# IP MASQUERADING IS NOW WORKING! (shouting)

## FINITE

Well I have never set up networking in Linux the "manual" way. I have given the client machines nic or eth0 the ipaddress 192.168.0.2 and its gateway is set to the ipaddress of the host machines internal nic eth1 which is 192.168.0.1. I have a test script taken from a website to test this setup and well it aint working. Not sure what is wrong. The one thing I do not understard in the script is this

```
INTNET="192.168.1.0/24"

INTIP="192.168.1.1/24"
```

.

Not sure if I need to change the addresses to anything or what. One thing I know for sure is that neither address there matches either address in either macine but I have tried doing it like this

```
INTNET="192.168.0.2/24"

INTIP="192.168.0.1/24"

```

which does not help the situation. I know I am doing something wrong here.  I have ALL required componets compiled as modules and do not get an errors when the modules are loaded by this script. I have cable internet and my address is assigned dynamically and the script I am using is supposed to take care of that. I have been trying for some time to get this working to no avail. Here is the script that I am using.

[/code]#!/bin/sh

#

# rc.firewall-2.4-stronger

FWVER=0.73s

#          An example of a stronger IPTABLES firewall with IP Masquerade 

#          support for 2.4.x kernels.  

#

# Log:

#   0.73s - Added comments in the output section that DHCPd is optional

#           and changed the default settings to disabled

#   0.72s - Changed the filter from the INTNET to the INTIP to be

#           stateful; moved the command VARs to the top and made the

#           rest of the script to use them

#   0.70s - Added a disabled examples for allowing internal DHCP  

#           and external WWW access to the server

#   0.63s - Added support for the IRC module

#   0.62s - Initial version based upon the basic 2.4.x rc.firewall

echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"

# The location of various iptables and other shell programs

#

#   If your Linux distribution came with a copy of iptables, most

#   likely it is located in /sbin.  If you manually compiled 

#   iptables, the default location is in /usr/local/sbin

#

# ** Please use the "whereis iptables" command to figure out 

# ** where your copy is and change the path below to reflect 

# ** your setup

#

#IPTABLES=/sbin/iptables

IPTABLES=/usr/local/sbin/iptables

#

LSMOD=/sbin/lsmod

DEPMOD=/sbin/depmod

INSMOD=/sbin/insmod

GREP=/bin/grep

AWK=/bin/awk

SED=/bin/sed

IFCONFIG=/sbin/ifconfig

#Setting the EXTERNAL and INTERNAL interfaces for the network

#

#  Each IP Masquerade network needs to have at least one

#  external and one internal network.  The external network

#  is where the natting will occur and the internal network

#  should preferably be addressed with a RFC1918 private address

#  scheme.

#

#  For this example, "eth0" is external and "eth1" is internal"

#

#  NOTE:  If this doesnt EXACTLY fit your configuration, you must 

#         change the EXTIF or INTIF variables above. For example: 

#

#               EXTIF="ppp0" 

#

#            if you are a modem user.

#

EXTIF="eth0"

INTIF="eth1"

echo "  External Interface:  $EXTIF"

echo "  Internal Interface:  $INTIF"

echo "  ---"

