• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 346
  • Last Modified:

Masquerade problem

I would like to connect my Windows (10.0.0.10) to the Internet thru Linux (eth1: 10.0.0.1). I use the following commands:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe ip_tables iptable_nat iptable_nat_ftp
/sbin/modprobe ip_conntrack ip_conntrack_ftp
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE

However it won't work.

Note:
I can connect to the Internet in Linux;
I can ping from Windows to Linux;
When I try to browse a site in Windows, the send and receive lights are blinking but the page cannot be displayed;

Thanks.
0
Asked: andersy
1 Solution
 
ahoffmannCommented:
sounds like a routing problem on Windows, what does the following on Windows tell you:

   netstat -rn
   ipconfig -all
0
 
andersyAuthor Commented:
Hi ahoffmann,

netstat -rn:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.10       1
         10.0.0.0      255.255.0.0        10.0.0.10       10.0.0.10       1
        10.0.0.10  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255        10.0.0.10       10.0.0.10       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0        10.0.0.10       10.0.0.10       1
  255.255.255.255  255.255.255.255        10.0.0.10       10.0.0.10       1
Default Gateway:          10.0.0.1
===========================================================================
Persistent Routes:
  None

Active Connections
  Proto  Local Address          Foreign Address        State


ipconfig -all:

0 Ethernet adapter :

        Description . . . . . . . . : NDIS 5.0 driver
        Physical Address. . . . . . : 00-C1-26-01-B4-73
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . : 10.0.0.10
        Subnet Mask . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . : 10.0.0.1
        DHCP Server . . . . . . . . : 10.0.0.1
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . : 04 13 02 PM 10:26:59
        Lease Expires . . . . . . . : 04 14 02 AM 04:26:59
0
 
ahoffmannCommented:
looks good, and what does

     iptables -L -n

on Linux report?
0
andersyAuthor Commented:
# /sbin/iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
 
hangmanCommented:
Your problem is most likely a Windows problem. Have you told Windows about the router? Under TCP/IP properties,
click Advanced. Then click on the button under default gateways. Add 10.0.0.1 metric 1.

Give that a go
0
 
kannabisCommented:
This is not a Windows problem.  First off.....you have to define that value in the PREROUTING table, not POST.

2nd - You are mixing IPchains and IPTables commands, you have to stick with one or the other.

oh.....and it's not called masquerading anymore either....it's now referred to as NAT (Network Address Translation)  (:

anyhow, d/l this dude's firewall/NAT script.  You have some very minor changes to make to the script, and you'll be up and running with a fairly secure firewall to boot.


http://monmotha.mplug.org/firewall/index.php

0
 
ahoffmannCommented:
> ... not POST
it must be the POSTROUTING in iptables, the iptables command provided in the question is correct (I'm not sure about the modprobes, 'cause I never use modules for security:)

> 2nd ..
do not see any reference to ipchains here

> .. not called masquerading anymore
RTFM or RTFW or RTFH
It's right that the correct term is NAT, but since the early days of netfilter (ipfw, ipchains) the special n-to-1 NAT is called masquerading. And people tend to use this term, masquerading, if they refer to n-to-1 NAT.


andersy,
I think that the interface is specified wrong in your iptables command. Are you sure that your internet traffic is going through eth0? As you specified the iptables command, the interface for the -o option must be the one which is connected to your ISP, not the one to the LAN.
0
 
kannabisCommented:
well on my firewall, the command I use to get NAT working is PRE-ROUTING.

I find that most references to masquerading are made using a 2.2 kernel and ipchains.  On the other hand when I see references to 2.4 and IPTables, then NAT is used...no big deal, maybe something I just noticed.....

0
 
andersyAuthor Commented:
Hello Ahoffmann,

I've checked many times that eth0 is connected to the Internet, it is not the one with IP 10.0.0.1. I think the HTTP request can be sent out from Windows, however, the response cannot be routed back to Windows...

Anyway, many thanks to both of you.
0
 
andersyAuthor Commented:
Thanks ahoffmann.
0
 
kannabisCommented:
It doesn't sound like your problem was solved, was it?

0
 
ahoffmannCommented:
> ..that eth0 is connect to the Internet, it is not with IP 10.0.0.1.

Sounds like we're all misunderstanding something.
Either eth0 is connected to the internet, then it definitely cannot have 10.0.0.1, and you can no longer ping your other machines on the same LAN.
Or your internet connection goes through another interface, for example ppp0 or ippp0, which cannot have 10.0.0.1 either. In this case your iptables command is wrong (interface to -o option), as I said in a previous comment.
0
 
andersyAuthor Commented:
Maybe I didn't describe my system clearly...

My Linux has 2 NICs: eth0 is connected to the Internet thru a cable modem and its IP is obtained from my ISP's DHCP; eth1 is set to 10.0.0.1 and my Windows (10.0.0.10) is connected to Linux thru this NIC.
0
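As an added illustration that is not part of the thread (not andersy's or ahoffmann's own script), here is a small POSIX shell script for the topology andersy finally describes (eth0 facing the cable modem, eth1 = 10.0.0.1 on the LAN). It does two things ahoffmann's comments ask for: it reads the ISP-facing interface off the kernel's default route instead of guessing it, so the -o argument of the MASQUERADE rule is always the interface towards the ISP; and it emits the masquerading rule together with a FORWARD policy that lets only the LAN open connections and lets replies come back. The route table below is constructed sample output of `ip -4 route show` (the 24.0.0.0/24 addresses are made up), and the interface names and LAN prefix are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds n-to-1 NAT ("masquerading")
# rules for a two-NIC Linux router and checks that the MASQUERADE rule is
# bound to the ISP-facing interface (ahoffmann's point about the -o option).

# Constructed sample of `ip -4 route show` output (not captured from the
# asker's box). The device carrying the default route is the one that faces
# the ISP and is therefore the only correct value for -o in POSTROUTING.
SAMPLE_ROUTES='default via 24.0.0.1 dev eth0
10.0.0.0/16 dev eth1 proto kernel scope link src 10.0.0.1
24.0.0.0/24 dev eth0 proto kernel scope link src 24.0.0.77'

# default_iface ROUTE_TABLE -> prints the device of the default route
default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# nat_rules WAN LAN LAN_NET -> prints the commands for masquerading LAN_NET
# out of WAN. FORWARD defaults to DROP so only the LAN can initiate
# connections; replies are admitted through connection tracking.
nat_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# wan_rule_ok RULES IFACE -> exit status 0 if the MASQUERADE rule in RULES is
# bound to IFACE, 1 otherwise (the misconfiguration suspected in the thread).
wan_rule_ok() {
    printf '%s\n' "$1" | grep -q -- "-o $2 .* -j MASQUERADE"
}

main() {
    wan=$(default_iface "$SAMPLE_ROUTES")   # eth0 for the sample table
    rules=$(nat_rules "$wan" eth1 10.0.0.0/16)
    printf '%s\n' "$rules"
    wan_rule_ok "$rules" "$wan" || { echo "MASQUERADE is on the wrong interface" >&2; exit 1; }
}

main
```

On the real router you would replace SAMPLE_ROUTES with the output of `ip -4 route show` (or `route -n` on a 2.4-era system) and pipe the printed commands into sh as root; `iptables -t nat -L -n` afterwards shows the POSTROUTING rule, which the plain `iptables -L -n` output posted above never lists because it only shows the filter table.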
Question has a verified solution.