IP masquerading, Qwest

Vaughn Treude plug-discuss@lists.PLUG.phoenix.az.us
Tue, 25 Sep 2001 22:08:46 -0700


Another thought:
Are these firewall lines correct?

Should the network spec on this line be the one connected to the Cisco (eth1) or the internal LAN?  (I've tried both!)
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp

And these are at the end:
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ

Yes, my network is set up with a "1" in the third quad.
Thanks again,
Vaughn
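Both questions above (which interface the DHCP line should name, and whether the two forward lines are right) come down to what ipchains actually matches on. The Python model below is an added example, not code from this thread or from the IP Masquerade HOWTO: it parses ipchains command lines of the form posted above and runs constructed packets through the input and forward chains. Two ipchains facts it encodes: on the forward chain, `-i` names the interface the packet will go out on, so `-i eth1` is correct when eth1 faces the Cisco; and the DHCP rule (server port 67 to client port 68) only accepts replies arriving on the interface it names, so it has to be the interface dhclient runs on, which in this thread is eth1. The `input DENY` policy in the script is an assumption the post does not show (with the ipchains default policy of ACCEPT the DHCP rule would change nothing), and the packet addresses are documentation ranges standing in for the Qwest DHCP server and a web server.

```python
"""Model of ipchains input/forward matching.  Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    chain: str
    target: str = "ACCEPT"            # ACCEPT, DENY, REJECT or MASQ
    iface: Optional[str] = None       # -i: input chain = arriving on; forward chain = going OUT on
    src: ipaddress.IPv4Network = field(default_factory=lambda: ANY)
    dst: ipaddress.IPv4Network = field(default_factory=lambda: ANY)
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0


def normalize(spec: str) -> ipaddress.IPv4Network:
    """Expand ipchains shorthand such as 0/0 into a full network."""
    addr, _, bits = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{bits or 32}", strict=False)


def load_rules(script: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Parse '/sbin/ipchains -P ...' and '-A ...' lines into chain policies and rules."""
    policies = {"input": "ACCEPT", "forward": "ACCEPT", "output": "ACCEPT"}  # ipchains defaults
    rules: List[Rule] = []
    for line in script.splitlines():
        toks = line.split()
        if not toks or not toks[0].endswith("ipchains"):
            continue
        toks = toks[1:]
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            raise ValueError(f"unsupported command: {line}")
        rule, i = Rule(chain=toks[1]), 2
        while i < len(toks):
            flag, i = toks[i], i + 1
            if flag == "-j":
                rule.target, i = toks[i], i + 1
            elif flag == "-i":
                rule.iface, i = toks[i], i + 1
            elif flag == "-p":
                rule.proto, i = toks[i].lower(), i + 1
            elif flag in ("-s", "-d"):
                net, i = normalize(toks[i]), i + 1
                port = None
                if i < len(toks) and toks[i].isdigit():  # optional port after the address
                    port, i = int(toks[i]), i + 1
                if flag == "-s":
                    rule.src, rule.sport = net, port
                else:
                    rule.dst, rule.dport = net, port
            else:
                raise ValueError(f"unsupported flag {flag} in: {line}")
        rules.append(rule)
    return policies, rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


def verdict(chain: str, policies: Dict[str, str], rules: List[Rule], pkt: Packet) -> str:
    """First matching rule in the chain wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return rule.target
    return policies[chain]


def firewall_script(dhcp_if: str) -> str:
    """The thread's rules with the DHCP line on dhcp_if.  'input DENY' is assumed, not posted."""
    return f"""
/sbin/ipchains -P input DENY
/sbin/ipchains -A input -j ACCEPT -i {dhcp_if} -s 0/0 67 -d 0/0 68 -p udp
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ
"""


# Constructed packets; addresses are documentation ranges, not real hosts.
DHCP_REPLY = Packet("eth1", "203.0.113.1", "255.255.255.255", "udp", 67, 68)  # ISP DHCP -> dhclient
LAN_TO_NET = Packet("eth1", "192.168.1.10", "198.51.100.20", "tcp", 1025, 80)  # notebook -> web, out eth1
WRONG_NET = Packet("eth1", "192.168.0.10", "198.51.100.20", "tcp", 1025, 80)   # LAN numbered 192.168.0.x


def evaluate(dhcp_if: str) -> Dict[str, str]:
    policies, rules = load_rules(firewall_script(dhcp_if))
    return {"dhcp_reply": verdict("input", policies, rules, DHCP_REPLY),
            "lan_to_net": verdict("forward", policies, rules, LAN_TO_NET),
            "wrong_net": verdict("forward", policies, rules, WRONG_NET)}


if __name__ == "__main__":
    for dhcp_if in ("eth1", "eth0"):
        print(dhcp_if, evaluate(dhcp_if))
```

With the DHCP line on eth1 the lease reply is accepted and the notebook's traffic is masqueraded; with it on eth0 the reply falls through to the assumed input policy and is denied. The `wrong_net` packet is why the "1 in the third quad" matters: a LAN numbered 192.168.0.x never matches the MASQ rule, hits the forward DENY policy, and looks exactly like forwarding failing independently of DNS.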

Vaughn Treude wrote:

> Yep.  I already had the same DNS addresses entered on both machines, since the ME notebook was working with the dialup connection.
> BTW, I've been revisiting the "test" section of the "IP Masquerade" HOWTO.  I was able to find the REAL IP address by telnetting to the Cisco, and I could
> ping that from the Windows box.  But I could NOT telnet to the sample fixed IP addresses they gave (like the one for www.linux.org.)  Perhaps these have
> changed, or they are more security conscious now and rejected me without the prompt.  In any case, my forwarding seems to be failing independent of the
> DNS lookup function.
> Also, it's been suggested that I need to run DHCPD on the firewall box, but the IP-Masq howto doesn't mention this at all.   It was my understanding that
> Qwest was doing this for me.  I currently haven't tried running DHCPD; haven't figured out the setup yet.
>
> Thanks,
> Vaughn
>
> Kevin Brown wrote:
>
> > and you have DNS configured right?
> >
> > Vaughn Treude wrote:
> > >
> > > Thanks to everyone for their help, but I still can't connect my Windows ME notebook.
> > > 1. The gateway IS set up correctly.
> > > 2. I CAN ping the Cisco modem from the ME notebook.
> > > 3. As a desperation move, I removed the dialup connections.
> > > 4. I removed all proxy server settings under the Internet settings applet.
> > > 5. Neither Exploder nor Outlook can find the server in any way, shape or form.
> > >
> > > Unfortunately, converting all my systems to Linux isn't an option.
> > > Any ideas?
> > >
> > > Patrick Fleming wrote:
> > >
> > > > Unless you are using a proxy server there is no need to set anything in
> > > > the browser. The routing just needs to know how to get out of the LAN to
> > > > access anything else. If the machine can see the outside ip# (public) then
> > > > you should even be able to set it to that external ip#.
> > > > You can check the status of Win routing by typing c:\windows\route print.
> > > > Patrick
> > > >
> > > > On Tue, 25 Sep 2001, Vaughn Treude wrote:
> > > >
> > > > > Thanks, Patrick.  That command-line program looks similar to what I was doing in the GUI, but I'll have to try it anyway.  I wonder how to tell
> > > > > Windows where to connect.  There's a place in the Internet Exploder Internet Options dialog for a server IP and port number, but I'm not sure what
> > > > > port number to use.
> > > > >
> > > > > Later,
> > > > > Vaughn Treude
> > > > > Nakota Software, Inc.
> > > > >
> > > > > Patrick Fleming wrote:
> > > > >
> > > > > > On Mon, 24 Sep 2001, Vaughn Treude wrote:
> > > > > >
> > > > > > > Thanks for your reply, Dan.  Your setup is similar to mine; though it seems I need to run dhclient on my firewall machine in order to access the
> > > > > > > internet.  Either that, or there's some other configuration step I accidentally did when I added that in.  My "eth1" NIC behaves a bit
> > > > > > > strangely; it always shows a FAIL when the system comes up, and dhclient first reports the network as "down" and then succeeds.  I don't know
> > > > > > > what's happening, but at least it works!
> > > > > > >
> > > > > > > Both you and Gontran mentioned setting up the Gateway address on the client machine, which is what I'd missed, because I skipped the step where
> > > > > > > they had you setting up the NIC, since it was already set up!  Now I can successfully ping the Cisco from another machine on the LAN.  Now I
> > > > > > > need to figure out why my stupid Windows machine doesn't let me replace the dialup connection with a LAN connection.  It has buttons for LAN
> > > > > > > configuration, but be damned if I can figure out how to actually enable it (or if they mean the same thing by "proxy server" as Linux people
> > > > > > > mean by that term.)  I know it's terribly OT, but is there a trick to making this crazy Redmond stuff look over the LAN without deleting the
> > > > > > > dialup account?  (One of these is a notebook.)
> > > > > > >
> > > > > > > Thanks again,
> > > > > > > Vaughn
> > > > > > >
> > > > > > Here's the setup that I used. In tcp/ip properties of your nic, I set
> > > > > > enable DNS, and set the name servers to one inside name server, and one
> > > > > > outside name server. I have problems when the internal DNS is down so I
> > > > > > don't think that the external forwards correctly... another project. I
> > > > > > also set the nic ip number. From the command line
> > > > > > c:\windows\route add 0.0.0.0 mask 0.0.0.0 {firewall nic ip}
> > > > > >
> > > > > > If I remember correctly this machine was still able to dial out independent
> > > > > > of the firewall.
> > > > > >
> > > > > > Patrick
> > > > > >
> > > > > > ________________________________________________
> > > > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > > > > >
> > > > > > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > > > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > >
> > > > >
> > > >
> > >
>