Fw: Linux(2.4.x) and masqeurating
- To: linux-il(at-nospam)linux.org.il
- Subject: Fw: Linux(2.4.x) and masqeurating
- From: Avishay Aton <cgadsl6(at-nospam)netvision.net.il>
- Date: Fri, 16 Nov 2001 22:01:32 +0200
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Disposition-notification-to: cgadsl6@netvision.net.il
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
----- Original Message -----
From: "Avishay Aton" <cgadsl6@netvision.net.il>
To: "Dani Arbel" <darbel@techunix.technion.ac.il>
Sent: Friday, November 16, 2001 9:58 PM
Subject: Re: Linux(2.4.x) and masqeurating
> GREAT, this was the problem. I have inserted the following rule in the FORWARD
> chain and it works:
> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> All I have to do is change tcpmss in ipfilter on FreeBSD.
>
> Thanks
> ----- Original Message -----
> From: "Dani Arbel" <darbel@techunix.technion.ac.il>
> To: "Avishay Aton" <cgadsl6@netvision.net.il>
> Sent: Friday, November 16, 2001 9:44 PM
> Subject: Re: Linux(2.4.x) and masqeurating
>
>
> > Avishay,
> > You are probably a victim of blackholing. Go to:
> > http://damyen.technion.ac.il/~dani/
> > read about the ADSL MTU issue, and see in the iptables example there the
> > line with tcp_mss that you should add to your script.
> > Dani
> >
> > On Fri, 16 Nov 2001, Avishay Aton wrote:
> >
> > > I didn't enable ECN in my last kernel compilation (2.4.14).
> > > My configuration:
> > > uname -a
> > > Linux rasta 2.4.14-ext3 #1 Fri Nov 16 19:35:20 IST 2001 i686 unknown
> > >
> > >
> > > [root@rasta root]# ifconfig
> > > eth0 Link encap:Ethernet HWaddr 00:50:DA:1C:76:6B
> > > inet addr:10.0.0.140 Bcast:10.255.255.255 Mask:255.0.0.0
> > > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > > RX packets:702 errors:1 dropped:0 overruns:0 frame:2
> > > TX packets:1001 errors:0 dropped:0 overruns:0 carrier:0
> > > collisions:2 txqueuelen:100
> > > RX bytes:149791 (146.2 Kb) TX bytes:121058 (118.2 Kb)
> > > Interrupt:9 Base address:0x1400
> > >
> > > eth1 Link encap:Ethernet HWaddr 00:A0:C9:B0:0D:43
> > > inet addr:10.0.0.141 Bcast:10.255.255.255 Mask:255.0.0.0
> > > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > > RX packets:90 errors:0 dropped:0 overruns:0 frame:0
> > > TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
> > > collisions:0 txqueuelen:100
> > > RX bytes:10178 (9.9 Kb) TX bytes:3007 (2.9 Kb)
> > > Interrupt:10
> > >
> > > lo Link encap:Local Loopback
> > > inet addr:127.0.0.1 Mask:255.0.0.0
> > > UP LOOPBACK RUNNING MTU:16436 Metric:1
> > > RX packets:37 errors:0 dropped:0 overruns:0 frame:0
> > > TX packets:37 errors:0 dropped:0 overruns:0 carrier:0
> > > collisions:0 txqueuelen:0
> > > RX bytes:2176 (2.1 Kb) TX bytes:2176 (2.1 Kb)
> > >
> > > ppp0 Link encap:Point-to-Point Protocol
> > > inet addr:212.143.40.233 P-t-P:212.143.32.1 Mask:255.255.255.255
> > > UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1452 Metric:1
> > > RX packets:198 errors:0 dropped:0 overruns:0 frame:0
> > > TX packets:205 errors:0 dropped:0 overruns:0 carrier:0
> > > collisions:0 txqueuelen:3
> > > RX bytes:90908 (88.7 Kb) TX bytes:26131 (25.5 Kb)
> > >
> > >
> > >
> > > And finally my rules:
> > >
> > >
> > > [root@rasta root]# cat fw.rules
> > > #!/bin/sh
> > > ## open up pptp connection
> > > echo "Connecting to the net"
> > > /usr/bin/pptp 10.0.0.138
> > > sleep 3
> > > if ifconfig | grep -q "ppp"
> > > then
> > > echo "looking good, now let's secure our connection!"
> > >
> > > ## initialize iptables
> > > echo "Firewall initialization"
> > >
> > > modprobe ipt_state || exit 1
> > > modprobe iptable_nat || exit 1
> > > modprobe ip_conntrack_ftp || exit 1
> > > modprobe ipt_LOG || exit 1
> > >
> > > ## user chain: accept replies and new connections not arriving on ppp0,
> > > ## drop everything else; used for both INPUT and FORWARD
> > > iptables -N block
> > > iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
> > > iptables -A block -j DROP
> > > iptables -A INPUT -j block
> > > iptables -A FORWARD -j block
> > >
> > > echo "Now for NAT - only MASQUERADING!!"
> > > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > echo "iptables is up `date`"
> > > fi
> > >
> > > The end
> > > Thanks
> > >
> > >
> > > ----- Original Message -----
> > > From: "Dani Arbel" <darbel@techunix.technion.ac.il>
> > > To: "Avishay Aton" <cgadsl6@netvision.net.il>
> > > Cc: <linux-il@linux.org.il>
> > > Sent: Friday, November 16, 2001 6:54 PM
> > > Subject: Re: Linux(2.4.x) and masqeurating
> > >
> > >
> > > > Avishay,
> > > > 1) send a complete list of your rules + ifconfig output
> > > > 2) what is secure remote?
> > > > 3) when you fail to connect somewhere, there should be a message in the
> > > > log containing the dropped packet description (unless you have not put
> > > > log rules). That can help in catching the problem.
> > > >
> > > >
> > > > On Fri, 16 Nov 2001, Avishay Aton wrote:
> > > >
> > > > > Hi,
> > > > > I connect to the net with pptp + adsl, and I use NAT on my Linux
> > > > > box (2.4.x) for other computers on my private network.
> > > > > My NAT rule is a simple one:
> > > > >
> > > > > modprobe iptable_nat
> > > > > modprobe ip_conntrack_ftp
> > > > > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > > >
> > > > >
> > > > > I can get most of the sites, but for example www.linuxtoday.com
> > > > > doesn't work for me.
> > > > > Also, the imap client sometimes works, sometimes doesn't.
> > > > > And finally "secure remote"?! Has anyone succeeded in connecting with
> > > > > NAT + FWZ?
> > > > > Thanks
> > > > > Avishay
> > > > >
> > > >
> > > >
> > > > =================================================================
> > > > To unsubscribe, send mail to linux-il-request@linux.org.il with
> > > > the word "unsubscribe" in the message body, e.g., run the command
> > > > echo unsubscribe | mail linux-il-request@linux.org.il
> > > >
> > > >
> > >
> >
> >
>
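The fix in this thread is the iptables TCPMSS target with --clamp-mss-to-pmtu on SYN segments. The reason it cures the "some sites hang" symptom: the LAN hosts advertise an MSS of 1460 (Ethernet MTU 1500 minus 40 bytes of IPv4 and TCP header), but the ppp0 link has an MTU of 1452, so full-size segments from the remote side have to be fragmented; when the ICMP "fragmentation needed" messages are dropped somewhere on the path (the "blackholing" Dani refers to), the connection stalls. Clamping rewrites the MSS option in the forwarded SYN to at most PMTU - 40, so the remote side never sends a segment that does not fit. The following Python script is an added illustration of that rewrite, not part of the mailing-list thread and not the kernel's code: it builds a constructed SYN segment (standard library only; the addresses 10.0.0.50 and 192.0.2.10 are constructed, the 1452 PMTU is the ppp0 MTU from the ifconfig output above), walks the TCP options, clamps the MSS the same way the target does for IPv4 without IP options, and recomputes the TCP checksum. Function and constant names are mine.

```python
import struct

IPV4_HEADER_LEN = 20        # IPv4 header without options
TCP_HEADER_LEN = 20         # TCP header without options
TCP_PROTO = 6
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
FLAG_SYN, FLAG_RST = 0x02, 0x04


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return ones_complement_sum(pseudo + segment)


def checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    # A segment carrying a correct checksum field sums to zero.
    return tcp_checksum(src, dst, segment) == 0


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed SYN with a single MSS option (24-byte header, data offset 6)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    data_offset = (TCP_HEADER_LEN + len(options)) // 4
    header = struct.pack("!HHLLBBHHH", sport, dport, 1000, 0,
                         data_offset << 4, FLAG_SYN, 65535, 0, 0) + options
    csum = tcp_checksum(src, dst, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def find_mss_option(segment: bytes):
    """Walk the TCP options; return (offset of the MSS value, mss) or None."""
    hdr_len = (segment[12] >> 4) * 4
    i = TCP_HEADER_LEN
    while i < hdr_len:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= hdr_len:
            break
        length = segment[i + 1]
        if length < 2 or i + length > hdr_len:
            break                       # malformed option; stop walking
        if kind == OPT_MSS and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss_to_pmtu(src: bytes, dst: bytes, segment: bytes, pmtu: int):
    """Return (segment, effective MSS); the segment is rewritten only if needed."""
    flags = segment[13]
    if not (flags & FLAG_SYN) or (flags & FLAG_RST):
        return segment, None            # same match as --tcp-flags SYN,RST SYN
    found = find_mss_option(segment)
    if found is None:
        return segment, None            # no MSS option: nothing to clamp
    offset, mss = found
    max_mss = pmtu - IPV4_HEADER_LEN - TCP_HEADER_LEN
    if mss <= max_mss:
        return segment, mss
    out = bytearray(segment)
    out[offset:offset + 2] = struct.pack("!H", max_mss)
    out[16:18] = b"\x00\x00"            # zero the checksum, then recompute it
    out[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(out)))
    return bytes(out), max_mss


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 50]), bytes([192, 0, 2, 10])   # constructed
    syn = build_syn(src, dst, 40000, 80, 1460)                 # LAN host MSS
    clamped, mss = clamp_mss_to_pmtu(src, dst, syn, 1452)      # ppp0 MTU
    print("MSS before:", find_mss_option(syn)[1], "after:", mss,
          "checksum ok:", checksum_ok(src, dst, clamped))
```

Because the rewrite changes only the option bytes and the checksum, the segment length and the data offset stay the same, which is why the target can be applied in the FORWARD chain without touching the IP header (the IP checksum covers only the IP header). A quick way to confirm the clamp is in effect on a real router is to watch the outgoing SYNs on ppp0 with a packet capture and check that the advertised MSS is 1412.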