Setting up XP machines for use with Redhat masquerading server : Part II

Hi everyone,

I am having difficulty getting my XP machine to access the internet through my masquerading Red Hat 7.1 box.  While experimenting, I did an ipconfig /displaydns on the XP machine, and got a short list of 8 URLs.  I can ping these URLs, however, *I cannot ping any other URLs.*

My setup is:

connection type: cable

Linux (two LAN cards): 192.168.0.1 (eth1) and using DHCP for eth0.

XP: 192.168.0.2, using the Linux box as gateway.  An ipconfig /all in XP reveals that "IP Routing" is enabled, however, I do not see where to disable this.

The problem is, despite being able to connect to the ISP and ping any URLs from the Linux box, I cannot ping most internet sites from the XP machine.  The Linux and XP machines can ping each other without problem.

My Linux firewall settings (which are minimal for testing) are:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -j MASQUERADE

I have no firewalls enabled on the XP machine.

Does anyone know what might be the problem?  This is related to an earlier question of mine, that I have not successfully worked through...

Many thanks,
C. Wang
ChristopherWangAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LuxanaCommented:
Hi ChristopherWang

Have you tried this?

On windowsXP: set DNS address given from linux  /etc/resolv.conf
ChristopherWangAuthor Commented:
Hi Luxana,

Yes, I've given a primary and secondary DNS, which I got from the /etc/resolv.conf.  

Thanks,
C. Wang
ChristopherWangAuthor Commented:
Anyone have any other suggestions?  

I can get ping responses on the handful of URLs like "ads.tripod.com" and sites like doubleclick.com or hotclick.com, which happen to be in my ipconfig /displaydns.

Thanks,
C. wang
Exploring SharePoint 2016

Explore SharePoint 2016, the web-based, collaborative platform that integrates with Microsoft Office to provide intranets, secure document management, and collaboration so you can develop your online and offline capabilities.

LuxanaCommented:
Hallo  Christopher

It looks alright to me but I'm not expert in this case. That means Ithat I do not want to get you wrong. I'm also using forwarding for sharing internet. Check and try my if you want:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
/sbin/iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -I FORWARD -p tcp --dport 0:1023 -d 192.168.1.0/24 -j DROP

I have one win98 and winXP clients on network both working perfectly including doubleclick.com and hotclick.com .

Luxana
ChristopherWangAuthor Commented:
Thanks, Luxana.

I've replaced my firewall script with your script above.  Unfortunately, now when I ping sites, I get:  

"From 10.0.144.1 : Packet filtered"             ...and 100% packet loss.

Any other ideas?  Do I need to enter anything for "WINS server" in XP?  I've kept this blank.

Thanks,
Christopher
LuxanaCommented:
Hallo Christofer

No you do not have to set up WINS on XP. All what we need is setup GATEWAY and DNS.

Filtered from 10.0.144.1? Do you have firewall in linux enabled or what?
try:
#setup
and then firewall settings

What is your DHCP range of IP's on eth0?
ChristopherWangAuthor Commented:
Hi Luxana,

Well, when I installed Red Hat originally, I selected "no firewall" in the graphical install.

I just ran setup now, and in the firewall section, it defaults to "high security", but did not seem to accept my change to "no firewall".  Is there a way to check if Linux is running another firewall script?

Also, where can I check the DHCP range?  

Many thanks,
Christopher
LuxanaCommented:
Hallo Christofer

All what I'm wondering is what IP is this: 10.0.144.1?
So just make it clear ! On your linux you are runnig DHCP service in eth0. If so the range of IP addresses you can see in /etc/dhcpd.conf.

And on your  eth1 you are connected to  192.168.0.0 network?

Christofer I said that I do not want get you wrong I 'm not expert in this case I'm just comparing your situation with myone.

