On Monday 14 November 2005 18:16, Darryl Gregorash wrote:
On 11/14/2005 09:40 AM, Peter A. Taylor wrote:
I got simple masquerading working under SuSE 9.3 (sharing a modem), but I can't get it working under SuSE 10.0 . I can ping and ftp within my internal network, but the internal network can't see the internet. Has anything relevant changed between 9.3 and 10.0, or am I doing something stupid? Any ideas? Where do I look for clues?
Depending on how much firewall logging you've turned on, you might be able to find some hints in /var/log/firewall.
Short version: "ifup eth0" tells me my default route is unreachable, but I don't understand why.

Update: Now I'm really confused. I get the same error message from "ifup eth0" under SuSE 9.3, but masquerade works anyway. Under 10.0, my wife can't ping our ISP's ftp server via masquerade, but she at least seems to resolve the server's name.

Long version: In /var/log/firewall, I get stuff like the following (192.168.2.15 is my "athena" box with the modem. 192.168.2.20 is my wife's "isis", to which I want to give internet access. 192.168.2.1 is an SMC router.):

Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
Nov 15 09:05:54 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=207.46.2.31 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=33122 DF PROTO=TCP SPT=1415 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov 15 09:09:34 athena kernel: SFW2-IN-ILL-TARGET IN=eth0 OUT= MAC= SRC=192.168.2.15 DST=224.0.0.251 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=54
The firewall configuration variables are all stored in /etc/sysconfig/SuSEfirewall2.
egrep "^[^#]" /etc/sysconfig/SuSEfirewall2
Very nice. Thank you. I've added that to my crib sheet. :-) I will post the full output below, but the short version is that I did this to both the 9.3 and 10.0 SuSEfirewall2 files, sorted the output, and ran "diff". The result ("<" is 9.3, ">" is 10.0):

2,4c2,4
< FW_ALLOW_FW_BROADCAST_DMZ="no"
< FW_ALLOW_FW_BROADCAST_EXT="no"
< FW_ALLOW_FW_BROADCAST_INT="no"
---
> FW_ALLOW_FW_BROADCAST_DMZ=""
> FW_ALLOW_FW_BROADCAST_EXT=""
> FW_ALLOW_FW_BROADCAST_INT=""
24a25
> FW_LOAD_MODULES=""
37c38
< FW_ROUTE="yes" # PAT 11-1-2005.
---
> FW_ROUTE="yes"
54a56
> FW_USE_IPTABLES_BATCH=""
I "diff"ed some other files, too:

/etc/host.conf identical
/etc/hosts identical
/etc/hosts.allow identical
/etc/hosts.deny identical
/etc/sysconfig/sysctl identical
/etc/sysconfig/network/routes identical
/etc/sysconfig/network/ifcfg-modem0 identical
/etc/sysconfig/network/ifcfg-eth-id-00:07:95:37:98:b7:

2c2
< BROADCAST='192.168.2.255'
---
> BROADCAST=''
7c7
< NETWORK='192.168.2.0'
---
> NETWORK=''
That looked interesting, so I renamed the 10.0 file and copied the 9.3 version ("<"), then ran "ifdown eth0" and "ifup eth0". Here's what I got:

athena:/etc/sysconfig/network # ifup eth0
    eth0      device: Silicon Integrated Systems [SiS] SiS900 PCI Fast Ethernet (rev 90)
    eth0      configuration: eth-id-00:07:95:37:98:b7
ERROR: Warning: Could not set up default route via interface
  Command ip route replace to default via 192.168.2.1 returned:
  . RTNETLINK answers: Network is unreachable
  Configuration line: default 192.168.2.1 - -
  This needs NOT to be AN ERROR if you set up multiple interfaces.
  See man 5 routes how to avoid this warning.

But both the 9.3 and the 10.0 versions of ifcfg-eth-id-00:07:95:37:98:b7 produced the same result under 10.0 . I also compared /etc/sysconfig/network/config (egrep, sort, diff):

9d8
< FAILURE_ACTION=off
10a10
> FORCE_PERSISTENT_NAMES=yes
13c13
< IFPLUGD_OPTIONS="-f -I -u 0 -d 10"
---
> IFPLUGD_OPTIONS="-f -I"
18d17
< USE_IPV6=yes
I overlooked the FAILURE_ACTION variable, but played with the other three, which had no apparent effect. Again, /etc/sysconfig/network/routes is identical to the 9.3 version that works. I'm thoroughly confused.

Peter Taylor

PS. Here is /etc/sysconfig/network/routes:

192.168.2.0 192.168.2.1 255.255.255.0 eth-id-00:07:95:37:98:b7
default 192.168.2.1 - -

Here is the sorted output from the egrep command on the 10.0 SuSEfirewall2 file:

FW_ALLOW_CLASS_ROUTING=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_FW="yes"
FW_CUSTOMRULES=""
FW_DEV_DMZ=""
FW_DEV_EXT="modem0"
FW_DEV_INT="eth-id-00:07:95:37:98:b7"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_HTB_TUNE_DEV=""
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IPSEC_TRUST="no"
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_KERNEL_SECURITY="yes"
FW_LOAD_MODULES=""
FW_LOG=""
FW_LOG_ACCEPT_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_DROP_CRIT="yes"
FW_LOG_LIMIT=""
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INT="no"
FW_REDIRECT=""
FW_REJECT=""
FW_ROUTE="yes"
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_TRUSTED_NETS=""
FW_USE_IPTABLES_BATCH=""
FW_ZONES=""
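The /var/log/firewall entries quoted earlier in this thread are the most direct evidence of what SuSEfirewall2 is doing with the forwarded traffic: the tag "SFW2-FWDint-DROP-DEFLT" names the chain (FWDint, forwarding from the internal zone), the verdict (DROP) and the reason (DEFLT, i.e. the packet reached the chain's default drop without matching any rule). The following script is an added example, not code from the thread or from the SuSEfirewall2 package. It parses SuSEfirewall2 log lines into structured records and summarises which flows are being dropped on which interface pair, so an administrator can tell at a glance whether masquerading is failing for every flow from the internal host or only for some protocols. The three sample lines are the ones quoted in the post above; the field names and helper functions are my own.

```python
import re
from collections import Counter

# The three /var/log/firewall lines quoted earlier in this thread.
SAMPLE_LOG = """\
Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
Nov 15 09:05:54 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=207.46.2.31 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=33122 DF PROTO=TCP SPT=1415 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov 15 09:09:34 athena kernel: SFW2-IN-ILL-TARGET IN=eth0 OUT= MAC= SRC=192.168.2.15 DST=224.0.0.251 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=54
"""

# syslog prefix followed by the SuSEfirewall2 log tag, e.g. "SFW2-FWDint-DROP-DEFLT"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<tag>SFW2-\S+) (?P<rest>.*)$"
)


def parse_fields(rest):
    """Split the iptables LOG payload into key=value fields and bare flags.

    A key that repeats (LEN is logged once for the IP header and again for
    the UDP header) is stored as LEN, LEN_2, ... so nothing is overwritten.
    Bare tokens such as DF and SYN are collected as flags; the hex TCP
    options following "OPT" are attached to the OPT field.
    """
    fields = {}
    flags = []
    tokens = rest.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key in fields:
                n = 2
                while f"{key}_{n}" in fields:
                    n += 1
                key = f"{key}_{n}"
            fields[key] = value
        elif tok == "OPT" and i + 1 < len(tokens) and tokens[i + 1].startswith("("):
            fields["OPT"] = tokens[i + 1].strip("()")
            i += 1
        else:
            flags.append(tok)
        i += 1
    return fields, flags


def parse_log(text):
    """Return one record per SuSEfirewall2 line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("tag").split("-")  # ["SFW2", chain, verdict/reason...]
        fields, flags = parse_fields(m.group("rest"))
        records.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "chain": parts[1],               # FWDint, FWDext, IN, OUT, ...
            "rule": "-".join(parts[2:]),     # DROP-DEFLT, ILL-TARGET, ...
            "fields": fields,
            "flags": flags,
        })
    return records


def summarize(records):
    """Count entries per (chain, rule, in-interface, out-interface)."""
    return Counter(
        (r["chain"], r["rule"], r["fields"].get("IN", ""), r["fields"].get("OUT", ""))
        for r in records
    )


def dropped_forwards(records):
    """Flows that hit the default drop of a forwarding chain (no rule matched).

    Each entry is (src, dst, proto, dport); for a masquerading gateway these
    are exactly the internal-to-external flows that NAT should have handled.
    """
    return [
        (r["fields"]["SRC"], r["fields"]["DST"],
         r["fields"].get("PROTO", ""), r["fields"].get("DPT", ""))
        for r in records
        if r["chain"].startswith("FWD") and r["rule"].endswith("DEFLT")
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, count in summarize(recs).items():
        print(f"{count:3d}  chain={key[0]} rule={key[1]} in={key[2]} out={key[3]}")
    for flow in dropped_forwards(recs):
        print("forward dropped by default:", flow)
```

Run against the quoted lines it reports two default drops in FWDint from eth0 to modem0 (DNS to 64.243.71.82:53/UDP and a TCP SYN to 207.46.2.31:1863), both from 192.168.2.20, plus one unrelated multicast entry in the IN chain from the gateway itself. The same script can be run over the whole /var/log/firewall to check whether any flow from the internal host is ever accepted on the forwarding path; if none is, the masquerade rules are not matching the traffic at all, rather than a single service being blocked.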