[SLL] Masquerading mystery
Brad Willson
bwil150n at u.washington.edu
Wed Sep 26 08:23:23 PDT 2007
Greetings,
After much gnashing of teeth I come to the list for help with this...the
problem is hosts in the subnet cannot resolve names. Of course the
subnet is all non-linux machines...
tcpdump -i eth0 output:
07:49:49.312033 IP 192.168.10.229.1823 > kron.seanet.com.domain: 60694 PTR? 1.0.0.127.in-addr.arpa. (40)
07:49:49.312129 IP 192.168.10.1 > 192.168.10.229: ICMP host kron.seanet.com unreachable - admin prohibited, length 76
07:49:50.311883 IP 192.168.10.229.1823 > kron.seanet.com.domain: 60694 PTR? 1.0.0.127.in-addr.arpa. (40)
07:49:50.311979 IP 192.168.10.1 > 192.168.10.229: ICMP host kron.seanet.com unreachable - admin prohibited, length 76
07:49:51.311877 IP 192.168.10.229.1823 > kron.seanet.com.domain: 60694 PTR? 1.0.0.127.in-addr.arpa. (40)
07:49:51.311937 IP 192.168.10.1 > 192.168.10.229: ICMP host kron.seanet.com unreachable - admin prohibited, length 76
07:50:29.561384 IP 192.168.10.229.1824 > dns1.seanet.com.domain: 22120+ A? domain.name.smeared. (45)
07:50:29.561490 IP 192.168.10.1 > 192.168.10.229: ICMP host dns1.seanet.com unreachable - admin prohibited, length 81
07:50:29.561505 IP 192.168.10.229.1824 > dns2.seanet.com.domain: 22120+ A? domain.name.smeared. (45)
07:50:29.561525 IP 192.168.10.1 > 192.168.10.229: ICMP host dns2.seanet.com unreachable - admin prohibited, length 81
07:50:29.561534 IP 192.168.10.229.1824 > kron.seanet.com.domain: 22120+ A? domain.name.smeared. (45)
07:50:29.561552 IP 192.168.10.1 > 192.168.10.229: ICMP host kron.seanet.com unreachable - admin prohibited, length 81
IPTables is stock output from lokkit; eth0 has a static address facing
out, eth1 faces the LAN. I cleared the modules line in
/etc/sysconfig/iptables-config so only the default modules load.
*nat
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
*mangle
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
[root at obscured ipv4]# cat /proc/sys/net/ipv4/ip_forward
1
'lsmod | grep ip' reveals:
ipt_MASQUERADE 7745 1
iptable_nat 11461 1
nf_nat 22381 2 ipt_MASQUERADE,iptable_nat
iptable_mangle 6977 1
nf_conntrack_ipv4 15049 9 iptable_nat
ipt_REJECT 8641 2
iptable_filter 7105 1
ip_tables 16517 3 iptable_nat,iptable_mangle,iptable_filter
nf_conntrack_ipv6 23505 12
nf_conntrack 63049 6 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
nfnetlink 9945 4 nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack
ip6t_REJECT 9537 2
ip6table_filter 6849 1
ip6_tables 17669 1 ip6table_filter
x_tables 18629 10 ipt_MASQUERADE,xt_mark,iptable_nat,xt_MARK,ipt_REJECT,ip_tables,xt_state,xt_tcpudp,ip6t_REJECT,ip6_tables
ipv6 277957 49 sit,nf_conntrack_ipv6,ip6t_REJECT
I have confirmed that dhcp pushes the proper nameserver addresses out to
the LAN hosts. The gateway/netmask is also set properly.
The server itself can resolve external addresses both forward and
reverse and can ping any host on the LAN. The LAN hosts can ping the
server.
Any assistance will be greatly appreciated. Thank you!!!
Brad
--
Brad Willson, Sr. Computer Specialist
UW GeneTests, UW Box: 358735
EM: bwil150n at u.washington.edu
W: 206.221.4674, C: 425.891.2732
http://www.genetests.org
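
In the capture above, every DNS query is followed within microseconds by an ICMP "admin prohibited" error sourced from 192.168.10.1 rather than by a reply from the name server. The following Python sketch is an added example, not part of the original post: it pairs each query in tcpdump text output with the ICMP error that follows it and reports which host sent the rejection. The sample lines are copied from the capture with mail-wrapped lines rejoined; the function names are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the capture in the post, with mail-wrapped lines rejoined.
SAMPLE = """\
07:49:49.312033 IP 192.168.10.229.1823 > kron.seanet.com.domain: 60694 PTR? 1.0.0.127.in-addr.arpa. (40)
07:49:49.312129 IP 192.168.10.1 > 192.168.10.229: ICMP host kron.seanet.com unreachable - admin prohibited, length 76
07:50:29.561384 IP 192.168.10.229.1824 > dns1.seanet.com.domain: 22120+ A? domain.name.smeared. (45)
07:50:29.561490 IP 192.168.10.1 > 192.168.10.229: ICMP host dns1.seanet.com unreachable - admin prohibited, length 81
07:50:29.561505 IP 192.168.10.229.1824 > dns2.seanet.com.domain: 22120+ A? domain.name.smeared. (45)
07:50:29.561525 IP 192.168.10.1 > 192.168.10.229: ICMP host dns2.seanet.com unreachable - admin prohibited, length 81
"""

QUERY = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\S+)\.domain: \d+\+? (\w+)\? (\S+)")
REJECT = re.compile(r"^(\S+) IP (\S+) > (\d+\.\d+\.\d+\.\d+): ICMP host (\S+) unreachable - admin prohibited")

def seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def pair_rejections(capture, window=0.01):
    """Pair each DNS query with the ICMP error for the same client/server seen within `window` s."""
    pending, pairs = [], []
    for line in capture.splitlines():
        q = QUERY.match(line)
        if q:
            pending.append(q.groups())  # (timestamp, client, server, qtype, qname)
            continue
        r = REJECT.match(line)
        if not r:
            continue
        ts, rejector, client, server = r.groups()
        for item in pending:
            qts, qclient, qserver, qtype, qname = item
            delay = seconds(ts) - seconds(qts)
            if (qclient, qserver) == (client, server) and delay <= window:
                pairs.append({"server": server, "qtype": qtype, "qname": qname,
                              "rejected_by": rejector, "delay_us": round(delay * 1e6)})
                pending.remove(item)
                break
    return pairs, pending  # pending = queries that drew no ICMP error

def rejectors(pairs):
    return Counter(p["rejected_by"] for p in pairs)

if __name__ == "__main__":
    pairs, unanswered = pair_rejections(SAMPLE)
    print(rejectors(pairs), "unmatched queries:", len(unanswered))
```

tcpdump prints ICMP type 3 code 10 as "admin prohibited", which is what an iptables REJECT rule with `--reject-with icmp-host-prohibited` sends. The filter table is not shown in the post, so which rule produced it is not visible here.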