# Specify your Static IP address here or let the script take care of it 

# for you.

#

#   If you prefer to use STATIC addresses in your firewalls, un-# out the

#   static example below and # out the dynamic line.  If you don't care,

#   just leave this section alone.

#

#   If you have a DYNAMIC IP address, the ruleset already takes care of

#   this for you.  Please note that the different single and double quote 

#   characters and the script MATTER.

#

#

#   DHCP users:

#   -----------

#   If you get your TCP/IP address via DHCP, **you will need ** to enable the 

#   #ed out command below underneath the PPP section AND replace the word 

#   "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0, 

#   etc) on the lines for "ppp-ip" and "extip".  You should also note that the 

#   DHCP server can and will change IP addresses on you.  To deal with this, 

#   users should configure their DHCP client to re-run the rc.firewall ruleset 

#   everytime the DHCP lease is renewed.

#

#     NOTE #1:  Some DHCP clients like the original "pump" (the newer

#               versions have been fixed) did NOT have the ability to run 

#               scripts after a lease-renew.  Because of this, you need to 

#               replace it with something like "dhcpcd" or "dhclient".

#

#     NOTE #2:  The syntax for "dhcpcd" has changed in recent versions.

#

#               Older versions used syntax like:

#                         dhcpcd -c /etc/rc.d/rc.firewall eth0

#

#               Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe

#

#     NOTE #3:  For Pump users, put the following line in /etc/pump.conf:

#

#                   script /etc/rc.d/rc.firewall

#

#   PPP users:

#   ----------

#   If you aren't already aware, the /etc/ppp/ip-up script is always run when 

#   a PPP connection comes up.  Because of this, we can make the ruleset go and 

#   get the new PPP IP address and update the strong firewall ruleset.

#

#   If the /etc/ppp/ip-up file already exists, you should edit it and add a line

#   containing "/etc/rc.d/rc.firewall" near the end of the file.

#

#   If you don't already have a /etc/ppp/ip-up sccript, you need to create the 

#   following link to run the /etc/rc.d/rc.firewall script.

#

#       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up

#

#   * You then want to enable the #ed out shell command below *

#

#

# Determine the external IP automatically:

# ----------------------------------------

#

EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | \

$SED -e 's/.*://'`"

# For users who wish to use STATIC IP addresses:

#

#  # out the EXTIP line above and un-# out the EXTIP line below

#

#EXTIP="your.static.PPP.address"

echo "  External IP: $EXTIP"

echo "  ---"

# Assign the internal TCP/IP network and IP address

INTNET="192.168.1.0/24"

INTIP="192.168.1.1/24"

echo "  Internal Network: $INTNET"

echo "  Internal IP:      $INTIP"

echo "  ---"

# Setting a few other local variables

#

UNIVERSE="0.0.0.0/0"

#======================================================================

#== No editing beyond this line is required for initial MASQ testing ==

# Need to verify that all modules have all required dependencies

#

echo "  - Verifying that all kernel modules are ok"

$DEPMOD -a

echo -en "    Loading kernel modules: "

# With the new IPTABLES code, the core MASQ functionality is now either

# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES

# options as MODULES.  If your kernel is compiled correctly, there is

# NO need to load the kernel modules manually.  

#

#  NOTE: The following items are listed ONLY for informational reasons.

#        There is no reason to manual load these modules unless your

#        kernel is either mis-configured or you intentionally disabled

#        the kernel module autoloader.

#

# Upon the commands of starting up IP Masq on the server, the

# following kernel modules will be automatically loaded:

#

# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ 

#        modules are shown below but are commented out from loading.

# ===============================================================

#Load the main body of the IPTABLES module - "ip_tables"

#  - Loaded automatically when the "iptables" command is invoked

#

#  - Loaded manually to clean up kernel auto-loading timing issues

#

echo -en "ip_tables, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then

   $INSMOD ip_tables

fi

#Load the IPTABLES filtering module - "iptable_filter" 

#

#  - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"

#

# The conntrack  module in itself does nothing without other specific 

# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"

# module

#

#  - This module is loaded automatically when MASQ functionality is 

#    enabled 

#

#  - Loaded manually to clean up kernel auto-loading timing issues

#

echo -en "ip_conntrack, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then

   $INSMOD ip_conntrack

fi

#Load the FTP tracking mechanism for full FTP tracking

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

echo -e "ip_conntrack_ftp, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then

   $INSMOD ip_conntrack_ftp

fi

#Load the IRC tracking mechanism for full IRC tracking

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

echo -en "                             ip_conntrack_irc, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then

   $INSMOD ip_conntrack_irc

fi

#Load the general IPTABLES NAT code - "iptable_nat"

#  - Loaded automatically when MASQ functionality is turned on

# 

#  - Loaded manually to clean up kernel auto-loading timing issues

#

echo -en "iptable_nat, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then

   $INSMOD iptable_nat

fi

#Loads the FTP NAT functionality into the core IPTABLES code

# Required to support non-PASV FTP.

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

echo -e "ip_nat_ftp"

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then

   $INSMOD ip_nat_ftp

fi

echo "  ---"

