[oclug] IP MASQ / ipchains problem (dumb)
Hazen Valliant-Saunders
hazen at potentia.ca
Thu Mar 1 17:25:05 EST 2001
Hello,
Let me be your saviour.
Ok
1. Use the ISP's DNS servers!
2. Find a good firewall in ipchains (check Gerhard Mourani's Securing and
Optimizing RH Linux guide on www.linuxdoc.org, under the guides section).
3. Use the firewall given with the guide.
The ipchains firewall provided with the guide is very professional and
took close to a month to write, so you can try, but I suggest using his
instead of writing your own ruleset, and add it to the sysinit. Now, the
firewall is bar none in the way of securing your IP stack (you will still be
vulnerable to MLIM and other stack attacks), but it does a sufficient job of
keeping script kiddies away.
Troubleshooting IP 101 <-- Thank me later.
To troubleshoot the problem correctly, much like good Zen, you must find the
source.
1. Can you connect from the Slack box? (yes/no)
2. Can you see the Slack box from an internal machine? (yes/no)
3. Is the Slack box forwarding properly? (yes/no)
For number 3, sit at one of the boxes on your internal subnet and ping in
this order:
1. 127.0.0.1 <-- Make sure TCP/IP is working on your loopback interface
2. MACHINE INTERFACE IP <-- Make sure the card is working
3. Internal interface on gateway (192.168.0.1 usually) <-- Make sure you can
see the gateway
4. External interface on gateway (ISP's assigned IP) <-- Hard to do with
PPPoE
5. ISP's DNS servers (so you can query properly)
6. Any known good www address (www.trytel.com works)
If you get replies on all 6 of those then congrats, you're the proud new owner
of a functional network.
Now if you get hung up at step three or four, try taking a look at your
ARP tables (in Windows, arp -a; in Linux, arp).
This should show you whether or not your local interface can see anyone or
has replied to an ARP request. This way you properly troubleshoot the TCP
stack starting at IP and working backwards to the Data Link layer. I
suggest you familiarize yourself with the OSI model.
On a personal note, if you need more advanced network functionality, like
IPsec, GRE tunneling, and "good" VPN, I suggest using FreeBSD or OpenBSD; the
BSDs tend to be more standards compliant than Linux, and they do nice
encryption too. Also they are a product of "slave", ahem, I mean Berkeley
student labour. :) <-- That was a recommendation to my roommate on how to
check his mail at Nortel whilst at home; they use very tight security with
VPN/IPsec and high encryption.
Hope this helps
Hazen Valliant-Saunders.
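Hazen's six-step ping ladder written out as a script. This is an example added to this archive page, not code from the original post or from anyone in the thread. It runs from a Linux/Unix client on the internal subnet, climbs the rungs in order and stops at the first one that does not answer, printing which layer that rung points at. The default addresses (192.168.0.10 for the client, 192.168.0.1 for the gateway, 192.0.2.53 standing in for the ISP's resolver) are assumptions; set LOCAL_IP, GATEWAY_LAN, GATEWAY_WAN, ISP_DNS and KNOWN_HOST in the environment to match your network. The probe helpers are passed in by name so the ladder logic can also be exercised with fake probes.

```shell
#!/bin/sh
# Ping ladder for a client on the internal subnet, checked bottom-up.
# Example code added to this archive page; not from the original post.
# Default addresses are assumptions: override them in the environment.
LOCAL_IP=${LOCAL_IP:-192.168.0.10}       # this client's own interface address
GATEWAY_LAN=${GATEWAY_LAN:-192.168.0.1}  # gateway's inside interface
GATEWAY_WAN=${GATEWAY_WAN:-}             # ISP-assigned ppp0 address; empty skips the rung (PPPoE)
ISP_DNS=${ISP_DNS:-192.0.2.53}           # TEST-NET-1 placeholder, not a real resolver
KNOWN_HOST=${KNOWN_HOST:-www.trytel.com} # known good name to resolve

# Real probes: one ICMP echo, and one hostname lookup through the resolver.
icmp_probe() { ping -c 1 "$1" >/dev/null 2>&1; }
name_probe() { getent hosts "$1" >/dev/null 2>&1; }

# The ladder, one rung per line: "<kind> <target> <where a failure points>".
rungs() {
    printf '%s\n' \
        "icmp 127.0.0.1 TCP/IP stack or loopback interface" \
        "icmp $LOCAL_IP network card or its IP configuration" \
        "icmp $GATEWAY_LAN LAN cabling, hub, or ARP (check arp -a)" \
        "icmp ${GATEWAY_WAN:-skip} routing on the gateway between its two interfaces" \
        "icmp $ISP_DNS masquerading out the ppp link (ip_forward, MASQ rule)" \
        "name $KNOWN_HOST DNS: client resolver settings, or UDP/53 not passing the gateway"
}

# run_ladder ICMP_FN NAME_FN
# Climbs the rungs in order with the given probe functions. Prints
# "ok   <target>" for each rung that answers; on the first rung that does
# not, prints "FAIL <target>: <hint>" and returns 1. Returns 0 if all answer.
run_ladder() {
    icmp_fn=$1
    name_fn=$2
    rungs | while read -r kind target hint; do
        [ "$target" = skip ] && continue
        if [ "$kind" = icmp ]; then
            "$icmp_fn" "$target"
        else
            "$name_fn" "$target"
        fi || { echo "FAIL $target: $hint"; exit 1; }
        echo "ok   $target"
    done
}

# Only climb the real ladder when asked, so the functions can be sourced.
if [ "${1-}" = run ]; then
    run_ladder icmp_probe name_probe
fi
```

Run it as sh ladder.sh run (after exporting the addresses for your LAN). Because the rungs are checked in order, "ok" on the ISP's DNS server followed by "FAIL" on the hostname rung is exactly the pattern in the original question: ICMP is being forwarded and masqueraded, so what is left to check is the client's resolver settings and whether UDP port 53 is actually passing the gateway.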
-----Original Message-----
From: oclug-admin at lists.oclug.on.ca
[mailto:oclug-admin at lists.oclug.on.ca]On Behalf Of Billy Omer
Sent: Thursday, March 01, 2001 11:56 AM
To: oclug at lists.oclug.on.ca
Subject: [oclug] IP MASQ / ipchains problem (dumb)
Hi all,
I am an IP masq virgin, so please bear with me. Here is my (simple)
setup:
Linux machine (Slackware 7.0, kernel 2.2.13 {going to update}) running as
the gateway/firewall/ip_masq server with 3 windows machines behind it,
using a 5 port hub (all Ethernet connections) with a ppp connection to the
internet (demand dial).
I have a simple startup script to load the ip masq rules on boot up.
<snip>
# Turn on forwarding between interfaces (the gateway function itself).
echo "1" > /proc/sys/net/ipv4/ip_forward
# Reassemble fragments before they reach the masquerading code.
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Cope with ppp0 getting a new address on each demand-dial.
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Masquerade timeouts: TCP 7200 s, TCP after FIN 10 s, UDP 160 s.
/sbin/ipchains -M -S 7200 10 160
# Forward nothing by default...
/sbin/ipchains -P forward DENY
# ...except the LAN, which is masqueraded out the ppp link.
/sbin/ipchains -A forward -i ppp0 -s 192.168.1.0/24 -j MASQ
</snip>
Now on a client machine, I can ping outside (real) IPs all day long.
However, the problem I'm having is with DNS resolution (note the dumb in
the subject). I can resolve domains on the Linux machine. On the client
machines (Win98), I have tried disabling the DNS configuration in the
TCP/IP properties, enabling it with the correct IPs for the ISP, and using
the IP for the Linux machine. None of these three configurations I have
tried seem to work.
Could anyone offer me any advice as to what I am doing wrong? I've read
over the IP-Masquerade-HOWTO, and followed it very closely, however still
no dns on client machines.
Any help would be great
Thanks,
Billy Omer
_______________________________________________
oclug mailing list
oclug at lists.oclug.on.ca
http://www.oclug.on.ca/mailman/listinfo/oclug