5. FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions

• How do I list the rules I've got so far?

  - Try

  $> iptables -L $> iptables -t nat -L

• It won't resolve IP's! I'm typing 'www.microsoft.com' in and it says it can't find it!

  - Make sure you add the dns server ip to all the clients.

• It don't work! It doesn't like iptables / NAT / SNAT / MASQ

  - Go get the latest kernel, and compile with iptables and full NAT support.

• It don't work! The masquerading doesn't work at all! Die scum!

  - Try echo 1 > /proc/sys/net/ipv4/ip_forward

• It don't work! I can't use the network at all and I hate you!

  - Try

  $> iptables -F $> iptables -t nat -F $> iptables -t mangle -F

  (all rules went bye-bye) then rerun the other iptables rules.

  - Try iptables -P FORWARD ACCEPT

• It still don't work!

  - Hmm, does "dmesg | tail" give any errors? or "cat /var/log/messages | tail" ? Like I care tho...

• I don't get, it just ain't working!

  - I dunno.. but you should be able to:

  1) From the gateway machine, ping the outside 2) From the gateway ping your internal machines 3) From the internal machines ping the gateway

  And this is before you play with masq'ing

• Where do I put this stuff?

  - In the /etc/network/interfaces file, or firewall.rc. If you put it in the interfaces file, then put it as a pre-up to the external interface, and have "iptables -t nat -F" as the post-down.

• How do I get it to only bring the ppp up on demand?

  - Assuming your ISP gateway IP is say 23.43.12.43 for arguments sake, then append a line like this:

  :23.43.12.43

  to /etc/ppp/peers/provider at the end. (this is for dynamic IP - static IP would be my.external.ip.number:23.43.12.43 )

  Then at the end of that file add on a newline:

  demand

  Pppd will remain in the background to redial the connection on demand if it's dropped until you do an "ifdown ppp0" or a "poff", unless you add a "nopersist" option, in which case pppd will exit after the connection is up. You can also add on a new line "idle 600" to disconnect after 10 mins of idleness.

• The connection keeps dropping!

  - First, do you have demand dialing? Is it just doing what it is supposed to? Check /etc/ppp/peers/provider, and make sure your dial up works fine before attempting masq'ing.

  - Secondly, if not, then perhaps, like me, something is going weird, and you need to fall back to Linux 2.4.3 and see if that works instead.. dunno why.

• I hate doing this myself! I want a pre-made script and GUI and stuff.

  - Sure: http://shorewall.sourceforge.net/

  Eat your heart out!

• Do I count Cable modems as static or dynamic IP's?

  - Good question.. might as well make it dynamic.

• Do I count DHCP network cards as static or dynamic IP's?

  - They are dynamic.

• How do I handle incomming services?

  - Try forwarding or redirecting the IP ports - again make sure you firewall this if needed.

• From the clients, I can ping the linux gateway's external IP address, but can't access the internet.

  - Okay, try doing "rmmod iptable_filter" - more info on this as I get it.

  - Make sure your not running routed or gated - to check run "ps aux | grep -e routed -e gated".

  - Look at http://ipmasq.cjb.net

• How can I view the connections establish? Something like netstat..

  - Try cat /proc/net/ip_conntrack

• I need more squid info and routing and stuff!

  - Try the Advanced Routing HOWTO http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html

• This howto is crap! How do I yell at the guys who wrote this?

  - Go to #debian on irc.opensource.net and find and locate JohnFlux. - Mail me (JohnFlux) at tapselj0@cs.man.ac.uk

• This howto is crap! How can I see better versions?

  - Try http://ipmasq.cjb.net

  - Consult the LDP Masq-HOWTO.

• What else are you working on?

  Currently I'm writing a guide on linux on anti-missile-missiles-made-simple. There's no good guides on protecting your system from nuclear attacks for newbies. People seem to think its rocket science or something..