Fedora Linux Support Community & Resources Center

Go Back   FedoraForum.org > Fedora 17/18 > Servers & Networking
#1
11th August 2007, 06:11 PM
Marley Junior
Registered User
Join Date: Aug 2007
Location: Bolton, UK
Age: 35
Posts: 9
Fedora 7 Masquerading Problem?

I have recently installed F7 after using previous Fedora (Cores) with no problems; it now appears I no longer have a working IP Masq / NAT router.

My F7 box connects to the internet using ppp0 (successfully) and is internally networked via eth0. I have another machine (XP Pro) that can see my F7 box, can resolve an IP address from the internet (using bind from the F7 box) but gets timed out when connecting to the internet (Destination host unreachable from ping).

F7 Settings / File Contents:

'route'
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
89.242.192.1 * 255.255.255.255 UH 0 0 0 ppp0
192.168.13.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default * 0.0.0.0 U 0 0 0 ppp0

'ifconfig'
eth0 Link encap:Ethernet HWaddr 00:19:21:44:14:1C
inet addr:192.168.13.254 Bcast:192.168.13.255 Mask:255.255.255.0
inet6 addr: fe80::219:21ff:fe44:141c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:976 errors:0 dropped:0 overruns:0 frame:0
TX packets:1010 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:68276 (66.6 KiB) TX bytes:107538 (105.0 KiB)
Interrupt:11 Base address:0xa000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8851 errors:0 dropped:0 overruns:0 frame:0
TX packets:8851 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:62898555 (59.9 MiB) TX bytes:62898555 (59.9 MiB)

ppp0 Link encap:Point-to-Point Protocol
inet addr:89.242.204.143 P-t-P:89.242.192.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:216412 errors:0 dropped:0 overruns:0 frame:0
TX packets:136594 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:297840654 (284.0 MiB) TX bytes:7814206 (7.4 MiB)

'cat /proc/sys/net/ipv4/ip_forward'
1

'cat /etc/sysconfig/iptables'
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT

Can anyone suggest where I can start looking next for the problem please?

Thank you in advance,
MJ
#2
11th August 2007, 07:29 PM
ionutv202003
Registered User
Join Date: Apr 2005
Location: romania
Age: 30
Posts: 100
Hello,

You can resolve the host name and the ping returns Destination Host Unreachable?

The rules for local are a bit different from the rules for routing, and I do not understand the behavior too well from your post, so can you please provide the following information:

Can the router machine resolve a host name?
Can the router machine ping a host name?
Can a machine behind the router resolve a host name?
Can a machine behind the router ping a host name?

Also, can you post the output for: iptables -L and the iptables rules you use to route the packages, if any besides what you have already posted?
#3
11th August 2007, 07:49 PM
Marley Junior
Registered User
Join Date: Aug 2007
Location: Bolton, UK
Age: 35
Posts: 9
Quote:
Originally Posted by ionutv202003
Can the router machine resolve a host name? Can the router machine ping a host name?
I'm using it to post this message.

Quote:
Originally Posted by ionutv202003
Can a machine behind the router resolve a host name? Can a machine behind the router ping a host name?
It can resolve the hostname using my router as the DNS.
No it cannot ping past / through the router.

Quote:
Originally Posted by ionutv202003
Also, can you post the output for: iptables -L and the iptables rules you use to route the packages, if any beside what you have already posted?
Output from 'iptables -L'
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT 0 -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited

I do not really understand iptables in a decent way; in previous versions of Fedora I have simply run 'setup' from a terminal, gone into Firewall Configuration, and enabled Masquerading that way. This is exactly the same method I've used with F7, and I have no other iptables rules in operation that I know of.

Thanks for your time,
MJ
#4
11th August 2007, 08:26 PM
ionutv202003
Registered User
Join Date: Apr 2005
Location: romania
Age: 30
Posts: 100
Hi again,

First of all, I use for the internal network the DNS that the router uses, so I do not use the router as a DNS, but since name resolving works I think this is not a problem, I just wanted to make a note.

Second, here is the iptables rule I use for masquerading:

Code:
    iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.10.0/24 -j MASQUERADE
    iptables -P FORWARD ACCEPT
ppp0 is the interface via which I connect to the internet and the network 192.168.10.0 is the internal network. /24 means route for the first 24 IPs. Try to adapt this to your environment. I do not have much experience with iptables either; the best I can do is provide you with a few iptables rules you can use to create a basic router. The one above is for masquerading; there are a few others for forwarding ports and security.

Third, for a more secure internal network and router I suggest you use DROP, not REJECT. REJECT notifies the machine that made the request of the presence of the router, and DROP just drops the packages. This way you avoid being detected by unauthorized machines and the internet is not aware of your presence.

Hope it helps.
#5
11th August 2007, 09:29 PM
Marley Junior
Registered User
Join Date: Aug 2007
Location: Bolton, UK
Age: 35
Posts: 9
OK, I solved the problem, but I don't know how much I've messed up in the meantime!?!

My interpretation is thus:

Looking at your suggestion, the POSTROUTING was already being handled by my script: it looks like it 'marks' any packet from the eth0 connection, and if a packet has this 'mark' it is allowed to MASQUERADE. The second line was markedly different: my iptables script was set to REJECT any FORWARD rules, whilst having the default policy of ACCEPT.

I have simply hacked the /etc/sysconfig/iptables file and replaced the line

Code:
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
with the new line

Code:
-A FORWARD -j ACCEPT
This seems like I've just opened a big hole and I need to find out what I have done! It has cured the problem and I'm now masquerading, but is my system still secure?

Anyway, this is the problem solved, so thanks for the help, I really appreciate it.
MJ
#6
11th August 2007, 09:50 PM
ionutv202003
Registered User
Join Date: Apr 2005
Location: romania
Age: 30
Posts: 100
I believe that this entry
Code:
REJECT 0 -- anywhere anywhere reject-with icmp-host-prohibited
is rejecting any input that does not meet the conditions above it, so in a way you are protected.

Furthermore, since the rule you changed is in the FORWARD chain the router has the same security level as before, the only impact can be on the internal network.

Anyway, the REJECT rule in the INPUT chain should reject anything that is not compliant with the rules above it, even if the packets are destined for the internal network. My security rule is something like
Code:
iptables -I INPUT -i ppp0 -s ! <some_secure_ip> -j DROP
this leads to the fact that my machine does not respond to ping or any other requests made by a machine that is different from the <some_secure_ip>. But, if my machine creates a request "outside", then the reply from "outside" is accepted even if it comes from a machine other than <some_secure_ip>. I'm not sure if this applies to REJECT too, but my logic tells me that it should.

BTW, is the router you are talking about a "home usage" router?
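An added example for the two questions left open above, not code from any post in this thread or from Fedora's system-config-securitylevel: a small Python model of how iptables walks a chain (first matching rule wins, otherwise the chain policy applies). It compares the three FORWARD chains discussed in posts #4 and #5 (the original blanket REJECT, the `-A FORWARD -j ACCEPT` replacement, and a stateful alternative that is the editor's suggestion, not something the thread settles on), and shows why the position of the `-I INPUT -i ppp0 -s ! <ip> -j DROP` rule from post #6 matters. It models only the matches that appear in the thread (`-i`, `-o`, `-s` with the old `!` negation, `-m state --state`); ports, protocols and the RH-Firewall-1-INPUT jump are left out. The packets, the 203.0.113.5 and 198.51.100.7 addresses, and the use of 192.168.13.0/24 (the LAN from the ifconfig output in post #1) are constructed for the example. `addresses_matched` also answers how many source addresses an `-s 192.168.10.0/24` match covers.

```python
"""Offline model of how iptables walks the FORWARD and INPUT chains.

Added example, not code from the forum posts or from Fedora's firewall
tool. Only -i, -o, -s (with optional '!'), -m state --state and the
targets ACCEPT / DROP / REJECT are modelled. All traffic is constructed.
"""
import ipaddress
import shlex


def parse_chain(text, chain):
    """Collect the rules of one chain from /etc/sysconfig/iptables-style lines.

    '-A' appends to the chain; '-I' (as in the thread's DROP rule) inserts
    at the head, which is the ordering subtlety this example is about.
    """
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 3 or toks[0] not in ("-A", "-I") or toks[1] != chain:
            continue
        rule = {"in": None, "out": None, "src": None, "src_negated": False,
                "states": None, "target": None}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "-i":
                rule["in"] = toks[i + 1]; i += 2
            elif t == "-o":
                rule["out"] = toks[i + 1]; i += 2
            elif t == "-s":
                if toks[i + 1] == "!":          # old syntax: -s ! 1.2.3.4
                    rule["src_negated"] = True; i += 1
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
            elif t == "--state":
                rule["states"] = set(toks[i + 1].split(",")); i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]; i += 2
            else:
                i += 1                           # -m state, --reject-with ...: not modelled
        if toks[0] == "-I":
            rules.insert(0, rule)
        else:
            rules.append(rule)
    return rules


def verdict(rules, packet, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    src = ipaddress.ip_address(packet["src"])
    for r in rules:
        if r["in"] and r["in"] != packet["in"]:
            continue
        if r["out"] and r["out"] != packet["out"]:
            continue
        if r["src"] is not None and (src in r["src"]) == r["src_negated"]:
            continue
        if r["states"] and packet["state"] not in r["states"]:
            continue
        return r["target"]
    return policy


def addresses_matched(cidr):
    """Number of source addresses an '-s CIDR' match covers (a /24 is 256)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


# Constructed traffic as seen by the router (eth0 = LAN, ppp0 = dial-up link).
LAN_TO_INTERNET = {"in": "eth0", "out": "ppp0", "src": "192.168.13.10", "state": "NEW"}
REPLY_TO_LAN = {"in": "ppp0", "out": "eth0", "src": "203.0.113.5", "state": "ESTABLISHED"}
UNSOLICITED = {"in": "ppp0", "out": "eth0", "src": "203.0.113.5", "state": "NEW"}

# The three FORWARD chains under discussion; the stateful one is a suggestion.
FORWARD_ORIGINAL = "-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
FORWARD_QUICK_FIX = "-A FORWARD -j ACCEPT"
FORWARD_STATEFUL = """
-A FORWARD -i eth0 -o ppp0 -s 192.168.13.0/24 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""


def forward_results(ruleset):
    rules = parse_chain(ruleset, "FORWARD")
    return {"lan_to_internet": verdict(rules, LAN_TO_INTERNET),
            "reply_to_lan": verdict(rules, REPLY_TO_LAN),
            "unsolicited": verdict(rules, UNSOLICITED)}


# The thread's source-restricting DROP next to a typical ESTABLISHED,RELATED rule.
# 198.51.100.7 stands in for <some_secure_ip>.
INPUT_DROP_INSERTED = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-I INPUT -i ppp0 -s ! 198.51.100.7 -j DROP
"""
INPUT_DROP_APPENDED = INPUT_DROP_INSERTED.replace("-I INPUT", "-A INPUT")


def input_results(ruleset):
    rules = parse_chain(ruleset, "INPUT")
    reply = {"in": "ppp0", "out": None, "src": "203.0.113.5", "state": "ESTABLISHED"}
    stranger = {"in": "ppp0", "out": None, "src": "203.0.113.5", "state": "NEW"}
    admin = {"in": "ppp0", "out": None, "src": "198.51.100.7", "state": "NEW"}
    return {"reply": verdict(rules, reply), "stranger": verdict(rules, stranger),
            "admin": verdict(rules, admin)}


if __name__ == "__main__":
    for label, rs in (("original", FORWARD_ORIGINAL), ("quick fix", FORWARD_QUICK_FIX),
                      ("stateful", FORWARD_STATEFUL)):
        print(f"FORWARD {label:9}: {forward_results(rs)}")
    print("INPUT, DROP via -I:", input_results(INPUT_DROP_INSERTED))
    print("INPUT, DROP via -A:", input_results(INPUT_DROP_APPENDED))
    print("-s 192.168.10.0/24 covers", addresses_matched("192.168.10.0/24"), "addresses")
```

Run as a script, the FORWARD comparison shows the thread's symptom (the original chain rejects the LAN's outbound packets) and the cost of the quick fix (everything is forwarded in both directions, including new connections arriving on ppp0 and headed for the LAN), while the stateful chain forwards LAN-originated traffic and its replies only. The INPUT comparison shows that `-I` places the DROP ahead of the ESTABLISHED,RELATED rule, so replies to the router's own connections are dropped; appending it with `-A` after that rule keeps replies working while still dropping unsolicited packets from other hosts.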
#7
13th August 2007, 09:39 AM
Marley Junior
Registered User
Join Date: Aug 2007
Location: Bolton, UK
Age: 35
Posts: 9
Quote:
Originally Posted by ionutv202003
BTW, is the router you are talking about a "home usage" router?
Very much so. I was tired of trying to get Internet Connection Sharing working reliably on Windows many moons ago so decided to install a Linux box instead.

MJ
Tags
fedora, masquerading, problem