Re: Masquerading

ATPlack (ATPlack@scj.com)
Mon, 23 Sep 1996 10:26:03 -0500


>When specifying 0 for ?, you _should_ add a mask, like 192.168.250.0/24
>(== 192.168.250.0/255.255.255.0).
>It should work for a specific address, however.

The mask of 255.255.255.0 on the netaddress (192.168.250.0) was tried with
both -W and -V. No go. Sorry for not mentioning that.

>Huh... shutdown? What are you trying to say with this?
>What is the difference between the last two rules (use the -lne options
>to produce more extensive output)?

The shutdown is just a reboot of the server. :)
The difference between the two tests was the -W and the -V parameters.

>Dependent on what you're asking, there are two answers:
>- You need to specify a mask for the source address (see test 2).
>- The "other" addresses don't have a route back and therefore will not
>work (although the packets themselves should be passed).

The question is why the netaddress does not work in the forward rules and
the specific address does.
- Yes, I did try the netmask with no success.
- That is why I am trying Masquerading :)

>Neither of them ;-). But I think the last one is a typo and you mean
>only 3 x 255. That one can be abbreviated as "24" (see test 2 above).

Yup, I am prone to ytping mistakes ;-)
Thanks for the shortcut, maybe this will work since 255.255.255.0 does not.

> This is strange. You say that -V works fine?

Yes, sir. -V works. -W does not. That is the difference between Test 2
and Test 3.

Thanks for the help.
----------
From: jos@xos.nl
To: ATPLACK@scj.com
Cc: linux-admin@vger.rutgers.edu; linux-kernel@vger.rutgers.edu
Subject: Re: Masquerading
Date: Sunday, September 22, 1996 8:25AM

Hi,

> BACKGROUND
> -----------------------
> My firewall machine is connected to my ISP via a PPP connection (just for
> now). For the sake of the document (however not really) the gateway machine
> is 151.51.25.126 (class C). The address that they assign my interface is
> 151.51.25.X (DHCP group). My Ethernet has an address of 192.168.250.0.
> 192.168.250.150 is my gateway. pppd is started with defaultroute so that
> the default route for the gateway is ppp0. 198.168.250.153 is my host box.
>
> From the firewall, I can see the world and life is good. However, my ISP is
> using IGRP which does me no good as far as routing goes (no RIP available)
> and I am using the private networks as specified in the RFC, therefore,
> masquerading is required. Thanks to all who saw the need for this and have
> included it in the kernel.
>
> ISSUES
> --------------
> (defaults for all filters are accept)
>
> test1
> -------
> ipfwadm -F -f
> ipfwadm -I -f
> ipfwadm -O -f
>
> There are no errors in the command line.
> This forwards the packet from localnet to ppp0 as is. No problem,
> except that no router on 151.51.25.0 has a clue where 192.168.250.0 is. No
> gated or routed does not fix it (see the notes above on IGRP). Therefore,
> there is no return route. Not a problem with masquerading right? These
> packets are visible with "tcpdump -i ppp0".

This all seems to be according to all specs.

> test 2
> --------
> ipfwadm -F -a accept -S 192.168.250.? -W ppp0 -m
>
> There are no errors in the command line.
> ? is any number between 0 and 255. Please note, I have tried both 0
> and a specific address like 153.
> tcpdump shows me that packets are being received by the gateway (on
> eth0) but there is no forwarding of the packets to ppp0 or lo ("tcpdump -i"
> command verifies this). "ipfwadm -M -l" shows nothing in the masquerade
> tables.
> Changing the -W to -V and specifying the interface address makes no
> difference.

When specifying 0 for ?, you _should_ add a mask, like 192.168.250.0/24
(== 192.168.250.0/255.255.255.0).
It should work for a specific address, however.

> test 3
> --------
> ipfwadm -F -a accept -S 192.168.250.? -V 151.51.25.# -m
>
> There are no errors in the command line.
> This works for any given value of # that is returned by pppd and for
> any value of ? EXCEPT for 0 or 255. Here is an output of my "ipfwadm -F
> -ln" command:
>
> IP firewall forward rules, default policy: accept
> type prot source destination ports
> acc/m all 192.168.250.151 0.0.0.0/0 n/a
> acc/m all 192.168.250.153 0.0.0.0/0 n/a
> acc/m all 192.168.250.153 0.0.0.0/0 n/a
>
> Please note that this is not reliable. 1 out of every 3 (random)
> "shutdown -r now" attempts will not allow this to work.

Huh... shutdown? What are you trying to say with this?
What is the difference between the last two rules (use the -lne options
to produce more extensive output)?

> Problems
> -------------
> 1. Why does the forward gateway not allow any IP address on the net to be
> passed unless they are specifically specified in the forward gateways list?
> i.e. Why does the localnet not work as a parameter?

Dependent on what you're asking, there are two answers:
- You need to specify a mask for the source address (see test 2).
- The "other" addresses don't have a route back and therefore will not work
(although the packets themselves should be passed).

> 2. The documentation is not clear on the mask (that is why you do not see me
> using it). Do I need 0.0.0.255 or 255.255.255.255.0 for all addresses on
> 192.168.250.0?

Neither of them ;-). But I think the last one is a typo and you mean
only 3 x 255. That one can be abbreviated as "24" (see test 2 above).

> 3. Why can I not specify -W with the command and have it work?

This is strange. You say that -V works fine?

--
-- Jos Vos <jos@xos.nl>
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204
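The mask point from test 2 and question 2 above (a bare 192.168.250.0 is a single host address, 192.168.250.0/24 and 192.168.250.0/255.255.255.0 are the same network, and neither 0.0.0.255 nor 255.255.255.255.0 is a netmask), worked through in Python as an added example that is not part of this thread or of ipfwadm itself. It assumes, as ipfwadm does, that a -S address given without a mask is a 32-bit host match; the addresses used are the ones from the thread.

```python
import ipaddress

def mask_to_prefixlen(mask: str) -> int:
    """Turn an ipfwadm-style mask ('24' or '255.255.255.0') into a prefix length.

    Rejects '0.0.0.255' (a host mask, not a netmask) and
    '255.255.255.255.0' (not a dotted quad at all).
    """
    if mask.isdigit():                        # abbreviated form, e.g. "/24"
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return bits
    try:
        m = int(ipaddress.IPv4Address(mask))  # raises on 255.255.255.255.0
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not a dotted-quad mask: {mask}") from exc
    inv = ~m & 0xFFFFFFFF                     # the zero bits of the mask
    if inv & (inv + 1):                       # must be a run of 1s then 0s
        raise ValueError(f"not a contiguous netmask: {mask}")
    return 32 - inv.bit_length()

def parse_source_spec(spec: str) -> ipaddress.IPv4Network:
    """Parse the argument of ipfwadm -S: address[/mask].
    Assumption (ipfwadm behaviour): no mask means a 32-bit host mask,
    so a bare '192.168.250.0' matches only the address 192.168.250.0."""
    addr, slash, mask = spec.partition("/")
    prefixlen = mask_to_prefixlen(mask) if slash else 32
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)

def spec_is_valid(spec: str) -> bool:
    """True if the -S argument is well formed under the rules above."""
    try:
        parse_source_spec(spec)
        return True
    except ValueError:
        return False

def rule_matches(spec: str, src_ip: str) -> bool:
    """Would a forward rule with -S <spec> match a packet from src_ip?"""
    return ipaddress.IPv4Address(src_ip) in parse_source_spec(spec)

if __name__ == "__main__":
    host = "192.168.250.153"                  # the host box from the thread
    for spec in ("192.168.250.0", "192.168.250.0/24",
                 "192.168.250.0/255.255.255.0", host):
        print(f"-S {spec:30} -> {parse_source_spec(spec)!s:20} "
              f"matches {host}: {rule_matches(spec, host)}")
    for bad in ("192.168.250.0/0.0.0.255", "192.168.250.0/255.255.255.255.0"):
        print(f"-S {bad:30} -> valid: {spec_is_valid(bad)}")
```

Run as a script it shows why test 2 with "0" and no mask passes nothing from the LAN while the /24 and 255.255.255.0 forms cover every host on 192.168.250.0.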