Re: [SLE] SuSE 10.0 masquerade changes?

From: Peter A. Taylor (murmur_at_ghg.net)
Date: 11/15/05

  • Next message: Bruce Marshall: "Re: [SLE] SPAM: Howto DVD DL to 2 DVD SL?"
    To: suse-linux-e@suse.com
    Date: Tue, 15 Nov 2005 14:54:01 -0600
    
    

    On Monday 14 November 2005 18:16, Darryl Gregorash wrote:
    > On 11/14/2005 09:40 AM, Peter A. Taylor wrote:
    > > I got simple masquerading working under SuSE 9.3 (sharing a modem), but
    > > I can't get it working under SuSE 10.0 . I can ping and ftp within my
    > > internal network, but the internal network can't see the internet. Has
    > > anything relevant changed between 9.3 and 10.0, or am I doing something
    > > stupid? Any ideas? Where do I look for clues?
    >
    > Depending on how much firewall logging you've turned on, you might be
    > able to find some hints in /var/log/firewall.

      Short version: "ifup eth0" tells me my default route is unreachable, but I
    don't understand why.

      Update: Now I'm really confused. I get the same error message from "ifup
    eth0" under SuSE 9.3, but masquerade works anyway. Under 10.0, my wife can't
    ping our ISP's ftp server via masquerade, but she at least seems to resolve
    the server's name.

      Long version:

      In /var/log/firewall, I get stuff like the following (192.168.2.15 is my
    "athena" box with the modem. 192.168.2.20 is my wife's "isis", to which I
    want to give internet access. 192.168.2.1 is an SMC router.):

    Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0
    SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119
    PROTO=UDP SPT=1027 DPT=53 LEN=53

    Nov 15 09:05:54 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0
    SRC=192.168.2.20 DST=207.46.2.31 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=33122
    DF PROTO=TCP SPT=1415 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0 OPT
    (020405B401010402)

    Nov 15 09:09:34 athena kernel: SFW2-IN-ILL-TARGET IN=eth0 OUT= MAC=
    SRC=192.168.2.15 DST=224.0.0.251 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF
    PROTO=UDP SPT=5353 DPT=5353 LEN=54

    > The firewall configuration
    > variables are all stored in /etc/sysconfig/SuSEfirewall2.

    > egrep "^[^#]" /etc/sysconfig/SuSEfirewall2

      Very nice. Thank you. I've added that to my crib ***. :-)

      I will post the full output below, but the short version is that I did this
    to both the 9.3 and 10.0 SuSEfirewall2 files, sorted the output, and ran
    "diff". The result ("<" is 9.3, ">" is 10.0):

    2,4c2,4
    < FW_ALLOW_FW_BROADCAST_DMZ="no"
    < FW_ALLOW_FW_BROADCAST_EXT="no"
    < FW_ALLOW_FW_BROADCAST_INT="no"

    ---
    > FW_ALLOW_FW_BROADCAST_DMZ=""
    > FW_ALLOW_FW_BROADCAST_EXT=""
    > FW_ALLOW_FW_BROADCAST_INT=""
    24a25
    > FW_LOAD_MODULES=""
    37c38
    < FW_ROUTE="yes"   # PAT 11-1-2005.
    ---
    > FW_ROUTE="yes"
    54a56
    > FW_USE_IPTABLES_BATCH=""

      I "diff"ed some other files, too:
    /etc/host.conf			identical
    /etc/hosts				identical
    /etc/hosts.allow		identical
    /etc/hosts.deny		identical
    /etc/sysconfig/sysctl		identical
    /etc/sysconfig/network/routes			identical
    /etc/sysconfig/network/ifcfg-modem0	identical
    /etc/sysconfig/network/ifcfg-eth-id-00:07:95:37:98:b7
    2c2
    < BROADCAST='192.168.2.255'
    ---
    > BROADCAST=''
    7c7
    < NETWORK='192.168.2.0'
    ---
    > NETWORK=''

      That looked interesting, so I renamed the 10.0 file and copied the 9.3
    version ("<"), then ran "ifdown eth0" and "ifup eth0".  Here's what I got:

    athena:/etc/sysconfig/network # ifup eth0
        eth0      device: Silicon Integrated Systems [SiS] SiS900 PCI Fast
    Ethernet (rev 90)
        eth0      configuration: eth-id-00:07:95:37:98:b7
    ERROR: Warning: Could not set up default route via interface
           Command ip route replace to default via 192.168.2.1 returned:
           . RTNETLINK answers: Network is unreachable
           Configuration line: default 192.168.2.1 - -
           This needs NOT to be AN ERROR if you set up multiple interfaces.
           See man 5 routes how to avoid this warning.

      But both the 9.3 and the 10.0 versions of ifcfg-eth-id-00:07:95:37:98:b7
    produced the same result under 10.0 .

      I also compared /etc/sysconfig/network/config (egrep, sort, diff):
    9d8
    < FAILURE_ACTION=off
    10a10
    > FORCE_PERSISTENT_NAMES=yes
    13c13
    < IFPLUGD_OPTIONS="-f -I -u 0 -d 10"
    ---
    > IFPLUGD_OPTIONS="-f -I"
    18d17
    < USE_IPV6=yes

      I overlooked the FAILURE_ACTION variable, but played with the other three,
    which had no apparent effect.

      Again, /etc/sysconfig/network/routes is identical to the 9.3 version that
    works.

      I'm thoroughly confused.

      Peter Taylor

      PS.  Here is /etc/sysconfig/network/routes:
    192.168.2.0 192.168.2.1 255.255.255.0 eth-id-00:07:95:37:98:b7
    default 192.168.2.1 - -

      Here is the sorted output from the egrep command on the 10.0 SuSEfirewall2
    file:
    FW_ALLOW_CLASS_ROUTING=""
    FW_ALLOW_FW_BROADCAST_DMZ=""
    FW_ALLOW_FW_BROADCAST_EXT=""
    FW_ALLOW_FW_BROADCAST_INT=""
    FW_ALLOW_FW_SOURCEQUENCH=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
    FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="no"
    FW_ALLOW_PING_FW="yes"
    FW_CUSTOMRULES=""
    FW_DEV_DMZ=""
    FW_DEV_EXT="modem0"
    FW_DEV_INT="eth-id-00:07:95:37:98:b7"
    FW_FORWARD=""
    FW_FORWARD_MASQ=""
    FW_HTB_TUNE_DEV=""
    FW_IGNORE_FW_BROADCAST_DMZ="no"
    FW_IGNORE_FW_BROADCAST_EXT="yes"
    FW_IGNORE_FW_BROADCAST_INT="no"
    FW_IPSEC_TRUST="no"
    FW_IPv6=""
    FW_IPv6_REJECT_OUTGOING=""
    FW_KERNEL_SECURITY="yes"
    FW_LOAD_MODULES=""
    FW_LOG=""
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_DROP_ALL="no"
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_LIMIT=""
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="0/0"
    FW_MASQUERADE="yes"
    FW_PROTECT_FROM_INT="no"
    FW_REDIRECT=""
    FW_REJECT=""
    FW_ROUTE="yes"
    FW_SERVICES_ACCEPT_EXT=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_DMZ_RPC=""
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DROP_EXT=""
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_EXT_RPC=""
    FW_SERVICES_EXT_TCP=""
    FW_SERVICES_EXT_UDP=""
    FW_SERVICES_INT_IP=""
    FW_SERVICES_INT_RPC=""
    FW_SERVICES_INT_TCP=""
    FW_SERVICES_INT_UDP=""
    FW_SERVICES_REJECT_EXT="0/0,tcp,113"
    FW_STOP_KEEP_ROUTING_STATE="no"
    FW_TRUSTED_NETS=""
    FW_USE_IPTABLES_BATCH=""
    FW_ZONES=""
    -- 
    Check the headers for your unsubscription address
    For additional commands send e-mail to suse-linux-e-help@suse.com
    Also check the archives at http://lists.suse.com
    Please read the FAQs: suse-linux-e-faq@suse.com
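The /var/log/firewall entries quoted in the post are the most useful evidence in it: the "SFW2-FWDint-DROP-DEFLT" prefix with IN=eth0 and OUT=modem0 means the packets from 192.168.2.20 did reach the FORWARD chain on the internal zone and were dropped by its default rule before masquerading could happen. Below is an added example (not code from the post, the list, or SuSEfirewall2) that parses SFW2 kernel log lines, tallies them by chain, verdict, interfaces, source and destination port, and flags forwarded packets that hit the default DROP on the way out of the external device. The three sample lines are the ones quoted in the post, re-joined onto single lines; the reading of "FWDint" as the FORWARD chain for the internal zone and "DROP-DEFLT" as the chain's default drop is my interpretation of SuSEfirewall2's prefix scheme, and the function names are my own.

```python
"""Summarise SuSEfirewall2 (SFW2-*) kernel log lines.

Added example for the thread above; not code from the post or from
SuSEfirewall2.  SAMPLE_LOG holds the three entries quoted in the post,
each re-joined onto one line as it would appear in /var/log/firewall.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
Nov 15 09:05:54 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.2.20 DST=207.46.2.31 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=33122 DF PROTO=TCP SPT=1415 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Nov 15 09:09:34 athena kernel: SFW2-IN-ILL-TARGET IN=eth0 OUT= MAC= SRC=192.168.2.15 DST=224.0.0.251 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=54
"""

# "kernel: SFW2-<chain>-<verdict...>" followed by netfilter KEY=value fields.
PREFIX_RE = re.compile(r"kernel:\s+(SFW2-\S+)\s+(.*)$")
# KEY=value pairs; bare flags such as DF or SYN carry no '=' and are skipped.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Fields used to group the entries in the summary.
KEY = ("chain", "detail", "IN", "OUT", "SRC", "PROTO", "DPT")


def parse_line(line):
    """Return a dict for one SFW2 log line, or None for other kernel lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    prefix, fields = m.groups()
    parts = prefix.split("-")            # ['SFW2', 'FWDint', 'DROP', 'DEFLT']
    rec = {"prefix": prefix, "chain": parts[1], "detail": "-".join(parts[2:])}
    for key, value in KV_RE.findall(fields):
        rec.setdefault(key, value)       # keep the IP-header LEN, not the UDP one
    return rec


def parse_log(text):
    """Parse every SFW2 line in text (non-matching lines are ignored)."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count entries per (chain, verdict, in-dev, out-dev, src, proto, dport)."""
    return Counter(tuple(r.get(k, "") for k in KEY) for r in records)


def forwarded_drops(records, ext_dev):
    """Packets the FORWARD chain dropped by default on their way out of ext_dev.

    Interpretation (my reading of the SFW2 prefixes): 'FWD*' chains carry
    routed traffic, 'FWDint' the part that arrived on the internal zone, and
    'DROP-DEFLT' means no rule accepted the packet so the default rule fired.
    On a masquerading gateway these are LAN-to-Internet packets that should
    have been accepted and then NATed in POSTROUTING.
    """
    return [r for r in records
            if r["chain"].startswith("FWD")
            and r["detail"] == "DROP-DEFLT"
            and r.get("OUT") == ext_dev]


def report(text, ext_dev):
    """Human-readable summary plus a one-line verdict on the forward path."""
    recs = parse_log(text)
    lines = ["%4d  %s" % (n, " ".join(k)) for k, n in sorted(summarize(recs).items())]
    drops = forwarded_drops(recs, ext_dev)
    if drops:
        srcs = ", ".join(sorted({r["SRC"] for r in drops}))
        lines.append("forward path out of %s hits the default DROP for: %s" % (ext_dev, srcs))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text, sys.argv[2] if len(sys.argv) > 2 else "modem0"))
```

Run it as `python sfw2sum.py /var/log/firewall modem0` on the gateway (the filename is my own choice); with no arguments it summarises the three quoted lines. Grouping by chain and verdict separates the two real problems in the post's log (internal hosts dropped in FORWARD) from the harmless third line (the gateway's own mDNS multicast to 224.0.0.251 refused in INPUT), which a raw `grep DROP` would lump together.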