[NCLUG] I'm wearing my ball and ipchains. Please help.

Aaron D. Johnson adj at ccltd.com
Tue Feb 20 00:07:19 MST 2001


> I cannot seem to figure out the right ipchains lines to get this
> masquerading working.  I only have a wee dialup feed but am trying
> to share it with some other computers in my house.  My computer is
> running Redhat 7 and has two ethernet cards and one is wireless.
> There is a Linksys router being used as a hub [H] stuck in there
> with address 192.168.1.1.

I thought you got the cable modem working.  :(

>                                                 +----+
>                                    192.168.1.3  |    |
>                                   +-------------|PC1 |
>                                  [H]            |Win |
>            +----+  192.168.1.2    |             |    |
>            |    |-----------------+             +----+
>       ppp0 |    | eth0 (100baseT)
>      ------|PC0 |
>            |RH7 | eth1 (wireless)
>            |    |-----------------+             +----+
>            +----+  192.168.2.1    |             |    |
>                                   | 192.168.2.2 |PC2 |
>                                   +-------------|RH7 |
>                                                 |    |
>                                                 +----+
> 
> I can get PC2 working fine through PC0 to the Internet but cannot get
> PC1 working.  PC1 has no trouble communicating with PC0.  Also PC2
> cannot ping PC1 and vice versa even though PC0 can ping anybody and
> anybody can ping PC0.  ifconfig and route table are below.

My first guess would have been that IP forwarding is turned off, but
if PC2's connection works, it must be turned on.  I find myself
referring to the ipchains howto on occasion, which has this helpful
little section:

  3.1.  Rusty's Three-Line Guide To Masquerading

    This assumes that your external interface is called `ppp0'.  Use
    ifconfig to find out, and adjust to taste.

       # ipchains -P forward DENY
       # ipchains -A forward -i ppp0 -j MASQ
       # echo 1 > /proc/sys/net/ipv4/ip_forward

> Can anybody help me?  I've tried everything I can think of.

The output of an "ipchains -L" would probably prove instructive.  And
as Sean pointed out recently, an explicit deny rule at the end will
get you helpful log messages.  Oh, and what Russ just said about
allowing traffic between the two 192.168 networks.

Also, what does this tell you?
  # -C checks a test packet against each chain; -v prints the details
  for chain in forward input output; do
    for interface in ppp0 eth0 eth1; do
      for address in 192.168.1.3 192.168.2.2; do
        ipchains -v -C ${chain} -s ${address} 1024 -d www.yahoo.com 80 \
          -p tcp -i ${interface}
      done
    done
  done

You should see some difference between the 192.168.1.x and 192.168.2.x
networks.

HTH

Aaron
--
MTS, tummy.com, ltd.
Linux and UNIX Consulting and Software
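
The three suggestions in this message (masquerade out ppp0, allow traffic between the two 192.168 networks, finish with an explicit logging deny) combined into one forward-chain ruleset, as an added example that is not part of the original e-mail. The /24 netmasks and the function name gen_forward_rules are assumptions; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the original post. Prints an ipchains
# forward-chain ruleset instead of applying it.
# Assumptions: both LANs use a /24 netmask; ppp0 is the external link.

# gen_forward_rules EXT_IF NET [NET...]   (hypothetical helper name)
gen_forward_rules() {
    ext_if=$1
    shift
    # Default-deny, and start from an empty chain so reruns are repeatable
    echo "ipchains -P forward DENY"
    echo "ipchains -F forward"
    # LAN-to-LAN traffic is forwarded unmodified, in both directions
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] || \
                echo "ipchains -A forward -s $src -d $dst -j ACCEPT"
        done
    done
    # Only the listed internal networks are masqueraded; in the forward
    # chain, -i matches the interface the packet is leaving by
    for src in "$@"; do
        echo "ipchains -A forward -s $src -i $ext_if -j MASQ"
    done
    # Explicit final deny with -l: anything unmatched shows up in the log
    echo "ipchains -A forward -j DENY -l"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

gen_forward_rules ppp0 192.168.1.0/24 192.168.2.0/24
```

Order matters: the LAN-to-LAN ACCEPT rules must precede the catch-all deny, and the logging deny must stay last.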