Guest mdhowe Posted June 6, 2004

Okay, I have a ppp net connection and two machines running Mandrake 10 Official. When I first set up ICS through MCC everything worked fine and I could access the net from both machines. The problems started when I uninstalled Shorewall and installed Guarddog, I did this because I find it easier to use. Guarddog would not work (worked fine in Mandrake 9.2), it just didn't do anything. So I uninstalled Guarddog and reinstalled Shorewall. Now I can't access the net from the networked machine and Internet access on the host machine is very slow. I don't understand what is happening, I haven't changed any of the network configuration so it's most likely a firewall issue but I don't know. Please help.

Cheers, Matt
streeter Posted June 6, 2004

Note - I don't use shorewall - I write my own firewall scripts, so don't know what rules it writes as 'standard'.

Couple of things you need to have to share an internet connection under linux:

The file /proc/sys/net/ipv4/ip_forward should contain 1

Masquerading must be set up for your LAN in iptables - check with iptables -nL -t nat

Should contain something like this:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.0.0/24       0.0.0.0/0

This can be achieved with this command:

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -d 0/0 -j MASQUERADE

(Your network address may vary)

Then, as long as your firewall is not blocking anything (read with iptables -nvL) internet connection sharing should work...

Slow connection - possibly something to do with firewall rules - try turning off (no firewalling), and adding rules back one by one. Back up your existing config first. Post output of iptables -nvL here if unsure.

Also post contents of /etc/resolv.conf here - could slow connection down if you are making multiple queries to non-existent name servers, but unlikely if you haven't changed anything else.

See www.netfilter.org for tutorials on iptables if you have time/patience to learn.

Chris
streeter Posted June 6, 2004

Just to clarify my post above, netfilter is the underlying Linux firewalling system - shorewall and other firewall software will manipulate lists of rules (tables) within netfilter, which we can also manipulate ourselves with the iptables command (does that really clarify it?...)

Chris
Guest mdhowe Posted June 7, 2004

Thanks for replying.

>>The file /proc/sys/net/ipv4/ip_forward should contain 1

Just to clarify this, you mean that this file should contain the character "1". My file is completely blank.

This is the output of the first command (it appears to be right):

[root@purple matt]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
loc_dnat   all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain loc_dnat (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128

>>Slow connection - possibly something to do with firewall rules - try turning off (no firewalling), and adding rules back one by one. Back up your existing config first. Post output of iptables -nvL here if unsure.

Okay, I will try this now.

Here is my resolv.conf file (from the host machine). I don't know anything about DNS but the 192.168.1.2 address looks strange, I don't have that address on my network.

search lan
nameserver 192.168.1.2
nameserver 127.0.0.1
nameserver 203.194.56.150 # ppp temp entry
nameserver 203.194.27.57 # ppp temp entry
nameserver 203.194.56.150 #kppp temp entry
nameserver 203.194.27.57 #kppp temp entry

>>Just to clarify my post above, netfilter is the underlying Linux firewalling system - shorewall and other firewall software will manipulate lists of rules (tables) within netfilter, which we can also manipulate ourselves with the iptables command (does that really clarify it?...)

Yep, I get it. I didn't realise it was called netfilter though, I thought it was called iptables, but that's just the command, right?
streeter Posted June 7, 2004

>>The file /proc/sys/net/ipv4/ip_forward should contain 1
>>Just to clarify this, you mean that this file should contain the character "1". My file is completely blank.

Yes - just the number 1 and nothing else - this turns on packet forwarding (the process of your computer routing packets between interfaces - ppp0 and eth0 in this case). Without this ICS will not work.

Resolv.conf - the first 2 addresses are local - unless you have a nameserver running on your own network, remove them. What will happen is every time you try to connect to a new location by name, your PC will try getting (resolving) the numerical address from the first address listed in /etc/resolv.conf. If there is no nameserver running at that address (192.168.1.2 in this case) it will wait for it to timeout before trying the second and so on.

>>Yep, I get it. I didn't realise it was called netfilter though, I thought it was called iptables, but that's just the command, right?

Yes

The command 'iptables -nL -t nat' will tell us if you have the correct rule for Network Address Translation, or masquerading - please post output.

As it is, your firewall is accepting all input - bit dodgy...
Guest mdhowe Posted June 7, 2004

Here is the output from 'iptables -nL -t nat'

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
loc_dnat   all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain loc_dnat (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128

Chain ppp0_masq (1 references)
target     prot opt source               destination
MASQUERADE all  --  192.168.1.0/24       0.0.0.0/0
Guest mdhowe Posted June 7, 2004

/proc/sys/net/ipv4/ip_forward - I put 1 in the file, saved, then restarted the network. Still didn't work. When I opened the file again the 1 was gone??? I tried several times and it does the same thing. Although when I restart the network I always get a message about packet forwarding being enabled.

resolv.conf - I'm pretty sure I don't have a nameserver on my machine, so I will remove the first two entries. But what should be in the networked machine's resolv.conf? It has the same thing as the other machine at the moment.
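The three checks streeter walks through above (forwarding flag, MASQUERADE rule in the nat table, local nameservers in resolv.conf) as a small script, added here as an example and not part of the thread. The sample listings are constructed copies of what mdhowe posted; on a real ICS host you would feed the script the live files instead.

```shell
#!/bin/sh
# Added example, not from the thread: the three ICS checks streeter lists,
# written as functions that read text from a file or stdin so they work on
# the live system (ip_forward, iptables -nL -t nat, /etc/resolv.conf) or on
# the constructed samples below.

# 1. Forwarding: the proc file must hold "1". A value written with an editor
#    does not survive a restart; the persistent setting is
#    net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
forwarding_enabled() {           # $1 = path to ip_forward (or a copy of it)
    read -r v < "$1" 2>/dev/null && [ "$v" = "1" ]
}

# 2. Masquerading: a MASQUERADE rule for the LAN must exist in the nat
#    table. Shorewall puts it in its own chain (ppp0_masq in this thread),
#    so the whole listing is searched, not just POSTROUTING.
has_masquerade() {               # stdin = iptables -nL -t nat output
    grep -E "^MASQUERADE[[:space:]]+all[[:space:]]+--[[:space:]]+$1" >/dev/null
}                                # $1 = LAN prefix as a regex, e.g. '192\.168\.1\.0/24'

# 3. resolv.conf: print nameservers on loopback or private ranges; each one
#    with nothing answering adds a timeout before the ISP's server is tried.
suspect_nameservers() {          # stdin = resolv.conf
    awk '$1 == "nameserver" &&
         $2 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)/ { print $2 }'
}

# Constructed samples, copied from the listings quoted in this thread.
NAT_SAMPLE='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  all  --  0.0.0.0/0            0.0.0.0/0

Chain ppp0_masq (1 references)
target     prot opt source               destination
MASQUERADE all  --  192.168.1.0/24       0.0.0.0/0'

RESOLV_SAMPLE='search lan
nameserver 192.168.1.2
nameserver 127.0.0.1
nameserver 203.194.56.150 # ppp temp entry'

# Run the checks on the samples (swap in the real files on an ICS host).
printf '%s\n' "$NAT_SAMPLE" | has_masquerade '192\.168\.1\.0/24' \
    && echo "masquerade: ok" || echo "masquerade: MISSING"
printf '%s\n' "$RESOLV_SAMPLE" | suspect_nameservers \
    | sed 's/^/nameserver likely to time out: /'
```

On the host itself, `forwarding_enabled /proc/sys/net/ipv4/ip_forward` and `iptables -nL -t nat | has_masquerade '192\.168\.1\.0/24'` run the same checks against the live configuration.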
Guest mdhowe Posted June 7, 2004

Problem solved!! I added the ISP's nameserver to the client machine's resolv.conf and can reach the Internet again. Thanks for all your help.
Gowator Posted June 7, 2004

>>Note - I don't use shorewall - I write my own firewall scripts, so don't know what rules it writes as 'standard'.

Just an observation but if you started off with the mandrake wizards the settings are likely fubar ... the network wizards do stuff in a very strange way and if it goes wrong it usually goes spectacularly wrong from creating the interface to the iptables.

streeter.... In other words don't presume ANY of the mandrake settings are what you would think are sane. Better to delete everything and start again in my experience.... You obviously know more about iptables than I do so I'll let you get on with it, but I have unfortunately had to recover from mandrake wizards before :D
streeter Posted June 7, 2004

Gowator - you are absolutely right - I (and others on this forum) have had many problems with Mandrake's networking wizards, and prefer to set things up manually - then you know it's your fault it doesn't work... For example, I run a simple script containing a list of iptables rules from /etc/rc.d/init.d at boot time.

mdhowe - Glad it works now, but you really should do something about your firewall ASAP - read up about it. At the minimum, you should set your input and forwarding policies to DROP, then allow only trusted hosts and replies (established connections) from your requests on ppp0. You may need some other settings, depending on your individual requirements, but you will find that out when something stops working :D

Go along to http://grc.com/default.htm and run the shields up test - this will identify any holes in your firewall. If you need help, start another thread here.

Chris
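A ruleset of the shape streeter describes (INPUT and FORWARD policies DROP, then the LAN and established replies on ppp0 allowed, plus the masquerade rule from earlier in the thread), as an added example rather than streeter's own boot script. The interface names ppp0/eth0 and the 192.168.1.0/24 prefix are taken from this thread and are parameters; the function prints the commands so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not the thread's own boot script: generates the minimal
# iptables ruleset streeter describes for an ICS host. Interface names and
# LAN prefix are parameters; the values used below are this thread's setup.
# Apply as root with:   firewall_rules ppp0 eth0 192.168.1.0/24 | sh

firewall_rules() {
    wan=$1 lan=$2 net=$3
    cat <<EOF
# start clean
iptables -F
iptables -t nat -F
# default to dropping unsolicited input and forwarded traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# local traffic and the trusted LAN may talk to this host
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -s $net -j ACCEPT
# from the ppp link, only replies to connections this host opened
iptables -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# share the connection: LAN out, replies back in, masqueraded behind $wan
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Sanity check on the generated text: both internet-facing chains must end
# up with a DROP policy, which is the change streeter asks for.
policies_drop() {
    n=$(firewall_rules "$@" | grep -Ec '^iptables -P (INPUT|FORWARD) DROP$')
    [ "$n" -eq 2 ]
}

# Print the ruleset for review (nothing is applied until it is piped to sh).
firewall_rules ppp0 eth0 192.168.1.0/24
```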
Gowator Posted June 7, 2004

I haven't had probs with wizards because I haven't used the mandrake networking wizards in ages. My experiences are VERY BAD... because when they have run, cleaning everything out is an absolute nightmare. The insistence for instance to use virtual interfaces even when physical ones exist and the MASQ settings in shorewall. (I don't think shorewall is bad, just the way it's implemented by Mandrake)

I also stopped helping people who use the networking wizards after I tell them not to because it always proves so much work and it's because the wizards are so bad, yet many people here seem to recommend people use the wizards. I can't understand their use because they just mess things up and even when they work they over complicate everything. When they go wrong they go horribly wrong and the setup is so weird, like using an eth0:9 ??? when you have a second NIC you wanted to route to? I found the only way I can do this is to delete the interfaces, iptables rules and everything and start from scratch. Every part of networking touched by the wizards is 'weird' ... it's almost MS like (like the ICS)

anyway I'm glad you're here because hands-on IPTABLES experience has been lacking.... (since I ended up doing half the answers on this and I know I don't know much) - one day I'll read the documentation though :D) meanwhile it feels like a relief to have someone who obviously has already read it :D