Luxana
LuxanaCommented:
Hallo Christofer

can you please place here your
#route

and

#netstat -r

and

#ifconfig

and

#iptables -L

thanks

Luxana
ChristopherWangAuthor Commented:
Hi Luxana,

Ok, firstly, I checked for the /etc/dhcpd.conf and did not find one.  I did a find on the whole system, and no dhcpd.conf was found.  There were two empty directories under /etc called "dhcpc" and "dhcpcd".  By the way, I connect to the net using a program called "BPALogin" which was designed to connect cable modems to my ISP while bypassing a regular "heartbeat" signal from the ISP.  BPALogin uses DHCP.  It does connect me, but I cannot find the "DHCP range".

Next, I ran the commands you asked me to run:

#route
 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0      *               255.255.255.0       U     0      0        0 eth1
144.136.48.0    *               255.255.252.0       U     0      0        0 eth0
127.0.0.0         *               255.0.0.0              U     0      0        0 lo
default      192.168.0.254   0.0.0.0                 UG    0      0        0 eth1
default      CPE-144-136-48- 0.0.0.0               UG    0      0        0 eth0
---------------------------------------------------------------------------
#netstat -r

Kernel IP routing table
Destination     Gateway         Genmask      Flags   MSS Window  irtt   Iface
192.168.0.0     *               255.255.255.0   U        40      0          0    eth1
144.136.48.0    *              255.255.252.0   U        40      0          0    eth0
127.0.0.0       *                   255.0.0.0       U        40      0          0     lo
default         192.168.0.254   0.0.0.0         UG       40      0          0     eth1
default         CPE-144-136-48- 0.0.0.0       UG       40      0          0     eth0

------------------------------------------------------------------------------
ifconfig

eth0      Link encap:Ethernet  HWaddr 00:40:F4:6E:73:A6  
          inet addr:144.136.51.206  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0x8f00

eth1    Link encap:Ethernet  HWaddr 00:40:F4:7C:04:74  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:12 Base address:0xae00

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

----------------------------------------------------------------------------------------

iptables –L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain block (0 references)
target     prot opt source               destination        


The inet address for eth0 was automatically generated by my connection.

Thanks very much for any help,

Christopher



jsvorCommented:
Hi Christopher,
A couple questions for you.  Are you able to surf the web from the linux machine or can you just ping out?  Do you have anything in your hosts file under /etc?   What is the full contents of /etc/rc.d/rc.firewall?  What is the contents of /etc/rc.d/rc.local?  The reason I ask about rc.local is that I reference /etc/rc.d/rc.firewall in it.  Below is a clipping from my firewall.  Give it a shot and see if you can ping outside from the xp machine to somewhere other then the ones in your displaydns (i.e. ping www.yahoo.com).
-----------------------Copy Below-------------------------------

ETHOUTSIDE="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
echo 0 > /proc/sys/net/ipv4/ip_forward

# Run modprobes
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Initial Flush of Rules
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat


# DEFAULT RULES
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# IP SPOOFING, Deny any packets on the internal network side
# that have an external source address
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.0.0/24 -j LOG --log-prefix "DENY SPOOF 1:"
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.0.0/24 -j DROP
/sbin/iptables -A FORWARD -i eth1 -s ! 192.168.0.0/24 -j DROP

# IP Spoofing, Deny any outside packets with localhost address,
# packets not on the lo interface, any on eth0 and eth1, that have
# the address or localhost.
/sbin/iptables -A INPUT  -i ! lo -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "DENY SPOOF 2:"
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.0/255.0.0.0
/sbin/iptables -A FORWARD -j DROP -i ! lo -s 127.0.0.0/255.0.0.0

# Accept internal Network to lo interface
#/sbin/iptables -A INPUT -j LOG -i lo
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A FORWARD -j ACCEPT -p all -i eth1
/sbin/iptables -A INPUT -j ACCEPT -p all -i eth1 -s 192.168.0.0/24

# Allow Established and related outside communication to your system
# Allow outside communication to the firewall except ICMP packets
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth1 -p ! icmp -j ACCEPT

