Hello guys,
I have the following very frustrating problem.
I have 1 internet connection (DSL-MODEM) and I want to share it with my LAN via NAT-Router.
(INTERNET- DSL-MODEM (80.109.145.1) - NAT-SUSE11.2ROUTER (80.109.145.85 <-> 10.10.5.1) - SWITCH - LAN)
Output of ‘ifconfig’:
000d88cd4cb5:/home/king/Desktop # ifconfig
eth1 Link encap:Ethernet HWaddr 00:0D:88:CD:4C:B4
**inet addr:10.10.5.1 Bcast:10.255.255.255 Mask:255.0.0.0**
inet6 addr: fe80::20d:88ff:fecd:4cb4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12565 errors:0 dropped:0 overruns:0 frame:0
TX packets:682 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:830235 (810.7 Kb) TX bytes:88383 (86.3 Kb)
Interrupt:18 Base address:0xc000
eth2 Link encap:Ethernet HWaddr 00:0D:88:CD:4C:B5
**inet addr:80.109.145.85 Bcast:80.109.145.255 Mask:255.255.255.0**
inet6 addr: fe80::20d:88ff:fecd:4cb5/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:119989 errors:0 dropped:0 overruns:0 frame:0
TX packets:57697 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:124384614 (118.6 Mb) TX bytes:4686368 (4.4 Mb)
Interrupt:19 Base address:0xc100
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:639 errors:0 dropped:0 overruns:0 frame:0
TX packets:639 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:150547 (147.0 Kb) TX bytes:150547 (147.0 Kb)
eth1 is connected to DSL-MODEM
eth2 is connected to SWITCH (Network)
I have a DHCP server running that guarantees that my LAN gets:
- IPv4 addresses from 10.10.5.10-100 (LAN)
- Subnet: 255.0.0.0 (Class A)
- Gateway: 10.10.5.1 (SUSE NAT router)
The following options are enabled:
IP forwarding enabled
Masquerading enabled (from private (10.10.5.) to public (80.109.145.))
What am I doing wrong? I also tried manipulating iptables and issuing routing commands, but nothing works…
Output of ‘route’:
000d88cd4cb5:/home/king/Desktop # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
80.109.145.0 * 255.255.255.0 U 0 0 0 eth2
link-local * 255.255.0.0 U 0 0 0 eth1
10.0.0.0 * 255.0.0.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default chello080109145 0.0.0.0 UG 0 0 0 eth2
I hope I described the problem in enough detail; if you need more information, please just post. Is it possible to route from a class A subnet to a class C subnet?
Thanks for your help. I'm really frustrated that this doesn't work, and I'm randomly typing route commands, so I'd be so glad for help.
How are you “manipulating” the firewall rules? You should be doing it via YaST or by editing /etc/sysconfig/SuSEfirewall2, where there are lots of comments, not manually. Show us the NAT rules of your machine. Run:
iptables -t nat -L -n
If you don’t have a MASQUERADE rule under POSTROUTING, then you don’t really have masquerading. Also show us the normal rules:
iptables -L -n
I'm manipulating the firewall rules via YaST, by just checking the checkbox "Masquerade Networks".
Output of ‘iptables -t nat -L -n’:
000d88cd4cb5:/home/king/Desktop # iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Output of ‘iptables -L -n’:
000d88cd4cb5:/home/king/Desktop # iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED
input_int all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
forward_int all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '
Chain forward_ext (5 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 5
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain input_ext (6 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:53 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain reject_func (0 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Thanks for the fast reply!
BTW, these are my firewall settings as displayed by YaST in the 'detailed summary':
Firewall Starting
• Enable firewall automatic starting
• Firewall starts after the configuration gets written
Internal Zone
Interfaces
• DL10050 Sundance Ethernet / eth1
Open Services, Ports, and Protocols
• Internal zone is unprotected. All ports are open.
Demilitarized Zone
• No interfaces assigned to this zone.
External Zone
Interfaces
• DL10050 Sundance Ethernet / eth2
• 'bond0' Unknown network interface.
• 'br0' Unknown network interface.
Open Services, Ports, and Protocols
• HTTP Server:
• TCP Ports: http (80)
• bind DNS server:
• TCP Ports: domain (53)
• UDP Ports: domain (53)
You don’t have masquerading active. You need to turn this on under firewall rules in YaST.
BTW, the fact you don’t have eth0 but have eth1 and eth2 suggests that you had fights with the network configuration. You may find it easier to go into YaST network device configuration and rename them to eth0 and eth1 first. Also delete bond0 and br0, they don’t appear to do anything.
Yes, that's true. I somehow just managed, about half an hour ago, to get real eth devices; before that I had (I don't know why) to use a bridge in order to connect to the internet…
Never mind, I'll fix that right now, but about what you said regarding the firewall in YaST:
I start YaST, then I go to the tab 'Security and Users', then to the 'Masquerading' section, and check 'Masquerade networks'.
When I check it, a list box is enabled that allows adding 'Masquerade rules…'. This list box is empty.
But however I enable masquerading in YaST, as you said, it is not really running…
Did you follow this page, and also Swerdna’s page linked from it?
ICS - openSUSE
Perhaps you should clean up your network interface names first.
OK, I'll try to clean up my network devices. Somehow they appear only in the firewall; when typing 'ifconfig' none of them appear, and when looking in the Network Devices section of YaST, br0 and bond0 don't appear either…
Should I try to delete them using the terminal? (But I wouldn't have any idea how to do that.)
And BTW, eth0 is displayed because I have so many network cards; I just don't use eth0 because that card is a little slower, but I think it's less of a problem if eth0 is unused than if br0 and bond0 are in the firewall.
The link you posted is very good, thank you; it describes ICS really simply as a combination of
- IP forwarding
- masquerading
So I think I have just a very small problem that stops everything from working. Hopefully the problem is my weird Ethernet setup.
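The two checks the replies above ask for (a MASQUERADE rule under POSTROUTING in `iptables -t nat -L -n`, and IP forwarding actually enabled) can be scripted so that the effective kernel state is tested rather than trusting the YaST checkbox. The following is an added example written for this thread; it is not code from the thread, from openSUSE or from SuSEfirewall2. It assumes, from the posted ifconfig and route output rather than from the prose (which names the interfaces the other way round), that eth2 is the public interface with the default route and eth1 is the LAN side, and it uses 10.10.5.0/24 as the LAN network, since that is the range the DHCP scope actually hands out (the posted /8 mask would masquerade all of 10.0.0.0/8). The two nat-table listings embedded below are constructed samples: the first is the empty table exactly as posted, the second is what the same listing looks like once masquerading is in place.

```shell
#!/bin/sh
# Added example for this thread (not SuSEfirewall2 code).
# Assumed topology, taken from the posted ifconfig/route output:
#   WAN=eth2 (80.109.145.85, default route), LAN=eth1 (10.10.5.1), LAN_NET=10.10.5.0/24
WAN="${WAN:-eth2}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-10.10.5.0/24}"

# Constructed sample 1: the nat table exactly as posted in the thread (no rules at all).
NAT_EMPTY='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample 2: the same listing once masquerading really is active.
NAT_MASQ='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.10.5.0/24         0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# has_masquerade: read `iptables -t nat -L -n` output on stdin; succeed only if
# the POSTROUTING chain holds a MASQUERADE or SNAT rule. A rule that landed in
# PREROUTING or OUTPUT by mistake does not count, which is why the chain is tracked.
has_masquerade() {
    awk '
        /^Chain /                                        { in_post = ($2 == "POSTROUTING") }
        in_post && ($1 == "MASQUERADE" || $1 == "SNAT")  { found = 1 }
        END                                              { if (found) exit 0; exit 1 }
    '
}

# ip_forward_enabled [FILE]: succeed if the sysctl file holds exactly "1".
# Defaults to the live kernel value; pass a path to check a saved copy instead.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# nat_commands: print (do not run) the minimal rule set for the assumed topology,
# so it can be reviewed before being executed as root. Note that SuSEfirewall2
# rewrites the tables on restart, so rules added by hand do not survive it.
nat_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# check_nat [FILE]: combined verdict. Reads the nat listing from stdin and the
# ip_forward value from FILE (default: live kernel). Prints "ok" and returns 0
# only when both conditions hold; otherwise lists what is missing and returns 1.
check_nat() {
    missing=""
    has_masquerade || missing="$missing no-MASQUERADE-in-POSTROUTING"
    ip_forward_enabled "$1" || missing="$missing ip_forward=0"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# Stand-alone run: verdict on both constructed samples, then the rules to apply.
# On the router itself, replace the sample with:  iptables -t nat -L -n | check_nat
printf '%s\n' "$NAT_EMPTY" | check_nat /dev/null
printf '%s\n' "$NAT_MASQ"  | check_nat
nat_commands
```

On the posted listing `check_nat` reports a missing MASQUERADE rule whatever the YaST summary says, which is the situation in this thread. The persistent fix on openSUSE 11.2 belongs in /etc/sysconfig/SuSEfirewall2 (FW_DEV_EXT, FW_DEV_INT, FW_ROUTE="yes", FW_MASQUERADE="yes", FW_MASQ_NETS); the printed iptables commands are the minimum a correct configuration has to produce, and comparing them against `iptables -t nat -L -n` after `rcSuSEfirewall2 restart` tells you whether the configuration was actually applied.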