[SOLVED] Masquerade Issue

baldur_1 · 12-25-2022, 01:40 PM

I am having an iritating issue. i am rebuilding my server from scratch...putting the os on a new ssd. i am using fc37 server. i install the os, configure the network devices, one via dhcp, one via static ip and install it. i update it and everything works. i install dhcp. grab my old dhcpd.conf file and put it in its place...that starts up no issue. make sure the firewall is set to masquerade external nic. i restart it...everythings good. the dhcp passes out ips but i cannot connect to the internet from any other computer. it will not do it. i plugged in my old hd and everything worked as is but in fc37, it will not masquerade.

baldur_1 · 12-25-2022, 01:51 PM

my old os was fc31. man, this should work...

michaelk · 12-25-2022, 01:57 PM

Did you enable ip forwarding?

baldur_1 · 12-25-2022, 02:04 PM

no, i am do not need any ports forwarded...

michaelk · 12-25-2022, 02:16 PM

No the kernel variable ip_forward. It forwards packets from one network to another and is necessary if you want the system to act as a router.

baldur_1 · 12-25-2022, 02:32 PM

i have been at this for hours now...my eyes are bleeding...i didnt quite read the response right the first time. i did check that now and it was =1 on both...

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

baldur_1 · 12-25-2022, 02:35 PM

just to be thorough, i did check selinux too.

setenforce 0

still didnt work...

baldur_1 · 01-02-2023, 07:54 AM

i finally figured this out. there were several compounding issues i had to work out to get to the root and after searching/thunking on it for a while, i got it. to figure it out on a dhcp client i ran...

ping 8.8.8.8 - everything good
ping google.com - packet filtered

that led me to searching on the firewall changes. one of them is the new iptables (nftables or whatever) which dont allow by default dhcp clients to masquerade so i ran...

firewall-cmd --zone=my_zone --add-source=192.168.0.0/24 (24 because my netmask is 255.255.255.0)

and it worked once again.

baldur_1 · 01-14-2023, 10:08 AM

the above solution was not good. this is what you should do...

when i could not get masquerade yes on the firewall to work (i believe this is a bug), i added a source 192.168.0.0/24 to allow the under computers to access the internet. this caused all subsequent issues. as a result packets would go by the internal interface where samba was to external maybe or whatever and not mount right. i fixed this my adding a new policy that essentially, if not actually, did the maquerading...

firewall not configurable

Code:

firewall-cmd --zone=external --remove-source=192.168.0.0/24

to fix the pass-through...

to fix masquerade...

Code:

# firewall-cmd --permanent --new-policy intToExt
  # firewall-cmd --permanent --policy intToExt --set-target ACCEPT
  # firewall-cmd --permanent --policy intToExt --add-ingress-zone internal
  # firewall-cmd --permanent --policy intToExt --add-egress-zone external
  # firewall-cmd --reload

...and now everything works. i was able to samba mount again.