ICS (Internet connection sharing) problems


Guest mdhowe

Okay, I have a ppp net connection and two machines running Mandrake 10 Official. When I first set up ICS through MCC everything worked fine and I could access the net from both machines. The problems started when I uninstalled Shorewall and installed Guarddog; I did this because I find it easier to use. Guarddog would not work (it worked fine in Mandrake 9.2), it just didn't do anything. So I uninstalled Guarddog and reinstalled Shorewall. Now I can't access the net from the networked machine and Internet access on the host machine is very slow. I don't understand what is happening; I haven't changed any of the network configuration, so it's most likely a firewall issue, but I don't know. Please help.

 

Cheers,

Matt


Note - I don't use shorewall - I write my own firewall scripts, so don't know what rules it writes as 'standard'.

 

Couple of things you need to have to share an internet connection under linux:

 

The file /proc/sys/net/ipv4/ip_forward should contain 1

 

Masquerading must be set up for your LAN in iptables - check with iptables -nL -t nat

Should contain something like this:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.0.0/24       0.0.0.0/0

 

This can be achieved with this command:

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -d 0/0 -j MASQUERADE

(Your network address may vary)

Then, as long as your firewall is not blocking anything (read with iptables -nvL) internet connection sharing should work...

 

Slow connection - possibly something to do with firewall rules - try turning off (no firewalling), and adding rules back one by one. Back up your existing config first. Post output of iptables -nvL here if unsure.

 

Also post the contents of /etc/resolv.conf here - it could slow the connection down if you are making multiple queries to non-existent name servers, but that is unlikely if you haven't changed anything else.

 

See www.netfilter.org for tutorials on iptables if you have time/patience to learn.

 

Chris
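The three checks above (ip_forward, a reachable MASQUERADE rule, resolv.conf pointing at a dead local nameserver) as a script, added here as an example and not code from this thread. It reads saved files rather than the live system, so it runs without root; the sample files it builds are constructed to mirror the output posted later in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread: checks the three things Chris
# lists against saved files, so it runs without root or a live ppp link.
# 1. /proc/sys/net/ipv4/ip_forward must contain exactly "1"
check_ip_forward() {            # $1 = path to an ip_forward file
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# 2. the nat table must reach a MASQUERADE target from POSTROUTING, either
#    directly or through one user chain (Shorewall's ppp0_masq, for example)
check_masquerade() {            # $1 = saved output of "iptables -nL -t nat"
    awk '/^Chain / { chain = $2; next }
         /^target / || NF == 0 { next }
         { tgt[chain, ++n[chain]] = $1 }
         END {
             for (i = 1; i <= n["POSTROUTING"]; i++) {
                 t = tgt["POSTROUTING", i]
                 if (t == "MASQUERADE") exit 0
                 for (j = 1; j <= n[t]; j++)
                     if (tgt[t, j] == "MASQUERADE") exit 0
             }
             exit 1
         }' "$1"
}

# 3. the first nameserver in resolv.conf must not be a LAN or loopback
#    address with nothing listening: every lookup would wait for a timeout
first_nameserver_is_local() {   # $1 = path to a resolv.conf
    awk '$1 == "nameserver" { ns = $2; exit }
         END { exit !(ns ~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) }' "$1"
}

# Constructed sample input mirroring this thread (not captured from a real box)
demo() {
    d=$(mktemp -d)
    printf '1\n' > "$d/ip_forward"
    printf '%s\n' 'Chain POSTROUTING (policy ACCEPT)' \
        'target     prot opt source               destination' \
        'ppp0_masq  all  --  0.0.0.0/0            0.0.0.0/0' '' \
        'Chain ppp0_masq (1 references)' \
        'target     prot opt source               destination' \
        'MASQUERADE all  --  192.168.1.0/24       0.0.0.0/0' > "$d/nat.txt"
    printf 'nameserver 192.168.1.2\nnameserver 203.194.56.150\n' > "$d/resolv.conf"
    check_ip_forward "$d/ip_forward" && echo "ip_forward: ok" || echo "ip_forward: not 1"
    check_masquerade "$d/nat.txt" && echo "masquerade: ok" || echo "masquerade: missing"
    first_nameserver_is_local "$d/resolv.conf" && echo "resolv.conf: first nameserver is local, lookups will be slow"
    rm -rf "$d"
}
demo
```

On a real box, point the functions at /proc/sys/net/ipv4/ip_forward, the saved output of iptables -nL -t nat, and /etc/resolv.conf.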


Just to clarify my post above, netfilter is the underlying Linux firewalling system - shorewall and other firewall software will manipulate lists of rules (tables) within netfilter, which we can also manipulate ourselves with the iptables command (does that really clarify it?...)

 

Chris


Guest mdhowe

Thanks for replying.

 

>>The file /proc/sys/net/ipv4/ip_forward should contain 1

 

Just to clarify this, you mean that this file should contain the character "1". My file is completely blank.

 

 

 

This is the output of the first command (it appears to be right):

 

[root@purple matt]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
loc_dnat   all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain loc_dnat (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128

 

 

>>Slow connection - possibly something to do with firewall rules - try turning off (no firewalling), and adding rules back one by one. Back up your existing config first. Post output of iptables -nvL here if unsure.

 

Okay, I will try this now.

 

Here is my resolv.conf file (from the host machine). I don't know anything about DNS but the 192.168.1.2 address looks strange, I don't have that address on my network.

 

 

search lan
nameserver 192.168.1.2
nameserver 127.0.0.1
nameserver 203.194.56.150 # ppp temp entry
nameserver 203.194.27.57 # ppp temp entry
nameserver 203.194.56.150	#kppp temp entry
nameserver 203.194.27.57	#kppp temp entry

 

 

>>Just to clarify my post above, netfilter is the underlying Linux firewalling system - shorewall and other firewall software will manipulate lists of rules (tables) within netfilter, which we can also manipulate ourselves with the iptables command (does that really clarify it?...)

 

 

Yep, I get it. I didn't realise it was called netfilter though; I thought it was called iptables, but that's just the command, right?


>>The file /proc/sys/net/ipv4/ip_forward should contain 1

 

>>Just to clarify this, you mean that this file should contain the character "1". My file is completely blank.

 

Yes - just the number 1 and nothing else - this turns on packet forwarding (the process of your computer routing packets between interfaces - ppp0 and eth0 in this case). Without this ICS will not work.

 

Resolv.conf - the first 2 addresses are local - unless you have a nameserver running on your own network, remove them. What will happen is every time you try to connect to a new location by name, your PC will try getting (resolving) the numerical address from the first address listed in /etc/resolv.conf. If there is no nameserver running at that address ( 192.168.1.2 in this case) it will wait for it to timeout before trying the second and so on.

 

>>Yep, I get it. I didn't realise it was called netfilter though I thought it was called iptables, but thats just the command right?

Yes

 

The command 'iptables -nL -t nat' will tell us if you have the correct rule for Network Address Translation, or masquerading - please post output.

 

As it is, your firewall is accepting all input - bit dodgy...


Guest mdhowe

Here is the output from 'iptables -nL -t nat'

 

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
loc_dnat   all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain loc_dnat (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128

Chain ppp0_masq (1 references)
target     prot opt source               destination
MASQUERADE all  --  192.168.1.0/24       0.0.0.0/0


Guest mdhowe

/proc/sys/net/ipv4/ip_forward - I put 1 in the file, saved, then restarted the network. Still didn't work. When I opened the file again the 1 was gone??? I tried several times and it does the same thing. Although when I restart the network I always get a message about packet forwarding being enabled.

 

resolv.conf - I'm pretty sure I don't have a nameserver on my machine, so I will remove the first two entries. But what should be in the networked machine's resolv.conf? It has the same thing as the other machine at the moment.


Guest mdhowe

Problem solved!!

 

I added the ISP's nameserver to the client machine's resolv.conf and can reach the Internet again.

 

Thanks for all your help.


>>Note - I don't use shorewall - I write my own firewall scripts, so don't know what rules it writes as 'standard'.

 

Just an observation, but if you started off with the Mandrake wizards the settings are likely fubar ... the network wizards do stuff in a very strange way, and if it goes wrong it usually goes spectacularly wrong, from creating the interface to the iptables.

 

streeter....

In other words, don't presume ANY of the Mandrake settings are what you would think are sane. Better to delete everything and start again, in my experience....

 

You obviously know more about iptables than I do, so I'll let you get on with it, but I have unfortunately had to recover from Mandrake wizards before :D


Gowator - you are absolutely right - I (and others on this forum) have had many problems with Mandrake's networking wizards, and prefer to set things up manually - then you know it's your fault it doesn't work...

For example, I run a simple script containing a list of iptables rules from /etc/rc.d/init.d at boot time.

 

mdhowe - Glad it works now, but you really should do something about your firewall ASAP - read up about it. At the minimum, you should set your input and forwarding policies to DROP, then allow only trusted hosts and replies (established connections) from your requests on ppp0. You may need some other settings, depending on your individual requirements, but you will find that out when something stops working :D

 

Go along to http://grc.com/default.htm and run the shields up test - this will identify any holes in your firewall.

 

If you need help, start another thread here.

 

Chris
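A minimal rule set of the shape Chris describes (INPUT and FORWARD policies DROP, only LAN traffic and established replies on ppp0 let in, LAN masqueraded behind ppp0), added here as an example and not Chris's own boot script. The interface names and LAN range are assumptions; it prints the commands by default and only loads them when run as root with ICS_APPLY=1. Current kernels also accept -m conntrack --ctstate in place of -m state.

```shell
#!/bin/sh
# Added example, not the thread's own script: a minimal ICS firewall.
# Assumed names: WAN=ppp0, LAN_IF=eth0, LAN=192.168.1.0/24 (override via env).
WAN=${WAN:-ppp0}
LAN_IF=${LAN_IF:-eth0}
LAN=${LAN:-192.168.1.0/24}

# Dry run unless ICS_APPLY=1: echo each command instead of executing it
run() { if [ "${ICS_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

apply_rules() {
    # flush filter and nat (and delete user chains) so wizard leftovers cannot interfere
    for t in filter nat; do run iptables -t "$t" -F; run iptables -t "$t" -X; done

    # default-deny for traffic to the box and traffic routed through it
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # loopback and trusted LAN hosts may talk to the host itself
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN" -j ACCEPT
    # on the ppp link only replies to our own requests are accepted
    run iptables -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # forwarding: LAN -> Internet, and back only for established connections
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN" -s "$LAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # hide LAN addresses behind the ppp address (the rule Chris gave earlier)
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN" -j MASQUERADE

    # turn on forwarding; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it across reboots
    run sysctl -w net.ipv4.ip_forward=1
}

apply_rules
```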


I haven't had problems with wizards because I haven't used the Mandrake networking wizards in ages.

 

My experiences are VERY BAD... because when they have run, cleaning everything out is an absolute nightmare.

The insistence, for instance, on using virtual interfaces even when physical ones exist, and the MASQ settings in Shorewall. (I don't think Shorewall is bad, just the way it's implemented by Mandrake.)

 

I also stopped helping people who use the networking wizards after I tell them not to, because it always proves so much work, and it's because the wizards are so bad, yet many people here seem to recommend people use the wizards.

I can't understand their use because they just mess things up, and even when they work they over-complicate everything. When they go wrong they go horribly wrong, and the setup is so weird, like using an eth0:9 ??? when you have a second NIC you wanted to route to?

 

 

I found the only way I can do this is to delete the interfaces, iptables rules and everything and start from scratch.

 

Every part of networking touched by the wizards is 'weird' ... it's almost MS-like (like the ICS).

 

Anyway, I'm glad you're here, because hands-on IPTABLES experience has been lacking.... (since I ended up doing half the answers on this, and I know I don't know much) - one day I'll read the documentation though :D) Meanwhile it feels like a relief to have someone who obviously has already read it :D
