[Linux-Anyway] Re: Uh-oh -- what have I done?

  • From: horrorvacui@xxxxxxx
  • To: Linux-Anyway@xxxxxxxxxxxxx
  • Date: Sun, 16 Mar 2003 23:05:16 +0100

On Sun, 16 Mar 2003 12:47:35 -0800 (PST)
Meph Istopheles <meph@xxxxxxxxxxxxxxxxxxx> wrote:

> 
> 
> > As for accessing the internet from the private network alone,
> > you don't need routing. Masquerade will do. Try adding this
> > rule to your firewall and see if the private 'net can ping the
> > internet (don't forget to configure the machines in the private
> > net with 10.0.0.2 as default gateway):
> 
> > ipchains -I forward -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j MASQ
> 
>   Whee!  That works.  Figures -- three obnoxious "gurus" told me 
> that I was wasting my time on masq & that I needed route, "Only 
> routed will allow you to route the packets through the Linux box 
> to the W98.  I wonder, though, why can't I ping the Linux box 
> from W98 now?

Well, the "guru" typing away right now has forgotten what it was all about
initially and got entangled into the routing stuff - which is rather
secondary for now. I should have given you the command above the moment
you configured the one NIC to talk with both networks, which was about 137
mails ago. Sorry - that would have saved you some frustration.

The gurus are wrong - if you want to access the internet from a private
range network, you can't possibly do it with routing only. The point in being
a private address range is that it's not routable, full stop. A machine on
the private range needs a "buddy" to go fetch packets for it (much as
teenagers on your side of the pond do to get booze). That you can do only
with masquerade (the masqing machine "fakes" the packets to look like it
came from itself) or a proxy (a web-server that will fetch a site for you
and distribute locally).

What happens now is that you have a MASQ rule first in your forwarding
chain, meaning that every packet is masqed, including the ping
icmp-packets. What their fate is afterwards, I don't know. They either
don't reach the interface they're intended for, or the replies don't come
back. If routing worked on your box, you'd need to insert rule(s)
before the masqing one to "catch" packets intended for your private
network and ACCEPT them, thus saving them from MASQing. Schematically,
like this:
ipchains -I forward -s <private IP's> -d <public IP's> -j ACCEPT
ipchains -A forward -s <private IP's> -d <internet - 0.0.0.0> -j MASQ
Precedence matters in a chain, so choosing correctly whether to insert at
the beginning (-I) or append (-A) to the chain is crucial. The masqing
rules must come last.

The gurus were also right - you need routed to route packets between the
two networks, that is to make them communicate as if two networks were
one. Masqing works for the internet, not in normal routing. Remember to
flush the masqing rule and set the policy of the forward chain to ACCEPT
before experimenting with routed, to exclude it as a source of errors.

> 
> > Hm - if I were you, I'd try to kick Rhiannon (the 10.0.0.3,
> > right?) out of the routing tables. This route says that to
> > reach Rhiannon, the machine has to send packets to 10.0.0.1
> > (that was Ra-Hoor, IIRC), which is clearly a nonsense.
> 
>   Hmm.  Wonder where I did that.  Know what file I'd edit -- 
> there have been so many I've opened & some I've edited, though 
> only one today ifcfg-eth0:1.

You could grep for 1.0.0.3 recursively through your /etc, it might turn
the right file up.

> 
> > Otherwise, the table looks fine. The route #2 is, I think,
> > unnecessary, but doesn't seem to disturb either. Your two
> > subnets are covered by #3 and #4 (the local network is
> > currently 10/8, the route will change when you change eth0:1 to
> > 10.0.0/24, as this is IIRC what you want), and the default gw
> > is the last route.
> 
>   If you mean to change the line in the eth0:1 file from 10.0.0.2 
> to 10.0.0/24 I then bring eth0 down then up I get:
> 
> # /sbin/ifup eth0
> /etc/sysconfig/network-scripts/ifup-aliases: 
> ipseen_10_0_0_0/24=ifcfg-eth0:1: No such file or directory
> error in ifcfg-eth0:1: already seen ipaddr 10.0.0.0/24 in /24
> SIOCADDRT: Network is unreachable

Nay, I'm just using CIDR notation to save me the typing of all those
numbers. In the file, you'd put in the address 10.0.0.2 and netmask
255.255.255.0
Some commands accept the CIDR (ipchains, for instance), others don't, like
this one.

Cheers

-- 
Horror Vacui

Registered Linux user #257714

Go get yourself... counted: http://counter.li.org/
- and keep following the GNU.
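The chain-precedence point made above (ACCEPT local traffic before the MASQ rule; -I versus -A) can be checked without a kernel. The following is an added example, not part of the original mail: a small Python model of a first-match-wins forward chain, with the ForwardChain class, the 10/8 addresses and the 192.0.2.10 "internet" address all being constructed assumptions rather than real ipchains behaviour.

```python
import ipaddress

# Constructed model of an ipchains-style "forward" chain: rules are tried
# in order and the first rule whose source and destination masks both match
# decides the packet's fate. This is a teaching model, not ipchains itself.
class ForwardChain:
    def __init__(self, policy="ACCEPT"):
        self.rules = []        # ordered list of (src_net, dst_net, target)
        self.policy = policy   # used only when no rule matches

    @staticmethod
    def _rule(src, dst, target):
        # ipaddress accepts both CIDR ("10.0.0.0/8") and netmask form
        # ("10.0.0.0/255.0.0.0"), so the mail's notation works unchanged.
        return (ipaddress.ip_network(src), ipaddress.ip_network(dst), target)

    def insert(self, src, dst, target):
        """Like 'ipchains -I forward': rule goes to the head of the chain."""
        self.rules.insert(0, self._rule(src, dst, target))

    def append(self, src, dst, target):
        """Like 'ipchains -A forward': rule goes to the tail of the chain."""
        self.rules.append(self._rule(src, dst, target))

    def decide(self, src_ip, dst_ip):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for src_net, dst_net, target in self.rules:
            if s in src_net and d in dst_net:
                return target
        return self.policy

def masq_only():
    """The chain from the thread: the single MASQ rule catches everything."""
    chain = ForwardChain()
    chain.insert("10.0.0.0/255.0.0.0", "0.0.0.0/0", "MASQ")
    return chain

def accept_before_masq():
    """Correct order: ACCEPT private-to-private first, MASQ only the rest."""
    chain = ForwardChain()
    chain.insert("10.0.0.0/8", "10.0.0.0/8", "ACCEPT")   # -I: head
    chain.append("10.0.0.0/8", "0.0.0.0/0", "MASQ")      # -A: tail
    return chain

def accept_appended_after_masq():
    """Wrong order: the ACCEPT rule sits behind MASQ and never fires."""
    chain = ForwardChain()
    chain.insert("10.0.0.0/8", "0.0.0.0/0", "MASQ")
    chain.append("10.0.0.0/8", "10.0.0.0/8", "ACCEPT")
    return chain
```

Run decide() with a private source and a private destination against each chain to see which rule wins; only the chain with ACCEPT inserted ahead of MASQ spares local traffic from masquerading.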