# Just to be complete, here is a list of the remaining kernel modules 

# and their function.  Please note that several modules should be only

# loaded by the correct master kernel module for proper operation.

# --------------------------------------------------------------------

#

#    ipt_mark       - this target marks a given packet for future action.

#                     This automatically loads the ipt_MARK module

#

#    ipt_tcpmss     - this target allows to manipulate the TCP MSS

#                     option for braindead remote firewalls.

#                     This automatically loads the ipt_TCPMSS module

#

#    ipt_limit      - this target allows for packets to be limited to

#                     to many hits per sec/min/hr

#

#    ipt_multiport  - this match allows for targets within a range

#                     of port numbers vs. listing each port individually

#

#    ipt_state      - this match allows to catch packets with various

#                     IP and TCP flags set/unset

#

#    ipt_unclean    - this match allows to catch packets that have invalid

#                     IP/TCP flags set

#

#    iptable_filter - this module allows for packets to be DROPped, 

#                     REJECTed, or LOGged.  This module automatically 

#                     loads the following modules:

#

#                     ipt_LOG - this target allows for packets to be 

#                               logged

#

#                     ipt_REJECT - this target DROPs the packet and returns 

#                                  a configurable ICMP packet back to the 

#                                  sender.

# 

#    iptable_mangle - this target allows for packets to be manipulated

#                     for things like the TCPMSS option, etc.

#CRITICAL:  Enable IP forwarding since it is disabled by default since

#

#           Redhat Users:  you may try changing the options in

#                          /etc/sysconfig/network from:

#

#                       FORWARD_IPV4=false

#                             to

#                       FORWARD_IPV4=true

#

echo "  Enabling forwarding.."

echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:

#

#   If you get your IP address dynamically from SLIP, PPP, or DHCP, 

#   enable the following option.  This enables dynamic-address hacking

#   which makes the life with Diald and similar programs much easier.

#

echo "  Enabling DynamicAddr.."

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  ---"

#############################################################################

#

# Enable Stronger IP forwarding and Masquerading

#

#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.

#

#  NOTE #2:  The following is an example for an internal LAN address in the

#            192.168.1.x network with a 255.255.255.0 or a "24" bit subnet 

#            mask connecting to the Internet on external interface "eth0".  

#            This example will MASQ internal traffic out to the Internet 

#            but not allow non-initiated traffic into your internal network.

#

#            

#         ** Please change the above network numbers, subnet mask, and your 

#         *** Internet connection interface name to match your setup

#         

#Clearing any previous configuration

#

#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP.

#

#    You CANNOT change this to REJECT as it isn't a vaild setting for a

#    policy.  If you want REJECT, you must explictly REJECT at the end

#    of a giving INPUT, OUTPUT, or FORWARD chain

#

echo "  Clearing any existing rules and setting default policy to DROP.."

$IPTABLES -P INPUT DROP  

$IPTABLES -F INPUT 

$IPTABLES -P OUTPUT DROP  

$IPTABLES -F OUTPUT 

$IPTABLES -P FORWARD DROP  

$IPTABLES -F FORWARD 

$IPTABLES -F -t nat

#Not needed and it will only load the unneeded kernel module

#$IPTABLES -F -t mangle

#

# Flush the user chain.. if it exists

if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then

   $IPTABLES -F drop-and-log-it

fi

#

# Delete all User-specified chains

$IPTABLES -X

#

# Reset all IPTABLES counters

$IPTABLES -Z

#Configuring specific CHAINS for later use in the ruleset

#

#  NOTE:  Some users prefer to have their firewall silently

#         "DROP" packets while others prefer to use "REJECT"

#         to send ICMP error messages back to the remote 

#         machine.  The default is "REJECT" but feel free to

#         change this below.

#

# NOTE: Without the --log-level set to "info", every single

#       firewall hit will goto ALL vtys.  This is a very big

#       pain.

#

echo "  Creating a DROP chain.."

$IPTABLES -N drop-and-log-it

$IPTABLES -A drop-and-log-it -j LOG --log-level info 

$IPTABLES -A drop-and-log-it -j DROP

echo -e "\n   - Loading INPUT rulesets"

#######################################################################

# INPUT: Incoming traffic from various interfaces.  All rulesets are 

#        already flushed and set to a default policy of DROP. 

#

# loopback interfaces are valid.

#

$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid

#

$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost

#

$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# external interface, from any source, for ICMP traffic is valid

#

#  If you would like your machine to "ping" from the Internet, 

#  enable this next line

#

#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT

# remote interface, any source, going to permanent PPP address is valid

#

#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in

#

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \

ESTABLISHED,RELATED -j ACCEPT

# ----- Begin OPTIONAL Section -----

#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server

#

#$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT

#$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server

#

#echo -e "      - Allowing EXTERNAL access to the WWW server"

