Description of Problem:

I am using Redhat 7.1 w/2.4.9-6 kernel and all upgraded rpms (as of 10/25/01). Cannot get masquerading to work in ipchains with a dialup connection through ppp0. I have tried everything that I can think of, but nothing works. Currently I have ipchains turned off in chkconfig and have the following in rc.local:

    modprobe ipchains >/dev/null 2>&1 || exit 0
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    /sbin/ipchains -F input
    /sbin/ipchains -F forward
    /sbin/ipchains -F output
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -i ppp0 -j MASQ
    <snip>

Now, if I do not include my local IP in the hosts file, I can dial up and get assigned an IP dynamically from the remote access server. I can verify this with ifconfig and can ping out. If I include my local host IP and name in hosts, then when I dial up, I get the local IP in ifconfig and cannot ping out. This tells me that MASQ in ipchains is NOT working. I did upgrade ipchains to 1.3.10, but it didn't work before I upgraded.

Version-Release number of selected component (if applicable): ipchains 1.3.10

How Reproducible: Out of the box Redhat 7.1
In this non-working setup, please attach the output of the following commands:

    lsmod
    ipchains -L -v --line-numbers
    ifconfig
    uname -a
    rpm -q ipchains
    [root@mcw rc.d]# lsmod
    Module                  Size  Used by
    ppp_deflate            41600   1  (autoclean)
    bsd_comp                4352   0  (autoclean)
    appletalk              20912   0  (autoclean)
    ipx                    16416   0  (autoclean)
    ppp_async               6800   1  (autoclean)
    ppp_generic            19360   3  (autoclean) [ppp_deflate bsd_comp ppp_async]
    slhc                    5280   1  (autoclean) [ppp_generic]
    soundcore               4432   0  (autoclean)
    ide-cd                 27104   0  (autoclean)
    cdrom                  28512   0  (autoclean) [ide-cd]
    ipchains               39424   0
    autofs                 11584   1  (autoclean)
    3c59x                  26528   1  (autoclean)
    usb-uhci               21696   0  (unused)
    usbcore                51584   1  [usb-uhci]

    [root@mcw rc.d]# ipchains -L -v --line-numbers
    Chain input (policy ACCEPT: 1529 packets, 226692 bytes):
    Chain forward (policy DENY: 0 packets, 0 bytes):
    num pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
    1 0 0 MASQ all ------ 0xFF 0x00 any 192.168.0.0/24 anywhere n/a
    Chain output (policy ACCEPT: 331 packets, 44193 bytes):

    [root@mcw rc.d]# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:10:4B:6A:2B:04
              inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3713 errors:0 dropped:0 overruns:0 frame:0
              TX packets:357 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0

    ppp0      Link encap:Point-to-Point Protocol
              inet addr:192.168.1.5  P-t-P:10.64.64.64  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0

    [root@mcw rc.d]# uname -a
    Linux mcw.otrcomm.lcl 2.4.9-6 #1 Thu Oct 18 09:39:55 EDT 2001 i686 unknown

    [root@mcw rc.d]# rpm -q ipchains
    ipchains-1.3.10-7
The reason I got the 192.168.0.0/24 for my source in ipchains -L -v is because I added a -s switch to my test in rc.local, i.e.:

    /sbin/ipchains -A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ

But this didn't help. I didn't expect it to, but I wanted to try.
Yeah, it has been 24 hours on this easily reproducible problem and no solution. I didn't think anyone would/could address this. So much for being "quite capable of maintaining my own packages..." you're welcome.
Arjan, I've got a clean 7.1 install set up here, with IP masquerading configured. I've got all 7.1 errata applied. IP masquerading works fine for me in this test setup, i.e. I cannot reproduce any ipchains IP masquerade problems that this polite fellow is reporting. Before closing the bug as NOTABUG, I thought I would get you to give a second opinion on it, as the kernel is involved. Your thoughts?
If you can get ipchains to masquerade, then could you please send this person who does not care about being polite a copy of your ipchains rules? I assume that you set your system to have an internal network on eth0, your local IP in the hosts file, and an internal nameserver for your local network, and connected to an access server via a dialup?
Only a subset of IP masquerading works with ipchains; you'll need to switch to iptables to improve the setup (and have it work usefully). Bugzilla is not a support channel - I suggest you ask on mailing lists for your particular setup.
Trond, As you know, ipchains and iptables can not both be active in the kernel simultaneously. I have not been able to install Redhat 7.1 without installing ipchains. That is, if during initial install you select not to install a firewall, ipchains gets installed in the kernel anyway and then you can not install iptables. How do you recommend that I install iptables with Redhat 7.1? Or should I just go to 7.2? Furthermore, what you are telling me here is that ip masquerading does not work with ipchains, is that correct?
*** Bug 55280 has been marked as a duplicate of this bug. ***
    eth0      Link encap:Ethernet  HWaddr 00:10:4B:6A:2B:04
              inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0

then

    /sbin/ipchains -A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ

You've got a subnet 192.168.1.*, and you're masquerading 192.168.0.*. This is not expected to work! Make sure that your network subnets match throughout your network.

Masquerading should work fine with ipchains, but iptables is the preferred way to drive 2.4 kernels: much of the new firewalling functionality in 2.4 is only available via iptables.
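The subnet mismatch identified in the last comment can be checked mechanically before a rule set goes live. The following is an added example, not part of the original thread or of any Red Hat tooling: it parses the ifconfig output and the MASQ rule quoted above and reports whether the rule's source network covers the LAN subnet. The function names and the choice of eth0 as the LAN interface are assumptions made for illustration.

```python
import ipaddress
import re

# Sample input copied from the ifconfig output and rule posted in this thread.
IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 00:10:4B:6A:2B:04
     inet addr:192.168.1.5 Bcast:192.168.1.255 Mask:255.255.255.0
ppp0 Link encap:Point-to-Point Protocol
     inet addr:192.168.1.5 P-t-P:10.64.64.64 Mask:255.255.255.255
"""
RULE = ("/sbin/ipchains -A forward -s 192.168.0.0/255.255.255.0 "
        "-d 0.0.0.0/0.0.0.0 -j MASQ")


def interface_networks(ifconfig_text):
    """Map interface name -> IPv4Interface from net-tools style ifconfig output."""
    nets, name = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():
            name = line.split()[0]          # unindented line starts a new interface
        m = re.search(r"inet addr:(\S+).*?Mask:(\S+)", line)
        if m and name:
            nets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return nets


def masq_source(rule):
    """Return the -s network of an ipchains MASQ rule, or None if there is none."""
    if "-j MASQ" not in rule:
        return None
    m = re.search(r"-s\s+(\S+)", rule)
    return ipaddress.ip_network(m.group(1), strict=False) if m else None


def check(rule, ifconfig_text, lan_if="eth0"):
    """Return (ok, message): does the MASQ source cover the LAN subnet?"""
    src = masq_source(rule)
    lan = interface_networks(ifconfig_text)[lan_if].network
    if src is None:
        return True, "no -s restriction: rule matches every source"
    if lan.subnet_of(src):
        return True, f"{src} covers LAN {lan}"
    return False, f"{src} does not cover LAN {lan}: LAN traffic falls to the forward policy"


if __name__ == "__main__":
    print(check(RULE, IFCONFIG))
```

With the rule from the thread the check fails, because 192.168.0.0/24 and 192.168.1.0/24 are disjoint and forwarded LAN packets fall through to the chain's DENY policy.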