Mailinglist Archive: opensuse (4570 mails)
Re: [SLE] SuSE 10.0 masquerade changes?
- From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
- Date: Wed, 16 Nov 2005 01:36:31 +0000 (UTC)
- Message-id: <437A8D1B.3010006@xxxxxxxxxxxxx>
On 11/15/2005 02:54 PM, Peter A. Taylor wrote:
>On Monday 14 November 2005 18:16, Darryl Gregorash wrote:
>
>>On 11/14/2005 09:40 AM, Peter A. Taylor wrote:
>>
>>> I got simple masquerading working under SuSE 9.3 (sharing a modem), but
>>>I can't get it working under SuSE 10.0 . I can ping and ftp within my
>>>internal network, but the internal network can't see the internet. Has
>>>anything relevant changed between 9.3 and 10.0, or am I doing something
>>>stupid? Any ideas? Where do I look for clues?
>>>
>>Depending on how much firewall logging you've turned on, you might be
>>able to find some hints in /var/log/firewall.
>>
>
> Short version: "ifup eth0" tells me my default route is unreachable, but I
>don't understand why.
>
Because you don't have a default route on that interface. This isn't a
problem, because this is the internal interface. If it bothers you, see
"man 5 routes", the 3 paragraphs beginning "The fourth column gives
the name of the interface...." after the title "Syntax".
> Update: Now I'm really confused. I get the same error message from "ifup
>eth0" under SuSE 9.3, but masquerade works anyway. Under 10.0, my wife can't
>ping our ISP's ftp server via masquerade, but she at least seems to resolve
>the server's name.
>
I'm even more confused:
>Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0
>SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119
>PROTO=UDP SPT=1027 DPT=53 LEN=53
>
This is a DNS lookup from "isis" that was just dropped, yet you say your
wife is able to resolve hostnames.
>Nov 15 09:09:34 athena kernel: SFW2-IN-ILL-TARGET IN=eth0 OUT= MAC=
>SRC=192.168.2.15 DST=224.0.0.251 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF
>PROTO=UDP SPT=5353 DPT=5353 LEN=54
>
Multicast DNS? Strange.. this is possibly "isis" doing a multicast
search for a name server, given the previous failure... but don't quote
me. But this is rejected as an illegal target.
>>egrep "^[^#]" /etc/sysconfig/SuSEfirewall2
>>
>
> Very nice. Thank you. I've added that to my crib sheet. :-)
>
man perlre :)
>18d17
>< USE_IPV6=yes
>
>
Not related to your immediate problem, but you should probably turn this
off unless you have explicit need (including tunnelling) to support ipv6.
> Here is the sorted output from the egrep command on the 10.0 SuSEfirewall2
>file:
>
><snip>
Maybe someone else will spot something, but I cannot immediately see any
problem. Perhaps posting the output of "iptables -L -n" will help (and
you will have to run that as root).
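
An added example, not part of the original message: a small Python parser for the SFW2 kernel log entries quoted above. It separates packets dropped while being forwarded (IN and OUT both set, as in the DNS lookup) from packets addressed to the firewall host itself (OUT empty, as in the multicast packet). The function names are this example's own, and the sample lines are the two entries from the message, unwrapped to one line each.

```python
import re
from collections import Counter

# The two log entries quoted in the message, unwrapped to one line each.
SAMPLE_LOG = """\
Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
Nov 15 09:09:34 athena kernel: SFW2-IN-ILL-TARGET IN=eth0 OUT= MAC= SRC=192.168.2.15 DST=224.0.0.251 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=54
"""

# Optional "[12345.678]" covers kernels that add a printk timestamp.
ENTRY = re.compile(r"kernel:\s+(?:\[[^\]]*\]\s*)?(?P<prefix>SFW2-\S+)\s+(?P<fields>.*)$")


def parse_entry(line):
    """Return a dict for one SFW2 log line, or None if the line is not one."""
    m = ENTRY.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if not sep:
            rec["flags"].append(key)      # bare flags such as DF
        elif key not in rec:
            rec[key] = val                # LEN occurs twice; keep the IP length
    # netfilter leaves OUT= empty for packets delivered to the host itself.
    if rec.get("IN") and rec.get("OUT"):
        rec["path"] = "forward"
    elif rec.get("IN"):
        rec["path"] = "input"
    else:
        rec["path"] = "output"
    return rec


def summarize(text):
    """Count logged packets by (prefix, path, source, protocol, dest port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_entry(line)
        if rec:
            counts[(rec["prefix"], rec["path"], rec.get("SRC"),
                    rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```
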