Masquerading problems

Craig White craigwhite@azapple.com
Sat, 9 Dec 2000 13:57:34 -0700


> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Eric
> Thelin
> Sent: Saturday, December 09, 2000 1:44 PM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Masquerading problems
>
>
>
> I am trying to use ip masquerading and getting very strange results.  I
> have created an ipchains config script that should work and sort of
> does.  It works fine to both addresses on the gateway machine.  Then I
> try to ping remote addresses.  The first ping and a few following pings
> usually work and then most of the rest are lost.  About 1 in 250 pings
> are returned.  I have actually rebuilt the machine from scratch and it
> still does the same thing.  I had it working about 6 months ago and have
> no idea what is different.  My ipchains config consists of:
>
> /sbin/depmod -a
> /sbin/modprobe ip_masq_ftp
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> /sbin/ipchains -M -S 7200 10 160
> /sbin/ipchains -F
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -s 192.168.0.0/16 -j MASQ
>
> Any ideas?  What could even cause this?  Could it be something related
> to the fact that the connection I am trying to share is a cable modem?
>
----
Assuming that you can ping repeatedly without packet loss...

I would definitely change the last rule to...

/sbin/ipchains -A forward -i eth0 -s 192.168.0.0/16 -d ! 192.168.0.0/16 -j MASQ

the difference being...

add the specific interface being masqueraded...the internal network adaptor
the destination address being masqueraded: anything NOT destined for the
internal lan

obviously, this is a simple rule set and nowhere near adequate for securing
a network.

and lastly....

sometimes the cable modems are goofy and insistent about being powered off
before switching to another network adaptor on another computer.

Craig
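
The following is an added example, not part of the original post or of ipchains itself: a small Python model of first-match evaluation on the forward chain with policy DENY, comparing the original MASQ rule with the revised one. The packet tuples are constructed, and the `iface` field stands for whichever interface ipchains compares `-i` against for that packet (an assumption of the model).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    target: str
    src: str                       # models "-s net"
    dst: str = "0.0.0.0/0"         # models "-d net"
    dst_negated: bool = False      # models "-d ! net"
    iface: Optional[str] = None    # models "-i name"; None matches any interface

def matches(rule, pkt):
    src, dst, iface = pkt
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
    if in_dst == rule.dst_negated:  # plain match needs in_dst, "!" needs not in_dst
        return False
    return rule.iface is None or rule.iface == iface

def verdict(chain, pkt, policy="DENY"):
    # First matching rule decides; otherwise the chain policy applies.
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# -A forward -s 192.168.0.0/16 -j MASQ
ORIGINAL = [Rule("MASQ", "192.168.0.0/16")]
# -A forward -i eth0 -s 192.168.0.0/16 -d ! 192.168.0.0/16 -j MASQ
REVISED = [Rule("MASQ", "192.168.0.0/16", "192.168.0.0/16", True, "eth0")]

# Constructed sample packets: (source, destination, interface)
PACKETS = [
    ("192.168.1.10", "203.0.113.5", "eth0"),   # LAN host to a remote address
    ("192.168.1.10", "192.168.2.20", "eth0"),  # LAN host to another private address
    ("192.168.1.10", "203.0.113.5", "eth1"),   # same flow, different interface
    ("10.0.0.5", "203.0.113.5", "eth0"),       # source outside 192.168.0.0/16
]

def compare():
    return [(p, verdict(ORIGINAL, p), verdict(REVISED, p)) for p in PACKETS]

if __name__ == "__main__":
    for pkt, before, after in compare():
        print(f"{pkt}: original={before} revised={after}")
```
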