# IPMasq -- no errors, but not working

## HashBrown

Hi...

I'm having a peculiar problem.

The first time I set up IPMasq I got all sorts of version conflicts between my kernel and iptables.. so I updated both (I'm using the vanilla source now).  So I went through the HOWTO again, and followed everything step by step and now everything seems to work.  I get no errors, but my internet connection isn't shared!

I have tried a multitude of firewall scripts.. and I tried all sorts of suggestions from #gentoo on irc.openprojects.net... but nothing works.

My client PCs can ping my server's internal IP, external IP, and external gateway.. my server PC can ping the internal IPs (server and client) and its external gateway, but no external IPs (such as www.google.com's IP).

I don't know if all this info I've supplied will help... but i guess it can't hurt.

Has anyone encountered this kind of problem?  Does anyone know of any solutions?

(more info:

eth0 -- ne2kpci -- external static IP

eth1 -- 8139too -- internal IP -- 192.168.0.1

)

----------

## autoxv6

flush all your rules

just run this to make sure you can do basic masq

```
# the -s network must match the LAN behind the internal interface (192.168.0.0/24 in the original post)
iptables -t nat -A POSTROUTING -s 10.0.0.0/25 -o eth0 -j MASQUERADE
```

You might be blocking certain traffic you don't think you are. Make sure forwarding is on.

----------

## HashBrown

I followed the suggestions above.. and they didn't work.

ipv4 forwarding is enabled.

i think this is a hardware problem with my motherboard.. it seems to work fine with one ethernet card, but as soon as I start using two, it jimmies up.

----------

## panserg

 *autoxv6 wrote:*   

> flush all your rules
> 
> just run this to make sure you can do basic masq
> 
> iptables -t nat -A POSTROUTING -s 10.0.0.0/25 -o eth0 -j MASQUERADE
> ...

 

And if doesn't work after that - what would be the next step to investigate the problem?

P.S. I have the same problem. Everything besides masq works fine in iptables. The ipt_MASQUERADE module is loaded. iptables has been compiled with the current kernel. No error messages from the -j MASQUERADE commands: iptables just ignores them silently.

----------

## axxackall

Hmm, same problem here...

Does anyone know why iptables would silently accept `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` and even show it in `iptables -L -t nat`, but with no trace of possible routing from inside to outside? I even tried to flush all rules and try only the masquerading ones - nothing.

The search in all gentoo forums and other linux mailing lists (as well as all versions of the netfilter docs) shows that all needed kernel modules are loaded, all needed files in /proc/ipv4 have their "1", route tables are ok, iptables re-emerged, all other rules in iptables (in, out, icmp, ftp) work just perfectly fine, connections from the firewall host go everywhere fine if allowed, connections to the firewall host go fine if allowed, proxy (like squid) services work fine if allowed. But MASQUERADE doesn't work. Why?

Just give some advice on where to dig, please.

----------

## panserg

Bumping, hoping to get an answer some day.

----------

## antipop

 *panserg wrote:*   

> Bumping, hoping to get an answer some day  

 

If you're still struggling, here's my suggestion:

```
echo "1" > /proc/sys/net/ipv4/ip_forward
```

----------

## panserg

 *antipop wrote:*   

> here's my suggestion:
> 
> ```
> echo "1" > /proc/sys/net/ipv4/ip_forward
> ```
> ...

 

In my case it doesn't change a thing:

all masq rules are accepted, but I cannot open any connection with any IP outside of my LAN.

All troubleshooting docs discuss the situation when the kernel doesn't accept modules of iptables. In my case everything is compiled (and recompiled several times) fine, all modules are loaded fine, "1" is in /proc/sys/net/ipv4/ip_forward - and it still doesn't forward anything.

I feel that the solution is somewhere very close and simple. Otherwise, why does no one else report the same strange problem?

----------

## FuzzeX

Since I was rebuilding my firewall/router this weekend and saw this post I thought I'd post some resources.

First some links (just in case you need them):

[1]http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

[2]http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html

[3]http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap6

The basics:

Make sure your kernel is configured correctly and that /proc/sys/net/ipv4/ip_forward is echoed to 1 (everyone seems to have that already, just got to keep the ducks in their row).

The next step would be to write some kind of basic iptables script. If you use the example script in [3] make sure you have the procparam script also, and, if you have emerged iptables, make sure you do not have it set to start up (i.e. if you `rc-update add firewall default` then don't `rc-update add iptables default`; this gave me some problems). If you don't use the script from [3] you can write your iptables from the iptables script.

It sounds like everyone can ping from their router/firewall, which is good. If you can't then try something like:

```
# Assumed variable definitions (not in the original post); adjust to your own interfaces.
IPTABLES=/sbin/iptables
EXTIF=eth0      # external interface
INTIF=eth1      # internal (LAN) interface

# Leave the router itself open, start FORWARD from a deny-all policy, and clear the nat table
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Replies may come back in from outside, anything may go out from the LAN, everything else is logged
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
```

Once you can ping everywhere from the router/firewall you can try masquerading with either:

```
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
```

or

```
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
```

(I use the second over the first. There is more info in [1] and [2].)

I've used the strong script at the end of [2] and it works really well. I hacked the hell out of [3] to basically make it into [2] and it seems to work fine (had to change some values in the procparam script as appropriate, i.e. /proc/sys/net/ipv4/ip_forward had to be changed from 0 to 1 in my case).

Once you're set make sure to set your default policies to drop and lock down as appropriate. Hope this sheds some light some people were missing.
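The rule autoxv6 suggested earlier uses `-s 10.0.0.0/25`, while the LAN in the original post sits on 192.168.0.x, and FuzzeX's steps above both boil down to the same question that `iptables -t nat -L` alone does not answer: does the MASQUERADE/SNAT rule actually cover the client's address and leave via the external interface, and has it ever matched a packet? The helper below is an added example, not code from any poster in this thread. It assumes the listing format of `iptables -t nat -L POSTROUTING -v -n -x` (packet counters in the first column) and uses two constructed listings as input; the function and variable names are my own.

```sh
#!/bin/sh
# Added diagnostic helper for this thread (not code from any of the posters).
# Given the text of `iptables -t nat -L POSTROUTING -v -n -x`, report whether a
# MASQUERADE/SNAT rule leaving via the external interface covers a LAN client
# and whether its packet counter has ever moved.

# Convert a dotted quad to a 32-bit integer: ip4_to_int 192.168.0.10 -> 3232235530
ip4_to_int() {
    _ip=$1
    _ifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/BITS -> success if ADDR lies inside NET/BITS (a bare address means /32)
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" = "$2" ]; then bits=32; fi
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# check_masq_coverage LISTING CLIENT_IP EXTIF -> prints one word:
#   ok         a MASQUERADE/SNAT rule leaves via EXTIF, covers CLIENT_IP and has counted packets
#   never-hit  such a rule exists but its counter is still 0, so the client's packets never
#              reach POSTROUTING (look at ip_forward, the FORWARD chain, the client's gateway)
#   no-rule    no MASQUERADE/SNAT rule on EXTIF covers CLIENT_IP (e.g. wrong -s network)
# The first matching rule in chain order decides.
check_masq_coverage() {
    _listing=$1; _client=$2; _extif=$3
    _verdict=$(printf '%s\n' "$_listing" |
        while read -r pkts bytes target prot opt inif outif src dst rest; do
            case $target in MASQUERADE|SNAT) ;; *) continue ;; esac
            [ "$outif" = "$_extif" ] || continue
            in_cidr "$_client" "$src" || continue
            if [ "$pkts" -gt 0 ]; then echo ok; else echo never-hit; fi
        done | head -n 1)
    echo "${_verdict:-no-rule}"
}

# Constructed sample (not captured from a real box): the rule as suggested above,
# on a router whose LAN is 192.168.0.x
LISTING_WRONG_NET='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MASQUERADE  all  --  *      eth0    10.0.0.0/25          0.0.0.0/0'

# Constructed sample: a rule that covers the LAN and is already translating traffic
LISTING_OK='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42       3360 MASQUERADE  all  --  *      eth0    192.168.0.0/24       0.0.0.0/0'

# Demo on the constructed samples.  On a live router feed it the real listing instead:
#   check_masq_coverage "$(iptables -t nat -L POSTROUTING -v -n -x)" 192.168.0.10 eth0
echo "wrong -s network: $(check_masq_coverage "$LISTING_WRONG_NET" 192.168.0.10 eth0)"  # -> no-rule
echo "covered LAN:      $(check_masq_coverage "$LISTING_OK" 192.168.0.10 eth0)"         # -> ok
```

A `never-hit` verdict is the interesting one for this thread: the nat rule is correct but nothing ever reaches it, which points away from iptables and towards ip_forward, the FORWARD chain policy, or the clients' default route; `no-rule` means the rule itself (its `-s` network or `-o` interface) does not describe your LAN.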

----------

