Hello!
I have a home network with three computers (A, B and C).
Computer A has a direct connection to internet by a cable-modem.
It has interfaces:
- eth0 to internet, uses DHCP
- eth1 to computer B, static IP-address: 192.168.0.2
Its operating system is Debian etch, with default
IPMASQ configuration. I added:
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.0.1 eth1
to /etc/init.d/bootmisc.sh (first) and to /etc/init.d/ipmasq (then)
(without that "route add" it does not work either).
Computer B is connected to both A and C.
Its interfaces:
- rl0 to computer A, IP 192.168.0.1
- ural0 to computer B, IP 192.168.2.1
It runs FreeBSD 6.3, configured during install to be a gateway (but no
firewall).
Computer C is connected to B. Interface:
- ural0 to computer B, IP 192.168.2.2
It has FreeBSD 6.3 and OpenBSD 4.0.
=========================================================================
Present situation:
Ping from B to C 192.168.2.2 success.
Ping from C to B 192.168.2.1 success.
Ping from C to B 192.168.0.1 success.
Ping from B to A 192.168.0.2 success.
Ping from B to anywhere in internet success.
Ping from A to B 192.168.0.1 success.
Ping from C to A 192.168.0.2 failed (host is down).
Ping from A to B 192.168.2.1 failed:
knoppix@A:~$ ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
Does anybody know where the problem is?
The aim is for C to be able to connect to internet (for now, I run an
X server in C, ssh from C to B, and run applications in B displaying
in C).
I read documents about IPmasq and IPtables, but did not understand enough.
I tried examples in /usr/share/doc/ipmasq/examples/basics but failed.
I added the "route add" line after reading FreeBSD manual on routing.
Many thanks for your time and help :-)
===================================================================
Here is more information:
knoppix@A:~$ /sbin/route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
85.152.88.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
0.0.0.0 85.152.88.254 0.0.0.0 UG 0 0 0 eth0
root@A:~# iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
LOG 0 -- loopback/8 anywhere LOG level warning
DROP 0 -- loopback/8 anywhere
ACCEPT 0 -- anywhere 255.255.255.255
ACCEPT 0 -- 192.168.0.0/24 anywhere
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG 0 -- 192.168.0.0/24 anywhere LOG level warning
DROP 0 -- 192.168.0.0/24 anywhere
ACCEPT 0 -- anywhere 255.255.255.255
ACCEPT 0 -- anywhere cm-85-152-88-242.telecable.es
ACCEPT 0 -- anywhere 85.152.91.255
LOG 0 -- anywhere anywhere LOG level warning
DROP 0 -- anywhere anywhere
root@A:~# iptables -L OUTPUT
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere 255.255.255.255
ACCEPT 0 -- anywhere 192.168.0.0/24
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG 0 -- anywhere 192.168.0.0/24 LOG level warning
DROP 0 -- anywhere 192.168.0.0/24
ACCEPT 0 -- anywhere 255.255.255.255
ACCEPT 0 -- cm-85-152-88-242.telecable.es anywhere
ACCEPT 0 -- 85.152.91.255 anywhere
LOG 0 -- anywhere anywhere LOG level warning
DROP 0 -- anywhere anywhere
root@A:~# iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- 192.168.0.0/24 anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
LOG 0 -- anywhere 19
____________________________________________________________________________
Carlos Enrique Carleos Artime FidoNet-poshto: 2:341/14.79
Dep-to de Statistiko kaj Plejbonigo, Retposhto:
kaj Matematika Didaktiko Telefono: +34 985 181 904
Universitato Oviedo - Asturio Adreso: EUITIndus 33203 Hispanio
--
problems with (perhaps) IPMASQ
Hello
On Wed, Jan 23, 2008 at 10:13:42AM +0100, Carlos Enrique Carleos Artime wrote:
> Present situation:
[...]
> Ping from A to B 192.168.2.1 failed:
> knoppix@A:~$ ping 192.168.2.1
> PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
From host A you said ping 192.168.0.1 is ok but 192.168.2.1 does not work.
Have you tried both pings with the user "knoppix" or just the second one?
$ ls -l /bin/ping
-rws--x--x 1 root root 34628 3. Jän 13:54 /bin/ping
^ perhaps your "ping" is not suid-root, or
the "nosuid" flag is set on the "/" partition?
[...]
Is the following correct?
Host A (eth1) Host B (rl0) Host B (ural0) Host C (ural0)
192.168.0.2/24 <--> 192.168.0.1/24 + 192.168.2.1/24 <--> 192.168.2.2/24
Host A (192.168.0.2/24)
ping 192.168.0.1 ok
ping 192.168.2.1 not ok <-- see above.
ping 192.168.2.2 <-- what about that?
Host B (192.168.0.1/24, 192.168.2.1/24)
ping 192.168.2.2 ok
ping 192.168.0.2 ok
ping anywhere_in_internet ok
Host C (192.168.2.2/24)
ping 192.168.2.1 ok
ping 192.168.0.1 ok
ping 192.168.0.2 not ok
What's the routing configuration on host B?
Does it do any NAT or just routing?
If there is any NAT configuration on B, then remove it.
Is IP forwarding enabled on host B as well?
> Many thanks for your time and help :-)
>
> root@A:~# iptables -L FORWARD
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT 0 -- 192.168.0.0/24 anywhere
ACCEPT 0 -- 192.168.2.0/24 anywhere <-- that is missing!
[...]
best regards
Koppensteiner Mario
problems with (perhaps) IPMASQ
Hello,
Carlos Enrique Carleos Artime wrote:
>
> knoppix@A:~$ ping 192.168.2.1
> PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
>
> Does anybody know where the problem is?
This message means that iptables drops the outgoing packets to that
destination. I guess the ruleset allows communications on eth1 only with
the 192.168.0.0/24 range.
> root@A:~# iptables -L INPUT
The output of 'iptables -L' is incomplete (does not show interfaces and
the 'nat' table), confusing (numeric addresses are translated into
obscure names), bloated with irrelevant information and hard to read.
'iptables -nvL' is more complete and less confusing but still lacks the
'nat' table. Please use iptables-save instead.
--
problems with (perhaps) IPMASQ
At Linux, you may create bridges using network interfaces.
So, you could use the interfaces of computer B to bridge between
computer A and C.
Something like:
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig br0 192.168.0.1
at C the address would be 192.168.0.3
--
However much I paint a donkey in the colors of a zebra, a donkey will
always be a donkey
-- Dr. Sc. Antônio Ronaldo Garcia
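To make the three diagnoses in this thread concrete (the "Operation not permitted" that Mario and the previous reply trace to host A's own OUTPUT chain, the 192.168.2.0/24 rule Mario notes is missing from FORWARD, and why C works once Pedro's bridge puts it into 192.168.0.0/24), here is an added example that replays A's posted `route -n` table and iptables chains with a tiny first-match emulator. It is not code from anyone in the thread. Because `iptables -L` hides the interface columns, the `-i`/`-o` values are assumptions (the usual ipmasq layout: lo, eth1 = LAN, eth0 = WAN); A's public address 85.152.88.242 is decoded from the hostname in the listing; 198.51.100.10 is a constructed Internet destination; and the `!tcp -> 224.0.0.0/4` multicast rule is left out because it can never match a unicast destination.

```python
"""Replay host A's routing table and iptables chains against the packets
discussed in the thread.  Interface columns are ASSUMED (see lead-in)."""
import ipaddress
from dataclasses import dataclass

# Host A's `route -n` output as posted: (destination, genmask, gateway, iface)
ROUTES = [
    ("192.168.2.0", "255.255.255.0", "192.168.0.1",   "eth1"),
    ("192.168.0.0", "255.255.255.0", "0.0.0.0",       "eth1"),
    ("85.152.88.0", "255.255.252.0", "0.0.0.0",       "eth0"),
    ("0.0.0.0",     "0.0.0.0",       "85.152.88.254", "eth0"),
]

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns (iface, gateway) or None."""
    addr, best = ipaddress.ip_address(dst), None
    for net, mask, gw, iface in ROUTES:
        n = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface, gw)
    return None if best is None else (best[1], best[2])

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str = ""      # ingress interface ("" when locally generated)
    out_if: str = ""     # egress interface chosen by routing
    state: str = "NEW"   # conntrack state as the --state match sees it

@dataclass(frozen=True)
class Rule:
    target: str          # ACCEPT / DROP / LOG
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    in_if: str = ""      # "" matches any interface
    out_if: str = ""
    states: tuple = ()   # () means no --state match on this rule

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.in_if in ("", p.in_if)
                and self.out_if in ("", p.out_if)
                and (not self.states or p.state in self.states))

def evaluate(chain, policy, p):
    """First-match walk.  LOG is non-terminating (log, fall through);
    ACCEPT/DROP end the walk; otherwise the chain policy applies.
    Returns (verdict, index of the deciding rule or None, was_logged)."""
    logged = False
    for i, r in enumerate(chain):
        if not r.matches(p):
            continue
        if r.target == "LOG":
            logged = True
            continue
        return r.target, i, logged
    return policy, None, logged

A_PUBLIC = "85.152.88.242/32"   # decoded from cm-85-152-88-242.telecable.es

# OUTPUT chain as posted (policy DROP), interfaces assumed.
OUTPUT = [
    Rule("ACCEPT", out_if="lo"),
    Rule("ACCEPT", dst="255.255.255.255/32", out_if="eth1"),
    Rule("ACCEPT", dst="192.168.0.0/24", out_if="eth1"),   # the only LAN rule
    Rule("LOG",    dst="192.168.0.0/24", out_if="eth0"),   # anti-spoof on WAN
    Rule("DROP",   dst="192.168.0.0/24", out_if="eth0"),
    Rule("ACCEPT", dst="255.255.255.255/32", out_if="eth0"),
    Rule("ACCEPT", src=A_PUBLIC, out_if="eth0"),
    Rule("ACCEPT", src="85.152.91.255/32", out_if="eth0"),
    Rule("LOG"),                                            # catch-all log ...
    Rule("DROP"),                                           # ... then drop
]

# FORWARD chain as posted (policy DROP); the listing was cut off after LOG.
FORWARD = [
    Rule("ACCEPT", src="192.168.0.0/24", in_if="eth1"),
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
    Rule("LOG"),
]
# The rule Mario points out is missing, placed beside the existing LAN rule.
FORWARD_FIXED = [Rule("ACCEPT", src="192.168.2.0/24", in_if="eth1")] + FORWARD

def ping_from_a(dst):
    """Verdict for a packet A generates itself, after routing picks -o."""
    iface, _gw = route_lookup(dst)
    return evaluate(OUTPUT, "DROP", Packet("192.168.0.2", dst, out_if=iface))[0]

def forward_from_lan(src, chain=FORWARD, state="NEW"):
    """Verdict for a packet entering A on eth1 bound for the Internet
    (198.51.100.10 is a constructed destination)."""
    p = Packet(src, "198.51.100.10", in_if="eth1", out_if="eth0", state=state)
    return evaluate(chain, "DROP", p)[0]

if __name__ == "__main__":
    print("A -> 192.168.0.1 (B, rl0):            ", ping_from_a("192.168.0.1"))
    print("A -> 192.168.2.1 (B, ural0):          ", ping_from_a("192.168.2.1"))
    print("C 192.168.2.2 -> Internet:            ", forward_from_lan("192.168.2.2"))
    print("  with the 192.168.2.0/24 rule added: ", forward_from_lan("192.168.2.2", FORWARD_FIXED))
    print("  bridged, C as 192.168.0.3:          ", forward_from_lan("192.168.0.3"))
```

Routing on A is fine (192.168.2.1 resolves to eth1 via 192.168.0.1); the packet dies on the catch-all LOG/DROP at the end of OUTPUT, which the kernel reports to `ping` as EPERM, hence "Operation not permitted". The same shape repeats in FORWARD: only 192.168.0.0/24 is allowed in, so C's packets are dropped unless a 192.168.2.0/24 rule is added or C is moved into the accepted subnet by bridging. Note that the emulator cannot stand in for `iptables-save`: it only encodes the rules visible in the `-L` listing plus the interface assumptions above.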
problems with (perhaps) IPMASQ
PEdroARthur_JEdi wrote, at second XX160 (21h41'15)
of the 4th of Pluviôse in year 160 of the Revolution (2008-1-23):
> At Linux, you may create bridges using network interfaces.
> So, you could use the interfaces of computer B to bridge between
> computer A and C.
Yes, that solved my problem! (B is a FreeBSD, but does bridging as well)
Many thanks! :-)
--
problems with (perhaps) IPMASQ
On Wed, 23 Jan 2008 10:13:42 +0100,
Carlos Enrique Carleos Artime wrote:
> root@A:~# iptables -L INPUT
> root@A:~# iptables -L OUTPUT
> root@A:~# iptables -L FORWARD
Arghh. Please flush it, set the default policy to accept. First make your network usable,
and then configure the firewall... (but I don't think that you need it, because you are behind NAT..)
--
Damian Ryszka aka Rychu
rychu(at)sileman.net.pl
problems with (perhaps) IPMASQ
On 2008-01-24 Damian Ryszka wrote:
> On Wed, 23 Jan 2008 10:13:42, Carlos Enrique Carleos Artime wrote:
>> root@A:~# iptables -L INPUT
>> root@A:~# iptables -L OUTPUT
>> root@A:~# iptables -L FORWARD
>
> Arghh. Please flush it, set the default policy to accept. First make
> your network usable,
Don't ever do that on systems connected to the Internet.
Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
--
problems with (perhaps) IPMASQ
Hi,
On Wed, 23 Jan 2008 10:13:42 +0100,
Carlos Enrique Carleos Artime wrote:
> I have a home network with three computers (A, B and C).
Could you post _ALL_ IP addresses with subnet masks attached to your interfaces, and
the configured routing? (no need for A's eth0). Please use the iproute2 package.
ip a l - list interfaces
ip r l - list routing
BTW. Do you have ip_forward enabled on B?
--
Damian Ryszka aka Rychu
rychu(at)sileman.net.pl
problems with (perhaps) IPMASQ
Try on B:
echo 1 > /proc/sys/net/ipv4/ip_forward
;)
Sincerely,
wanderlust
On Wed, 2008-01-23 at 10:13 +0100, Carlos Enrique Carleos Artime wrote:
[...]
--
problems with (perhaps) IPMASQ
wanderlust wrote, at second 98469 (19h23'48)
of the 5th of Pluviôse in year 160 of the Revolution (2008-1-24):
> Try on B:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
(It's FreeBSD, so not exactly that.)
That was done, because when installing the system I asked for IP forwarding.
But it did not work as I expected. I still think the problem was the rules set up by IPMASQ.
Anyway, by bridging (as suggested by Pedro) I solved my problem.
Many thanks to all.
--