Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 16 Jan 2007 00:30:30 +0100
> "Daniel Pielmeier" <[EMAIL PROTECTED]> wrote:
>
>>> - is forwarding actually really enabled? Just "cat" the
>>> relevant /proc/sys/net/ipv4/ip_forward.
>>>
>> cat /proc/sys/net/ipv4/ip_forward
>> returns 1
>>
>>> So remaining things to check would be
>>> - where do packets do what? Use "tcpdump" on the router to monitor
>>> how packets flow. Don't cite all the output, but look at where
>>> packets are coming and going. Two terminals with "tcpdump -i eth0"
>>> and "tcpdump -i ppp0" would tell you that. Send a few pings from the
>>> desktop to the internet. Also try pinging an IP from the desktop, not
>>> just hostnames (to rule out nameserver borkage).
>>>
>> Here is what tcpdump returns!
>> [...]
>>
>
> That's what I wanted to avoid with asking for not citing everything :-)
>
> But everything looks quite normal, except for that packets aren't
> routed. So it's up to somebody else to tell exactly what that "policy"
> module in iptables does -- and how. I don't have answers left here --
> except for the case that a manual iptables setup is sufficient.
>
> Personally, I'm quite happy with
>
> $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> $ iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> for the forwarding. All that fancy-schmanzy stuff that shorewall does
> isn't in there, granted.
>
> -hwh
>
Well, I got lucky. I'm not real sure what I did to be honest. Here is
my main box that is connected to the net:

> [EMAIL PROTECTED] / # route
> Kernel IP routing table
> Destination      Gateway          Genmask          Flags Metric Ref Use Iface
> nas2.greenwood1  *                255.255.255.255  UH    0      0   0   ppp0
> 192.168.0.0      *                255.255.255.0    U     0      0   0   eth0
> loopback         *                255.0.0.0        U     0      0   0   lo
> default          nas2.greenwood1  0.0.0.0          UG    0      0   0   ppp0
> [EMAIL PROTECTED] / #
> [EMAIL PROTECTED] / # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> [EMAIL PROTECTED] / #

This is from the second rig:

> swifty ~ # route
> Kernel IP routing table
> Destination      Gateway          Genmask          Flags Metric Ref Use Iface
> 192.168.0.0      *                255.255.255.0    U     0      0   0   eth0
> loopback         *                255.0.0.0        U     0      0   0   lo
> default          smoker           0.0.0.0          UG    0      0   0   eth0
> swifty ~ #

No iptables on this one.

I don't know what I did but it all works. I guess even I get lucky
sometimes. :-O

Dale

:-) :-) :-)

-- 
www.myspace.com/dalek1967
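
Added example, not part of either message: a small audit of a gateway's forwarding setup, covering the checks discussed in the thread (ip_forward, the MASQUERADE rule, the FORWARD chain). It reads `iptables-save` text because `iptables -L` lists only the filter table, so a NAT rule never shows up there. The function names and the sample ruleset are constructed for illustration, with eth0 as the LAN side and ppp0 as the WAN side as in the thread.

```shell
#!/bin/sh
# Added example. Constructed sample: iptables-save text equivalent to the
# three rules quoted in the thread (eth0 = LAN, ppp0 = WAN).
sample_ruleset() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# forwarding_enabled [FILE]: true when the kernel forwarding flag reads 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# audit_gateway WAN_IF: reads iptables-save text on stdin, one finding per line.
audit_gateway() {
    awk -v wan="$1" '
        /^\*/ { table = substr($0, 2); next }      # "*nat", "*filter" headers
        { line = $0 " " }   # pad so an interface at end of line still matches
        table == "nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ &&
            index(line, "-o " wan " ") { masq = 1 }
        table == "filter" && /^:FORWARD / { policy = $2 }
        # A rule accepting NEW on the WAN side forwards connections opened from outside.
        table == "filter" && /^-A FORWARD/ && /-j ACCEPT/ &&
            index(line, "-i " wan " ") && /--(ct)?state [A-Z,]*NEW/ { wan_new = 1 }
        END {
            status = masq ? "OK" : "MISSING"
            print status " masquerade-on-" wan
            print "INFO forward-policy-" policy
            if (wan_new) print "WARN forward-accepts-NEW-from-" wan
        }'
}

# On a live gateway (as root): iptables-save | audit_gateway ppp0
sample_ruleset | audit_gateway ppp0
```

A ruleset that accepts only ESTABLISHED,RELATED on the WAN interface clears the WARN line while replies to LAN-initiated traffic are still forwarded.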