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

#-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

#

# ----- End OPTIONAL Section -----

# Catch all rule, all other incoming is denied and logged. 

#

$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "   - Loading OUTPUT rulesets"

#######################################################################

# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 

#         already flushed and set to a default policy of DROP. 

#

# loopback interface is valid.

#

$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid

#

$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid

#

$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny

#

$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid

#

$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# ----- Begin OPTIONAL Section -----

#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server

#

#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \

-d 255.255.255.255 --dport 68 -j ACCEPT

#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \

-d 255.255.255.255 --dport 68 -j ACCEPT

#

# ----- End OPTIONAL Section -----

# Catch all rule, all other outgoing is denied and logged. 

#

$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "   - Loading FORWARD rulesets"

#######################################################################

# FORWARD: Enable Forwarding and thus IPMASQ

#

echo "     - FWD: Allow all connections OUT and only existing/related IN"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \

-j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged. 

#

$IPTABLES -A FORWARD -j drop-and-log-it

echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"

#

#More liberal form

#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#

#Stricter form

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

#######################################################################

echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"

<rc.firewall-2.4-stronger STOP>

As always any and all help is appreciated. Thanks.Last edited by FINITE on Thu Sep 05, 2002 9:51 pm; edited 3 times in total

----------

## FINITE

One thing I should have stated is that I am at work. I cannot run any command remotely at the moment because my ip address had changed and I did not write it down so I cannot ssh into my box today. When I had run route -n the destination of both eth1 in the host machine and eth0 in the cilent machine had a destination of 192.168.0.0 which does not seem right, though I do not really know enough about how to network in Linux to say for sure.

----------

## WarMachine

 *FINITE wrote:*   

> One thing I should have stated is that I am at work. I cannot run any command remotely at the moment because my ip address had changed and I did not write it down so I cannot ssh into my box today. 

 

www.noip.com can help resolve that problem

----------

## FINITE

Thanks for the link but Im not really worried about the external ip address here accept that I cannot ssh into my box at home right now. Actually I could call my GF at home and have her get it for me or just reboot the sysetm. The real problem is that I get from the client machine out to the internet. I cannot even ping the internal ip of the host box. Somebody please help. I have read the how-to's and that has gotten me to this point. If I try to ping the external ip of the host box from the client machine it fails. If I try to ping the client boxes ip it says that its not allowed. I said before that the destination ip of the client is 192.168.0.0 and I can ping that and the hosts internal nic seems to respond to that. I cannot anything else though from the client box.

----------

## FINITE

Here is something that stumped me, call me stupid if you want to but what does this mean (client box). 

```
#Set IPADDR to 192.168.0.x (1 < x < 255)
```

The part im talking about is (1 < x < 255). I had assumed that ment that the last octet of the ipaddress, 1, should be put in place of the "x" and all would be good but no matter what I did nothing worked accept not having (***) in there at all.  Well using worked isn't right. Not using it was the only way eth0 would come up on the client machine.[/code]

----------

## FINITE

Well I am at home and again have

tried everything that I can think

of to get this working. Everthing

is in place. It should be working.

Is it possible for an ISP keep  

someone from doing this? Prolly not

kinda reachin there. If I try and

ssh into my client box which is

running sshd and does not have a

firewall loaded I get an error "No

route to host". If I try and ping 

the client ip I get absolutely

nothing, zip, zilch, nada. If from

the host machine I try and ping the

the client machines ip I also get 

nothing. I am using a crossover

cable so that is not an issue. I 

need help here. If any more info is

needed please let me know.

----------

## nE0

Hmm. Not much reply's here..

The first thing you stumbled over was:

```
 

INTNET="192.168.1.0/24" 

INTIP="192.168.1.1/24" 

```

the differance here is: The internal Network = 192.168.1.0/24

Wich means as much as, the street your in, is 192.168.1.0, and there are 256 houses. (that is the /24 = 255.255.255.0)

And the internal IP adress is: 192.168.1.1 with a netmask of 255.255.255.0

This should ofcourse be set to the situation you're in..

