[Linux-Anyway] Re: Uh-oh -- what have I done?

  • From: Meph Istopheles <meph@xxxxxxxxxxxxxxxxxxx>
  • To: Linux-Anyway@xxxxxxxxxxxxx
  • Date: Sun, 16 Mar 2003 14:22:42 -0800 (PST)

> > > ipchains -I forward -s 10.0.0.0/255.0.0.0 -d
> > > 0.0.0.0/0.0.0.0 -j MASQ

> >   Whee!  That works.  Figures -- three obnoxious "gurus" told
> > me that I was wasting my time on masq & that I needed route,
> > "Only routed will allow you to route the packets through the
> > Linux box to the W98.  I wonder, though, why can't I ping the
> > Linux box from W98 now?

> Well, the "guru" typing away right now has forgotten what it
> was all about initially and got entangled into the routing
> stuff - which is rather secondary for now. I should have given
> you the command above the moment you configured the one NIC to
> talk with both networks, which was about 137 mails ago. Sorry -
> that would have saved you some frustration.

  I'd meant to steer you back there, as I'd had a feeling, but 
figured you'd know better;-).

> The gurus are wrong - if you want to access the internet from a
> private range network, you can't possibly do with routing only.
> The point in being a private address range is that it's not
> routable, full stop. A machine on the private range needs a
> "buddy" to go fetch packets for them (similarly as your side
> the pond do teenagers to get booze). That you can do only with
> masquerade (the masqing machine "fakes" the packets to look
> like it came from itself) or a proxy (a web-server that will
> fetch a site for you and distribute locally).

  Which, under the circumstances, I'd figured was the case.

> What happens now is that you have a MASQ rule first in your
> forwarding chain, meaning that every packet is masqed,
> including the ping icmp-packets. What their fate is afterwards,
> I don't know. They either don't reach the interface, they're
> intended for, or the replies don't come back. If routing would
> function on your box, you'd need to insert rule(s) before the
> masqing one to "catch" packets intended for your private
> network and ACCEPT them, thus saving them from MASQing.
> Schematically, like this:

> ipchains -I forward -s <private IP's> -d <public IP's> -j ACCEPT
> ipchains -A forward -s <private IP's> -d <internet - 0.0.0.0> -j MASQ

> The precedence matters, in a chain, so a good choice whether to
> insert at the beginning (-I) or append (-A) to the chain is
> crucial. The masqing rules must come last.

  Uh, I think you're talking here of setting this so that 
whenever I reboot, it all comes back up without trouble...yes?

> The gurus were also right - you need routed to route packets
> between the two networks, that is to make them communicate as
> if two networks were one. Masqing works for the internet, not
> in normal routing. Remember to flush the masqing rule and set
> the policy of the forward chain to ACCEPT before experimenting
> with routed, to exclude it as a source of errors.

  Oh, I know, but what I'd meant was that every time I'd try 
giving all of the pertinent info, they'd cut me off immediately & 
go off about routing.  Not one of them had all the info to really 
give me any good advice -- other than you -- but I'd try setting 
things as they'd suggest & go where that would lead.  Each would 
fail simply because my firewall wasn't allowing masq to do its 
thing.  Had they been willing to hear me out, they too might have 
realised that we could ignore routing for the moment, & 
concentrate on masq.

> > > Hm - if I were you, I'd try to kick Rhiannon (the 10.0.0.3,
> > > right?) out of the routing tables. This route says that to
> > > reach Rhiannon, the machine has to send packets to 10.0.0.1
> > > (that was Ra-Hoor, IIRC), which is clearly a nonsense.

> >   Hmm.  Wonder where I did that.  Know what file I'd edit --
> > there have been so many I've opened & some I've edited,
> > though only one today ifcfg-eth0:1.

> You could grep for 1.0.0.3 recursively through your /etc, it
> might turn the right file up.

  Heh.  Only thing which comes up is an ssl certificate;-).

  So then, as I imply above, is there anything I have to do to 
make sure this all works after my next boot?

-- 
  In the Halls of Justice the only justice is in the halls.
  -Lenny Bruce
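The ordering point made above (a MASQ rule at the head of the forward chain catches the LAN-to-LAN pings too, so an ACCEPT for local traffic has to be inserted ahead of it) is easiest to see by walking a chain by hand. This is an added example, not something from the thread: a small Python model of first-match precedence in an ipchains-style forward chain, with -I and -A implemented as head-insert and tail-append. The private LAN is assumed to be 10.0.0.0/8 and the host addresses and the internet address are constructed.

```python
import ipaddress

# Constructed model of the forward chain from the thread. A rule is
# (source net, destination net, target); the chain is walked top to bottom
# and the FIRST matching rule decides the packet's fate, which is why
# -I (insert at head) versus -A (append at tail) matters.
PRIVATE_LAN = "10.0.0.0/8"           # assumed: the 10.x LAN from the thread
ANYWHERE = "0.0.0.0/0"               # ipchains' 0.0.0.0/0.0.0.0
MASQ_RULE = (PRIVATE_LAN, ANYWHERE, "MASQ")
LAN_ACCEPT_RULE = (PRIVATE_LAN, PRIVATE_LAN, "ACCEPT")

def build_chain(ops):
    """ops: list of (flag, rule) with flag "-I" or "-A"; returns the ordered chain."""
    chain = []
    for flag, rule in ops:
        if flag == "-I":
            chain.insert(0, rule)      # like `ipchains -I forward ...`
        elif flag == "-A":
            chain.append(rule)         # like `ipchains -A forward ...`
        else:
            raise ValueError("unknown flag: %s" % flag)
    return chain

def first_match(chain, src, dst, policy="ACCEPT"):
    """Target of the first rule matching src->dst, else the chain's policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, target in chain:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return target
    return policy

def fate_of_lan_ping(ops, src="10.0.0.3", dst="10.0.0.1"):
    """Fate of a ping from one LAN host to another (constructed addresses)."""
    return first_match(build_chain(ops), src, dst)

if __name__ == "__main__":
    # Only the MASQ rule, inserted at the head: the LAN-to-LAN ping is masqed.
    print(fate_of_lan_ping([("-I", MASQ_RULE)]))                           # MASQ
    # ACCEPT for LAN traffic inserted ahead, MASQ appended last: ping passes.
    print(fate_of_lan_ping([("-A", MASQ_RULE), ("-I", LAN_ACCEPT_RULE)]))  # ACCEPT
    # ACCEPT appended after MASQ: wrong precedence, the ping is still masqed.
    print(fate_of_lan_ping([("-A", MASQ_RULE), ("-A", LAN_ACCEPT_RULE)]))  # MASQ
    # Internet-bound traffic still reaches MASQ with the correct ordering.
    chain = build_chain([("-A", MASQ_RULE), ("-I", LAN_ACCEPT_RULE)])
    print(first_match(chain, "10.0.0.3", "198.51.100.7"))                  # MASQ
```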