# IPTables and Masquerade, masquerade not showing up.

## Decibels

Little help here if anyone knows this.

eth0 connected to cable modem, linux. 

eth1 connected to windows computer (LAN).   198.168.0.2

Windows computer 198.168.0.1

Without boring you with all the details:

Iptables-1.2.7a installed and iptables compiled into the kernel. Used some simple rules to start off with, just to get the Internet Connection Sharing working. The Linux box is connected to the Internet cable modem (DHCP), the other computer is Windows 98. They are networked, Samba works fine, ...

So, everything is working, but I just can't get the masquerading to work. Checked his config file again and yes, all the options are there. The ones in particular that deal with masq:

cat /proc/sys/net/ipv4/ip_forward    returns "1"

CONFIG_IP_NF_IPTABLES=y

CONFIG_IP_NF_TARGET_MASQUERADE=y

I don't know if this is because these are old commands, but:

1) cat /proc/net/ip_masquerade     says no such file...

2) netstat -M    says: netstat: no support for `ip_masquerade' on this system.

locate masquerade doesn't return anything in the /proc folder either.

Don't know what is up with this. It should be working. Tried several other scripts I wrote and iptables is working, just not the masq.

Used these rules:

```
# Generated by iptables-save v1.2.7a on Tue Nov 26 10:29:39 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Nov 26 10:29:39 2002
# Generated by iptables-save v1.2.7a on Tue Nov 26 10:29:39 2002
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Nov 26 10:29:39 2002
# Generated by iptables-save v1.2.7a on Tue Nov 26 10:29:39 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Tue Nov 26 10:29:39 2002
```

The only other problem I can possibly see that might be causing the ICS not to work is that every time he tries to enter the Linux box IP as the gateway in the Windows computer, it isn't there when he reboots; well, actually it doesn't ask him to reboot.

**But that shouldn't cause the no IP_MASQ on the Linux box.**

FURTHER STUDY: I just found out that netstat -M doesn't work on the newer iptables. You have to use cat /proc/net/ip_conntrack. Haven't got the report back yet on whether that worked or not. So it looks like it might be the gateway not taking on the Windows system. He says something about a DLL error popping up when starting IE to see if ICS works, but it goes away too quickly.

When I run conntrack I get this for the LAN:

```
Active Connections according to /proc/net/ip_conntrack

Proto   Source Address           Remote Address           Service     State       Masq  Name Resolution
tcp     192.168.0.1:1031         192.168.0.2:139          netbios-ssn TIME_WAIT         UNRESOLVED! > UNRESOLVED!
udp     192.168.0.1:137          192.168.0.255:137        netbios-ns-netbios-ns         UNRESOLVED! > UNRESOLVED!
udp     192.168.0.2:137          192.168.0.1:137          netbios-ns-netbios-ns         UNRESOLVED! > UNRESOLVED!
```

This is a Gentoo 1.2 system, vanilla kernel 2.4.19.

Any ideas??

Thanks.
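The two checks the post above does by hand (ip_forward and the conntrack table) can be scripted so they can be re-run on the box or against a saved copy of the /proc files. This is an added example, not code from the thread; it parses the raw 2.4-kernel /proc/net/ip_conntrack lines (`tcp 6 431999 ESTABLISHED src=... dst=... src=... dst=... [ASSURED] use=1`), not the formatted listing pasted above, and the sample table, the 192.168.0.0/24 LAN and the 203.0.113.7 / 198.51.100.10 addresses are constructed for the demo:

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks for the two things the
# post verifies by hand: /proc/sys/net/ipv4/ip_forward and the raw
# /proc/net/ip_conntrack table (2.4 kernel format). Both read stdin so they
# can be fed either the live /proc file or a saved copy of it.

# forwarding_enabled: succeeds when the sysctl value on stdin is 1.
forwarding_enabled() {
    read -r v
    [ "$v" = "1" ]
}

# count_masqueraded LAN_PREFIX: count conntrack entries that originate on the
# LAN and whose reply tuple is addressed to something other than the LAN host,
# i.e. entries where MASQUERADE actually rewrote the source address.
# Each raw line carries two tuples: original (src= dst= ...) then reply.
count_masqueraded() {
    awk -v lan="$1" '
        {
            n = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) } else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
            }
            # src[1]/dst[1] = original direction, src[2]/dst[2] = reply direction
            if (n == 2 && index(src[1], lan) == 1 && dst[2] != src[1]) c++
        }
        END { print c + 0 }
    '
}

# Constructed sample table (assumed addresses): one LAN->Internet flow that was
# masqueraded (reply dst is the cable-modem address 203.0.113.7, not the LAN
# host), one LAN-only SMB connection, one unreplied NetBIOS broadcast.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.0.1 dst=198.51.100.10 sport=1031 dport=80 src=198.51.100.10 dst=203.0.113.7 sport=80 dport=1031 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.0.1 dst=192.168.0.2 sport=1031 dport=139 src=192.168.0.2 dst=192.168.0.1 sport=139 dport=1031 [ASSURED] use=1
udp      17 28 src=192.168.0.1 dst=192.168.0.255 sport=137 dport=137 [UNREPLIED] src=192.168.0.255 dst=192.168.0.1 sport=137 dport=137 use=1
EOF
}

# Usage on the live box:
#   forwarding_enabled < /proc/sys/net/ipv4/ip_forward && echo "forwarding on"
#   count_masqueraded 192.168.0. < /proc/net/ip_conntrack
echo "masqueraded flows in sample: $(sample_conntrack | count_masqueraded 192.168.0.)"
```

A LAN-only entry (the SMB connection in the sample) tells you nothing about NAT; the entry to look for is one whose reply tuple is addressed to the cable modem's public address while the original tuple's source is the LAN host. If that count stays at zero while the client is trying to reach the Internet, either the packets never reach the Linux box (the gateway setting on the client) or the POSTROUTING rule is not matching.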

----------

## HogRider

Decibels,

First, is Full NAT & IP masquerade built into the kernel (it's actually split into several segments in make menuconfig; looks like you've got it)?

Second, is the iptables module loading? (cat /proc/modules)

Assuming the answer to both is yes, your rules look technically correct, although I've always had difficulty getting iptables to work properly via -i & -o.

Try using -s & -d.

Here's a script I use for my standard config...

```
# Flush current ruleset
iptables -F
iptables -t nat -F

# Masquerade out any outbound traffic from the local LAN
# (the destination needs a /0 mask: a bare "-d 0.0.0.0" means the single
# host 0.0.0.0/32 and never matches real traffic)
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -d 0.0.0.0/0 -j MASQUERADE

# Disallow NEW and INVALID incoming or forwarded packets from external interface.
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding; ip_dynaddr helps when the external address
# changes under an existing connection (dial-up/DHCP)
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
```
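As an added example (not HogRider's script and not from the thread), the same configuration written as a generator for the iptables-save format that the first post dumped, so the whole ruleset can be loaded atomically with iptables-restore. The interface roles follow the first post (eth0 = cable modem, eth1 = LAN) and the 192.168.0.0/24 LAN is assumed; the function names and the check for the bare `-d 0.0.0.0` pitfall are this example's own:

```shell
#!/bin/sh
# Added example, not code from the thread. Emits a complete ruleset in the
# iptables-save format shown earlier in the thread, for loading with
# iptables-restore. Interface roles follow the original post: eth0 = cable
# modem (WAN), eth1 = LAN. Where it differs from the posted script:
#   - the MASQUERADE rule carries no "-d 0.0.0.0": without a /0 mask that
#     matches only the single host 0.0.0.0, so nothing would be translated;
#   - INPUT and FORWARD default to DROP, and only LAN->WAN traffic plus the
#     replies to it are forwarded;
#   - the DHCP client's replies on the WAN side are allowed explicitly.

# gen_nat_rules WAN_IF LAN_IF LAN_NET: print the ruleset to stdout.
gen_nat_rules() {
    wan=$1
    lan=$2
    lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -s $lan_net -j ACCEPT
-A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $wan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# rule_count: number of "-A" rules in the ruleset read from stdin.
rule_count() {
    grep -c '^-A '
}

# has_bare_zero_dst: succeeds when the ruleset on stdin contains a destination
# match of exactly "-d 0.0.0.0" with no mask, the pitfall described above.
has_bare_zero_dst() {
    grep -qE -- '-d 0\.0\.0\.0( |$)'
}

# Demo run on the assumed interfaces and LAN. On the real box, as root:
#   gen_nat_rules eth0 eth1 192.168.0.0/24 | iptables-restore
#   echo 1 > /proc/sys/net/ipv4/ip_forward
gen_nat_rules eth0 eth1 192.168.0.0/24
```

Loading through iptables-restore replaces all chains in one step, so there is no window where the old rules are flushed but the new ones are not yet in place, and the `-s LAN_NET` on the POSTROUTING rule keeps the box from masquerading traffic that did not come from the LAN. The `-i`/`-o` and `-s`/`-d` matches are combined on the FORWARD rules; either alone works in the kernel, so if one form appears not to, the problem is usually elsewhere (the client's gateway or DNS settings, as this thread found).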

----------

## Decibels

Yes, they're compiled. Not as modules though.

I am beginning to think it might be a mistake on his part. Doing this over IM.

When he said it didn't give him the option to restart Windows after adding the Linux box as the gateway, I went back to Windows and it worked for me. He might not have clicked the ADD button; he said he did, but it wasn't taking or something. So I am taking my time, providing pictures of exactly what to do.

He gets his IP via DHCP from insightbb.com, but I am also providing pictures for the DNS and what to do, just in case the others don't work. He can always put it back.

If that doesn't work, then I am going to script your file and have him run that to replace his current rules-save. I will keep you posted. Thanks for the info.

----------

## Decibels

Okay, working now.

Seems that a lot of people doing the masquerade with Windows as a client don't mention the DNS problem or fail to mention it. So, just like netstat -M, I thought it was an antiquated ordeal. I mean, the networking worked, Samba worked, /etc/resolv.conf was correct and working.

He finally got the Gateway entry in Windows to work. That didn't fix it though. 

Adding the nameservers and domain from /etc/resolv.conf to Windows 98 was the final fix. So he actually figured the last part of the equation out.

So, they're surfing the net right now on the Windows networked client.

Thanks for the help.

----------

## Decibels

What a fitting way to finish, but with a tutorial and pictures.

http://webpages.charter.net/decibelshelp/LinuxHelp_IPtables.html#ip_masq

----------

