Okay, I have a ppp net connection and two machines running Mandrake 10 Official. When I first set up ICS through MCC everything worked fine and I could access the net from both machines. The problems started when I uninstalled Shorewall and installed Guarddog, I did this because I find it easier to use. Guarddog would not work (worked fine in Mandrake 9.2), it just didn't do anything. So I uninstalled guarddog and reinstalled Shorewall. Now I can't access the net from the networked machine and Internet access on the host machine is very slow. I don't understand what is happening, I haven't changed any of the network configuration so its most likely a firewall issue but I don't know. Please help.

Cheers,
Matt

Note - I don't use shorewall - I write my own firewall scripts, so don't know what rules it writes as 'standard'.

Couple of things you need to have to share an internet connection under linux:

The file /proc/sys/net/ipv4/ip_forward should contain 1

Masquerading must be set up for your LAN in iptables - check with iptables -nL -t nat
Should contain something like this:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0

This can be achieved with this command:
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
(Your network address may vary)
Then, as long as your firewall is not blocking anything (read with iptables -nvL) internet connection sharing should work...

Slow connection - possibly something to do with firewall rules - try turning off (no firewalling), and adding rules back one by one. Back up your existing config first. Post output of iptables -nvL here if unsure.

Also post contents of /etc/resolv.conf here - could slow connection down if you are making multiple queries to non-existant name servers, but unlikely if you haven't changed anything else.

See www.netfilter.org for tutorials on iptables if you have time/patience to learn.

Chris

Just to clarify my post above, netfilter is the underlying Linux firewalling system - shorewall and other firewall software will manipulate lists of rules (tables) within netfilter, which we can also manipulate ourselves with the iptables command (does that really clarify it?...)

Chris

Thanks for replying.

The file /proc/sys/net/ipv4/ip_forward should contain 1

Just to clarify this, you mean that this file should contain the character "1". My file is completely blank.



This is the output of the first command (it appears to be right):






Okay, I will try this now.

Here is my resolv.conf file (from the host machine). I don't know anything about DNS but the 192.168.1.2 address looks strange, I don't have that address on my network.








Yep, I get it. I didn't realise it was called netfilter though I thought it was called iptables, but thats just the command right?

>>The file /proc/sys/net/ipv4/ip_forward should contain 1

>>Just to clarify this, you mean that this file should contain the character "1". My file is completely blank.

Yes - just the number 1 and nothing else - this turns on packet forwarding (the process of your computer routing packets between interfaces - ppp0 and eth0 in this case). Without this ICS will not work.

Resolv.conf - the first 2 addresses are local - unless you have a nameserver running on your own network, remove them. What will happen is every time you try to connect to a new location by name, your PC will try getting (resolving) the numerical address from the first address listed in /etc/resolv.conf. If there is no nameserver running at that address ( 192.168.1.2 in this case) it will wait for it to timeout before trying the second and so on.

>>Yep, I get it. I didn't realise it was called netfilter though I thought it was called iptables, but thats just the command right?
Yes

The command 'iptables -nL -t nat' will tell us if you have the correct rule for Network Address Translation, or masquerading - please post output.

As it is, your firewall is accepting all input - bit dodgy...

Here is the output from 'iptables -nL -t nat'

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
loc_dnat all -- 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ppp0_masq all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain loc_dnat (1 references)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

Chain ppp0_masq (1 references)
target prot opt source destination
MASQUERADE all -- 192.168.1.0/24 0.0.0.0/0

/proc/sys/net/ipv4/ip_forward - I put 1 in the file, saved, then restarted the network. Still didn't work. When I opened the file again the 1 was gone??? I tried several times and it does the same thing. Although when I restart the network I always get a message about packet forwarding being enabled.

resolv.conf - I'm pretty sure I don't have a nameserver on my machine, so I will remove the first two entries. But what should be in the networked machines resolv.conf? It has the same thing as the other machine at the moment.

Problem solved!!

I added the isp's nameserver to the client machines resolv.conf and can reach the Internet again.

Thanks for all your help.

Just an observation but if you started off with the mandrake wizards the settings are likely fubar ... the network wizards do stuff in a very strange way and if it goes wrong it usually goes specatacularly wrong from creating the interface to the iptables.

streeter....
In other words dont presume ANY of the mandrake settings are what
you would think are sane. Better to deleter everything and start again in my experience....

You obviously know more about iptables than I do so Ill let you get on with but I have unfortunately had to recover from mandrake wizards before

Gowator - you are absolutely right - I (and others on this forum) have had many problems with Mandrake's networking wizards, and prefer to set things up manually - then you know it's your fault it doesn't work...
For example, I run a simple script containing a list of iptables rules from /etc/rc.d/init.d at boot time.

mdhowe - Glad it works now, but you really should do something about your firewall ASAP - read up about it. At the minimum, you should set your input and forwarding policies to DROP, then allow only trusted hosts and replies (established connections) from your requests on ppp0. You may need some other settings, depending on your individual requirements, but you will find that out when something stops working

Go along to http://grc.com/default.htm and run the shields up test - this will identify any holes in your firewall.

If you need help, start another thread here.

Chris

I havent had probs with wizards becuase I havent used the mandrake networking wizards in ages.

My experiences are VERY BAD... becuase when they have run cleaning everythinhg out is an absolute nightmare.
The insistance for instance to use vistural interfaces even when physical ones exist and the MASQ settings in shorewall. (I dont think shorewall is bad, just the way its implemented by Mandrake)

I also stopped helping people who use the networking wizards after I tell them not to because it always proves so much work and its because the wizards are so bad yet many people here seem to recommend people use the wizards.
I cant understand their use becuase they just mess things up and even when they work they over complicate everything. when they go wrong they go horribly wrong and the setup is so weird like using a eth0:9 ??? when you have a second NIC you wanted to route to?


I found the only way I can do this is to delete the interfaces, iptables rules and everything and start from scratch.

Every part of networking touched by the wizards is 'weird' ... its almost MS like (like the ICS)

anyway Im glad your here because handson IPTABLES experience has been lacking.... (since I ended up doing half the answers on this and I know I dont know much) - one day ill read the documentation though ) meanwhile it feels like a releif to have someone who obviously has already read it