IP Masquerading
Darrell Dieringer
netfilter@darrelldieringer.com
Mon, 2 Jul 2001 13:16:19 -0500
While it's not working, what does tcpdump tell you about the traffic on both
eth0 and eth1?
tcpdump -nnp -i eth0
I had a problem similar to this that I believe was a hardware / driver
problem. I wasn't sure if it had to do with a certain length of time or a
certain amount of traffic (ie 25KB), the network card with the problem
simply stopped listening to anything.
To test the problem, I had the suspect card (an ISA Intel EtherExpress Pro
10+ using eepro driver) serving the internal private LAN (eth1). I made one
of the private internal boxes ping another private internal box, and
verified with tcpdump (in promiscuous mode) that those packets were being
seen by eth1 (all private LAN machines are on the same hub - not switched).
Then, I made the masquerading break. (For me, it was just the opposite of
your problem - I could check mail all I wanted from the internal machines,
but web surfing broke almost immediately.) At the same time, tcpdump
stopped detecting the ping packets between the other two LAN machines, nor
anything else, even though the internal machines were quite successfully
pinging away.
However, web requests (and all other internet activity) worked properly
directly from the firewall / masquerader.
I couldn't consistently get the masquerading to work again, though sometimes
it would work in the brief fashion I described above after restarting
networking on the firewall / masquerader (bringing both eth0 and eth1 down
and then up again).
So, I ditched the ISA card and got another PCI card to go with the PCI card
I was already running quite happily as eth0 (connected to a cable modem,
much like you).
I'd like to say that fixed the problem, but unfortunately, it hasn't.
Though my previous problem hasn't returned, I now can't get masquerading to
work at all. *sigh* I'm puzzled, but I haven't exhausted all my options
yet.
I can get each card to participate properly on its network (eth0 - an Intel
EtherExpress Pro 100 using eepro100 - on its real IP from my ISP, and eth1 -
a Linksys NC100 using tulip - on the private LAN), but I can't get the
masqueraded packets from eth1 to go out eth0. *bigger sigh* The routing is
the same as when I was using the aforementioned ISA card as eth1 - when I
was achieving limited success.
I have a wide open firewall script for the moment as well. It is much the
same as yours, with the exception of the following additional lines...
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
I really replied just to commiserate since the only solution I can propose
didn't really fix my problem, it just gave me a new one to solve. Advice
from anyone is quite welcome.
Anyway, good luck to you as well.
Darrell
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of THamTech
Sent: Saturday, June 30, 2001 2:32 AM
To: netfilter@lists.samba.org
Subject: IP Masquerading
Hi
I had it working --partially. I could ping my external ip address from
an internal network machine. I could ping www.internic.net from an internal
network machine, for that matter. I could surf the web, use Yahoo
messenger, etc. But when I tried to check my email, I could not. The Linux
system just stopped forwarding or masquerading altogether, because after I
attempted to check my email, I could no longer even ping the external IP.
Nor do anything else on the internet, for that matter (from an internally
masq'd machine). The connection directly from the linux box continued to
work just fine. But wait, it gets even weirder (well, maybe not to all you
Linux gurus out there, but it seemed weird to me). After several minutes
of nothing, it just begins to work again. All of a sudden, I can ping the
external ip from inside the network. I can surf the web, get on yahoo
messenger, etc. BUT, I go to check my email, and the same thing happens all
over again. --??????????
My iptables are setup as follows (very simple):
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(eth0 is my external interface, connected to the cable modem..........)
....and no, my email servers aren't down. I can switch over to my previous
routing/firewall system, and everything works fine.
As you can tell, I'm not too concerned with security at this point. I'll
get to that later, once I get it to masquerade properly. Then I'll plug it
up good.
So, in summary, masquerading seems to be working fine, until I try to
check my email (or send email). Masquerading stops for a short time. Then
seems to start back up on its own. I appreciate any comments or suggestions
(or questions, if you need to ask...).
Sorry it's so long.....
Thanks!!
Tyler
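Added example, not from either message in this thread: Tyler's script leaves
every chain at ACCEPT, so anything the cable modem delivers is forwarded into
the LAN. The script below sets up the same masquerading with a default-deny
FORWARD chain, and adds the check both posts skip: forwarding only happens if
/proc/sys/net/ipv4/ip_forward is 1, which distributions of that era did not
enable by default. Interface names eth0/eth1 follow the thread; the state
match module, the MASQ_APPLY switch and the function names are assumptions of
this example. Without MASQ_APPLY=1 it only prints the rules for review.

```shell
#!/bin/sh
# Added example (not code from the thread): masquerading with a
# default-deny FORWARD chain, plus the pre-tcpdump sanity checks.
# eth0 = external (cable modem), eth1 = private LAN, as in the thread.

# Print the ruleset for external interface $1 and internal interface $2.
# Printing instead of executing lets the rules be reviewed without root;
# apply is done below via "sh -e" when MASQ_APPLY=1.
build_rules() {
    ext="$1"; int="$2"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i $int -o $ext -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
EOF
}

# Return 0 if the kernel will forward packets at all, 1 if forwarding is
# off, 2 if the sysctl file is not readable (not Linux, or no /proc).
forwarding_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Print the commands to run while the LAN side is "dead". The -v counters
# show which rule last saw a packet: if the FORWARD counter rises but the
# POSTROUTING one does not, the packet was routed but never masqueraded;
# if neither moves, the packet never arrived on $2 (then tcpdump there).
diag_commands() {
    ext="$1"; int="$2"
    cat <<EOF
cat /proc/sys/net/ipv4/ip_forward
iptables -L FORWARD -v -n
iptables -t nat -L POSTROUTING -v -n
tcpdump -nnp -i $int
tcpdump -nnp -i $ext
EOF
}

EXT="${EXT:-eth0}"; INT="${INT:-eth1}"

if [ "${MASQ_APPLY:-0}" = "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "need root to apply rules" >&2; exit 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules "$EXT" "$INT" | sh -e
else
    build_rules "$EXT" "$INT"
    if ! forwarding_enabled; then
        echo "# note: ip_forward is not 1 here; masquerading cannot work until it is" >&2
    fi
fi
```

Run it once without arguments to see the rules, then "MASQ_APPLY=1 ./masq.sh"
as root to load them; the diag_commands function prints the checks to run
while the LAN is in its broken state. An INPUT policy of ACCEPT is kept only
because the thread's scripts use it; on a real border box it should also be
DROP with explicit exceptions.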