It is your internal IP adres.

the last thing you asked was:

```

#Set IPADDR to 192.168.0.x (1 < x < 255)

```

X = bigger than 1, but smaller than 255 (just simple math right  :Wink:  )

WIch basicly means: The IP adress for that specific client can be 192.168.0.2 - 192.168.0.254 with a netmask: 255.255.255.0

192.168.0.1 = your server

192.168.0.255 = your broadcast adres

set the default gw on your client to point to the internal IP adres of your server:

```

# route add default gw 192.168.0.1

```

and try pinging the server(192.168.0.1), to see if ip is setup corectly

Now try pinging the servers external Ip adres, to see if routing is setup correctly.

now try pinging a ip address of yet another host on the internet, to see if forwarding is ok.

now try pinging a DNS adres to see if resoving is setup okay..

And post your outcome..

Read the networking howto, if you want more info about networking.

----------

## sn1987a

 *FINITE wrote:*   

> If I try and
> 
> ssh into my client box which is
> 
> running sshd and does not have a
> ...

 

It also sounds like the route table on the gateway is not set properly. The routing table which should have a line for that network:

```
# netstat -nr

Destination   Gateway    Genmask      Flags    MSS   Window  irtt Iface

192.168.0.0   0.0.0.0   255.255.255.0  UG      40    0       0    eth1

```

if not try 

 *Quote:*   

> route add -net 192.168.0.0 netmask 255.255.255.0   dev eth1

 

If you still have problems please post the output of ifconfig and netstat -nr for both the client and the gateway.

good luck

----------

## FINITE

Thanks so much for the info. I will post the iformation that you requested as soon as I can assuming that what you just told me doesn't take care of the problem. Ill post it anyways actually incase others run into the same problem. Thanks again.

----------

## FINITE

Ok, bear with me im typing this from

within Lynx and its kinda strange.

Anywyas, I have tried what seems like

every possible combonation of options

to get this going. Different scripts which

all appear to work untill I start trying

to use the network. netstat -nr on the

host machine (the one im using now)

shows what I think is the correct information.

The destination of eth1 in this box (the host)

is 192.168.0.0 and the subnet mask is 255.255.255.0.

its the same on the client box for eth0.

I assigned the host mahines int nic an ipaddress of

192.168.0.1 the bcast address is 192.168.0.255 and

the subnet mask is 255.255.255.0. The client box is the same

accept for the ipaddress which again is 192.168.0.2.

the default gateway is 192.168.0.1.

With the script from the MASQ howto for 2.4.* series kernels (rc.firewall-2.4-stronger)

I assigned the INTNET=192.168.0.0/24

and INTIP=192.168.0.2. If I tried to ping

with it set like that then I would get "Operation not permitted" erros.

SSH would just sit there for ever if I let it.

With the information changed to anything else, and I do mean anything,

ping would just sit there for ever if I let it and

never get a return and ssh would say

"no route to host". I have tried with each configuration to

switch to my client box and try pinging, ssh, webbrowsing, and

nothing will work. I have to be missing something.

Well, im going to try a few more things

tonight and call it. I only have one monitor and KB

so its getting to be a real pain  :Smile: 

----------

## FINITE

Well I was agian up untill dawn tyring to get this working. Needless to say

I was not unsuccessfull. I have checked, double checked, and checked

again to make sure everything is set up the way it should be and

it still will not freaking work. I am on the verge

of trying a different distribution to see if its a Gentoo problem. If anyone has anyother ideas please let me know. Thanks for the help so far.

----------

## sn1987a

From your original note:

 *FINITE wrote:*   

>  Not sure what is wrong. The one thing I do not understard in the script is this
> 
> ```
> INTNET="192.168.1.0/24"
> 
> ...

 

I may have been concentrating on the wrong problem here.  Does the networking work without the firewall running?  If it doesn't the we need to focus on the basic networking between the two machines.  (you might want to try using tcpdump to see what is being pased on the wire)

If the basic networking is fine, then it is just a matter of the firewall rules.    Your change to INTNET and INTIP are definitely needed. They should match your internal network.  I would like to look at the actual firewall rules.   If it is easier to email a file, send me the iptables.out file from the following commands ( to sn1987a@altavista.net ) and I'll take a look at it for you.  (you should atleast be able to send it as an attachment from a webmail account)

```

echo 'Table: filter' > iptables.out

/sbin/iptables -L -n -v >> iptables.out

echo >> iptables.out

echo 'Table: nat' >> iptables.out

/sbin/iptables -t nat -L -n -v >> iptables.out

echo >> iptables.out

echo 'Table: mangle' >> iptables.out

/sbin/iptables -t mangle -L -n -v >> iptables.out

