Solved

Setting up XP machines for use with Redhat masquerading server : Part II

Posted on 2003-10-25
Last Modified: 2010-03-18
Hi everyone,

I am having difficulty getting my XP machine to access the internet through my masquerading Red Hat 7.1 box.  While experimenting, I did an ipconfig /displaydns on the XP machine, and got a short list of 8 URLs.  I can ping these URLs, however, *I cannot ping any other URLs.*

My setup is:

connection type: cable

Linux (two LAN cards): 192.168.0.1 (eth1) and using DHCP for eth0.

XP: 192.168.0.2, using the Linux box as gateway.  An ipconfig /all in XP reveals that "IP Routing" is enabled, however, I do not see where to disable this.

The problem is, despite being able to connect to the ISP and ping any URLs from the Linux box, I cannot ping most internet sites from the XP machine.  The Linux and XP machines can ping each other without problem.

My Linux firewall settings (which are minimal for testing) are:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -j MASQUERADE

I have no firewalls enabled on the XP machine.

Does anyone know what might be the problem?  This is related to an earlier question of mine, that I have not successfully worked through...

Many thanks,
C. Wang
Question by:ChristopherWang
17 Comments
 
LVL 10

Expert Comment

by:Luxana
ID: 9622022
Hi ChristopherWang

Have you tried this?

On Windows XP: set the DNS address taken from the Linux /etc/resolv.conf
 

Author Comment

by:ChristopherWang
ID: 9622205
Hi Luxana,

Yes, I've given a primary and secondary DNS, which I got from the /etc/resolv.conf.  

Thanks,
C. Wang
 

Author Comment

by:ChristopherWang
ID: 9625678
Anyone have any other suggestions?  

I can get ping responses on the handful of URLs like "ads.tripod.com" and sites like doubleclick.com or hotclick.com, which happen to be in my ipconfig /displaydns.

Thanks,
C. Wang
 
LVL 10

Expert Comment

by:Luxana
ID: 9625892
Hello Christopher

It looks all right to me, but I'm not an expert in this case. That means that I do not want to get you wrong. I'm also using forwarding for sharing the internet. Check and try mine if you want:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
/sbin/iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -I FORWARD -p tcp --dport 0:1023 -d 192.168.1.0/24 -j DROP

I have one Win98 and one WinXP client on the network, both working perfectly, including doubleclick.com and hotclick.com.

Luxana
 

Author Comment

by:ChristopherWang
ID: 9626346
Thanks, Luxana.

I've replaced my firewall script with your script above.  Unfortunately, now when I ping sites, I get:  

"From 10.0.144.1 : Packet filtered" ...and 100% packet loss.

Any other ideas?  Do I need to enter anything for "WINS server" in XP?  I've kept this blank.

Thanks,
Christopher
 
LVL 10

Expert Comment

by:Luxana
ID: 9630704
Hello Christopher

No, you do not have to set up WINS on XP. All we need is to set up the GATEWAY and DNS.

Filtered from 10.0.144.1? Do you have a firewall in Linux enabled or what?
Try:
#setup
and then the firewall settings

What is your DHCP range of IPs on eth0?
 

Author Comment

by:ChristopherWang
ID: 9632628
Hi Luxana,

Well, when I installed Red Hat originally, I selected "no firewall" in the graphical install.

I just ran setup now, and in the firewall section, it defaults to "high security", but did not seem to accept my change to "no firewall".  Is there a way to check if Linux is running another firewall script?

Also, where can I check the DHCP range?  

Many thanks,
Christopher
 
LVL 10

Expert Comment

by:Luxana
ID: 9632698
Hello Christopher

All I'm wondering is what IP this is: 10.0.144.1?
So just make it clear! On your Linux you are running the DHCP service on eth0. If so, the range of IP addresses you can see in /etc/dhcpd.conf.

And on your eth1 you are connected to the 192.168.0.0 network?

Christopher, I said that I do not want to get you wrong; I'm not an expert in this case, I'm just comparing your situation with my own.

Luxana
 
LVL 10

Expert Comment

by:Luxana
ID: 9633147
Hello Christopher

Can you please place here your
#route

and

#netstat -r

and

#ifconfig

and

#iptables -L

Thanks

Luxana
 

Author Comment

by:ChristopherWang
ID: 9640978
Hi Luxana,

OK, firstly, I checked for the /etc/dhcpd.conf and did not find one.  I did a find on the whole system, and no dhcpd.conf was found.  There were two empty directories under /etc called "dhcpc" and "dhcpcd".  By the way, I connect to the net using a program called "BPALogin", which was designed to connect cable modems to my ISP while bypassing a regular "heartbeat" signal from the ISP.  BPALogin uses DHCP.  It does connect me, but I cannot find the "DHCP range".

Next, I ran the commands you asked me to run:

#route
 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0      *               255.255.255.0       U     0      0        0 eth1
144.136.48.0    *               255.255.252.0       U     0      0        0 eth0
127.0.0.0         *               255.0.0.0              U     0      0        0 lo
default      192.168.0.254   0.0.0.0                 UG    0      0        0 eth1
default      CPE-144-136-48- 0.0.0.0               UG    0      0        0 eth0
---------------------------------------------------------------------------
#netstat -r

Kernel IP routing table
Destination     Gateway         Genmask      Flags   MSS Window  irtt   Iface
192.168.0.0     *               255.255.255.0   U        40      0          0    eth1
144.136.48.0    *              255.255.252.0   U        40      0          0    eth0
127.0.0.0       *                   255.0.0.0       U        40      0          0     lo
default         192.168.0.254   0.0.0.0         UG       40      0          0     eth1
default         CPE-144-136-48- 0.0.0.0       UG       40      0          0     eth0

------------------------------------------------------------------------------
ifconfig

eth0      Link encap:Ethernet  HWaddr 00:40:F4:6E:73:A6  
          inet addr:144.136.51.206  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0x8f00

eth1    Link encap:Ethernet  HWaddr 00:40:F4:7C:04:74  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:12 Base address:0xae00

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

----------------------------------------------------------------------------------------

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain block (0 references)
target     prot opt source               destination        


The inet address for eth0 was automatically generated by my connection.

Thanks very much for any help,

Christopher



 
LVL 8

Expert Comment

by:jsvor
ID: 9642044
Hi Christopher,
A couple of questions for you.  Are you able to surf the web from the Linux machine or can you just ping out?  Do you have anything in your hosts file under /etc?   What is the full contents of /etc/rc.d/rc.firewall?  What is the contents of /etc/rc.d/rc.local?  The reason I ask about rc.local is that I reference /etc/rc.d/rc.firewall in it.  Below is a clipping from my firewall.  Give it a shot and see if you can ping outside from the XP machine to somewhere other than the ones in your displaydns (i.e. ping www.yahoo.com).
-----------------------Copy Below-------------------------------

# Address of the ISP-facing interface. The rules below treat eth0 as the
# outside and eth1 as the LAN, so the address is read from eth0.
ETHOUTSIDE="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
# Keep forwarding off while the rules are loaded; it is re-enabled at the end.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Run modprobes
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Initial Flush of Rules
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat


# DEFAULT RULES
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# IP SPOOFING, Deny any packets on the internal network side
# that have an external source address
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.0.0/24 -j LOG --log-prefix "DENY SPOOF 1:"
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.0.0/24 -j DROP
/sbin/iptables -A FORWARD -i eth1 -s ! 192.168.0.0/24 -j DROP

# IP Spoofing, Deny any outside packets with localhost address,
# packets not on the lo interface, any on eth0 and eth1, that have
# the address or localhost.
/sbin/iptables -A INPUT  -i ! lo -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "DENY SPOOF 2:"
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.0/255.0.0.0
/sbin/iptables -A FORWARD -j DROP -i ! lo -s 127.0.0.0/255.0.0.0

# Accept internal Network to lo interface
#/sbin/iptables -A INPUT -j LOG -i lo
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A FORWARD -j ACCEPT -p all -i eth1
/sbin/iptables -A INPUT -j ACCEPT -p all -i eth1 -s 192.168.0.0/24

# Allow replies to connections the firewall itself opened, arriving on the
# outside interface, except ICMP (handled by the explicit rules below)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p ! icmp -j ACCEPT

# Prevent Outside initiated connections
/sbin/iptables -A INPUT -m state --state NEW -i eth0 -j LOG --log-prefix "DENY OUTSIDE CONNECTION:"
/sbin/iptables -A INPUT -m state --state NEW -i eth0 -j DROP
/sbin/iptables -A FORWARD -m state --state NEW -i eth0 -j DROP

# Allow local internal network to access outside networks
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Accept ICMP ping (0 and 8) and destination unreachable (3) messages
# others will be rejected by INPUT and OUTPUT DROP policy
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d $ETHOUTSIDE
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d $ETHOUTSIDE
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d $ETHOUTSIDE

# Rules are in place: turn forwarding back on so LAN clients can reach outside
echo 1 > /proc/sys/net/ipv4/ip_forward
 

Author Comment

by:ChristopherWang
ID: 9654937
Thanks jsvor,

No, I have not tried surfing from Linux, and am not sure I have browsing software for my shell (I'm not using X Windows, and I didn't plan to surf from the Linux box.)  If it would help the troubleshooting, I would be glad to install a browser.  

Okay, under my /etc/hosts, I have:

 127.0.0.1      localhost.localdomain    localhost

I have named my firewall "rc.firewall1" under /etc/rc.d.  I have tried two different firewall scripts:  The one in my original post above, and the following script that I got from Luxana:

 echo 1 > /proc/sys/net/ipv4/ip_forward
 /sbin/iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
 /sbin/iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
 /sbin/iptables -I FORWARD -p tcp --dport 0:1023 -d 192.168.1.0/24 -j DROP


My rc.local is as follows:
--------------------------------------------------------------------

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)

    arch=$(uname -m)
    a="a"
    case "_$arch" in
          _a*) a="an";;
          _i*) a="an";;
    esac
   
    NUMPROC=`egrep -c "^cpu[0-9]+" /proc/stat`
    if [ "$NUMPROC" -gt "1" ]; then
        SMP="$NUMPROC-processor "
        if [ "$NUMPROC" = "8" -o "$NUMPROC" = "11" ]; then
            a="an"
        else
            a="a"
        fi
    fi

    # This will overwrite /etc/issue at every boot.  So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    echo "" > /etc/issue
    echo "$R" >> /etc/issue
    echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue

    cp -f /etc/issue /etc/issue.net
    echo >> /etc/issue
fi
touch /var/lock/subsys/local
/etc/rc.d/init.d/bpalogin start
/bin/sh /etc/rc.d/rc.firewall1
-----------------------------------------------------------------------------

Also, I tried your firewall clipping, and error messages followed:

-------------------------------------------------------------
: no such file or directoryoc/sys/net/ipv4/ip_forward
:command not foundll1
modprobe: can't locate module ip_tables    
modprobe: can't locate modeule iptable_filter
modprobe: can't locate module ip_conntrack
modprobe: can't locate module ip_conntrack_ftp
modprobe: can't locate module ip_nat_ftp
:command not foundll1
ip_tables (c)2000 Netfilter core team
iptables: No chain/target/match by that name
': tables does not exist  (do you need to insmod?)e 'nat
Perhaps iptables or your kernel needs to be upgraded
iptables: Bad policy name
iptables v1.2.1a: invalid target name 'DROP'
------------------------------------------------------------------

The other firewall scripts I have used (mentioned above) don't give any error messages, so I wonder if your script requires an iptables version > 1.2.1a?

C. Wang



 
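As an added example that is not code from the thread, a POSIX sh pre-flight check for a masquerading script: it derives the LAN subnet from the eth1 ifconfig line posted earlier, confirms that every -s/-d range in the NAT and FORWARD rules is exactly that subnet (the script copied from Luxana uses 192.168.1.0/24 while this LAN is 192.168.0.0/24, so packets from 192.168.0.2 would be forwarded without being masqueraded), and flags carriage-return line endings, which produce the overwritten "command not found" lines quoted above when a script is pasted from Windows. The interface roles (eth0 ISP side, eth1 LAN) and the sample lines come from the question; the function names are my own.

```shell
# Added example (not from the thread): pre-flight checks for a masquerading
# script. Interface roles follow the question: eth0 = ISP side, eth1 = LAN.

# Dotted netmask -> prefix length (255.255.252.0 -> 22); fails on a bad mask.
mask_to_prefix() {
    bits=0
    for octet in $(echo "$1" | tr '.' ' '); do
        case "$octet" in
            255) bits=$((bits + 8)) ;;  254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;;  248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;;  224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;;  128) bits=$((bits + 1)) ;;
            0) ;;  *) return 1 ;;
        esac
    done
    echo "$bits"
}
# Network/prefix ("192.168.0.0/24") from an ifconfig "inet addr: ... Mask:" line.
lan_cidr() {
    addr=$(echo "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
    mask=$(echo "$1" | sed -n 's/.*Mask:\([0-9.]*\).*/\1/p')
    [ -n "$addr" ] && [ -n "$mask" ] || return 1
    prefix=$(mask_to_prefix "$mask") || return 1
    set -- $(echo "$addr" | tr '.' ' ') $(echo "$mask" | tr '.' ' ')
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))/$prefix"
}
# Rewrite "a.b.c.d/m.m.m.m" (the form used in the question) as "a.b.c.d/n".
norm_cidr() {
    case "$1" in
        */*.*) echo "${1%/*}/$(mask_to_prefix "${1#*/}")" ;;
        *)     echo "$1" ;;
    esac
}
# Succeeds only if every -s/-d range in the rule text is exactly the LAN subnet.
rules_match_lan() {
    for cidr in $(echo "$2" | grep -o -- '-[sd] [0-9./]*' | awk '{print $2}'); do
        [ "$(norm_cidr "$cidr")" = "$1" ] || return 1
    done
}
# Succeeds if the script text has CR line endings: the shell then looks for
# "ip_forward<CR>" and prints the overwritten error lines quoted above.
has_cr_endings() { printf '%s' "$1" | grep -q "$(printf '\r')"; }

# Constructed inputs: the eth1 line and the two rule sets posted in the thread.
ETH1_LINE='inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0'
RULES_ORIG='iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -j MASQUERADE'
RULES_TRIED='/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
/sbin/iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT'
LAN=$(lan_cidr "$ETH1_LINE")
```

Running the checks against the script text before executing it on the gateway: rules_match_lan "$LAN" "$RULES_TRIED" fails for the copied script, while the original rule set passes.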
LVL 8

Expert Comment

by:jsvor
ID: 9657396
Did you copy the whole clipping?  The first line of your error message seems like you missed the beginning of the script. My iptables version is 1.2.8.  Let me know about the clipping and in the meantime I'll look around for an older script I had.
 

Author Comment

by:ChristopherWang
ID: 9675319
Hi jsvor,

Sorry for the lull -- I've also been studying for an exam.  

Yep, I copied your entire clipping.

Many thanks for your help,

C. Wang
 

Author Comment

by:ChristopherWang
ID: 9701573
Can anyone suggest anything else I might try?  Even general principles that should be minded for networking with Windows nodes.

Also, please note that I am not being lazy in asking for help with these configurations -- there are a lot of variables and modules to learn, and I've been reading a lot of the literature when I have the time.

Thanks for any help.

C.Wang
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14051745
PAQed with points refunded (100)

modulo
Community Support Moderator