problems getting masquerade to work
Have my linux box with internal+external interfaces and trying to enable masquerading so that a win-machine on the internal side (192.168.3.0/24) gets packets forwarded back and forth through the linux box. This used to work some time ago, but hasn't worked since I lost my disks yr ago last April (since restored, but not everything is working). Have a script 'masquerade' I think derived from a suse RC script that produces output like:
IPV4 Forwarding: 1
Interface fwd eth2: 1
Interface fwd eth0: 1
Interface fwd eth5: 1
Interface fwd br0: 1
Chain FORWARD (policy ACCEPT)
..running
-----
eth0+5 form an internal net 'br0'. That's the one I'm trying to forward out eth2. When I try to ping google.com from inside, I can see the packets going out of Windows toward it, but nothing coming back is seen on the linux-router (or on the client). The linux machine can ping google just fine (same addr). Are there modules that need loading that perhaps I don't have loaded? lsmod shows:
I have a bunch more modules that aren't loaded:
# modprobe
Display all 478 possibilities? (y or n)
8021q acpi_configfs acpi_extlog acpi_ipmi acpi_pad acpi_tad act_bpf act_connmark act_ctinfo act_gate act_ife act_ipt act_meta_mark act_meta_skbprio act_meta_skbtcindex act_mirred act_nat act_pedit act_police act_sample act_skbedit act_skbmod act_tunnel_key act_vlan af_packet_diag ahci ahci_platform arc4 arp_tables arpt_mangle arptable_filter asn1_decoder at24 bareudp bcache bcm-phy-lib blake2b_generic blake2s-x86_64 bonding br_netfilter broadcom btrfs cachefiles ccm chacha-x86_64 cls_basic cls_bpf cls_cgroup cls_flow cls_flower cls_fw cls_matchall cls_route cls_rsvp cls_tcindex cls_u32 configfs cpufreq_powersave cpufreq_userspace crc16 crc64 ctr curve25519-x86_64 cuse custom_method dccp dccp_diag dccp_ipv4 deflate dell-smbios dell-wmi-descriptor dell_rbu des_generic dm-clone dm-log dm-mirror dm-region-hash dm-thin-pool dm-unstripe dm-writecache dmi-sysfs dptf_power drbg drivetemp ebt_802_3 ebt_among ebt_arp ebt_arpreply ebt_dnat ebt_ip ebt_limit ebt_log ebt_mark ebt_mark_m ebt_nflog ebt_pkttype ebt_redirect ebt_snat ebt_stp ebt_vlan ebtable_broute ebtable_nat ecb edd eeprom efi-pstore efibc efivarfs efivars em_ipset em_ipt em_meta em_nbyte em_text em_u32 exfat ext4 failover fan ff-memless firewire-core firewire-ohci firewire-sbp2 fou fuse gameport gcm geneve gf128mul ghash-generic gpio-aggregator gpio-generic gre hangcheck-timer hid-kensington hid-microsoft hid-steam i2c-algo-bit i2c-dev i2c-gpio i2c-i801 i2c-isch i2c-mux i2c-mux-gpio i2c-mux-pca9541 i2c-mux-pca954x i2c-nvidia-gpu i2c-scmi i2c-smbus i5500_temp i5k_amb iTCO_wdt ifb ife input-polldev intel-wmi-sbl-fw-update intel_pch_thermal ip_gre ip_set ip_set_bitmap_ip ip_set_bitmap_ipmac ip_set_bitmap_port ip_set_hash_ip ip_set_hash_ipmac ip_set_hash_ipmark ip_set_hash_ipport ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_mac ip_set_hash_net ip_set_hash_netiface ip_set_hash_netnet ip_set_hash_netport 
ip_set_hash_netportnet ip_set_list_set ip_tunnel ip_vti ipip ipmi_poweroff ipmi_watchdog ipt_ECN ipt_REJECT ipt_SYNPROXY ipt_rpfilter iptable_mangle iptable_raw ipvlan ipvtap iscsi_boot_sysfs iscsi_ibft iscsi_target_mod iscsi_tcp isofs jbd2 jitterentropy_rng kcm kheaders kyber-iosched l2tp_core l2tp_debugfs l2tp_eth l2tp_ip l2tp_netlink ledtrig-audio libahci libahci_platform libblake2s libblake2s-generic libchacha libchacha20poly1305 libcurve25519 libcurve25519-generic libiscsi libiscsi_tcp libpoly1305 llc2 lpc_sch lz4 lz4_compress lz4hc lz4hc_compress lzo_compress macvlan macvtap matroxfb_DAC1064 matroxfb_Ti3026 matroxfb_accel matroxfb_base matroxfb_misc mbcache mei mei-me mq-deadline msdos net_failover netconsole netlink_diag nf_conncount nf_conntrack_amanda nf_conntrack_bridge nf_conntrack_broadcast nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_netbios_ns nf_conntrack_netlink nf_conntrack_pptp nf_conntrack_sane nf_conntrack_sip nf_conntrack_snmp nf_conntrack_tftp nf_dup_ipv4 nf_log_arp nf_log_common nf_log_ipv4 nf_log_netdev nf_nat_amanda nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_sip nf_nat_snmp_basic nf_nat_tftp nf_reject_ipv4 nf_socket_ipv4 nf_synproxy_core nf_tproxy_ipv4 nfnetlink_acct nfnetlink_cthelper nfnetlink_cttimeout nfnetlink_osf nlmon nls_ascii ntfs nvme nvme-core overlay p8022 parport parport_pc pci-stub pktcdvd pmbus pmbus_core poly1305-x86_64 psample psnap qemu_fw_cfg raid6_pq ramoops rapl raw_diag rds rds_tcp reed_solomon regmap-i2c rpmsg_core sch_cake sch_cbq sch_cbs sch_choke sch_codel sch_drr sch_dsmark sch_etf sch_ets sch_fq sch_fq_codel sch_fq_pie sch_gred sch_hfsc sch_hhf sch_htb sch_ingress sch_mqprio sch_multiq sch_netem sch_pie sch_plug sch_prio sch_qfq sch_red sch_sfb sch_sfq sch_skbprio sch_taprio sch_tbf sch_teql scsi_transport_iscsi scsi_transport_spi scsi_transport_srp sctp sctp_diag seqiv serport sha1_generic softdog squashfs tap target_core_file target_core_iblock target_core_mod tcp_bbr tcp_bic 
tcp_cdg tcp_cubic tcp_dctcp tcp_hybla tcp_illinois tcp_nv tcp_vegas tcp_veno tcp_westwood tcp_yeah team team_mode_roundrobin thermal timeriomem-rng ts_bm ts_fsm ts_kmp ttynull tun tunnel4 udp_diag udp_tunnel uio usb-storage usbip-core usbip-host usbtouchscreen utf8-selftest uvesafb vboxguest vboxsf veth vga16fb vgastate vhci-hcd vhost vhost_iotlb vhost_net virtio virtio-rng virtio_balloon virtio_blk virtio_console virtio_input virtio_mmio virtio_net virtio_pci virtio_ring virtio_rpmsg_bus virtio_scsi virtiofs vmw_vmci vmxnet3 vrf vxlan wacom wacom_serial4 wacom_w8001 wireguard x86_pkg_temp_thermal xor xpad xt_AUDIT xt_CHECKSUM xt_CLASSIFY xt_CT xt_DSCP xt_HL xt_HMARK xt_IDLETIMER xt_LED xt_LOG xt_MASQUERADE xt_NETMAP xt_NFLOG xt_NFQUEUE xt_RATEEST xt_REDIRECT xt_TCPMSS xt_TCPOPTSTRIP xt_TEE xt_TPROXY xt_TRACE xt_addrtype xt_bpf xt_cgroup xt_cluster xt_comment xt_connbytes xt_connlabel xt_connlimit xt_connmark xt_conntrack xt_cpu xt_dccp xt_devgroup xt_dscp xt_ecn xt_esp xt_hashlimit xt_helper xt_hl xt_ipcomp xt_iprange xt_l2tp xt_length xt_limit xt_mac xt_mark xt_multiport xt_nat xt_nfacct xt_osf xt_owner xt_physdev xt_pkttype xt_policy xt_quota xt_rateest xt_realm xt_recent xt_sctp xt_set xt_socket xt_state xt_statistic xt_string xt_tcpmss xt_time xt_u32 xxhash_generic zlib_deflate zstd_compress
----------------
My modprobe completion only shows unloaded modules. Any ideas? Thanks!
On 2021/07/11 21:21, Andrei Borzenkov wrote:
> On 11.07.2021 23:02, L A Walsh wrote:
> There are no masquerading rules.
I ended up rebooting my computer to reset the network and start a new kernel (5.13.0) -- previous kernel had been up 42 days. Anyway, I didn't notice new modules loaded with the old script, but it has to ... When I ran the script this time, 6 new modules were auto-loaded to support masquerading...
Hmm... Not sure why they didn't load prior to this, but good that the kernel is smart enough to auto-load them. Anyway, seems to be working now... that had been bugging me for a while. Maybe something changed in what triggers the kernel auto-loading modules, and 1 or more needed ones weren't auto-loading before? I'm not even sure what triggers module auto-loading in a case like this anyway (?)... but it seems to be working. Thanks for answering!
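The diagnosis in the quoted reply ("there are no masquerading rules") comes down to three things a Linux box needs before it can masquerade an internal network: `net.ipv4.ip_forward=1`, a `MASQUERADE` (or `SNAT`) rule in the nat `POSTROUTING` chain that leaves via the external interface, and a `FORWARD` chain that lets the traffic through. The script below is an added example, not code from the thread or from the poster's own 'masquerade' script; it takes the interface names (eth2 outside, 192.168.3.0/24 inside) from the original post, and the `iptables -t nat -S` and `lsmod` listings it checks against are constructed samples, not output captured from that machine.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the three things a
# Linux masquerading router needs, plus the rules that provide them.
# eth2/192.168.3.0/24 come from the original post; the rule and lsmod
# listings below are constructed samples, not real captured output.

# Constructed `iptables -t nat -S POSTROUTING` output before and after the fix.
RULES_BROKEN='-P POSTROUTING ACCEPT'
RULES_FIXED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.3.0/24 -o eth2 -j MASQUERADE'

# Constructed `lsmod` output after the MASQUERADE rule was inserted. Netfilter
# request_module()s xt_MASQUERADE and nf_conntrack when the rule goes in, so
# seeing them loaded is a consequence of the rule, not a prerequisite for it.
LSMOD_AFTER='Module                  Size  Used by
xt_MASQUERADE          16384  1
nf_conntrack          172032  2 xt_MASQUERADE,nf_nat'

# check_masq_setup IP_FORWARD EXT_IF NAT_RULES
# Prints the space-separated names of whatever is missing ("" when complete):
#   ip_forward       net.ipv4.ip_forward is not 1
#   masquerade_rule  no MASQUERADE/SNAT rule leaves via EXT_IF
check_masq_setup() {
    missing=""
    [ "$1" = "1" ] || missing="$missing ip_forward"
    printf '%s\n' "$3" | grep -E -- "-o $2 .*-j (MASQUERADE|SNAT)" >/dev/null \
        || missing="$missing masquerade_rule"
    printf '%s' "${missing# }"
}

# nat_modules_loaded LSMOD_TEXT -> exit 0 when both NAT modules show in lsmod
nat_modules_loaded() {
    printf '%s\n' "$1" | grep -q '^xt_MASQUERADE ' &&
    printf '%s\n' "$1" | grep -q '^nf_conntrack '
}

# masq_rules INT_NET EXT_IF
# Prints the commands that make the box a masquerading router. The FORWARD
# rules only matter when the FORWARD policy is DROP; the thread's box showed
# "Chain FORWARD (policy ACCEPT)", so the nat POSTROUTING rule was the gap.
masq_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE
iptables -A FORWARD -s $1 -o $2 -j ACCEPT
iptables -A FORWARD -i $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Check the live system when running as root with iptables available;
# otherwise fall back to the constructed sample so the script runs anywhere.
live_or_sample() {
    if [ "$(id -u)" = "0" ] && command -v iptables >/dev/null 2>&1; then
        fwd=$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo 0)
        rules=$(iptables -t nat -S POSTROUTING 2>/dev/null || true)
    else
        fwd=1
        rules=$RULES_BROKEN
    fi
    check_masq_setup "$fwd" eth2 "$rules"
}

missing=$(live_or_sample)
if [ -n "$missing" ]; then
    echo "missing: $missing"
    echo "rules that would provide it:"
    masq_rules 192.168.3.0/24 eth2
else
    echo "masquerading configured for eth2"
fi
```

Run as root the script inspects the real nat table and sysctl; as an ordinary user it evaluates the constructed "broken" listing and prints the rules that would repair it. The `nat_modules_loaded` check is there to make the point from later in the thread concrete: a missing `xt_MASQUERADE` or `nf_conntrack` in `lsmod` is what an absent rule looks like, not what causes it.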
On 12. 07. 21, 15:59, L A Walsh wrote:
> I'm not even sure what triggers module auto loading in a case like this anyway (?)...but it seems to be working.
Is it possible that your booted kernel was uninstalled in the meantime? The autoloading should have been always working. The netfilter core simply loads modules as needed (depending on iptables parameters). Look for request_module in net/netfilter/ kernel sources.
--
js
suse labs
On 2021/07/12 08:39, Jiri Slaby wrote:
Ahh... Then it must have been something else. Just before I took down the kernel, I tried installing various random modules that weren't loaded... upon loading 'nf_conn*' (any that started with nf_conn), the masquerading started working! Wondering what, exactly, did that, I unloaded the same pattern. Oop... network died (I was logged in remotely). Went back to server and poked a bit, and connection to my desktop machine was being troublesome, so just decided to reboot as I had a new kernel (5.13.0) I wanted to try, anyways. ... tho on that... Though the main thing I wanted to look at was my SMB xfer speed, though the test for that recently broke for no good reason that I've been able to tell (working for several years but recently stopped working due to a remote read from Windows of /dev/zero no longer producing a stream of zeros, but an immediate EOF). Very annoying. /dev/null in the same dir still works as an infinite write-sink, so it's not a dir-based limit restricting access to devices, but nothing I've tried will restore it.
participants (3)
- Andrei Borzenkov
- Jiri Slaby
- L A Walsh