Finally, it's time to give IP Masquerading an official try after all this hard work. If you haven't already rebooted your Linux box, do so to make sure the machine boots OK, executes the /etc/rc.d/rc.firewall ruleset, etc. Next, make sure that both the internal LAN connection and the connection of your Linux host to the Internet are okay.
Now do the following:
- One: From an internal MASQed computer, try pinging your local IP address (i.e. ping 192.168.0.10). This will verify that TCP/IP is correctly working on the local machine. If this doesn't work, make sure that TCP/IP is correctly configured on the MASQed PC as described earlier in this HOWTO.
- Two: On the MASQ server itself, ping the internal IP address of the MASQ network (i.e. ping 192.168.0.1). Then ping the external IP address connected to the Internet. This address might be your PPP, Ethernet, etc. address connected to your ISP. If you don't know what this IP address is, run the Linux command "/sbin/ifconfig" on the MASQ server to get the Internet address. This will confirm that the MASQ server has full network connectivity.
- Three: Back on an internal MASQed computer, try pinging the IP address of the Masquerading Linux box's internal Ethernet card (i.e. ping 192.168.0.1). This will prove that your internal network and routing are OK. If this fails, make sure the Ethernet cards of the MASQ server and the MASQed computer have "link". This is usually an LED on the back of each Ethernet card and also on the Ethernet hub/switch (if you are using one).
- Four: From an internal MASQed computer, ping the IP address of the MASQ server's external TCP/IP address obtained in item TWO above. This address might be your PPP, Ethernet, etc. address connected to your ISP. This ping test will prove that masquerading is working (ICMP Masquerading specifically). If it doesn't work, make sure that you enabled "ICMP Masquerading" in the kernel and "IP Forwarding" in your /etc/rc.d/rc.firewall script. Also make sure that the /etc/rc.d/rc.firewall ruleset loaded OK. Try running the /etc/rc.d/rc.firewall script manually for now to see if it runs OK.
If you still can't get things to work, take a look at the output from:
- "ifconfig" : Make sure your Internet connection is UP and you have the correct IP address for the Internet connection
- "netstat -rn" : Make sure your default gateway (the one with the IP address in the Gateway column) is set
- "cat /proc/sys/net/ipv4/ip_forward" : Make sure it says "1" so that Linux forwarding is enabled
- "/sbin/ipfwadm -F -l" for 2.0.x or "/sbin/ipchains -F -L" for 2.2.x users : Make sure you have MASQ enabled
- Five: From an internal MASQed computer, now ping a static TCP/IP address out on the Internet (i.e. ping 152.19.254.81; this is http://metalab.unc.edu, home of the LDP). If this works, that means that ICMP Masquerading is working over the Internet. If it didn't work, again check your Internet connection. If this still doesn't work, make sure you are using the simple rc.firewall ruleset and that you have ICMP Masquerading compiled into the Linux kernel.
- Six: Now try TELNETing to a remote IP address (i.e. telnet 152.2.254.81, which is metalab.unc.edu). Note that this might take a while to get a login prompt since this is a VERY busy server. Did you get a login prompt after a while? If that worked, that means that TCP Masquerading is running OK. If not, try TELNETing to some other hosts you think will support TELNET, like 198.182.196.55 (www.linux.org). If this still doesn't work, make sure you are using the simple rc.firewall ruleset for now.
- Seven: Now try TELNETing to a remote HOSTNAME (i.e. "telnet metalab.unc.edu" (152.2.254.81)). If this works, this means that DNS is working fine as well. If this didn't work but step FOUR did work, make sure that you have valid DNS servers configured on your MASQed computer.
- Eight: As a last test, try browsing some 'INTERNET' WWW sites on one of your MASQed machines, and see if you can reach them. For example, access the Linux Documentation Project site. If this works, you can be fairly certain that everything is working FINE!
If you see The Linux Documentation Project homepage, then CONGRATULATIONS! It's working!
If that WWW site comes up correctly, then all other standard network tools such as PING, TELNET, SSH, and, with their related IP MASQ modules loaded, FTP, Real Audio, IRC DCCs, Quake I/II/III, CuSeeme, VDOLive, etc. should work fine! If FTP, IRC, RealAudio, Quake I/II/III, etc. aren't working or are performing poorly, make sure their associated Masquerading modules are loaded by running "lsmod", and also be sure you are loading the module with any non-default server ports. If you don't see your needed module, make sure your /etc/rc.d/rc.firewall script is loading it (i.e. remove the # character for a given IP MASQ module).
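The "netstat -rn" and ip_forward checks listed under step Four can be scripted so they are repeatable after every ruleset change. This is an added example, not part of the original HOWTO; the function names and the sample routing table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of "netstat -rn" output from a MASQ server (not real data).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.200.0.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         10.200.0.1      0.0.0.0         UG        0 0          0 eth0'

# Read "netstat -rn" output on stdin and print the default gateway.
# Uses the HOWTO's criterion: the default route must carry an IP address
# in the Gateway column. Exit status is 1 when no such route exists.
default_gateway() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $2 != "0.0.0.0" { print $2; found = 1; exit }
         END { exit !found }'
}

# Succeed only if the given file (default: the live /proc entry) holds "1".
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Run both checks, print one line per finding, return the number of failures.
# $1 = text of "netstat -rn", $2 = path of the ip_forward file
masq_report() {
    fails=0
    if gw=$(printf '%s\n' "$1" | default_gateway); then
        echo "OK   default gateway is $gw"
    else
        echo "FAIL no default gateway with an IP address in the Gateway column"
        fails=$((fails + 1))
    fi
    if forwarding_enabled "$2"; then
        echo "OK   IP forwarding is enabled"
    else
        echo "FAIL IP forwarding is off; check /etc/rc.d/rc.firewall"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo on the constructed sample. On a real MASQ server run instead:
#   masq_report "$(netstat -rn)" /proc/sys/net/ipv4/ip_forward
printf '%s\n' "$SAMPLE_ROUTES" | default_gateway
```

A non-zero exit status from masq_report equals the number of failed checks, so the script can gate a boot-time or cron health check.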