# Iptables masquerade not quite working

## kirill

Hello,

I'm using iptables and am having a lot of problems with it.

First of all, this is how I enable it:

```
# Turn on routing between interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

# Masquerade everything leaving via the VPN link
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
```

...thus ppp0 is my default gateway; ppp0 (a VPN tunnel) has a dynamic IP address and is brought up *before* iptables is started.

On my client machines:

1. I can't browse web pages (HTTP request sent; waiting for response.)
2. I can't connect by ssh (it freezes after showing me 2-3 lines of the remote box's MOTD)
3. I CAN connect to IRC and chat
4. I can ping both www.gentoo.org and my gateway
5. Can't access mail/news/rsync etc.

I've now set up a squid proxy as a temporary solution. It fixes some protocols (http) but not all of them.

Have any of you experienced such behavior from iptables? Maybe there are some threads on other forums/newsgroups?

*PLEASE PLEASE* comment if you have any ideas or tips on what's going on!

Thanks

----------

## rizzo

I also have:

```
# Values as described below
IPT=/sbin/iptables
INTIF=eth1
EXTIF=ppp0

# Let sockets on the gateway cope with the dynamic address changing
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Replies to existing connections, and anything coming from the LAN side
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INTIF -j ACCEPT

# Masquerade everything leaving via the uplink
$IPT -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

$IPT -P FORWARD ACCEPT
```

Where $IPT is the path to iptables, $INTIF is eth1 and $EXTIF is ppp0. After that code I set up all my rules for allowing specific types of traffic (dns, ssh, www) along with my port-forwarding stuff, and then anything that I have specifically addressed I drop.

----------

## kirill

Thanks for those lines, I will try your setup tomorrow. This will require building new modules for iptables, but what the h*ll, I've got to get this working.

to be continued...

----------

## TuxFriend

 *kirill wrote:*   

> This will require me building new modules for iptables

 

Why do you have to build new modules?

TuxFriend

----------

## kirill

 *TuxFriend wrote:*   

> *kirill wrote:* This will require me building new modules for iptables
>
> Why do you have to build new modules?


Because I only have stuff needed for masquerade in my kernel (as modules):

```
[*] Network packet filtering (replaces ipchains)
  IP: Netfilter Configuration  --->
  <M> Connection tracking (required for masq/NAT)
  <M> IP tables support (required for filtering/masq/NAT)
    <M>   Full NAT
    <M>     MASQUERADE target support
```

and now I would need a lot of other ones to get FORWARD/state support.

----------

## TuxFriend

OK, Thanks

TuxFriend

----------

## kirill

Just a quick update:

Last night my ppp0 hung up by itself and I had to reset it. After a few more manual resets my client machines could access the internet again.

This naturally still doesn't solve the problem, because I've seen these odd fix-ups happen before, and now I'm waiting for it to hang up again and my masquerading to stop working.

----------

## kirill

This seems to be somehow related to the VPN itself.

I suspect it's due to another one of M$'s shitty compatibility implementations, or something along those lines.

----------

## dingo

 *kirill wrote:*   

> Hello,
> 
> I'm using iptables and have very many problems with it.
> 
> first of all, this is how I enable it:
> ...

 

Go back to the ol' kernel compiling board:

Look in Networking options -> Netfilter Configuration.

Press 'm' over the option "TCPMSS target support".

Also press 'h' over this module: it will tell you that it fixes the *exact* symptoms you have, and it will also tell you the ruleset to use with iptables to enable it.

Hope it works. I don't think it has anything to do with M$ though.

----------
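The symptoms in the first post (pages hang after the request is sent, ssh freezes a few lines into the MOTD, while IRC and ping work) are the classic path-MTU black hole that the TCPMSS help text describes: the VPN link's MTU is below 1500, the clients behind the gateway advertise a TCP MSS based on a 1500-byte Ethernet, and the ICMP "fragmentation needed" messages that would make the far end send smaller segments never get through, so every large reply is silently dropped. Clamping the MSS of forwarded SYNs removes the dependency on ICMP. The script below is an added example, not code from any of the posts: it combines the MASQUERADE line from the first post, the stateful FORWARD rules rizzo posted and the TCPMSS rule from the kernel help text into one gateway script. The iptables path, the interface names and the LAN range are assumptions; by default it only prints the commands it would run, and loads them only when run as root with DRY_RUN=0.

```sh
#!/bin/sh
# Added example, not code from the thread: a complete ruleset for a Linux
# gateway that masquerades a LAN out over a PPP/VPN link (ppp0), with the
# TCPMSS clamp that fixes the "connects, then hangs" symptoms.  Interface
# names, the LAN range and the iptables path are assumptions; adjust them.
# By default the script only prints the commands it would run (DRY_RUN=1);
# run it as root with DRY_RUN=0 to actually load the rules.

IPT="${IPT:-/sbin/iptables}"    # assumed path to the iptables binary
INTIF="${INTIF:-eth1}"          # assumed LAN-side interface
EXTIF="${EXTIF:-ppp0}"          # assumed VPN/uplink interface (dynamic address)
LAN="${LAN:-192.168.1.0/24}"    # assumed LAN address range
DRY_RUN="${DRY_RUN:-1}"         # 1 = print commands only, 0 = execute them

if [ "$DRY_RUN" != 1 ] && [ "$(id -u)" -ne 0 ]; then
    echo "DRY_RUN=0 needs root" >&2
    exit 1
fi

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Write a value to a /proc sysctl, or print what would be written.
sysctl_write() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo %s > %s\n' "$2" "$1"
    else
        echo "$2" > "$1"
    fi
}

apply_rules() {
    # Kernel side: route between interfaces, and let sockets on the gateway
    # itself cope with the uplink's address changing (ip_dynaddr).
    sysctl_write /proc/sys/net/ipv4/ip_forward 1
    sysctl_write /proc/sys/net/ipv4/ip_dynaddr 1

    # Start from a clean slate so the script can be re-run whenever ppp0
    # comes back up.
    run "$IPT" -F
    run "$IPT" -t nat -F
    run "$IPT" -X

    # Default-deny for traffic to and through the gateway.
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Traffic to the gateway itself: loopback, replies, and the LAN.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -i "$INTIF" -s "$LAN" -j ACCEPT

    # The fix for "page hangs after the request, ssh dies after the MOTD":
    # clamp the MSS of forwarded SYNs to the path MTU so the remote end
    # never sends a segment larger than the tunnel can carry.  TCPMSS does
    # not terminate rule processing, so it can safely go first.
    run "$IPT" -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu

    # Forward only LAN-originated connections and their replies.
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" \
        -m state --state NEW -j ACCEPT

    # MASQUERADE rather than SNAT: it reads the uplink's address per packet
    # and drops its conntrack entries when the link goes down, which is what
    # a dynamic ppp0 needs.
    run "$IPT" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

apply_rules
```

Beyond the modules kirill listed, this ruleset needs "Packet filtering" (the filter table), "Connection state match support" (for `-m state`) and "TCPMSS target support". Because it flushes and rebuilds everything, it can be called from pppd's ip-up hook so the rules are reloaded each time ppp0 comes back. To confirm the clamp is in effect, watch SYNs on the uplink with `tcpdump -ni ppp0 'tcp[tcpflags] & tcp-syn != 0'`: the `mss` option on forwarded SYNs should drop from the LAN's 1460 to the tunnel MTU minus 40. The iptables manual shows the same TCPMSS rule in the mangle table (`-t mangle -A FORWARD ...`); either placement works.

----------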

## kirill

 *dingo wrote:*   

> 
> 
> go back to the 'ol kernel compilng board:
> 
> look in networking options->Netfilter Configuration
> ...

 

Thanks for the tip!

I also saw this line when reading the pptpclient diagnosis a few days ago.

I'll give the command a try!

BTW, I have to admit that the connection has worked pretty well for the last few days *without* that line. But I'll enable it just to be sure.

----------

