Unable to masquerade networks with 12.2

Hi, I installed 64 bit 12.2 with lxde/openbox on a box called “maria”
with two network devices.

I have eth0 (firewall external zone) connected to my ISP and eth1
(firewall internal zone) connected to my internal network as
10.0.0/24. On the internal network I can ping “maria”, and on “maria”
I can ping google.com.

In Yast -> Security_and_Users -> Firewall -> Masquerading,
I have enabled “Masquerade Networks”. In YaST -> Network_devices ->
network_settings -> Routing, I have enabled “IP forwarding”.

This was sufficient in earlier releases to get NAT working. However
with 12.2 I cannot access the internet from machines on the
10.0.0/24 network. I receive the report “ping: unknown host google.com”.

On “maria” the command route reports:

Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 default         78.243.124.254  0.0.0.0         UG    0      0        0 eth0
 10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
 78.243.124.0    *               255.255.255.0   U     0      0        0 eth0
 loopback        *               255.0.0.0       U     0      0        0 lo
 link-local      *               255.255.0.0     U     0      0        0 eth0

IPv6 is disabled.

In openSUSE 12.2: Chapter 13. Masquerading and Firewalls I read

As mentioned, whenever one of the LAN hosts sends a packet
destined for an Internet address, it goes to the default
router. However, the router must be configured before it can forward
such packets. For security reasons, this is not enabled in a default
installation. To enable it, set the variable IP_FORWARD in the file
/etc/sysconfig/sysctl to IP_FORWARD=yes.

but there is no file /etc/sysconfig/sysctl in my 64 bit 12.2 installation.

What additional settings are needed to get NAT working in 12.2?

Roger

There is a file, /etc/sysctl.conf , where I find these lines:

@laptop:/etc> grep forw sysctl.conf
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

Please set the value to “1” and check what happens. It seems that some things have changed. Must say, it’s merely a wild guess, after a “locate sysctl | grep etc” on the laptop and having a look in that file.

In my box “maria” I also find:

rprice@maria:~> grep forw /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

I set both values to 1 and rebooted “maria”. No change - I’m still
unable to ping from a box on the internal network to google.com.

Any suggestion would be much appreciated,
Roger

Hi, I’ve just seen this note in file /etc/sysconfig/SuSEfirewall2
which suggests that setting FW_ROUTE="yes", and also setting
FW_MASQUERADE="yes", should override sysctl settings for masquerading.

Roger

# This option overrides IP_FORWARD from /etc/sysconfig/sysctl and
# net.ipv4.ip_forward settings in /etc/sysctl.conf
# Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on
# manually.
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
#
# defaults to "no" if not set
#
FW_ROUTE="yes"

FW_MASQUERADE="yes"

I finally found the problem after sniffing the internal network with tcpdump.
In file /etc/dhcpd.conf the line

option routers 10.0.0.7;

was corrupt, pointing to a non-existent machine. Once this was corrected
and dhcpd restarted, masquerading worked correctly.

Roger
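An added example, not from the thread or from openSUSE: a small POSIX shell checklist that walks the same chain the thread did, offline against constructed copies of the files: the forwarding sysctl, the FW_ROUTE/FW_MASQUERADE flags, a loaded MASQUERADE rule, and whether the router address dhcpd hands out is one the gateway actually owns (the last one was the real fault here). Assumed: 10.0.0.1 as maria's internal address, which the thread never gives, and the iptables-save line format for the nat rule.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for what Roger had to get
# right on the gateway. Each check reads a file or a string, so it runs here on
# constructed samples; on a live box point the functions at /etc/sysctl.conf,
# /etc/sysconfig/SuSEfirewall2, "iptables-save -t nat" output and /etc/dhcpd.conf.

# 0 when sysctl.conf sets net.ipv4.ip_forward = 1 ($1 = path).
ipv4_forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# 0 when FW_ROUTE and FW_MASQUERADE are both "yes" ($1 = SuSEfirewall2 path).
susefirewall_masquerade_enabled() {
    grep -Eq '^FW_ROUTE="?yes"?' "$1" && grep -Eq '^FW_MASQUERADE="?yes"?' "$1"
}

# 0 when saved nat rules ($1 = iptables-save output) masquerade in POSTROUTING,
# i.e. NAT is actually loaded rather than merely configured.
nat_masquerade_rule_present() {
    grep -Eq '^-A POSTROUTING .*-j MASQUERADE' "$1"
}

# Print the router address dhcpd hands to clients (first "option routers").
dhcp_advertised_router() {
    sed -n 's/^[[:space:]]*option routers[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# 0 when that router is one of the gateway's own addresses. $1 = dhcpd.conf,
# $2 = local IPv4 addresses (live: ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1).
dhcp_router_is_local() {
    router=$(dhcp_advertised_router "$1")
    [ -n "$router" ] || return 1
    for addr in $2; do
        [ "$addr" = "$router" ] && return 0
    done
    return 1
}

# Constructed samples modelled on the thread: forwarding off in sysctl, firewall
# flags set, a MASQUERADE rule loaded, and dhcpd pointing clients at 10.0.0.7,
# which nothing answers on. 10.0.0.1 as maria's LAN address is an assumption.
WORK=$(mktemp -d)
printf 'net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\n' > "$WORK/sysctl.conf"
printf 'FW_ROUTE="yes"\nFW_MASQUERADE="yes"\n' > "$WORK/SuSEfirewall2"
printf '*nat\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n' > "$WORK/nat.save"
printf 'subnet 10.0.0.0 netmask 255.255.255.0 {\n  option routers 10.0.0.7;\n}\n' > "$WORK/dhcpd.conf"
GATEWAY_ADDRS="10.0.0.1"
dhcp_router_is_local "$WORK/dhcpd.conf" "$GATEWAY_ADDRS" ||
    echo "dhcpd: option routers $(dhcp_advertised_router "$WORK/dhcpd.conf") is not an address on this gateway"
```

On the sample data the only complaint printed is the dhcpd one, which matches the thread: the sysctl value is irrelevant once FW_ROUTE is "yes", and NAT was loaded, but clients were being sent to a gateway that did not exist.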