```

Let us know what you find

----------

## splooge

First of all I had some issues with that script you're using also.  =)

This is the very basics to get your internal network masquerading to the internet.

echo "1" > /proc/sys/net/ipv4/ip_forward  ## turns on ip forwarding in the kernel

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Change the ppp0 to your external network ineterface (eth0, eth1, etc)

Then, take a look at this firewall script, I had better luck with it:

http://projectfiles.com/firewall/

----------

## FINITE

DAMNIT!! I was typing another post and I hit something that cause me to loose it. Damn lynx browser.

Anyways, Its still not working. All suggestions have been tried. I went ahead and (without any iptables rules started) ran the comands

to have a basic masq setup. Ran iptables-save and then rebooted. Still the same problem.

With the basic rules started I ran the firewall (after configuring it properly) and then ran iptables-save again. Rebooted and still the same problem.

This is crazy! 

On the host box eth1 gateway to the client box I have net configured as fallows:

eth1 ipaddress=192.168.0.1 bcast address=192.168.0.255 netmask=255.255.255.0.

eth0 on the client box:

ipaddress=192.168.0.2 bcast address=192.168.0.255 netmask=255.255.255.0 gateway=192.168.0.1.

The script that I am currently using is http://projectfiles.com/firewall/ (rc.firewall-2.0rc4).

In that script I have "InternalInterfaces=eth1" and "DynamicInterfaces=eth0", nothing esle was modified.

Well, im going to go and beat my head aginst a brick wall for a little bit. Thanks again for helping out.

----------

## sn1987a

 *FINITE wrote:*   

> I went ahead and (without any iptables rules started) ran the comands
> 
> to have a basic masq setup.

 

There are two requirements before we can begin looking at masquerading.  It's not clear that they are satisfied.

1. The two machines can communicate normally.  It appears that your struggling with this, but everything I've seen so far has involved some iptables.  can the two machines talk to each other with no iptables in place?

```

 iptables -F

 iptables -X

 iptables -P ACCEPT

 iptables -n nat -F

 iptables -n nat -X

 iptables -n nat -P ACCEPT

 iptables -n mangle -F

 iptables -n mangle -X

 iptables -n mangle -P ACCEPT

```

will remove all rules and setup default ACCEPT policies. ( you may want to pull the plug to the cable box to test this)

2. The gate way box can talk to the internet.  It sounds like this is the case.  I am not familliar with cable setups.  Is your default route out eth0 to the cable box or is there a ppp0 involved?

If both of these are working then we can focus on the firewall script.  BTW do any of the dropped packets end up in /var/log/messages?

----------

## FINITE

AHAHAHAHAHAHAHAHHHHAAAAHAHAHAAAAA!!!!!!!!!!!!

Man this is wierd. Ok, I decided to move things arround, my nics that is.

In the host machine I had a Dlink 550 and a netgear whatever using the natsemi module.

In the client box I had a Dlink 530. I switched the nic in the client box with the natsemi nic in the host machine and recompiled the kernels. Well god damn it works!

The strangest thing is that the natsemi nic could not even work as the only card in the host machine as my internet connection. DHCPCD could NOT assign an address to it.

Man this has been a struggle. Its been hardware all along. WIERD!

Thanks for all of the help, seriously. The gentoo forums are the best 

linux dist forums out there. Shweeewwww.

----------

## FINITE

So this is how my post looks like in Mozilla. Shweeeeetttt! Damn nics.

Well Im at work now and I must have misconfigured the firewall. Can't ssh in get connection refused error. At least I can get out from te client box now though. I could have sworn that I had allowed port 22 though.  Im not sure which script I am going to end up using, i kinda like the monmotha script. Anyone heard of issues between natsemi nics and sundance nics/drivers. Strangest thing I have ever seen.  I have no idea what could have been causing the conflict.  I think I mentioned in the previous post that even with the Netgear (natsemi) nic by its self in the computer destined to be the masq server connected to my cable modem I could not access the internet, the card would not even get an ipaddress. Hmmm, well im out of here. Thanks again for all the help.

----------

