Tom Eastep <teastep@shorewall.net> writes:
> Jacob Bunk Nielsen wrote:
>
>> After shorewall has started without any errors I don't see any
>> masquerading rules in the output of 'iptables -L -v -n', which I would
>> have expected. Why not?
>>
>
> The command that you entered dumps the contents of the filter table
> while MASQUERADE rules are placed in the nat table. That table is
> dumped using "shorewall show nat" (preferred) or by "iptables -t nat
> -L -n -v"
Cool - thanks, now it works. Apparently Epiphany had gone into "offline
mode". Annoying feature!
,----
| # shorewall show nat
| Shorewall-3.2.6 NAT Table at box - Wed Aug 20 20:17:47 CEST 2008
|
| Counters reset Wed Aug 20 17:40:51 CEST 2008
|
| Chain PREROUTING (policy ACCEPT 16457 packets, 846K bytes)
|  pkts bytes target     prot opt in     out     source               destination
|
| Chain POSTROUTING (policy ACCEPT 3497 packets, 222K bytes)
|  pkts bytes target     prot opt in     out     source               destination
|  3345  213K eth1_masq  0    --  *      eth1    0.0.0.0/0            0.0.0.0/0
|
| Chain OUTPUT (policy ACCEPT 3499 packets, 222K bytes)
|  pkts bytes target     prot opt in     out     source               destination
|
| Chain eth1_masq (1 references)
|  pkts bytes target     prot opt in     out     source               destination
|     7   438 excl_1     0    --  *      *       10.168.1.0/24        0.0.0.0/0            policy match dir out pol none
|
| Chain excl_1 (1 references)
|  pkts bytes target     prot opt in     out     source               destination
|     0     0 RETURN     0    --  *      *       0.0.0.0/0            10.168.1.0/24
|     7   438 MASQUERADE 0    --  *      *       0.0.0.0/0            0.0.0.0/0
`----
But there's still something that bothers me. It seems that I'm able to
ping hosts outside my network:
,----[ From 10.168.1.4 ]
| $ ping -n -c 1 google.com
| PING google.com (64.233.167.99) 56(84) bytes of data.
| 64 bytes from 64.233.167.99: icmp_seq=1 ttl=239 time=146 ms
|
| --- google.com ping statistics ---
| 1 packets transmitted, 1 received, 0% packet loss, time 0ms
| rtt min/avg/max/mdev = 146.472/146.472/146.472/0.000 ms
`----
But traceroutes look funny:
,----[ From 10.168.1.4 ]
| $ sudo traceroute -I google.com
| traceroute to google.com (72.14.207.99), 30 hops max, 40 byte packets
|  1  10.168.1.1 (10.168.1.1)  0.243 ms  0.228 ms  *
|  2  * * *
|  3  * * *
|  4  * * *
|  5  * * *
|  6  * ti3004b300-ae2-0.ti.telenor.net (148.122.9.25)  6.427 ms  6.561 ms
|  7  ti3004c310-ae0-0.ti.telenor.net (146.172.105.41)  17.242 ms  17.720 ms  18.145 ms
|  8  * * *
|  9  ti3001b300-ae0-0.ti.telenor.net (146.172.105.50)  19.852 ms  20.518 ms  20.644 ms
| ^C
`----
No matter what I trace I get a reply to the second and third ICMP packet
to the 6th hop. Other hops before it answer those if I don't go through
my one-armed router:
,----[ From 10.168.1.1/<public IP> ]
| # traceroute -I google.com
| traceroute: Warning: google.com has multiple addresses; using 64.233.167.99
| traceroute to google.com (64.233.167.99), 30 hops max, 52 byte packets
|  1  budbringeren.bunk.cc (212.242.94.25)  0.382 ms  0.308 ms  0.298 ms
|  2  loop0.mxc1-frix.ip.cybercity.dk (212.242.2.153)  5.333 ms  4.448 ms  5.360 ms
|  3  ge-0-1-1-10.mcr1-soex.ip.cybercity.dk (212.242.7.237)  9.859 ms  4.948 ms  4.823 ms
|  4  ge-1-0-0.br1-albx.ip.cybercity.dk (212.242.6.34)  5.250 ms  5.395 ms  5.338 ms
|  5  ti3004b300-ae2-0.ti.telenor.net (148.122.9.25)  5.348 ms  5.809 ms  5.857 ms
|  6  ti3004c310-ae0-0.ti.telenor.net (146.172.105.41)  16.668 ms  16.314 ms  16.871 ms
| ^C
`----
So what am I still doing wrong?
--
Jacob
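A way to check from the listing alone which traffic the nat table will actually masquerade, as an added example that is not part of the thread and not Shorewall's own code: it parses the `shorewall show nat` / `iptables -t nat -L -v -n` output quoted above (re-aligned into the column layout iptables prints; the sample is constructed from the thread's values), follows the POSTROUTING -> eth1_masq -> excl_1 jumps, honours RETURN, and reports the terminating target for a given source, destination and outgoing interface. It deliberately evaluates only interface, source and destination; the `policy match dir out pol none` IPsec match on the eth1_masq rule is assumed to match ordinary (non-IPsec) packets and is otherwise ignored.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the nat table listing from the thread, re-aligned into
# the columns that "iptables -t nat -L -v -n" prints.
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 16457 packets, 846K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3497 packets, 222K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3345  213K eth1_masq  0    --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3499 packets, 222K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   438 excl_1     0    --  *      *       10.168.1.0/24        0.0.0.0/0            policy match dir out pol none

Chain excl_1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  *      *       0.0.0.0/0            10.168.1.0/24
    7   438 MASQUERADE 0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Targets that end rule traversal for a packet (subset sufficient for the nat table).
TERMINAL = {"MASQUERADE", "SNAT", "DNAT", "REDIRECT", "NETMAP", "ACCEPT", "DROP", "REJECT"}

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")


@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    extra: str  # trailing match text such as "policy match dir out pol none" (ignored here)


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # built-in chains carry a policy, user chains do not
    rules: list = field(default_factory=list)


def parse_nat_table(text):
    """Parse 'iptables -t nat -L -v -n' style output into {chain name: Chain}."""
    chains = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(name=m.group(1), policy=m.group(2))
            chains[current.name] = current
            continue
        fields = line.split(None, 9)
        if current is None or fields[0] == "pkts":
            continue  # column header line
        # pkts bytes target prot opt in out source destination [extra matches]
        _, _, target, proto, _, in_if, out_if, src, dst = fields[:9]
        extra = fields[9] if len(fields) > 9 else ""
        current.rules.append(Rule(target, proto, in_if, out_if,
                                  ipaddress.ip_network(src), ipaddress.ip_network(dst), extra))
    return chains


def matches(rule, src, dst, in_if, out_if):
    """Simplified match: interfaces ('*' is a wildcard) plus source/destination networks."""
    return ((rule.in_if == "*" or rule.in_if == in_if)
            and (rule.out_if == "*" or rule.out_if == out_if)
            and src in rule.src and dst in rule.dst)


def nat_verdict(chains, chain_name, src, dst, in_if, out_if):
    """Walk a chain as the kernel would: follow jumps into user chains, stop at a
    terminating target, and on RETURN hand control back to the calling chain.
    Returns the target name, the built-in chain's policy on fall-through, or None
    when a user chain falls through / returns."""
    chain = chains[chain_name]
    for rule in chain.rules:
        if not matches(rule, src, dst, in_if, out_if):
            continue
        if rule.target == "RETURN":
            return chain.policy  # None for a user chain, policy for a built-in one
        if rule.target in chains:  # jump into a user-defined chain
            verdict = nat_verdict(chains, rule.target, src, dst, in_if, out_if)
            if verdict is not None:
                return verdict
            continue  # the sub-chain returned: keep evaluating this chain
        if rule.target in TERMINAL:
            return rule.target
    return chain.policy


def postrouting_verdict(listing, src, dst, out_if):
    """What the nat POSTROUTING chain does to a packet src -> dst leaving via out_if."""
    chains = parse_nat_table(listing)
    return nat_verdict(chains, "POSTROUTING", ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), "*", out_if)


if __name__ == "__main__":
    for src, dst, dev in [("10.168.1.4", "64.233.167.99", "eth1"),
                          ("10.168.1.4", "10.168.1.5", "eth1"),
                          ("10.168.1.4", "64.233.167.99", "eth0")]:
        print(f"{src} -> {dst} via {dev}: {postrouting_verdict(SAMPLE_NAT_TABLE, src, dst, dev)}")
```

Running it shows that traffic from the 10.168.1.0/24 LAN to the Internet via eth1 ends in MASQUERADE, while LAN-to-LAN traffic hits the RETURN in excl_1 and falls through to POSTROUTING's ACCEPT policy untranslated, which is exactly what the excl_1 exclusion chain is for. To check a live box, feed it the real output of `iptables -t nat -L -v -n` instead of the constructed sample.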