Bug 55202 - ipchains not working in 7.1 w/ 2.4.9-6 kernel
Summary: ipchains not working in 7.1 w/ 2.4.9-6 kernel
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ipchains
Version: 7.1
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact:
URL:
Whiteboard:
: 55280 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-10-27 01:42 UTC by Need Real Name
Modified: 2008-08-01 16:22 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2001-10-28 23:06:26 UTC
Embargoed:


Attachments (Terms of Use)

Description Need Real Name 2001-10-27 01:42:06 UTC
Description of Problem:

I am using Redhat 7.1 w/2.4.9-6 kernel and all upgraded rpms (as of 
10/25/01).

Can not get masquerading to work in ipchains with a dialup connection 
through ppp0.

I have tried everything that I can think of, but nothing works.

Currently I have ipchains turned of in chkconfig and have the fillowing in 
rc.local:

modprobe ipchains >/dev/null 2>&1 || exit 0

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -F output

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i ppp0 -j MASQ

<snip>

Now, if I do not include my local IP in the hosts file, I can dialup and 
get assigned an IP dynamically from the remote access server.  I can verify 
this with ifconfig and can ping out.

If I include my local host IP and name in hosts, then when I dialup, I get 
the local IP in ifconfig and can not ping out.

This tells me that MASQ in ipchains is NOT working.

I did upgrade ipchains to 1.3.10, but it didn't work before I upgraded.

Version-Release number of selected component (if applicable):
ipchains 1.3.10

How Reproducible:
Out of the box Redhat 7.1

Steps to Reproduce:
1. 
2. 
3. 

Actual Results:


Expected Results:


Additional Information:

Comment 1 Mike A. Harris 2001-10-27 02:04:35 UTC
In this non-working setup, please attach the output of the following
commands:

lsmod
ipchains -L -v --line-numbers

ifconfig

uname -a

rpm -q ipchains

Comment 2 Need Real Name 2001-10-27 04:22:09 UTC
[root@mcw rc.d]# lsmod
Module                  Size  Used by
ppp_deflate            41600   1  (autoclean)
bsd_comp                4352   0  (autoclean)
appletalk              20912   0  (autoclean)
ipx                    16416   0  (autoclean)
ppp_async               6800   1  (autoclean)
ppp_generic            19360   3  (autoclean) [ppp_deflate bsd_comp ppp_async]
slhc                    5280   1  (autoclean) [ppp_generic]
soundcore               4432   0  (autoclean)
ide-cd                 27104   0  (autoclean)
cdrom                  28512   0  (autoclean) [ide-cd]
ipchains               39424   0 
autofs                 11584   1  (autoclean)
3c59x                  26528   1  (autoclean)
usb-uhci               21696   0  (unused)
usbcore                51584   1  [usb-uhci]
[root@mcw rc.d]#   
[root@mcw rc.d]# 
[root@mcw rc.d]# ipchains -L -v --line-numbers
Chain input (policy ACCEPT: 1529 packets, 226692 bytes):
Chain forward (policy DENY: 0 packets, 0 bytes):
num   pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  
source                destination           ports
1        0     0 MASQ       all  ------ 0xFF 0x00  any                            
192.168.0.0/24       anywhere              n/a
Chain output (policy ACCEPT: 331 packets, 44193 bytes):
[root@mcw rc.d]#          
[root@mcw rc.d]# 
[root@mcw rc.d]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:10:4B:6A:2B:04  
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3713 errors:0 dropped:0 overruns:0 frame:0
          TX packets:357 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:192.168.1.5  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 

[root@mcw rc.d]# 
[root@mcw rc.d]# 
[root@mcw rc.d]# uname -a
Linux mcw.otrcomm.lcl 2.4.9-6 #1 Thu Oct 18 09:39:55 EDT 2001 i686 unknown
[root@mcw rc.d]# 
[root@mcw rc.d]# 
[root@mcw rc.d]# rpm -q ipchains
ipchains-1.3.10-7
[root@mcw rc.d]#

Comment 3 Need Real Name 2001-10-27 04:34:05 UTC
The reason I got the 192.168.0.0/24 for my source in ipchains -L -v is because I  
added a -s switch to my test in rc.local, i.e.:


/sbin/ipchains -A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j 
MASQ

But this didn't help.  I didn't expect it to, but I wanted to try.

Comment 4 Need Real Name 2001-10-28 01:59:20 UTC
Yeah, it has been 24 hours on this easily reproducible problem and no solution. 
I didn't think anyone would/could address this.  So much for being "quite 
capable of maintaining my own packages..." you're welcome.

Comment 5 Mike A. Harris 2001-10-28 22:59:46 UTC
Arjan, I've got a clean 7.1 install set up here, with IP masquerading
configured.  I've got all 7.1 erratum applied.  IP masquerading works
fine for me in this test setup - ie: I cannot reproduce any ipchains
IP masquerade problems that this polite fellow is reporting.

Before closing the bug as NOTABUG, I thought I would get you to give
a second opinion on it, as the kernel is involved.

Your thoughts?

Comment 6 Need Real Name 2001-10-28 23:06:21 UTC
If you can get ipchains to masquerade, then could you please send this person 
who does not care about being polite a copy of your ipchains rules?

I assume that you set you system to have an internal network on eth0, you local 
IP in the hosts file, and internal nameserver for you local network, and 
connected to an access server via a dialup?


Comment 7 Trond Eivind Glomsrxd 2001-10-28 23:12:32 UTC
Only a subset of IP masquerading works with ipchains, you'll need to switch to
iptables to improve the setup (and have it work useful). Bugzilla is not a
support channel - I suggest you ask on mailing lists for your particular setup.

Comment 8 Need Real Name 2001-10-29 05:45:57 UTC
Trond,

As you know, ipchains and iptables can not both be active in the kernel 
simultaneously.  I have not been able to install Redhat 7.1 without installing 
ipchains.  That is, if during initial install you select not to install a 
firewall, ipchains gets installed in the kernel anyway and then you can not 
install iptables.  How do you recommend that I install iptables with Redhat 
7.1?  Or should I just go to 7.2?

Furthermore, what you are telling me here is that ip masquerading does not work 
with ipchains, is that correct?

Comment 9 Mike A. Harris 2001-10-30 02:30:24 UTC
*** Bug 55280 has been marked as a duplicate of this bug. ***

Comment 10 Stephen Tweedie 2001-11-01 17:43:13 UTC
eth0      Link encap:Ethernet  HWaddr 00:10:4B:6A:2B:04  
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
 
then

/sbin/ipchains -A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ

You've got a subnet 192.168.1.*, and you're masquerading 192.168.0.*.  This is
not expected to work!  Make sure that your network subnets match throughout your
network.

Masquerading should work fine with ipchains, but iptables is the preferred way
to drive 2.4 kernels: much of the new firewalling functionality in 2.4 is only
available via iptables.


Note You need to log in before you can comment on or make changes to this bug.