[H-GEN] ip masq progressing one prob remains

Ben Carlyle benc at foxboro.com.au
Wed Sep 29 20:18:32 EDT 1999


[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]

staeci at yahoo.com wrote:

> ok I successfully have machines ip masqing with email, ftp and irc
> but web pages time out.

> could anyone give me some pointers on what may be missing, does it require
> a module a'la ftp and irc or does it require a proxy?


Basic IP masquerading works with TCP/IP.  All normal TCP/IP
connections work through the basic code, and do not require
modules.  TCP is relatively easy, because it's a connection-
based protocol.  All the code really has to do is remember
which external connection matches to the connection inside
the firewall.
 ___      ___      ___
| C |/___| M |___\| S |
|___|\   |___|   /|___|
Figure 1:  A TCP masquerade connects a client and server in a
           well defined way, with incoming packets obviously
           relating to the corresponding outgoing packets.

Masq modules are required for other protocols, typically
(always?) based on UDP/IP.  Unlike TCP, UDP is an
unreliable connectionless protocol.  Rather than having
a connection that data travels reliably down, UDP considers
every packet to be independent.  The raw UDP protocol has
no way of knowing that a return packet is related to a
request.
 ___      ___      ___
| C | <--| M | <--| S |
|___|--> |___|--> |___|
Figure 2:  The raw UDP protocol makes no connection, so incoming
           packets have no obvious relation to outgoing packets.

In practice, most protocols that use UDP do have some kind of
implicit connection involved with them.  The IP masq modules
use information about the protocols encapsulated within UDP to
discover which machine each packet should be routed to.

So...
In summary, if any TCP connection works then your core MASQ is
working and no modules have to be loaded for the web.  In fact,
if any TCP connection works then your routing is also good.
Unless you're doing something tricky with routing of different
ports the problem must be hidden somewhere in firewall rules.

The other thing I would check is whether you're using a proxy for
the web.  MASQ requires no proxy of its own, but firewalls farther
afield may require you to use one.  Check your connectivity to that
host if you have one.


Benjamin.
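As an added illustration (not from Ben's mail and not the Linux kernel's code), here is a toy Python model of what the core masq code remembers per flow, as described above: a TCP (web) reply comes back from the same server port, so it matches the remembered entry and is un-translated, while a UDP reply arriving from a different server port is dropped until a helper, standing in for a masq module that has read the encapsulated protocol, registers where it should go. All addresses and ports are constructed.

```python
from collections import namedtuple

EXT_IP = "203.0.113.1"  # constructed: the masquerading box's outside address
Packet = namedtuple("Packet", "proto src sport dst dport")  # proto: "tcp" or "udp"

class Masquerader:
    def __init__(self, first_port=61000):
        self.next_port = first_port
        self.flows = {}   # (proto, ext_port) -> (int_ip, int_port, remote_ip, remote_port)
        self.expect = {}  # (proto, remote_ip, ext_port) -> (int_ip, int_port), set by a helper

    def outbound(self, pkt):
        # Core masq: reuse the entry for a known flow, else allocate a port and remember it.
        for (proto, ext_port), flow in self.flows.items():
            if proto == pkt.proto and flow == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return Packet(proto, EXT_IP, ext_port, pkt.dst, pkt.dport)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(pkt.proto, ext_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, EXT_IP, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # A reply is forwarded only if it matches the remembered flow exactly...
        flow = self.flows.get((pkt.proto, pkt.dport))
        if flow and (flow[2], flow[3]) == (pkt.src, pkt.sport):
            return Packet(pkt.proto, pkt.src, pkt.sport, flow[0], flow[1])
        # ...or if a protocol helper told us to expect it from another server port.
        hint = self.expect.pop((pkt.proto, pkt.src, pkt.dport), None)
        if hint:
            return Packet(pkt.proto, pkt.src, pkt.sport, hint[0], hint[1])
        return None  # no matching entry: dropped

    def helper_expect(self, proto, remote_ip, ext_port, int_ip, int_port):
        # What a masq module does once it has parsed the protocol inside UDP.
        self.expect[(proto, remote_ip, ext_port)] = (int_ip, int_port)

def demo():
    m = Masquerader()
    # TCP to a web server: the reply comes from port 80 and matches the remembered flow.
    web = m.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.5", 80))
    web_reply = m.inbound(Packet("tcp", "198.51.100.5", 80, EXT_IP, web.sport))
    # UDP request; the server answers from a freshly chosen port, as some UDP protocols do.
    req = m.outbound(Packet("udp", "192.168.1.10", 5000, "198.51.100.9", 69))
    dropped = m.inbound(Packet("udp", "198.51.100.9", 3456, EXT_IP, req.sport))
    m.helper_expect("udp", "198.51.100.9", req.sport, "192.168.1.10", 5000)
    helped = m.inbound(Packet("udp", "198.51.100.9", 3456, EXT_IP, req.sport))
    return web_reply, dropped, helped
```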

--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.
