Step Six: Testing internal MASQ client to external MASQ
server connectivity
From an internal MASQed computer, ping the IP address of the MASQ server's
EXTERNAL TCP/IP address obtained in Step FIVE above. This address could be
from your Ethernet, PPP, etc. interface which is ultimately the address
connected to your ISP. This ping test will prove that Linux masquerading
(ICMP Masquerading specifically) and IP forwarding is working.
If everthing thing is working correctly, the output should look something
like the following (hit Control-C to abort the ping):
-------------------------------------
masq-client# ping 12.13.14.15
PING 12.13.14.15 (12.13.14.15): 56 data bytes
64 bytes from 12.13.14.15: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 12.13.14.15: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 12.13.14.15: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 12.13.14.15: icmp_seq=3 ttl=255 time=0.5 ms
^C
--- 12.13.14.15 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.8 ms
------------------------------------- |
If this test doesn't work, first make sure that the "Default Gateway" on the
MASQed PC is pointing to the IP address on the MASQ -SERVERs- INTERNAL NIC.
Also double check that the /etc/rc.d/rc.firewall script was run without any
errors. Just as a test, try re-running the /etc/rc.d/rc.firewall script now
to see if it runs OK. Also, though most kernels support it by default, make
sure that you enabled "ICMP Masquerading" in the kernel comfiguration and
"IP Forwarding" in your /etc/rc.d/rc.firewall script.
If you still can't get things to work, take a look at the output from the
following commands run on the Linux MASQ SERVER:
"ifconfig" : Make sure the interface for
your Internet connection (be it ppp0, eth0, etc.) is UP and you have the
correct IP address for the Internet connection. An example of this output is
shown in STEP FIVE above.
"netstat -rn" : Make sure your default
gateway (the column with an IP address in the Gateway column) is set. An
example of this output might look like:
-------------------------------------
masq-server# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.0.1 0.0.0.0 255.255.255.255 UH 0 16384 0 eth1
12.13.14.15 0.0.0.0 255.255.255.255 UH 0 16384 0 eth0
12.13.14.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 16384 0 lo
0.0.0.0 12.13.14.1 0.0.0.0 UG 0 16384 0 eth0
------------------------------------- |
Notice the very LAST line that starts with 0.0.0.0? Notice that it also has
an IP address in the "Gateway" field? You should specify an IP address for
your specific setup in that field (this is typically done automatically when
your Internet connection is enabled). "cat /proc/sys/net/ipv4/ip_forward" : Make
sure it says "1" so that Linux forwarding is enabled
Run the command "/sbin/ipchains -n -L" for
2.2.x users or "/sbin/ipfwadm -F -l" for
2.0.x users. Specifically, look for the FORWARDing section to make sure you
have MASQ enabled. An example of an IPCHAINS output might look like for users
using the Simple rc.firewall ruleset:
------------------------------------
.
.
Chain forward (policy REJECT):
target prot opt source destination ports
MASQ all ------ 192.168.0.0/24 0.0.0.0/0 n/a
ACCEPT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
.
.
------------------------------------
|