Masquerading under Kernel 2.4
Hi folks,
I seem to have a problem with getting my LAN into the net. I've set up a new 7.3-system (Kernel 2.4) which should act as a router/proxy/firewall between the LAN and the internet (I don't like my users surfing in the net directly *g*). My own workstation should be able to connect to the net directly while the rest of the LAN has to use squid, so I have to activate Masquerading. But this won't work. I normally use:
ipchains -P forward MASQ
ipchains -A forward -s 192.168.0.110 -j MASQ
But this won't work anymore. Is there a new syntax for it ?
Second problem is, when opening a connection (ADSL) with rp-pppoed the connection is done, I get my dynamic IP, but can't connect to any host in the net. When trying a ping, I get "connection error" (or failure ? Don't know exactly as I'm at home again). I did everything as usually (adsl-setup, typing in the correct information, adsl-start) but there is some problem. As I said, the connection is "opened" and my dynIP is also given, but nothing else. Also traceroute won't work (lots of *, that's all). Routing seems to be okay (default 0.0.0.0 0.0.0.0 eth1, which is the network-card connected to the DSL-modem).
Any hint, also if only an URL where I can find the infos, is greatly appreciated.
... First tries with Kernel 2.4 and nothing works :-) ...
thx. Stephan
yes, many changes in the last years ;-)
no connection, try: http://sdb.suse.de/de/sdb/html/thallma_smpppd_start.html
ipchains is valid for Kernel 2.2. For the 2.4 series you need iptables. When you need a fast solution without firewall(!) read: http://bolug.uni-bonn.de/wissen/masquerading.html
greetings harald
On Monday, 7 January 2002 15:11, OKDesign oHG Security Administrator wrote:
Hi folks,
I seem to have a problem with getting my LAN into the net. I've set up a new 7.3-system (Kernel 2.4) which should act as a router/proxy/firewall between the LAN and the internet (I don't like my users surfing in the net directly *g*). My own workstation should be able to connect to the net directly while the rest of the LAN has to use squid, so I have to activate Masquerading. But this won't work. I normally use:
ipchains -P forward MASQ
ipchains -A forward -s 192.168.0.110 -j MASQ
But this won't work anymore. Is there a new syntax for it ?
Second problem is, when opening a connection (ADSL) with rp-pppoed the connection is done, I get my dynamic IP, but can't connect to any host in the net. When trying a ping, I get "connection error" (or failure ? Don't know exactly as I'm at home again). I did everything as usually (adsl-setup, typing in the correct information, adsl-start) but there is some problem. As I said, the connection is "opened" and my dynIP is also given, but nothing else. Also traceroute won't work (lots of *, that's all). Routing seems to be okay (default 0.0.0.0 0.0.0.0 eth1, which is the network-card connected to the DSL-modem).
Any hint, also if only an URL where I can find the infos, is greatly appreciated.
... First tries with Kernel 2.4 and nothing works :-) ...
thx. Stephan
Hi,
On 7 Jan 2002 at 15:26, Harald Nikolisin wrote:
ipchains is valid for Kernel 2.2. For the 2.4 series you need iptables. When you need a fast solution without firewall(!) read:
there is also an ipchains compatibility option in the 2.4.x kernels. I do not know if they are set up by default, you might wish to try something like "insmod ipchains" to load the module and then just use the old ipchains rules.
HTH mike
Stephan,
you may also read an introduction to iptables and other articles at http://www.fruehbrodt.org/artikel/netfilter.html
BTW, you can use ipchains even with the kernel 2.4. series. I wouldn't recommend this since iptables is much easier to configure and it supports connection tracking, flexible SNAT, DNAT, Masquerading, Logging etc. etc.
I seem to have a problem with getting my LAN into the net. I've set up a new 7.3-system (Kernel 2.4) which should act as a router/proxy/firewall between the LAN and the internet (I don't like my
--
Jörg Frühbrodt
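The setup asked about in this thread (one workstation masqueraded, the rest of the LAN left to the proxy), written as kernel 2.4 iptables rules. This is an added example, not part of any message in the thread; the interface names ppp0 (PPPoE uplink) and eth0 (LAN side) are assumptions, and the script only prints the rules unless it is called with "apply".

```shell
#!/bin/sh
# Added example: kernel 2.4 netfilter rules for the setup in the thread.
# Assumed names: ppp0 = PPPoE uplink, eth0 = LAN side; 192.168.0.110 is the
# workstation address from the original post.

# Succeeds only for a dotted-quad IPv4 address with octets 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Print the rule set. Usage: masq_rules WAN_IF LAN_IF DIRECT_HOST
masq_rules() {
    wan=$1 lan=$2 host=$3
    is_ipv4 "$host" || { echo "bad host address: $host" >&2; return 1; }
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $host -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $host -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $host -j MASQUERADE
EOF
}

# "apply" loads the rules (needs root) and then enables forwarding;
# any other invocation is a dry run that just prints them.
if [ "${1:-}" = apply ]; then
    masq_rules ppp0 eth0 192.168.0.110 | sh -e &&
        echo 1 > /proc/sys/net/ipv4/ip_forward
else
    masq_rules ppp0 eth0 192.168.0.110
fi
```

With the FORWARD policy set to DROP, hosts other than 192.168.0.110 are not routed at all and can only reach the outside through the proxy running on the router itself; the state match lets replies back in without opening the workstation to new inbound connections.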
On Mon, 7 Jan 2002, Harald Nikolisin wrote:
On Monday, 7 January 2002 15:11, OKDesign oHG Security Administrator wrote:
Hi folks,
But this won't work anymore. Is there a new syntax for it ?
Second problem is, when opening a connection (ADSL) with rp-pppoed the connection is done, I get my dynamic IP, but can't connect to any host in the net. When trying a ping, I get "connection error" (or failure ? Don't know exactly as I'm at home again). I did everything as usually (adsl-setup, typing in the correct information, adsl-start) but there is some problem. As I said, the connection is "opened" and my dynIP is also given, but nothing else. Also traceroute won't work (lots of *, that's all). Routing seems to be okay (default 0.0.0.0 0.0.0.0 eth1, which is the network-card connected to the DSL-modem).
on upgrading from 6.2 to 7.2 two problems arose: (pptp is still the previous one, kernel 2.2.19)
1. pppd did not take the ip address
ifconfig
ppp0 Protokoll:Punkt-zu-Punkt Verbindung inet Adresse:10.0.0.140 P-z-P:212.152.144.1 Maske:255.255.255.255
10.0.0.140 is wrong, the other one is the provider's gateway (i think so)
etc/ppp/options needed the entry "ipcp-accept-local" to get a real ip addr accepted. (actually i also specified "ipcp-accept-remote" but this should not be necessary.)
2. ifconfig respects the locale and SuSEfirewall checks for "addr:10.1.2.3" to get an interfaces ip address. which obviously does not work. It should work when started by root (might also fail if ROOT_USES_LANG=yes)
this is for SuSEfirewall 4.5 and 4.6 maybe marc has already fixed it. (maybe "unset $(locale|sed 's/=.*$//')" would do it.)
cheers
--
BINGO: next-generation Outsourcing
--- Engelbert Gruber ----=~
SSG Fintl,Gruber,Lassnig
A6410 Telfs Untermarkt 9
Tel. ++43-5262-64727 ----=~
On Monday 07 January 2002 14:11, you wrote:
I seem to have a problem with getting my LAN into the net. I've set up a new 7.3-system (Kernel 2.4) which should act as a router/proxy/firewall between the LAN and the internet (I don't like my users surfing in the net directly *g*). My own workstation should be able to connect to the net directly while the rest of the LAN has to use squid, so I have to activate Masquerading. But this won't work. I normally use:
ipchains -P forward MASQ
ipchains -A forward -s 192.168.0.110 -j MASQ
But this won't work anymore. Is there a new syntax for it ?
Yes! But if your users use squid you do not need to masquerade. Force them to use the squid proxy cache! Check out the squid docs, on how to automate the proxy settings for Nutscrape and Internet Exploiter. Then go to google.com/linux and search for 'netfilter iptables' and read a tutorial on it, you won't look back once you've got the hang of it, it's an improvement on ipchains in most respects. Rob
Second problem is, when opening a connection (ADSL) with rp-pppoed the connection is done, I get my dynamic IP, but can't connect to any host in
No idea on this one, but maybe check that 'dynamic IP patch' is set in /etc/rc.config, and that the IP's given the interfaces don't clash with your internal network.
#
# Do you want the "dynamic IP patch" to be enabled at bootup? (yes/no)
#
IP_DYNIP="yes"
Rob
participants (6)
- engelbert.gruber@ssg.co.at
- Harald Nikolisin
- Jörg Frühbrodt
- OKDesign oHG Security Administrator
- Robert Davies
- Thomas Michael Wanka