# Prevent Outside initiated connections
/sbin/iptables -A INPUT -m state --state NEW -i eth0 -j LOG --log-prefix "DENY OUTSIDE CONNECTION:"
/sbin/iptables -A INPUT -m state --state NEW -i eth0 -j DROP
/sbin/iptables -A FORWARD -m state --state NEW -i eth0 -j DROP

# Allow local internal network to access outside networks
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Accept ICMP ping (0 and 8) and destination unreachable (3) messages
# others will be rejected by INPUT and OUTPUT DROP policy
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d $ETHOUTSIDE
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d $ETHOUTSIDE
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d $ETHOUTSIDE
ChristopherWangAuthor Commented:
Thanks jsvor,

No, I have not tried surfing from Linux, and am not sure I have browsing software for my shell (I'm not using X Windows, and I didn't plan to surf from the Linux box.)  If it would help the troubleshooting, I would be glad to install a browser.  

Okay, under my /etc/hosts, I have:

 127.0.0.1      localhost.localdomain    localhost

I have named my firewall "rc.firewall1" under /etc/rc.d.  I have tried two different firewall scripts:  The one in my original post above, and the following script that I got from Luxana:

 echo 1 > /proc/sys/net/ipv4/ip_forward
 /sbin/iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
 /sbin/iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
 /sbin/iptables -I FORWARD -p tcp --dport 0:1023 -d 192.168.1.0/24 -j DROP


My rc.local is as follows:
--------------------------------------------------------------------

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)

    arch=$(uname -m)
    a="a"
    case "_$arch" in
          _a*) a="an";;
          _i*) a="an";;
    esac
   
    NUMPROC=`egrep -c "^cpu[0-9]+" /proc/stat`
    if [ "$NUMPROC" -gt "1" ]; then
        SMP="$NUMPROC-processor "
        if [ "$NUMPROC" = "8" -o "$NUMPROC" = "11" ]; then
            a="an"
      else
          a="a"
        fi
    fi

    # This will overwrite /etc/issue at every boot.  So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    echo "" > /etc/issue
    echo "$R" >> /etc/issue
    echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue

    cp -f /etc/issue /etc/issue.net
    echo >> /etc/issue
fi
touch /var/lock/subsys/local
/etc/rc.d/init.d/bpalogin start
/bin/sh /etc/rc.d/rc.firewall1
-----------------------------------------------------------------------------

Also, I tried your firewall clipping, and error messages followed:

-------------------------------------------------------------
: no such file or directoryoc/sys/net/ipv4/ip_forward
:command not foundll1
modprobe: can't locate module ip_tables    
modprobe: can't locate modeule iptable_filter
modprobe: can't locate module ip_conntrack
modprobe: can't locate module ip_conntrack_ftp
modprobe: can't locate module ip_nat_ftp
:command not foundll1
ip_tables (c)2000 Netfilter core team
iptables: No chain/target/match by that name
': tables does not exist  (do you need to insmod?)e 'nat
Perhaps iptables or your kernel needs to be upgraded
iptables: Bad policy name
iptables v1.2.1a: invalid target name 'DROP'
------------------------------------------------------------------

The other firewall scripts I have used (mentioned above) don't give any error messages, so I wonder if your script requires an iptables version > 1.2.1a. ?

C. Wang



jsvorCommented:
Did you copy the whole clipping?  The first line of your error message seems like you missed the beginning of the script. My iptables version is 1.2.8.  Let me know about the clipping and in the mean time I'll look around for an older script I had.
ChristopherWangAuthor Commented:
Hi jsvor,

Sorry for the lull -- I've also been studying for an exam.  

Yep, I copied your entire clipping.

Many thanks for your help,

C. Wang
ChristopherWangAuthor Commented:
Can anyone suggest anything else I might try?  Even general principles that should be minded for networking with windows nodes.

Also, please note that I am not being lazy in asking for help with these configurations -- there are a lot of variables and modules to learn, and I've been reading a lot of the literature when I have the time.

Thanks for any help.

C.Wang
moduloCommented:
PAQed with points refunded (100)

modulo
Community Support Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Networking

From novice to tech pro — start learning today.