LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-03-2005, 04:42 AM   #1
zhex900
LQ Newbie
 
Registered: Nov 2004
Posts: 16

Rep: Reputation: 0
Angry Router Setup -IP Tables Masquerading


Hi guys:

I really hope there is someone can spare me some time to help me with this common problem (yet impossible for me).

Yes I have read & tried a few tutorials & threads on internet sharing and NAT. But for some reason it just doesn't work for me.

This is my current setup:

ISP -> Router->192.168.0.x eth0 Linux Router/Gateway eth1 192.168.1.1->clients

Router have ip: 192.168.0.1
eth0 is dhcp, which Router will allocate
eth1 is static ip: 192.168.1.1
clients will use 192.168.1.1 as gateway. For testing I will use static ip like 192.168.1.2

Right now my linux box can access internet. Also can ping other machines connected to the router. However when I have a cable connected from eth1 into a win box, no connection is detected.

Linux Box Config:
eth2 is not used.
both shorewall and squid are stopped.
even when I setup shorewall is not working either.
Code:
[root@TIGER sysconfig]# ipconfig
bash: ipconfig: command not found
[root@TIGER sysconfig]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:02:44:11:DD:24
          inet addr:192.168.0.5  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::202:44ff:fe11:dd24/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1933 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1863 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:991702 (968.4 Kb)  TX bytes:279811 (273.2 Kb)
          Interrupt:11

eth1      Link encap:Ethernet  HWaddr 00:02:44:11:DD:27
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::202:44ff:fe11:dd27/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22093 (21.5 Kb)  TX bytes:13503 (13.1 Kb)
          Interrupt:10 Base address:0x6400

eth2      Link encap:Ethernet  HWaddr 00:50:22:E9:8E:A4
          inet6 addr: fe80::250:22ff:fee9:8ea4/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:378 (378.0 b)
          Interrupt:9 Base address:0xc800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2669 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2669 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:452173 (441.5 Kb)  TX bytes:452173 (441.5 Kb)

sit0      Link encap:IPv6-in-IPv4
          inet6 addr: ::127.0.0.1/96 Scope:Unknown
          inet6 addr: ::192.168.0.5/96 Scope:Compat
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Code:
[root@TIGER sysconfig]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
Code:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -A FORWARD -i eth1 -o eth0
iptables -A FORWARD -i eth0 -o eth1

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE
Code:
[root@TIGER sysconfig]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
Code:
[root@TIGER sysconfig]# cat /etc/sysctl.conf
net.ipv4.ip_forward=1
I feel I am really close getting this thing working. But right now I have no idea what the problem is. Can someone please please drop some ideas. Or point me to a better tutorial.

Thanks heaps
 
Old 07-03-2005, 05:15 AM   #2
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
Ok, why is ETH0 on a 192.168.x.y network? That would mean your ISP is NAT'ing all their clients.
renew the IP for ETH0 and verify that it is set for DHCP in your distro's config file.
 
Old 07-03-2005, 05:44 AM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
To do masquerading, only 3 things are needed..

Default gateway on the linux box..
ip_forwarding =1
and MASQUERADING on the external interface..

Anything else is for better control/safety etc.. eg firewall rules.
Coz you have a 192.168.0.x numbering on your ISP's router, anyone wanting to force their way in would have to set up static routes to your network, so it's some extra protection.

Your iptables rules are DROPPING anything trying to pass through the FORWARD chain, unless you specifically ACCEPT it, and there are no ACCEPT rules in your list...

MASQUERADING should be only on the external interface, yours is eth0 not ethX

So I suggest you have a read of an iptables tutorial, eg http://iptables-tutorial.frozentux.n...-tutorial.html and see the difference between the INPUT and FORWARD chains. This tutorial also has ready to use scripts at the back.
 
Old 07-04-2005, 05:06 AM   #4
zhex900
LQ Newbie
 
Registered: Nov 2004
Posts: 16

Original Poster
Rep: Reputation: 0
Talking

Thanks for the reply I'll have a go at the iptable tutorial. I'll come back when I get stuck.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Router Setup -IP Tables Masquerading bk_bharani Linux - Networking 5 07-22-2005 09:42 AM
router not routing/masquerading. Why? Pcghost Linux - Networking 1 03-24-2003 10:30 AM
Can't use MS outlook through a linux router with IP masquerading jeffycli Linux - Networking 2 01-28-2002 06:48 AM
IP TABLES setup RecoilUK Linux - Networking 3 12-13-2001 03:04 AM
IP Tables setup help RecoilUK Linux - Networking 2 12-07-2001 08:17 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration