* [gentoo-user] Need help with routing
From: Florian Philipp @ 2007-09-02 9:54 UTC
To: gentoo-user
Hi list!
I'm trying to set up my laptop as the router for my PC.
In the end it should look like this:
ppp0 - laptop - eth0 <---> eth0 - PC
My problem: As soon as I set up eth0 with "ifconfig 192.168.1.1 netmask
255.255.255.0 eth0", ppp0 is no longer used.
I tried to follow this howto:
http://gentoo-wiki.com/HOWTO_quick_routing
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Need help with routing
From: Dale @ 2007-09-02 10:12 UTC
To: gentoo-user
Florian Philipp wrote:
> Hi list!
>
> I'm trying to set up my laptop as the router for my PC.
>
> In the end it should look like this:
>
> ppp0 - laptop - eth0 <---> eth0 - PC
>
> My problem: As soon as set up eth0 with "ifconfig 192.168.1.1 netmask
> 255.255.255.0 eth0" ppp0 is no longer used.
>
> I tried to follow this howto:
> http://gentoo-wiki.com/HOWTO_quick_routing
I do this too and I have this in my /etc/conf.d/net file on the one that
connects to the internet.
gateway="ppp0"
You may want to try that.
Dale
:-) :-)
* Re: [gentoo-user] Need help with routing
From: Florian Philipp @ 2007-09-10 16:52 UTC
To: gentoo-user
Dan Farrell wrote:
> On Sun, 02 Sep 2007 05:12:11 -0500
> Dale <dalek1967@bellsouth.net> wrote:
>
>> Florian Philipp wrote:
>>> Hi list!
>>>
>>> I'm trying to set up my laptop as the router for my PC.
>>> ...
>>> My problem: As soon as set up eth0 with "ifconfig 192.168.1.1
>>> netmask 255.255.255.0 eth0" ppp0 is no longer used.
>
>> I do this too and I have this in my /etc/conf.d/net file on the one
>> that connects to the internet.
>>
>> gateway="ppp0"
>>
>> You may want to try that.
>>
>> Dale
>
> Yes, this is your problem Florian. You need to make sure the default
> route is not set to eth0, which will probably be done automatically for
> eth0 when you bring it up.
>
> In other words, follow Dale's advice.
Thanks! At least they can ping each other now but routing still doesn't
work: "Destination host unreachable".
Is there anything wrong with the server script in the howto? I've
already tried to deactivate ipv6 on the server.
* Re: [gentoo-user] Need help with routing
From: Florian Philipp @ 2007-09-10 18:59 UTC
To: gentoo-user
Florian Philipp wrote:
> Dan Farrell wrote:
>> On Sun, 02 Sep 2007 05:12:11 -0500
>> Dale <dalek1967@bellsouth.net> wrote:
>>
>>> Florian Philipp wrote:
>>>> Hi list!
>>>>
>>>> I'm trying to set up my laptop as the router for my PC.
>>>> ...
>>>> My problem: As soon as set up eth0 with "ifconfig 192.168.1.1
>>>> netmask 255.255.255.0 eth0" ppp0 is no longer used.
>>> I do this too and I have this in my /etc/conf.d/net file on the one
>>> that connects to the internet.
>>>
>>> gateway="ppp0"
>>>
>>> You may want to try that.
>>>
>>> Dale
>> Yes, this is your problem Florian. You need to make sure the default
>> route is not set to eth0, which will probably be done automatically for
>> eth0 when you bring it up.
>>
>> In other words, follow Dale's advice.
>
> Thanks! At least they can ping each other now but routing still doesn't
> work: "Destination host unreachable".
>
> Is there anything wrong with the server script in the howto? I've
> already tried to deactivate ipv6 on the server.
I'll attach relevant ifconfig, route and iptables -L output.
[-- Attachment #2: ifconfig_client.txt --]
eth0 Link encap:Ethernet HWaddr 00:1A:4D:7B:9F:1B
inet addr:10.8.0.2 Bcast:10.8.0.255 Mask:255.255.255.0
inet6 addr: fe80::21a:4dff:fe7b:9f1b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:192 errors:0 dropped:0 overruns:0 frame:0
TX packets:538 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18818 (18.3 KiB) TX bytes:53935 (52.6 KiB)
Interrupt:21 Base address:0xa000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:55 errors:0 dropped:0 overruns:0 frame:0
TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5221 (5.0 KiB) TX bytes:5221 (5.0 KiB)
[-- Attachment #3: ifconfig_server.txt --]
eth0 Link encap:Ethernet HWaddr 00:19:B9:7A:74:31
inet addr:10.8.0.1 Bcast:10.8.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:375 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:36156 (35.3 Kb) TX bytes:1124 (1.0 Kb)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ppp0 Link encap:Point-to-Point Protocol
inet addr:10.129.141.215 P-t-P:10.64.64.64 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:7088 errors:0 dropped:0 overruns:0 frame:0
TX packets:6488 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:6071662 (5.7 Mb) TX bytes:846226 (826.3 Kb)
[-- Attachment #4: iptables.txt --]
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.8.0.1 anywhere
ACCEPT all -- anywhere 10.8.0.1
DROP all -- !10.8.0.1 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[-- Attachment #5: route_client.txt --]
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1000 0 0 eth0
default HOMER-KUBUNTU64 0.0.0.0 UG 0 0 0 eth0
default 10.8.0.1 0.0.0.0 UG 0 0 0 eth0
[-- Attachment #6: route_server.txt --]
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.64.64 * 255.255.255.255 UH 0 0 0 ppp0
10.8.0.0 * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0
* Re: [gentoo-user] Need help with routing
From: Dan Farrell @ 2007-09-10 19:41 UTC
To: Florian Philipp, gentoo-user
On Mon, 10 Sep 2007 20:59:03 +0200
Florian Philipp <f.philipp@addcom.de> wrote:
> default HOMER-KUBUNTU64 0.0.0.0 UG 0 0 0 eth0
What's this?
I do not know if this should be here.
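The default-route question Dan raises here (and his earlier point that bringing up eth0 tends to grab the default route) is easy to check mechanically. The following is an added example, not code from anyone in the thread: a POSIX sh check that reads "route" or "route -n" output and fails unless exactly one default route exists and it leaves via the interface you name. The two sample tables are the ones posted in the thread, reproduced here as constructed input with the column spacing collapsed; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: default-route sanity check for the routing setup in this thread.
# Feed "route" or "route -n" output on stdin.

# Print "gateway iface" for every default route in the table.
default_routes() {
    awk '$1 == "default" || $1 == "0.0.0.0" { print $2, $NF }'
}

# check_default_route UPLINK_IF < table
# Succeeds only when exactly one default route exists and it leaves via UPLINK_IF.
# The router must point its default at ppp0; the PC must point its default at
# the router on eth0, and must have only one.
check_default_route() {
    uplink=$1
    found=$(default_routes)
    n=$(printf '%s\n' "$found" | grep -c . || true)
    if [ "$n" -ne 1 ]; then
        echo "expected one default route, found $n:"
        printf '%s\n' "$found"
        return 1
    fi
    iface=${found##* }
    if [ "$iface" != "$uplink" ]; then
        echo "default route leaves via $iface, expected $uplink"
        return 1
    fi
    echo "ok: default via ${found% *} on $iface"
}

# Constructed samples: the two tables posted in the thread, spacing collapsed.
CLIENT_TABLE='Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1000 0 0 eth0
default HOMER-KUBUNTU64 0.0.0.0 UG 0 0 0 eth0
default 10.8.0.1 0.0.0.0 UG 0 0 0 eth0'

ROUTER_TABLE='Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.64.64 * 255.255.255.255 UH 0 0 0 ppp0
10.8.0.0 * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0'

# Usage: sh routecheck.sh demo
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$CLIENT_TABLE" | check_default_route eth0   # fails: two defaults
    printf '%s\n' "$ROUTER_TABLE" | check_default_route ppp0   # ok
fi
```

On the client table this reports two default routes on eth0, which is the line Dan is asking about; on a live box, run "route -n | check_default_route ppp0" on the router and "route -n | check_default_route eth0" on the PC.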
* Re: [gentoo-user] Need help with routing
From: Hans-Werner Hilse @ 2007-09-10 20:48 UTC
To: gentoo-user
Hi,
On Mon, 10 Sep 2007 20:59:03 +0200
Florian Philipp <f.philipp@addcom.de> wrote:
> I'll attach relevant ifconfig, route and iptables -L output.
Hm, OK. This:
----snip----
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.8.0.1 anywhere
ACCEPT all -- anywhere 10.8.0.1
DROP all -- !10.8.0.1 anywhere
----snip----
is on what computer? On the "server" (I guess it's the router) the last
line would effectively prevent routing for the client (but I don't know
why ICMP works...). I would suggest starting without it and then
setting up proper rules -- and then setting the chain's policy to DROP
(plus some REJECT rules for proper answers).
Dan's hint is also worth investigating.
BTW: use route/ifconfig/netstat/iptables' "-n" switch to make analysis
easier!
-hwh
* Re: [gentoo-user] Need help with routing
From: Florian Philipp @ 2007-09-11 15:30 UTC
To: gentoo-user
Hans-Werner Hilse wrote:
> Hi,
>
> On Mon, 10 Sep 2007 20:59:03 +0200
> Florian Philipp <f.philipp@addcom.de> wrote:
>
>> I'll attach relevant ifconfig, route and iptables -L output.
>
> Hm, OK. This:
> ----snip----
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 10.8.0.1 anywhere
> ACCEPT all -- anywhere 10.8.0.1
> DROP all -- !10.8.0.1 anywhere
> ----snip----
>
> is on what computer? On the "server" (I guess it's the router) the last
> line would effectively prevent routing for the client (but I don't know
> why ICMP works...). I would suggest starting without it and then
> setting up proper rules -- and then setting the chain's policy to DROP
> (plus some REJECT rules for proper answers).
>
> Dan's hint is also worth investigating.
> BTW: use route/ifconfig/netstat/iptables' "-n" switch to make analysis
> easier!
>
> -hwh
I followed the howto's nomenclature of "server" and "client".
I'm a bit puzzled right now. Is there anything essentially wrong with
the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed it
word by word.
The drop rule is explained as "#prevent others ip from conecting to my eth0"
* Re: [gentoo-user] Need help with routing
From: Dan Farrell @ 2007-09-11 16:06 UTC
To: gentoo-user
On Mon, 10 Sep 2007 22:48:20 +0200
Hans-Werner Hilse <hilse@web.de> wrote:
> is on what computer? On the "server" (I guess it's the router) the
> last line would effectively prevent routing for the client (but I
> don't know why ICMP works...). I would suggest starting without it
> and then setting up proper rules -- and then setting the chain's
> policy to DROP (plus some REJECT rules for proper answers).
I agree, I thought your firewall rules were a little wacky too. These
rules only route to one host. Generally you'd want to route to a whole
network, not just one host.
> (but I don't know why ICMP works...).
* Re: [gentoo-user] Need help with routing
From: Hans-Werner Hilse @ 2007-09-11 16:18 UTC
To: gentoo-user
Hi,
On Tue, 11 Sep 2007 17:30:51 +0200 Florian Philipp
<f.philipp@addcom.de> wrote:
> > Hm, OK. This:
> > ----snip----
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> > ACCEPT all -- 10.8.0.1 anywhere
> > ACCEPT all -- anywhere 10.8.0.1
> > DROP all -- !10.8.0.1 anywhere
> > ----snip----
> >
> > is on what computer? On the "server" (I guess it's the router) the
> > last line would effectively prevent routing for the client (but I
> > don't know why ICMP works...). I would suggest starting without it
> > and then setting up proper rules -- and then setting the chain's
> > policy to DROP (plus some REJECT rules for proper answers).
>
> I followed the howto's nomenclature of "server" and "client".
> I'm a bit puzzled right now. Is there anything essentially wrong with
> the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed
> it word by word.
> The drop rule is explained as "#prevent others ip from conecting to
> my eth0"
Hm, judging from the fact that the article on Routing uses a "Client" and
"Server" nomenclature, I consider the article to be at least partly
crap ;-)
And yes, that guide really seems to be a bunch of BS (sorry, but that's
the way it seems to be). It is outright horrible. Personally I hate
discussing on Wikis' Discussion Pages, so, no, I won't correct it (but
looking at its discussion page, others considered it bad, too, and are
planning to correct/delete it).
That iptables setup is absolutely stupid. It accepts packets from and
to the machine itself (note that 10.8.0.1 is the router's IP), but will
drop any packet not originating from 10.8.0.1. The latter should be
true for all packets originating from the client (since it has the
address 10.8.0.2). So all the client's communication is dropped, and
that's it, end of story.
Better have a look at netfilter's set of HOWTOs, especially the NAT
howto. Better learn what you're doing... Otherwise, just take the hints
from my previous posting.
My suggestion for a proper setup would be
$ iptables -F FORWARD
$ iptables -P FORWARD DROP
$ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
...plus rules allowing for forwarding designated ports, if any
You'll certainly want to keep this:
$ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
in place, too.
Note that this trusts any box connecting via eth0, not just a single
client.
-hwh
* Re: [gentoo-user] Need help with routing
From: Florian Philipp @ 2007-09-11 16:22 UTC
To: gentoo-user
Dan Farrell wrote:
> On Mon, 10 Sep 2007 22:48:20 +0200
> Hans-Werner Hilse <hilse@web.de> wrote:
>
>> is on what computer? On the "server" (I guess it's the router) the
>> last line would effectively prevent routing for the client (but I
>> don't know why ICMP works...). I would suggest starting without it
>> and then setting up proper rules -- and then setting the chain's
>> policy to DROP (plus some REJECT rules for proper answers).
>
> I agree, I thought your firewall rules were a little wacky too. These
> rules only route to one host. generally you'd want to route to a whole
> network, not just one host.
>
>> (but I don't know why ICMP works...).
>
Well, as I've written, they aren't "my" rules. I just copied and pasted
them.
I know just as much about iptables as I know about cars. I know the
theory, I've seen the building process from like 10 meters distance and
I use the finished product.
I'd really appreciate if you could post the correct settings or config
file(s).
* Re: [gentoo-user] Need help with routing
From: Florian Philipp @ 2007-09-11 16:50 UTC
To: gentoo-user
Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 11 Sep 2007 17:30:51 +0200 Florian Philipp
> <f.philipp@addcom.de> wrote:
>
>>> Hm, OK. This:
>>> ----snip----
>>> Chain FORWARD (policy ACCEPT)
>>> target prot opt source destination
>>> ACCEPT all -- 10.8.0.1 anywhere
>>> ACCEPT all -- anywhere 10.8.0.1
>>> DROP all -- !10.8.0.1 anywhere
>>> ----snip----
>>>
>>> is on what computer? On the "server" (I guess it's the router) the
>>> last line would effectively prevent routing for the client (but I
>>> don't know why ICMP works...). I would suggest starting without it
>>> and then setting up proper rules -- and then setting the chain's
>>> policy to DROP (plus some REJECT rules for proper answers).
>> I followed the howto's nomenclature of "server" and "client".
>> I'm a bit puzzled right now. Is there anything essentially wrong with
>> the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed
>> it word by word.
>> The drop rule is explained as "#prevent others ip from conecting to
>> my eth0"
>
> Hm, judging from that the article on Routing uses a "Client" and
> "Server" nomenclature, I consider the article being at least partly
> crap ;-)
>
> And yes, that guide really seems to be a bunch of BS (sorry, but that's
> the way it seems to be). It is outright horrible. Personally I hate
> discussing on Wikis' Discussion Pages, so, no, I won't correct it (but
> looking at its discussion page, others considered it bad, too, and are
> planning to correct/delete it).
>
> That iptables setup is absolutely stupid. It accepts packets from and
> to the machine itself (note that 10.8.0.1 is the router's IP), but will
> drop any packet not originating from 10.8.0.1. The latter should be
> true for all packets originating from the client (since it has the
> address 10.8.0.2). So all the client's communication is dropped, and
> that's it, end of story.
>
> Better have a look at netfilter's set of HOWTOs, especially the NAT
> howto. Better learn what you're doing... Otherwise, just take the hints
> from my previous posting.
>
> My suggestion for a proper setup would be
>
> $ iptables -F FORWARD
> $ iptables -P FORWARD DROP
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> ...plus rules allowing for forwarding designated ports, if any
>
> You'll certainly want to keep this:
> $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
> in place, too.
>
> Note that this trusts any box connecting via eth0, not just a single
> client.
>
> -hwh
Thanks!
In fact I'd really like to learn more about iptables but at the moment I
hardly find the time to do it.
When I try to apply the rules you've posted I get:
$ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name
A syntax error, maybe?
* Re: [gentoo-user] Need help with routing
From: Hans-Werner Hilse @ 2007-09-11 18:21 UTC
To: gentoo-user
Hi,
On Tue, 11 Sep 2007 18:50:52 +0200 Florian Philipp
<f.philipp@addcom.de> wrote:
> > My suggestion for a proper setup would be
> >
> > $ iptables -F FORWARD
> > $ iptables -P FORWARD DROP
> > $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state
> > NEW,ESTABLISHED,RELATED -j ACCEPT $ iptables -A FORWARD -i ppp0 -o
> > eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT ...plus rules
> > allowing for forwarding designated ports, if any
> >
> > You'll certainly want to keep this:
> > $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
> > in place, too.
> >
> > Note that this trusts any box connecting via eth0, not just a single
> > client.
> [...]
> When I try to apply the rules you've posted I get:
>
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables: No chain/target/match by that name
Hm, you do not seem to have your kernel configured for connection state
matching.
Just start with basic rules:
$ iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
$ iptables -A FORWARD -o eth0 -i ppp0 -j ACCEPT
(instead of the "iptables -A" settings mentioned before)
But note that those would potentially allow inbound connections to get
routed to any desired machine (desired by the party outside your
network, that is). So make sure that either such requests aren't
getting forwarded to your router (and this is most probably already the
case for your setup -- DSL or cable, I guess?) or your LAN doesn't care
(i.e. is secured). Most PPP endpoints, however, would drop such traffic
anyway, so you should be secure if you trust your provider.
Basically I think this is what the Gentoo wiki guide *intended* to do.
-hwh
* Re: [gentoo-user] Need help with routing
From: Florian Philipp @ 2007-09-11 19:38 UTC
To: gentoo-user
Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 11 Sep 2007 18:50:52 +0200 Florian Philipp
> <f.philipp@addcom.de> wrote:
>
>>> My suggestion for a proper setup would be
>>>
>>> $ iptables -F FORWARD
>>> $ iptables -P FORWARD DROP
>>> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state
>>> NEW,ESTABLISHED,RELATED -j ACCEPT $ iptables -A FORWARD -i ppp0 -o
>>> eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT ...plus rules
>>> allowing for forwarding designated ports, if any
>>>
>>> You'll certainly want to keep this:
>>> $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
>>> in place, too.
>>>
>>> Note that this trusts any box connecting via eth0, not just a single
>>> client.
>> [...]
>> When I try to apply the rules you've posted I get:
>>
>> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
>> NEW,ESTABLISHED,RELATED -j ACCEPT
>>
>> iptables: No chain/target/match by that name
>
> Hm, you do not seem to have your kernel configured for connection state
> matching.
>
> Just start with basic rules:
> $ iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
> $ iptables -A FORWARD -o eth0 -i ppp0 -j ACCEPT
>
> (instead of the "iptables -A" settings mentioned before)
>
> But note that those would potentially allow inbound connections to get
> routed to any desired machine (desired by the party outside your
> network, that is). So make sure that either such requests aren't
> getting forwarded to your router (and this is most probably already the
> case for your setup -- DSL or cable, I guess?) or your LAN doesn't care
> (i.e. is secured). Most PPP endpoints, however, would drop such traffic
> anyway, so you should be secure if you trust your provider.
>
> Basically I think this is what the Gentoo wiki guide *intended* to do.
>
> -hwh
Now the kernel can handle connection state matching :)
I can apply your rules with one exception:
iptables -A POSTROUTING -o ppp0 -j MASQUERADE
The same error message as before.
I've enabled basically everything in the kernel's netfilter submenu that
can be compiled as a module and since these modules were automatically
inserted when necessary I don't know what's the problem right now.
I'll attach lsmod and the kernel config, just in case...
Oh, and I've still got 100% packet loss when trying to ping Google's IP
from anywhere but the router.
[-- Attachment #2: config.bz2 --]
[-- Attachment #3: lsmod.txt --]
Module Size Used by
xt_state 3136 0
ipt_MASQUERADE 4096 3
iptable_nat 8452 1
nf_nat 19884 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 18640 2 iptable_nat
nf_conntrack 61980 5 xt_state,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter 3712 1
ip_tables 19632 2 iptable_nat,iptable_filter
x_tables 20296 4 xt_state,ipt_MASQUERADE,iptable_nat,ip_tables
option 11648 1
usbserial 33968 3 option
b44 28236 0
sr_mod 18020 0
cdrom 35944 1 sr_mod
sg 26016 0
* Re: [gentoo-user] Need help with routing
From: Hans-Werner Hilse @ 2007-09-11 20:10 UTC
To: gentoo-user
Hi,
On Tue, 11 Sep 2007 21:38:26 +0200
Florian Philipp <f.philipp@addcom.de> wrote:
> Now the kernel can handle connection state matching :)
>
> I can apply your rules with one exception:
> iptables -A POSTROUTING -o ppp0 -j MASQUERADE
>
> The same error message as before.
But a different cause: My brain ;-) That should rather read
$ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
(I forgot the "-t nat")
There is, however, a kernel configuration needed for masquerading, too
(CONFIG_IP_NF_TARGET_MASQUERADE on newer kernels, you can search for it
-- or just "MASQUERADE" on older kernels -- using the "/" key in the
kernel's menuconfig). So if iptables keeps complaining, check that too.
BTW: I'm starting to really hate the HOWTO that much that I might even
consider editing it. The HOWTO got this command wrong as well: It
MASQUERADEs the connections going out to the LAN interface...
For a proper durable setup, after performing all steps manually until
you have iptables in the way, you should issue
$ /etc/init.d/iptables save
and have iptables fire up using rc-update, if not yet done. Also put
the sysctl setting in /etc/sysctl.conf. Then routing/masquerading will
be set up right on each boot.
-hwh
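Pulling together Hans-Werner's stateful FORWARD rules from his earlier message and the "-t nat" correction here gives a complete router-side setup. What follows is an added example, not code from the thread, from Hans-Werner, or from the wiki HOWTO being criticised: one idempotent POSIX sh script for the laptop acting as router. The interface names and the 10.8.0.0/24 prefix come from the thread's ifconfig output; the variable and function names, the dry-run mechanism and the anti-spoofing rule are assumptions of this example. It also goes one step beyond the thread by restricting both forwarding and masquerading to LAN source addresses, so the rules cannot be used by anything that arrives on eth0 with a foreign source.

```shell
#!/bin/sh
# Added example: router-side forwarding + NAT for "ppp0 - laptop - eth0 <-> PC".
# Not the thread's or the HOWTO's code; see the lead-in for what is assumed.

LAN_IF=${LAN_IF:-eth0}            # towards the PC
WAN_IF=${WAN_IF:-ppp0}            # the uplink
LAN_NET=${LAN_NET:-10.8.0.0/24}   # the whole LAN prefix, not a single host
# Override with IPT='echo iptables' SYSCTL='echo sysctl' for a dry run as a normal user.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# The thread's "No chain/target/match by that name" means the kernel lacks the
# state match or the nat table; probe both before touching anything.
netfilter_ready() {
    $IPT -m state -h >/dev/null 2>&1 &&
    $IPT -t nat -L POSTROUTING -n >/dev/null 2>&1
}

router_rules() {
    # 1. Without forwarding enabled the FORWARD chain never sees a packet.
    $SYSCTL -w net.ipv4.ip_forward=1

    # 2. Default deny, then: the LAN may open connections out, the uplink may
    #    only answer. Connection tracking does the bookkeeping.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Anti-spoofing on the LAN side (assumed addition): a packet arriving on eth0
    # with a source outside the LAN prefix is dropped. This is what the HOWTO's
    # "DROP ! 10.8.0.1" rule seems to have intended; written against the router's
    # own address it drops the client's traffic instead.
    $IPT -A FORWARD -i "$LAN_IF" '!' -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Masquerading lives in the nat table, so "-t nat" is not optional, and it
    #    applies to traffic leaving via the uplink, never via the LAN interface.
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage (as root): sh router.sh apply
# Afterwards, as Hans-Werner notes, "/etc/init.d/iptables save" plus
# "net.ipv4.ip_forward = 1" in /etc/sysctl.conf make it survive a reboot.
case "${1:-}" in
    apply)
        netfilter_ready || { echo "kernel lacks the state match or the nat table" >&2; exit 1; }
        router_rules
        ;;
esac
```

The MASQUERADE line is the one the thread tripped over twice: without "-t nat" iptables looks for a POSTROUTING chain in the filter table and reports "No chain/target/match by that name", and with "-o eth0" instead of "-o ppp0" the HOWTO rewrites the wrong side of the connection.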
* Re: [gentoo-user] Need help with routing
From: Florian Philipp @ 2007-09-12 16:35 UTC
To: gentoo-user
Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 11 Sep 2007 21:38:26 +0200
> Florian Philipp <f.philipp@addcom.de> wrote:
>
>> Now the kernel can handle connection state matching :)
>>
>> I can apply your rules with one exception:
>> iptables -A POSTROUTING -o ppp0 -j MASQUERADE
>>
>> The same error message as before.
>
> But a different cause: My brain ;-) That should rather read
> $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> (I forgot the "-t nat")
>
> There is, however, a kernel configuration needed for masquerading, too
> (CONFIG_IP_NF_TARGET_MASQUERADE on newer kernels, you can search for it
> -- or just "MASQUERADE" on older kernels -- using the "/" key in the
> kernel's menuconfig). So if iptables keeps complaining, check that too.
>
> BTW: I'm starting to really hate the HOWTO that much that I might even
> consider editing it. The HOWTO got this command wrong as well: It
> MASQUERADEs the connections going out to the LAN interface...
>
> For a proper durable setup, after performing all steps manually until
> you have iptables in the way, you should issue
> $ /etc/init.d/iptables save
> and have iptables fire up using rc-update, if not yet done. Also put
> the sysctl setting in /etc/sysctl.conf. Then routing/masquerading will
> be set up right on each boot.
>
> -hwh
>
Thank you for your patience, it's finally working!
If you don't edit the wiki, I'll do it (sooner or later). Just tell me
if you don't want to see your name when I give you credit for the settings.
* Re: [gentoo-user] Need help with routing [OT: Issues with an article on the wiki]
From: Hans-Werner Hilse @ 2007-09-12 18:55 UTC
To: gentoo-user
Hi,
On Wed, 12 Sep 2007 18:35:41 +0200
Florian Philipp <f.philipp@addcom.de> wrote:
> Thank you for your patience, it's finally working!
OK, that's good news :-)
> If you don't edit the wiki, I'll do it (sooner or later). Just tell me
> if you don't want to see your name when I give you credit for the settings.
Reading through it, it'll need a general rewrite.
The more I look at it, the less it makes sense. Though on the
discussion site, the last comment gives a valuable hint to what the
main culprit is: The article doesn't clarify on its focus (and I guess
that's why it hasn't got that much attention yet). Based on the title,
there are many ways to conclude what task is described there. I guess
it was really about routing an internet connection to some "clients",
but the general concept of "Routing" is broader. So I think the article
should
- clarify what it's about (introduction)
- introduce routing and the "route" command (and/or "ip route")
- introduce masquerading (what you wanted and the original article
intended to describe, I think)
I'll take a try on rewriting it this evening (CEST). Feel free to
further rewrite it or start doing it, but I really think the aspects
noted above are worth following.
-hwh