Recently I started to play with a firewall machine and I have some problems. The setup is: Debian on a 2.4.2 kernel with iptables. When it was on a 2.2/iptables it worked more or less fine. Now I have a basic setup of

    iptables -F    (all chains policy ACCEPT)
    echo 1 > ip_forward

It's the most basic setup I can think of, and I use it just to make things right; then I'll add some rules to fit my needs. But it isn't working, no packets get through.

Then I did:

    for f in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 1 > $f; done

and it worked? The problem is that now the arp cache on the host is filled with the same MAC address for all hosts on that segment, and from the outside the address is the same for the firewall and for the host (the host has a routable IP address, so I presume this is not normal). I also had to reset the arp cache on the router in order to get the world back to the host.

Just for info, here are the kernel options. Maybe I should have loaded some kernel modules? I tried several of them, with no success.

    # IP: Netfilter Configuration
    #
    CONFIG_IP_NF_CONNTRACK=m
    CONFIG_IP_NF_FTP=m
    CONFIG_IP_NF_QUEUE=m
    CONFIG_IP_NF_IPTABLES=y
    CONFIG_IP_NF_MATCH_LIMIT=y
    CONFIG_IP_NF_MATCH_MAC=m
    CONFIG_IP_NF_MATCH_MARK=m
    CONFIG_IP_NF_MATCH_MULTIPORT=m
    CONFIG_IP_NF_MATCH_TOS=y
    CONFIG_IP_NF_MATCH_STATE=m
    CONFIG_IP_NF_MATCH_UNCLEAN=m
    CONFIG_IP_NF_MATCH_OWNER=m
    CONFIG_IP_NF_FILTER=y
    CONFIG_IP_NF_TARGET_REJECT=y
    CONFIG_IP_NF_TARGET_MIRROR=y
    CONFIG_IP_NF_NAT=m
    CONFIG_IP_NF_NAT_NEEDED=y
    CONFIG_IP_NF_TARGET_MASQUERADE=m
    CONFIG_IP_NF_TARGET_REDIRECT=m
    CONFIG_IP_NF_NAT_FTP=m
    CONFIG_IP_NF_MANGLE=y
    CONFIG_IP_NF_TARGET_TOS=y
    CONFIG_IP_NF_TARGET_MARK=m
    CONFIG_IP_NF_TARGET_LOG=y
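Two quick checks for the symptom described in the post (one MAC answering for every host once proxy_arp is switched on), as an added example that is not part of the original message: the ARP table below is constructed, with documentation-range addresses and made-up MACs, and the sysctl directory is a parameter so the check can run against a test tree as well as the live /proc.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed `arp -n` style output;
# 192.0.2.0/24 is documentation space, the MAC addresses are invented.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.0.2.10               ether   00:11:22:33:44:55   C                     eth0
192.0.2.11               ether   00:11:22:33:44:55   C                     eth0
192.0.2.12               ether   00:11:22:33:44:55   C                     eth0
192.0.2.1                ether   00:aa:bb:cc:dd:ee   C                     eth0'

# Read an `arp -n` style table on stdin and print "<mac> <count>" for every
# MAC that is cached for more than one IP. On a normal segment each host has
# its own MAC; one MAC claiming many IPs is what a proxy-ARP box (or an ARP
# spoofer) looks like from a neighbour's ARP cache.
duplicate_macs() {
    awk 'NR > 1 && $2 == "ether" { seen[$3]++ }
         END { for (m in seen) if (seen[m] > 1) print m, seen[m] }'
}

# List the interfaces under a sysctl-style tree such as /proc/sys/net/ipv4/conf
# whose proxy_arp flag is 1, so the setting can be audited before and after a
# change like the for-loop in the post.
proxy_arp_enabled_ifaces() {
    conf_dir=$1
    for f in "$conf_dir"/*/proxy_arp; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable entry
        if [ "$(cat "$f")" = "1" ]; then
            basename "$(dirname "$f")"   # interface name is the directory name
        fi
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_ARP" | duplicate_macs
```

Running `arp -n | duplicate_macs` on the neighbour that showed the symptom, and `proxy_arp_enabled_ifaces /proc/sys/net/ipv4/conf` on the firewall, tells you whether the duplicate MAC is the firewall's own proxy_arp at work or something else on the segment.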

