On Sun, 16 Mar 2003 12:47:35 -0800 (PST) Meph Istopheles <meph@xxxxxxxxxxxxxxxxxxx> wrote:

> > As for accessing the internet from the private network alone,
> > you don't need routing. Masquerade will do. Try adding this
> > rule to your firewall and see if the private 'net can ping the
> > internet (don't forget to configure the machines in the private
> > net with 10.0.0.2 as default gateway):
> >
> > ipchains -I forward -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j MASQ
>
> Whee! That works. Figures -- three obnoxious "gurus" told me
> that I was wasting my time on masq & that I needed route, "Only
> routed will allow you to route the packets through the Linux box
> to the W98." I wonder, though, why can't I ping the Linux box
> from W98 now?

Well, the "guru" typing away right now has forgotten what it was all about initially and got entangled in the routing stuff, which is rather secondary for now. I should have given you the command above the moment you configured the one NIC to talk with both networks, which was about 137 mails ago. Sorry - that would have saved you some frustration.

The gurus are wrong: if you want to access the internet from a private range network, you can't possibly do it with routing only. The point of being a private address range is that it's not routable, full stop. A machine on the private range needs a "buddy" to go and fetch packets for it (much as teenagers on your side of the pond do to get booze). That you can do only with masquerade (the masqing machine "fakes" the packets to look like they came from itself) or a proxy (a web server that will fetch a site for you and distribute it locally).

What happens now is that you have a MASQ rule first in your forwarding chain, meaning that every packet is masqed, including the ping ICMP packets. What their fate is afterwards, I don't know. They either don't reach the interface they're intended for, or the replies don't come back.
If routing would function on your box, you'd need to insert rule(s) before the masqing one to "catch" packets intended for your private network and ACCEPT them, thus saving them from MASQing. Schematically, like this:

    ipchains -I forward -s <private IP's> -d <public IP's> -j ACCEPT
    ipchains -A forward -s <private IP's> -d <internet - 0.0.0.0> -j MASQ

Precedence matters in a chain, so a good choice of whether to insert at the beginning (-I) or append (-A) to the chain is crucial. The masqing rules must come last.

The gurus were also right - you need routed to route packets between the two networks, that is, to make them communicate as if the two networks were one. Masqing works for the internet, not in normal routing. Remember to flush the masqing rule and set the policy of the forward chain to ACCEPT before experimenting with routed, to exclude it as a source of errors.

> > Hm - if I were you, I'd try to kick Rhiannon (the 10.0.0.3,
> > right?) out of the routing tables. This route says that to
> > reach Rhiannon, the machine has to send packets to 10.0.0.1
> > (that was Ra-Hoor, IIRC), which is clearly nonsense.
>
> Hmm. Wonder where I did that. Know what file I'd edit --
> there have been so many I've opened & some I've edited, though
> only one today ifcfg-eth0:1.

You could grep for 10.0.0.3 recursively through your /etc; it might turn the right file up.

> > Otherwise, the table looks fine. The route #2 is, I think,
> > unnecessary, but doesn't seem to disturb either. Your two
> > subnets are covered by #3 and #4 (the local network is
> > currently 10/8, the route will change when you change eth0:1 to
> > 10.0.0/24, as this is IIRC what you want), and the default gw
> > is the last route.
>
> If you mean to change the line in the eth0:1 file from 10.0.0.2
> to 10.0.0/24 I then bring eth0 down then up I get:
>
> # /sbin/ifup eth0
> /etc/sysconfig/network-scripts/ifup-aliases:
> ipseen_10_0_0_0/24=ifcfg-eth0:1: No such file or directory
> error in ifcfg-eth0:1: already seen ipaddr 10.0.0.0/24 in /24
> SIOCADDRT: Network is unreachable

Nay, I'm just using CIDR notation to save me the typing of all those numbers. In the file, you'd put in the address 10.0.0.2 and the netmask 255.255.255.0. Some commands accept CIDR (ipchains, for instance); others don't, like this one.

Cheers
-- 
Horror Vacui

Registered Linux user #257714
Go get yourself... counted: http://counter.li.org/ - and keep following the GNU.

To unsubscribe send e-mail with the word unsubscribe in the body to: Linux-Anyway-Request@xxxxxxxxxxxxx?body=unsubscribe
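Added example (editor's, not part of the mail thread above): a small Python model of the two points the reply makes, namely that an ipchains chain is evaluated top-down with first match winning, so an ACCEPT for private-to-local traffic only helps if it sits ahead of the MASQ rule, and that an ifcfg file wants the address and a dotted netmask rather than CIDR. Nothing here touches the kernel; it is an in-memory model of the rule semantics. The second local network (192.168.1.0/24), the example internet address 198.51.100.7 and all function names are assumptions made for the illustration, not values from the thread.

```python
"""Model of ipchains first-match precedence plus CIDR -> dotted netmask.
Added example, not code from the thread; it does not program the kernel."""
import ipaddress
from dataclasses import dataclass


def net(spec: str) -> ipaddress.IPv4Network:
    """Accept both ipchains spellings: 10.0.0.0/255.0.0.0 and 10.0.0.0/8."""
    return ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str  # ACCEPT, MASQ, DENY, ...


class Chain:
    """Minimal forward chain: rules tried top-down, first match wins,
    chain policy applies when nothing matches."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: list[Rule] = []

    def insert(self, src: str, dst: str, target: str) -> None:
        """ipchains -I: put the rule at the head of the chain."""
        self.rules.insert(0, Rule(net(src), net(dst), target))

    def append(self, src: str, dst: str, target: str) -> None:
        """ipchains -A: put the rule at the tail of the chain."""
        self.rules.append(Rule(net(src), net(dst), target))

    def verdict(self, src_ip: str, dst_ip: str) -> str:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if s in r.src and d in r.dst:
                return r.target
        return self.policy


# Assumed for the illustration (not from the thread): the other local
# network behind the Linux box is 192.168.1.0/24.
PRIVATE = "10.0.0.0/24"
OTHER_LAN = "192.168.1.0/24"
INTERNET = "0.0.0.0/0"


def masq_only_chain() -> Chain:
    """The rule from the mail on its own: everything from 10/8 is MASQed,
    including packets the box forwards to the other local network."""
    c = Chain()
    c.insert("10.0.0.0/255.0.0.0", "0.0.0.0/0.0.0.0", "MASQ")
    return c


def corrected_chain() -> Chain:
    """ACCEPT private-to-local traffic ahead of the MASQ rule, MASQ last."""
    c = Chain()
    c.append(PRIVATE, INTERNET, "MASQ")
    c.insert(PRIVATE, OTHER_LAN, "ACCEPT")  # -I lands it ahead of the MASQ
    return c


def wrong_order_chain() -> Chain:
    """Same two rules, ACCEPT appended after the MASQ: it is never reached."""
    c = Chain()
    c.insert(PRIVATE, INTERNET, "MASQ")
    c.append(PRIVATE, OTHER_LAN, "ACCEPT")
    return c


def ifcfg_fields(cidr: str) -> dict[str, str]:
    """Expand CIDR into the IPADDR/NETMASK pair an ifcfg-eth0:1 file expects."""
    iface = ipaddress.ip_interface(cidr)
    return {"IPADDR": str(iface.ip), "NETMASK": str(iface.network.netmask)}


if __name__ == "__main__":
    for name, chain in [("masq only", masq_only_chain()),
                        ("corrected", corrected_chain()),
                        ("wrong order", wrong_order_chain())]:
        print(f"{name:12s} 10.0.0.3 -> 192.168.1.10 : "
              f"{chain.verdict('10.0.0.3', '192.168.1.10')}")
        print(f"{name:12s} 10.0.0.3 -> 198.51.100.7 : "
              f"{chain.verdict('10.0.0.3', '198.51.100.7')}")
    print(ifcfg_fields("10.0.0.2/24"))
```

Running it shows the LAN-to-LAN packet coming out as MASQ under the single rule and under the appended ACCEPT, and as ACCEPT only when the ACCEPT is inserted ahead of the MASQ, while the internet-bound packet is MASQed in all three cases; the last line prints the IPADDR/NETMASK pair to put in the alias file instead of 10.0.0/24.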