trying to set up ip forwarding and masquerading...
hi,
i've tried this a number of times, and it just doesn't want to work...
this is the situation:
- my computer is acting as the router
- 2 network cards, eth0 and eth1
- eth0 connected to an adsl router, which is being used plainly as a modem (long and painful story), via pppoe as device dsl0
- eth0 gets an ip address from the router
- my router is 10.0.0.2
- my internal network uses 192.168.1.x (via dhcp)
- eth1 (internal) is 192.168.1.250
- eth0 has router's ip as its default route and ip forwarding set
- eth1 has none of those options set
- firewall has dsl0 set as external interface
- firewall has no internal interface set
none of the other computers on the network can access the internet or e-mail or anything... anyone got any ideas? am i doing something wrong?
--
Raoul Snyman
Saturn Laboratories
Web: http://www.saturnlaboratories.co.za/
E-mail: raoul.snyman@saturnlaboratories.co.za
Blog: http://blog.saturnlaboratories.co.za/
Linux User #333298 (http://counter.li.org/)
none of the other computers on the network can access the internet or e-mail or anything... anyone got any ideas? am i doing something wrong?
raoul,
i assume you CAN access the internet directly from the in-between suse box?
1. i'd make sure that routing is enabled... (echo "1" > /proc/sys/net/ipv4/ip_forward)
2. and that your firewall allows forwarding... (iptables -I FORWARD -i eth1 -j ACCEPT)
knetknight
Raoul Snyman wrote:
> i've tried this a number of times, and it just doesn't want to work...
> this is the situation:
> - my computer is acting as the router
OK
> - 2 network cards, eth0 and eth1
good
> - eth0 connected to an adsl router, which is being used plainly as a modem (long and painful story), via pppoe as device dsl0
OK
> - eth0 gets an ip address from the router
meaning adsl router I assume. Assuming this is correct, and therefore assuming the adsl router runs a dhcp server, which should not only give eth0 its IP, but also its gateway, subnet mask, and dns.
> - my router is 10.0.0.2
Meaning your computer? meaning eth0? assigned from the adsl router?
> - my internal network uses 192.168.1.x (via dhcp)
You are also running a dhcp server.
> - eth1 (internal) is 192.168.1.250
OK, you have set this in Yast, and should have configured your dhcp server to assign 192.168.1.250 as the "router", meaning the gateway for this network.
> - eth0 has router's ip as its default route and ip forwarding set
meaning adsl router's ip? ip forwarding set for the adsl router, or what do you mean here?
> - eth1 has none of those options set
no default route?
> - firewall has dsl0 set as external interface
should also have eth0
> - firewall has no internal interface set
should have eth1
> none of the other computers on the network can access the internet or e-mail or anything... anyone got any ideas? am i doing something wrong?
sounds like you haven't configured things in your firewall for masquerading. It may be clearer to distinguish your terminology since you are dealing with 2 routers. Can maybe help more with more info. What version of SuSE, as well as the above questions?
-- Joe Morris New Tribes Mission Email Address: Joe_Morris@ntm.org Registered Linux user 231871
Joe Morris (NTM) wrote:
| sounds like you haven't configured things in your firewall for
| masquerading. It may be clearer to distinguish your terminology since
| you are dealing with 2 routers. Can maybe help more with more info.
| What version of SuSE, as well as the above questions?
sorry, when i was talking of the router, i was talking only of the adsl router-modem... the adsl router has its own dhcp server, operating in the 10.x.x.x range, and the adsl router's ip address is 10.0.0.2. the adsl connection on my computer (dsl0) is set as the default gateway.
i'm using suse 9.2
-- Raoul Snyman
On Tue, 2005-04-12 at 20:59 +0200, Raoul Snyman wrote:
Joe Morris (NTM) wrote: | sounds like you haven't configured things in your firewall for | masquerading. It may be clearer to distinguish your terminology since | you are dealing with 2 routers. Can maybe help more with more info. | What version of SuSE, as well as the above questions?
sorry, when i was talking of the router, i was talking only of the adsl router-modem... the adsl router has its own dhcp server, operating in the 10.x.x.x range, and the adsl router's ip address is 10.0.0.2. the adsl connection on my computer (dsl0) is set as the default gateway. i'm using suse 9.2
Since the modem is -also- a router why not just use it and be done with it. It performs firewalling by using NAT and there is NO reason to connect to it with your linux box and use dsl0 as well.
If you want further firewall protection with the linux box just use it as a pass through device/router and eliminate the dsl0 device as it is NOT needed. This will simplify your setup a little.
local lan - 192.168.1.x
      |
linux router - 192.168.1.250 (eth1)
      |
eth0 - 10.0.0.9
      |
DSL router/modem
      |
internet
Always try to keep it as simple as possible and you will have fewer problems.
--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
Ken Schneider wrote:
| Since the modem is -also- a router why not just use it and be done with
| it. It performs firewalling by using NAT and there is NO reason to
| connect to it with your linux box and use dsl0 as well.
that's not going to work. as i said in my original post, that's a long and painful story. i'm dealing with a half-baked modem-router (from a half-baked telecoms company) that doesn't even look or do what the manual that comes with it says it does.
i'm using ppp over ethernet, hence both eth0 and dsl0 (with dsl0 using eth0).
-- Raoul Snyman
On Tue, 2005-04-12 at 21:39 +0200, Raoul Snyman wrote:
Ken Schneider wrote: | Since the modem is -also- a router why not just use it and be done with | it. It performs firewalling by using NAT and there is NO reason to | connect to it with your linux box and use dsl0 as well. that's not going to work. as i said in my original post, that's a long and painful story. i'm dealing with a half-baked modem-router (from a half-baked telecoms company) that doesn't even look or do what the manual that comes with it says it does. i'm using ppp over ethernet, hence both eth0 and dsl0 (with dsl0 using eth0).
Can you afford a Linksys router ($20-30US)? They do pppoe, it's what I have been using for four years, and dhcp amongst other things.
-- Ken Schneider
Ken Schneider wrote:
| Can you afford a Linksys router ($20-30US)? They do pppoe, it's what I
| have been using for four years, and dhcp amongst other things.
well, you see, i'm going to have to do this exact same thing again for when i get our server up and running... so why not get it right now, and have practice for when the server comes along...? ;-)
-- Raoul Snyman
On Tue, 2005-04-12 at 22:22 +0200, Raoul Snyman wrote:
Ken Schneider wrote: | Can you afford a Linksys router ($20-30US)? They do pppoe, it's what I | have been using for four years, and dhcp amongst other things.
well, you see, i'm going to have to do this exact same thing again for when i get our server up and running... so why not get it right now, and have practice for when the server comes along...? ;-)
HUH!!!
If you use the Linksys router there is -NO- need to use pppoe on the server or any other PC for that matter. It becomes the default route for all of the other networked gear. PPPOE performed by the Linksys router.
It looks like you have very little networking experience and should learn a few more basics first.
-- Ken Schneider
Ken Schneider wrote:
| HUH!!!
|
| If you use the Linksys router there is -NO- need to use pppoe on the
| server or any other PC for that matter. It becomes the default route for
| all of the other networked gear. PPPOE performed by the Linksys router.
i WANT all the internet to go through the server for various reasons. one of them is that here in south africa we have a 2 gig cap on our line and i want to see how much bandwidth each person in the network is using, so that i can be forewarned about hitting our cap.
| It looks like you have very little networking experience and should
| learn a few more basics first.
thank you for that insult.
-- Raoul Snyman
Raoul
If you cannot get any satisfaction from the list then wait a week and try again. There are many talented and helpful people on the list but often not available to help all the time. I know this to be true.
If you still cannot get any satisfaction from the list email me and we start from scratch and I will try my best to help you.
Depending upon the size of the list there is always one or two people that think helping someone means putting them through the same hardships of learning that they encountered. This is a fairly common thing. It never occurs to them that we all build on the experience of others. There is no shame in not knowing something. The shame is when someone knows something they are unwilling to share. This is strange behavior in the domain of Open and Free Software built by people who could support and collaborate with one another. Even the most brilliant and knowledgeable person has missing links of information.
So don't let the insults take a toll on you. Don't give up. You have every right to ask any kind of SuSE related question especially if it relates to configuration issues.
BTW. There are several ways you can go and some distributions (and I think SuSE 9.1 forward is one) do not allow the joint use of IP TABLES with IP CHAINS -- it has to be one or the other or conflicts develop -- when configuring the routing and firewalling of the network. But I would have to check this out to be sure.
What you need is someone to give you copies of their appropriate config files and associated cmd line displays of network commands such as route, ifconfig, etc. It seems for some reason, the need for clear and relevant examples would be more commonplace but sadly not so.
Every list has a few people that are so proud of their own achievements and technical skills that they find difficulty in really helping others attain to that achievement. Maybe they just get frustrated -- but that's no excuse to insult someone who is obviously trying.
I don't know what they are really doing on a list such as this if they are not prepared to help everyone they can with what they have learned. If they cannot be respectful of others the least they can do is keep their mouthy attitudes to themselves.
Thanks, TED
Raoul Snyman wrote:
Ken Schneider wrote: | HUH!!! | | If you use the Linksys router there is -NO- need to use pppoe on the | server or any other PC for that matter. It becomes the default route for | all of the other networked gear. PPPOE performed by the Linksys router. i WANT all the internet to go through the server for various reasons. one of them is that here in south africa we have a 2 gig cap on our line and i want to see how much bandwidth each person in the network is using, so that i can be forewarned about hitting our cap.
| It looks like you have very little networking experience and should | learn a few more basics first. thank you for that insult.
On Wed, 2005-04-13 at 16:16 -0600, Ted Hilts wrote:
Raoul
If you cannot get any satisfaction from the list then wait a week and try again. There are many talented and helpful people on the list but often not available to help all the time. I know this to be true.
If you still cannot get any satisfaction from the list email me and we start from scratch and I will try my best to help you.
And why did you wait until now to offer help and your own sarcasm? I was at least offering alternative methods of him getting his network up and running.
Raoul Snyman wrote:
Ken Schneider wrote: | HUH!!! | | If you use the Linksys router there is -NO- need to use pppoe on the | server or any other PC for that matter. It becomes the default route for | all of the other networked gear. PPPOE performed by the Linksys router. i WANT all the internet to go through the server for various reasons. one of them is that here in south africa we have a 2 gig cap on our line and i want to see how much bandwidth each person in the network is using, so that i can be forewarned about hitting our cap.
| It looks like you have very little networking experience and should | learn a few more basics first. thank you for that insult.
This was not meant as an insult. It was meant that more experience is needed before getting this deep into what you want to accomplish. It is far better to know what is being done than just someone telling you to click this and edit that without knowing the consequences and how to recover. You don't start to learn how to change the oil in an engine by first dis-assembling the engine.
The best method for having all internet access go through a server is to set a proxy server which you can further setup to control access hours and more. The Linksys router can be setup to restrict all access except what you allow (hint - proxy server, network admin) forcing all others to use a proxy server.
-- Ken Schneider
i've got it working thanks.
-- Raoul Snyman
Raoul Snyman wrote:
i've got it working thanks.
Care to tell how and what you got working? (^-^)
If you used my little script you should be aware that apart from the network address translation there are no security features at all. The script was only meant to use as a test, bypassing the firewall rules of the SuseFirewall2.
For a productive use you definitely need to add the according security rules.
Sandy
Raoul Snyman wrote:
none of the other computers on the network can access the internet or e-mail or anything... anyone got any ideas? am i doing something wrong?
My best advice is: "Keep it simple and do it step-by-step". Before you try any services like mail or www try a simple ping.
I assume you can access the internet from your router. If so then there is a problem with your route or your set of firewall rules.
Effectively you are trying to route the traffic of your 192.x.x.x network to your 10.x.x.x network. Then you want your dsl router to masquerade your traffic and connect to the internet?
Step-by-step:
1 - Can you ping the internal ip 192.168.1.250 of your router from a client?
2 - Can you ping the external ip 10.0.0.2 of your router from a client?
3 - Can you ping the ip of an internet host like 193.99.144.85?
4 - Can you resolve dns names? ping www.heise.de?
If you don't get to step 3 please post the result of the following commands (from a client and the router):
ifconfig
route -n
cat /etc/resolv.conf
iptables -t nat -n -v -L   # (only the router)
Sandy
| If you don't get to step 3 please post the result of the following
| commands (from a client and the router):
|
| ifconfig
ghana:~ # ifconfig
dsl0      Link encap:Point-to-Point Protocol
          inet addr:165.146.166.47  P-t-P:165.146.128.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:961 errors:0 dropped:0 overruns:0 frame:0
          TX packets:908 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:400239 (390.8 Kb)  TX bytes:119748 (116.9 Kb)
eth0      Link encap:Ethernet  HWaddr 00:11:09:92:FE:D8
          inet addr:10.0.0.9  Bcast:255.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::211:9ff:fe92:fed8/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1013 errors:0 dropped:0 overruns:0 frame:0
          TX packets:988 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:425549 (415.5 Kb)  TX bytes:145802 (142.3 Kb)
          Interrupt:10
eth1      Link encap:Ethernet  HWaddr 00:02:44:5A:82:83
          inet addr:192.168.1.250  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::202:44ff:fe5a:8283/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:70 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4797 (4.6 Kb)  TX bytes:4709 (4.5 Kb)
          Interrupt:5 Base address:0xc000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:804 errors:0 dropped:0 overruns:0 frame:0
          TX packets:804 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:48336 (47.2 Kb)  TX bytes:48336 (47.2 Kb)
| route -n
ghana:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
165.146.128.1   0.0.0.0         255.255.255.255 UH    0      0        0 dsl0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         165.146.128.1   0.0.0.0         UG    0      0        0 dsl0
| cat /etc/resolv.conf
### BEGIN INFO
#
# Modified_by: pppd
# Backup: /etc/resolv.conf.saved.by.pppd.dsl0
# Process: pppd
# Process_id: 4182
# Script: /etc/ppp/ip-up
# Saveto:
# Info: This is a temporary resolv.conf created by service pppd.
# The previous file has been saved and will be restored later.
#
# If you don't like your resolv.conf to be changed, you
# can set MODIFY_{RESOLV,NAMED}_CONF_DYNAMICALLY=no. This
# variables are placed in /etc/sysconfig/network/config.
#
# You can also configure service pppd not to modify it.
#
# If you do not want the pppd to change your nameserver
# settings set MODIFYDNS=no in the config file for
# this provider in /etc/sysconfig/network/providers/
# and ensure that the option usepeerdns is not set
# in /etc/ppp/options.
#
### END INFO
search worldviewafrica.org
nameserver 196.25.255.34
nameserver 196.25.255.3
| iptables -t nat -n -v -L # (only the router)
ghana:~ # iptables -t nat -n -v -L
Chain PREROUTING (policy ACCEPT 127 packets, 7408 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       192.168.1.0/24       0.0.0.0/0           tcp dpt:80 redir ports 6588
    0     0 REDIRECT   tcp  --  *      *       192.168.1.0/24       0.0.0.0/0           tcp dpt:443 redir ports 6588
Chain POSTROUTING (policy ACCEPT 99 packets, 7214 bytes)
 pkts bytes target     prot opt in     out     source               destination
   58  2648 MASQUERADE  all  --  *      dsl0    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
-- Raoul Snyman
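The two outputs that matter most for this setup, route -n and the nat table, can be cross-checked mechanically: masquerading only helps if it is applied on the interface that carries the default route (dsl0 here, not eth0). This is an added example, not something posted to the list; the sample text is constructed from the output above and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check that the interface carrying the
# default route is also the one being masqueraded.
# Sample input, constructed from the router output posted above.
ROUTES='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
165.146.128.1   0.0.0.0         255.255.255.255 UH    0      0     0 dsl0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0     0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0     0 eth0
0.0.0.0         165.146.128.1   0.0.0.0         UG    0      0     0 dsl0'

NAT='Chain PREROUTING (policy ACCEPT 127 packets, 7408 bytes)
 pkts bytes target     prot opt in  out   source          destination
    0     0 REDIRECT   tcp  --  *   *     192.168.1.0/24  0.0.0.0/0  tcp dpt:80 redir ports 6588
Chain POSTROUTING (policy ACCEPT 99 packets, 7214 bytes)
 pkts bytes target     prot opt in  out   source          destination
   58  2648 MASQUERADE all  --  *   dsl0  0.0.0.0/0       0.0.0.0/0'

# Interface of the default route: Destination and Genmask are both 0.0.0.0.
default_iface() {
    printf '%s\n' "$1" |
        awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8; exit }'
}

# Outgoing interfaces with a MASQUERADE rule, POSTROUTING chain only.
# Columns of "iptables -n -v -L": pkts bytes target prot opt in out ...
masq_ifaces() {
    printf '%s\n' "$1" | awk '
        /^Chain / { in_post = ($2 == "POSTROUTING"); next }
        in_post && $3 == "MASQUERADE" { print $7 }' | sort -u
}

# check_nat ROUTE_TEXT NAT_TEXT: prints a verdict, returns 0 only when
# traffic leaving via the default route is masqueraded.
check_nat() {
    gw_if=$(default_iface "$1")
    if [ -z "$gw_if" ]; then
        echo "FAIL: no default route"
        return 1
    fi
    # An out interface of "*" means the rule applies to every interface.
    if masq_ifaces "$2" | grep -qxF -e "$gw_if" -e '*'; then
        echo "OK: traffic leaving via $gw_if is masqueraded"
    else
        echo "FAIL: default route uses $gw_if, MASQUERADE is on: $(masq_ifaces "$2" | tr '\n' ' ')"
        return 1
    fi
}

# Run against the sample; on a live router pass the real command output:
#   check_nat "$(route -n)" "$(iptables -t nat -n -v -L)"
check_nat "$ROUTES" "$NAT"
```
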
Raoul Snyman wrote:
| route -n
ghana:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
165.146.128.1   0.0.0.0         255.255.255.255 UH    0      0        0 dsl0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         165.146.128.1   0.0.0.0         UG    0      0        0 dsl0
Okay, that does seem to be correct. So, your 10.0.0.2 interface is actually an unused interface connected to no network at all. (^-^)
| cat /etc/resolv.conf
### BEGIN INFO
#
# Modified_by: pppd
# Backup: /etc/resolv.conf.saved.by.pppd.dsl0
# Process: pppd
# Process_id: 4182
# Script: /etc/ppp/ip-up
# Saveto:
#
### END INFO
search worldviewafrica.org
nameserver 196.25.255.34
nameserver 196.25.255.3
That one looks good also. Have you checked if your clients also have that nameserver? Or did you set up a local nameserver on your router?
| iptables -t nat -n -v -L # (only the router)
Chain POSTROUTING (policy ACCEPT 99 packets, 7214 bytes)
 pkts bytes target     prot opt in     out     source               destination
   58  2648 MASQUERADE  all  --  *      dsl0    0.0.0.0/0            0.0.0.0/0
This seems to indicate that you did set up masquerading. Strange.
Okay, so let's start with one of your clients. Please set them up to have the same nameserver as the one in your router. The default gateway of your clients should be the internal ip of your router.
/etc/resolv.conf
search worldviewafrica.org
nameserver 196.25.255.34
nameserver 196.25.255.3
default gateway: 192.168.1.250
Please check that you did actually set the correct gateway with the route -n output! If your client still can not ping to the internet, there is nothing left to try on the client side.
If that doesn't work you need to set up the most simple masquerading rules possible:
- deactivate and shut down the Susefirewall
- reboot the router
- execute the script below (after you are connected to the internet)
masquerade.sh:
# Forwarding activated
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerading
iptables -A POSTROUTING -t nat -o dsl0 -j MASQUERADE
# Forwarding
iptables -A FORWARD -i eth1 -o dsl0 -j ACCEPT
Sandy
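Sandy's follow-up in this thread points out that masquerade.sh was only a test and contains no filtering. The sketch below is an added example, not Sandy's script or anything posted to the list: the same NAT setup with a default-drop FORWARD chain. The interface names and 192.168.1.0/24 come from the thread; the RUN dry-run switch and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): masquerade.sh with forwarding rules
# that only let the LAN open connections. Covers forwarded traffic only;
# the router's own INPUT chain is not touched here.
LAN_IF=eth1              # internal interface, as in the thread
WAN_IF=dsl0              # PPPoE interface that carries the default route
LAN_NET=192.168.1.0/24   # internal range, as in the thread

# Dry run by default: commands are printed, not executed.
# To apply the rules, run as root with RUN set to empty:  RUN= sh thisfile
RUN=${RUN-echo}

gateway_rules() {
    # Nothing is forwarded unless a rule below allows it.
    $RUN iptables -P FORWARD DROP
    $RUN iptables -F FORWARD
    $RUN iptables -t nat -F POSTROUTING

    # Replies to connections opened from the LAN are let back in.
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound traffic must enter on the LAN interface with a LAN source.
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Rewrite only LAN sources, and only on the PPPoE link.
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Turn routing on last, once the filter is in place.
    $RUN sysctl -w net.ipv4.ip_forward=1
}

gateway_rules
```

Compared with the test script, traffic arriving on dsl0 is forwarded only when it belongs to a connection a LAN host started, and forwarding is enabled only after the rules are loaded.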
make this script which I call /bin/route.sh
#!/bin/sh
PATH=/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome2/bin:/opt/gnome/bin:/opt/kde3/bin:/opt/kde2/bin:/usr/openwin/bin:/usr/lib/java/bin:/opt/gnome/bin
export PATH
/sbin/route add -net 127.0.0.0
/sbin/route add -host 10.0.0.5 dev eth0 #use your internal ethernet IP address
/sbin/route add -net 10.0.0.0 netmask 255.255.255.0 dev eth0 #use your internal network
/sbin/route add default gw 64.97.122.137 dev eth1 #use your external address
/sbin/route add 10.0.0.0 gw 10.0.0.5 dev eth1 #gateway for your internal setup
## MASQUERADING Rule ##
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Add it to /etc/rc.d/network
--
__________________________
Brooklyn Linux Solutions
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://fairuse.nylxs.com
http://www.mrbrklyn.com - Consulting
http://www.inns.net <-- Happy Clients
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive or stories and articles from around the net
http://www2.mrbrklyn.com/downtown.html - See the New Downtown Brooklyn....
participants (7)
- Joe Morris (NTM)
- Ken Schneider
- mb1-knetdome
- Raoul Snyman
- Ruben Safir Secretary NYLXS
- Sandy Drobic
- Ted Hilts