INTMASK -j SNAT --to-source $EXTIP
echo '.done.'

echo -n 'Allow incoming connections: '
# SSH, SMTP
echo -n 'SSH, SMTP'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
echo -n ', FTP, FTP-data'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j ACCEPT
echo -n ', HTTP, HTTPS'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j ACCEPT
echo '. done.'

echo -n 'Drop other connections' 
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
echo -n '.'
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
echo '.done.'
Thanks, Shark
 
Old 11-02-2002, 05:36 AM   #4
Griffon26
Member
 
Registered: Sep 2001
Location: The Netherlands
Distribution: Gentoo, Debian, Mandrake, LFS
Posts: 182

Rep: Reputation: 30
For some reason, you threw out the line containing MASQUERADE.

What you should have done is look at the original file to see what the line should be.

The first attempt already contained only half of the line. There should be something before "$INTMASK -j MASQUERADE".
 
Old 11-02-2002, 07:14 AM   #5
Shark
LQ Newbie
 
Registered: Nov 2002
Posts: 17

Original Poster
Rep: Reputation: 0
Okay, now I just left everything as it was - I fixed line breaks only...

Code:
#!/bin/sh

IPTABLES="/sbin/iptables"

EXTIF="eth0"  #internet
INTIF="eth1"    #lan
INTNET="192.168.0.0"
INTMASK="255.255.255.0"
EXTIP="322.435.432.324"  #internet IP

echo -n "Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 'done.'

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo -n 'Internet Sharing'
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d $INTNET/$INTMASK -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -n '.'
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTNET $INTMASK -j ACCEPT
echo -n '.'
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET/$INTMASK -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s$INTNET/$INTMASK -j SNAT --to-source $EXTIP
echo '.done.'

echo -n 'Allow incoming connections: '
echo -n 'SSH, SMTP'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
echo -n ', FTP, FTP-data'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j ACCEPT
echo -n ', HTTP, HTTPS'
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j ACCEPT
echo '. done.'

echo -n 'Drop other connections'
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
echo -n '.'
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
echo '.done.'
Shark
 
Old 11-04-2002, 04:03 PM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Add these lines...

$IPTABLES -I FORWARD 3 -i $EXTIF -o $INTIF -j LOG --log-prefix "FORWARD_no_state " --log-level 6
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j LOG --log-prefix "FORWARD_dropped " --log-level 6

and look for packets that are being dropped with "tail -f /var/log/messages"
There may be udp dns packets (port 53) etc being dropped unnecessarily.
If they are, make a rule to ACCEPT them.

A quick check can be to change the FORWARD POLICY to ACCEPT.

Regards,
Peter
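
Added example, not part of the original thread: a small shell helper that summarises what the two LOG rules suggested above write to the kernel log, so the traffic being dropped stands out instead of scrolling past in `tail -f`. It assumes the usual netfilter LOG line layout (`PROTO=`, `SPT=`, `DPT=` fields); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Count logged packets per LOG prefix, protocol and likely service port.
# Reads syslog lines on stdin, prints "<count> <prefix> <proto> <port>".
summarize_forward_log() {
    awk '
    {
        prefix = ""; proto = "?"; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FORWARD_(no_state|dropped)$/) prefix = $i
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SPT=/)   spt = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        if (prefix == "") next      # not written by one of the two LOG rules
        # Assumption (heuristic): the lower port number is the service port,
        # e.g. 53 for a DNS reply arriving on the external interface.
        if (spt == "" || dpt == "") port = "-"      # ICMP etc. have no ports
        else port = (spt + 0 < dpt + 0) ? spt : dpt
        count[prefix " " proto " " port]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines (documentation address ranges, made-up hosts).
sample_log() {
    cat <<'EOF'
Nov  4 16:10:01 router kernel: FORWARD_no_state IN=eth0 OUT=eth1 SRC=203.0.113.53 DST=192.168.0.10 LEN=92 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=1034 LEN=72
Nov  4 16:10:03 router kernel: FORWARD_no_state IN=eth0 OUT=eth1 SRC=203.0.113.53 DST=192.168.0.10 LEN=92 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=1035 LEN=72
Nov  4 16:10:09 router kernel: FORWARD_dropped IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4711 DF PROTO=TCP SPT=3021 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  4 16:10:12 router kernel: FORWARD_no_state IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov  4 16:10:15 router sshd[412]: Accepted password for shark from 192.168.0.10 port 1040 ssh2
EOF
}

# Demo on the constructed sample.
sample_log | summarize_forward_log
```

On a live router, feed it the real log instead: `summarize_forward_log < /var/log/messages`. A high count for UDP port 53 under `FORWARD_no_state` is the DNS case mentioned in the post above.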
 
  

