You do not need a guru. Otherwise I couldn't answer this question :) Since what you've got on the inside are reserved IPs (for private networks), you need an iptables rule which masquerades your inside IPs. The following should do:
iptables -t nat -A POSTROUTING -o <outgoing interface> -j MASQUERADE

<outgoing interface> is probably eth0 or eth1. This hides all your ... There is some HOWTO to read for you (probably Firewall-HOWTO).

Michael.

On Wed, 2002-08-07 at 16:50, Ryan McAlister wrote:
> I'm trying to setup a firewall machine that will forward packets only. I
> will not be running any services (DNS/Squid/SSHD/NAMED/etc..) on this
> box. I have even #'ed out the services in /etc/inetd.conf.
>
> All I want this box to do is forward packets.
>
> I have ip forwarding enabled.
> I can ping inside and outside from the firewall box.
> I can ping the router (216.29.167.1) and internet ip's from the firewall
> box.
> I can ping the internal (192.168.100.49) AND external (216.29.167.225)
> nic's from my pc.
> I CANNOT ping the router (216.29.167.1) or internet ip's from my pc.
>
> What am I missing? Do I have to use IPTABLES to accomplish this?
>
> You will have to forgive me but I'm an old netware guy and I can set
> this up in like 10 minutes with a novell box. *opens self up to
> ridicule*
>
> A little info about my setup:
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /proc/version
> Linux version 2.4.19 ([EMAIL PROTECTED]) (gcc version 2.95.4 20011002 (Debian
> prerelease)) #1 Tue Aug 6 14:50:25 EDT 2002
> fw6:~#
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /etc/network/options
> ip_forward=yes
> spoofprotect=yes
> syncookies=no
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /proc/sys/net/ipv4/ip_forward
> 1
> fw6:~#
>
> ------------------------------------------------------------------------
>
> fw6:~# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> localnet        *               255.255.255.0   U     0      0        0 eth0
> 216.29.167.0    *               255.255.255.0   U     0      0        0 eth1
> default         216.29.167.1    0.0.0.0         UG    0      0        0 eth1
>
> ------------------------------------------------------------------------
>
> fw6:~# cat /etc/network/interfaces
> # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
>
> # The loopback interface
> auto lo
> iface lo inet loopback
>
> # The first network card - this entry was created during the Debian installation
> # (network, broadcast and gateway are optional)
> auto eth0
> iface eth0 inet static
>     address 192.168.100.49
>     netmask 255.255.255.0
>     network 192.168.100.0
>     broadcast 192.168.100.255
>
> auto eth1
> iface eth1 inet static
>     address 216.29.167.225
>     netmask 255.255.255.0
>     network 216.29.167.0
>     broadcast 216.29.167.255
>     gateway 216.29.167.1
>
> fw6:~#
>
> ------------------------------------------------------------------------
>
> fw6:/# cat /etc/inetd.conf
> # /etc/inetd.conf:  see inetd(8) for further informations.
> #
> # Internet server configuration database
> #
> #
> # Lines starting with "#:LABEL:" or "#<off>#" should not
> # be changed unless you know what you are doing!
> #
> # If you want to disable an entry so it isn't touched during
> # package updates just comment it out with a single '#' character.
> #
> # Packages should modify this file by using update-inetd(8)
> #
> # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
> #
> #:INTERNAL: Internal services
> #echo           stream  tcp     nowait  root    internal
> #echo           dgram   udp     wait    root    internal
> #chargen        stream  tcp     nowait  root    internal
> #chargen        dgram   udp     wait    root    internal
> ## discard      stream  tcp     nowait  root    internal
> ## discard      dgram   udp     wait    root    internal
> ## daytime      stream  tcp     nowait  root    internal
> #daytime        dgram   udp     wait    root    internal
> ## time         stream  tcp     nowait  root    internal
> #time           dgram   udp     wait    root    internal
>
> #:STANDARD: These are standard services.
>
> #:BSD: Shell, login, exec and talk are BSD protocols.
>
> #:MAIL: Mail, news and uucp services.
> #disabled#smtp  stream  tcp     nowait  mail    /usr/sbin/exim  exim -bs
>
> #:INFO: Info services
>
> #:BOOT: Tftp service is provided primarily for booting.  Most sites
> #       run this only on machines acting as "boot servers."
>
> #:RPC: RPC based services
>
> #:HAM-RADIO: amateur-radio services
>
> #:OTHER: Other services
>
> fw6:/#
>
> ------------------------------------------------------------------------
>
> From Windows:
> H:\>ipconfig /all
>
> Windows IP Configuration
>
>         Host Name . . . . . . . . . . . . : hostname
>         Primary Dns Suffix  . . . . . . . : mydomain.com
>         Node Type . . . . . . . . . . . . : Hybrid
>         IP Routing Enabled. . . . . . . . : No
>         WINS Proxy Enabled. . . . . . . . : No
>         DNS Suffix Search List. . . . . . : mydomain.com
>
> Ethernet adapter Local Area Connection:
>
>         Connection-specific DNS Suffix  . :
>         Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
>         Physical Address. . . . . . . . . : 00-00-39-E0-61-E7
>         Dhcp Enabled. . . . . . . . . . . : No
>         IP Address. . . . . . . . . . . . : 192.168.100.50
>         Subnet Mask . . . . . . . . . . . : 255.255.255.0
>         Default Gateway . . . . . . . . . : 192.168.100.49
>         DNS Servers . . . . . . . . . . . : 192.168.100.11
>
> H:\>ping 192.168.100.49
>
> Pinging 192.168.100.49 with 32 bytes of data:
>
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
> Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
>
> Ping statistics for 192.168.100.49:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> H:\>ping 216.29.167.225
>
> Pinging 216.29.167.225 with 32 bytes of data:
>
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
> Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
>
> Ping statistics for 216.29.167.225:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> H:\>ping 216.29.167.1
>
> Pinging 216.29.167.1 with 32 bytes of data:
>
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for 216.29.167.1:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
> H:\>
>
> Thanks,
>
> Ryan McAlister
>
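As an added example (not code from Michael's reply or from Ryan's post), here is a forward-only ruleset built around the MASQUERADE rule above, for the layout shown in Ryan's interfaces file. It assumes eth0 is the inside NIC on 192.168.100.0/24, eth1 is the outside NIC, and the iptables "state" and "limit" matches are available. It goes a little beyond the single rule in the reply: the FORWARD chain defaults to DROP so only inside-to-outside traffic and its replies cross the box, MASQUERADE is restricted to the inside source network so nothing else gets hidden behind the public address, and a rate-limited LOG rule records what the default policy drops. By default the script only prints the rules (a dry run); setting APPLY=1 as root enables ip_forward and loads them.

```shell
#!/bin/sh
# Added example, not code from the thread: a forward-only ruleset for the
# layout in Ryan's mail. Assumptions: eth0 is the inside NIC (192.168.100.0/24),
# eth1 is the outside NIC, and iptables has the "state" and "limit" matches.
INSIDE_IF="${INSIDE_IF:-eth0}"
OUTSIDE_IF="${OUTSIDE_IF:-eth1}"
INSIDE_NET="${INSIDE_NET:-192.168.100.0/24}"

# Emit the iptables commands, one per line, for the given interfaces/network.
# Printing rather than executing lets the set be reviewed (and tested) first.
fw_rules() {
    inside_if=$1; outside_if=$2; inside_net=$3
    cat <<EOF
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
iptables -A FORWARD -i $inside_if -o $outside_if -s $inside_net -j ACCEPT
iptables -A FORWARD -i $outside_if -o $inside_if -d $inside_net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
iptables -t nat -A POSTROUTING -o $outside_if -s $inside_net -j MASQUERADE
EOF
}
# Rule order matters: the two ACCEPT rules pass inside-originated traffic and
# its replies; anything else reaches the LOG rule and then the DROP policy.
# The "-s $inside_net" on MASQUERADE keeps traffic with any other source
# address from being rewritten to the public IP.

# Number of commands the ruleset contains (used as a sanity check).
fw_rule_count() {
    fw_rules "$@" | wc -l | tr -d ' '
}

# Dry run by default; APPLY=1 (as root) enables forwarding and loads the rules.
run_fw() {
    if [ "${APPLY:-0}" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        fw_rules "$INSIDE_IF" "$OUTSIDE_IF" "$INSIDE_NET" | sh -e
    else
        fw_rules "$INSIDE_IF" "$OUTSIDE_IF" "$INSIDE_NET"
    fi
}

run_fw
```

Run it as `sh fw.sh` to see the seven commands it would issue, then `APPLY=1 sh fw.sh` as root on the firewall; override INSIDE_IF, OUTSIDE_IF or INSIDE_NET in the environment if the interfaces differ from Ryan's. With this loaded, the Windows host's ping to 216.29.167.1 leaves eth1 with source 216.29.167.225 and the reply is matched by the ESTABLISHED,RELATED rule on the way back.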

