
Problem about IP Masquerading


jeffycli

IS-IT--Management
Nov 28, 2001
HK
Hi All,

I'm trying to use my Linux box as an Internet gateway for my local LAN. I have two Ethernet cards in the Linux box, eth0 and eth1.

The Linux box accesses the Internet through a 1.5Mbps ADSL line connected to eth1, and my local LAN is connected to the interface eth0.

I use "adsl-setup" and "adsl-start" as my dial-up programs to connect to the ADSL service provider.
When I dial, an additional interface, PPP0, appears in the output of "ifconfig -a".

I referred to the IP Masquerading Howto, followed the example and typed the following commands into a script file so that my Linux box performs IP masquerading.

Here are the commands:

/sbin/depmod -a
/sbin/modprobe ip_masq_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp

/sbin/ipchains -P forward DENY
/sbin/ipcahins -A forward -i eth0 -s 192.168.0.0/24 -j MASQ

I set up all of the above, dialed the connection and ran the script. I tried to ping the IP of the provider's DNS server from a PC in the local LAN other than the Linux box.
It can't ping the IP. Then I used trace route on the client PC to verify the path. Here is the path:

1. From the client PC
2. to eth0
3. request timed out
4. request timed out
5. request timed out
6. request timed out

It seems that the network settings of my client PC are all right, since it can reach the interface eth0. However, the trace stops when it comes to the interface eth0. Will my Linux box perform IP forwarding when it receives a packet on the interface eth0 and the packet's destination is somewhere on the Internet?

I don't know what's wrong with my settings. Can anybody give me some hints?

Thank you for your attention

Best Regards,
Jeff Li



 
Hi,

Well, apart from the presumed typo on the MASQ line, it looks OK as long as you don't have anything contradictory in the INPUT or OUTPUT chains (presumably they default to ACCEPT) and your other box(es) are on the 192.168.0.0 subnet. I'm not certain, as I don't use DSL personally, but if you have PPPoE would you not masquerade out of the ppp0 interface? Try that to see if it makes a difference.

Regards
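
Added example, not part of any post in this thread: in ipchains, -i on the forward chain matches the interface a packet will leave on, which is why a MASQ rule is normally bound to the external interface (ppp0 here, as the reply suggests). The sketch below lints a rule script for that and for the misspelled command; the function names are assumptions, and the sample input is the rule lines from the first post.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipchains rule script.
# On the forward chain, ipchains -i matches the OUTGOING interface,
# so a MASQ rule should name the external interface.

# Usage: check_masq_rules EXT_IF < rules-script ; prints one finding per line.
check_masq_rules() {
    awk -v ext="$1" '
    # Letter-count signature, used to spot transposed command names.
    function sig(s,    i, c, n, out) {
        out = ""
        for (i = 1; i <= 26; i++) {
            c = substr("abcdefghijklmnopqrstuvwxyz", i, 1)
            n = gsub(c, c, s)
            out = out n ","
        }
        return out
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        n = split($1, path, "/"); cmd = path[n]
        if (cmd != "ipchains") {
            if (sig(cmd) != sig("ipchains")) next    # unrelated command
            print NR ": misspelled command \"" $1 "\", rule is never loaded"
        }
        chain = target = iface = ""
        for (i = 2; i < NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "-i") iface = $(i + 1)
        }
        if (chain == "forward" && target == "MASQ" && iface != "" && iface != ext)
            print NR ": forward MASQ rule matches -i " iface ", but traffic leaves via " ext
    }'
}

# The ipchains lines from the first post, reproduced as sample input.
sample_rules() {
    cat <<'EOF'
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp
/sbin/ipchains -P forward DENY
/sbin/ipcahins -A forward -i eth0 -s 192.168.0.0/24 -j MASQ
EOF
}

sample_rules | check_masq_rules ppp0
```

Both findings land on the same line of the sample: the command name is misspelled, and the rule is bound to eth0 rather than the interface the traffic leaves on.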
 
Hi,
Basically I want to create a usergroup for one of the girls at work. I don't know the admin password, so am unable to do it. Is there any way of hacking in to find the administrator username / password.

This is very important. Thanks in advance!!
 
Hi,

The only simple way is to reboot the machine and get to the lilo prompt (exit any graphical screens with control-x first). Then you type 'linux single' alongside the boot prompt and press enter.

boot: linux single

or maybe

boot: linux S (for Suse Linux)

The system then stops in super-user maintenance mode signed in as root. You can then use 'passwd' to set a new root password:

# passwd (prompts for password & confirmation)

then reboot and start normally:

# /sbin/shutdown -r now

After that you have the 'admin' user/password, i.e. 'root' (userid) and the new password you just set.

Regards
 
Hi,
I'm using the following ipchains configuration with masquerading:


# Local Interface
# This is the interface that is your link to the world

LOCALIF="ppp0"

# Internal Interface
# This is the interface for your local network

INTERNALNET="192.168.0.0/255.255.0.0"
INTERNALIF="eth0"

IPCHAINS="/sbin/ipchains"

LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"
REMOTENET="0/0"

#Flush all rules
$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward

#local connections
$IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT

#loopback
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT

#masquerade
# don't masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT

# don't Masquerade external interface direct
$IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT

# masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ

# set default policy on the forward chain to DENY
$IPCHAINS -P forward DENY

#Allow all connections from the network to the outside
$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT

#set default rule for input and output
$IPCHAINS -P input DENY
$IPCHAINS -P output ACCEPT

I hope it helps.

 