Hmm, ok... I have never had problems getting the box connected to my ISP; I am having problems getting the ethernet working on eth1, i.e. no connection between the linux box and the pc's it's connected to..
A couple of people have had suggestions that I am going to try later on today.

Dave Price wrote:

> On Mon, Sep 09, 2002 at 08:51:29AM -0700, Bob Nielsen wrote:
> >
> > It is quite possible that you will need a crossover cable between the
> > firewall and the ADSL modem. I do in my installation (Cisco 678
> > modem).
>
> If his ISP is anything like US-Worst, who sold me my cisco, an
> appropriate cable was almost certainly provided. The link lights on the
> ADSL-connected ethernet card will confirm that. The linux box/firewall
> will be able to use the net independent of iptables/masq working at any
> rate; that is step one.
>
> As a side note, I have built 'firewalls' that did masquerading with a
> single ethernet card and ip-aliasing (eth0:1, etc). It works fine with
> ipfwadmin (kernel 2.0) or ipchains (kernel 2.2); I have never tried it
> with iptables, but there is no reason why it would not.
>
> I got a toshiba laptop that came with two ethernet cards at a garage
> sale for $50 - that is what my iptables runs on - rock solid, but it
> took 4 hours plus to build a 2.4.18 kernel and modules on it; had I
> known, I would have compiled on a different box. But I had a golf date,
> and just let it run. I was shocked that it was not finished when I got
> home. At that, I had to run the compile on a 300mb pcmcia drive that
> came along with the $50 laptop - there is no room for the pcmcia drive
> in the machine when the two LAN cards are installed, but it was a good
> hack, and debian woody will run in less than 150mb on a 486/66 with 16mb
> ram - no X, just a firewall, a minimal samba setup and dhcp services for
> braindead windoze clients. Sound works, as does the _built_in_ scsi
> that toshiba used to use (adaptec 1520 chipset), out of the box on
> debian woody. It can also do wireless, but I don't use that any more since
> I got a netgear access point (which the laptop feeds dhcp to). debian
> rocks.
> Filesystem 1k-blocks Used Available Use% Mounted on
> /dev/hda1 236268 148262 75807 67% /
> /dev/hda2 47326 24224 20659 54% /home
> [EMAIL PROTECTED]:~$ uname -a
> Linux fw 2.4.18 #1 Sun May 26 10:23:53 MDT 2002 i486 unknown
>
> [EMAIL PROTECTED]:~$ uptime
> 10:08:54 up 98 days, 13:39, 4 users, load average: 0.13, 0.05, 0.01
>
> Here is the /root/iptables script that works fine for this box:
>
> #!/bin/bash
> ####
> # default table:
>
> # set the default policies -- note these are ACCEPT, not DROP, so only
> # the explicit rules below restrict anything
> iptables -P OUTPUT ACCEPT
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
>
> # flush out all the old chains and delete user chains
> iptables -F
> iptables -X
>
> ####
> # INPUT chain -- what can come into the system
>
> # allow loopback
> iptables -A INPUT -i lo -j ACCEPT
> #iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
>
> # allow replies
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
>
> # take all input from the LAN (assumes addresses are correct)
> iptables -A INPUT -i eth0 -j ACCEPT
>
> # allow ping
> iptables -A INPUT -p icmp -j ACCEPT
>
> ####
> # OUTPUT chain -- what is allowed to get out
>
> # allow loopback
> iptables -A OUTPUT -o lo -j ACCEPT
> # stop all samba stuff going out the DSL line, but tell the host (me)
> iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT
>
> iptables -A OUTPUT -o eth0 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j ACCEPT
>
> ####
> # nat table -- how we translate (masq) stuff
>
> # flush out all the old chains
> iptables -t nat -F
>
> ####
> # POSTROUTING chain
>
> # masquerade stuff from the LAN to the WAN
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> # enable forwarding in the kernel
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> Hope this helps - Have a lot of fun!
>
> aloha,
> dave
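Dave's script leaves all three default policies at ACCEPT (its own comment says DROP), so anything not explicitly rejected, including unsolicited traffic arriving on the DSL side, gets through. The script below is an added example, not Dave's code: the same masquerading setup with default-deny INPUT and FORWARD chains and the rules that the ACCEPT policy was silently providing made explicit. It assumes eth0 is the LAN, eth1 the ADSL/WAN link and a placeholder LAN subnet of 192.168.1.0/24, all overridable from the environment.

```shell
#!/bin/sh
# Hardened variant of the masquerading ruleset from the thread: default-deny
# INPUT/FORWARD, explicit LAN->WAN forwarding, reply-only return traffic.
# Assumed placeholders (not from the original post): eth0 = LAN, eth1 = WAN,
# LAN subnet 192.168.1.0/24. Override via LAN_IF / WAN_IF / LAN_NET.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Emit the ruleset as text so it can be reviewed (or diffed) before applying.
fw_rules() {
  cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
# default-deny: the original's comment said DROP but its code said ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# with FORWARD at DROP, these two rules are what actually lets the LAN out
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# keep NetBIOS/SMB off the DSL line (the original only covered tcp)
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 137:139 -j REJECT
iptables -A OUTPUT -o $WAN_IF -p udp --dport 137:139 -j REJECT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Default policy of a chain as declared in the emitted ruleset (FORWARD -> DROP).
fw_default_policy() {
  fw_rules | awk -v chain="$1" '$2 == "-P" && $3 == chain { print $4 }'
}

# Self-check without root: ACCEPT rules matching packets that arrive on the WAN
# interface with no connection-state qualifier. Should be 0 for this ruleset.
wan_unsolicited_accepts() {
  fw_rules | grep -- "-i $WAN_IF " | grep -v -- "--state" | grep -c -- "-j ACCEPT" || true
}

# Apply for real (needs root and iptables); run fw_rules and read it first.
fw_apply() {
  fw_rules | sh -e
}
```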

