
Did anyone understand my posting?  Did anyone at Mandrake verify this problem?  Am I on track here, or totally ignorant of how ipchains works?

(Pffft, pffft, is this thing working?  Testing, one, two, three.  Testing.)
-------------------------------------------------------------------------------------------------------------

There is a bug in netconf. Please follow the description of the problem below.
I want to forward traffic between my two subnets, 192.168.1.0/24 (subnetA) and 192.168.2.0/24 (subnetB). Also, I want to masquerade subnetA to the internet.

When I enter the rules into linuxconf (/networking/firewalling/forward firewalling) I should enter the forward rule between subnetA and subnetB before (using the weight option) the masquerading rule. If I don't then traffic between the two subnets will be masqueraded instead of forwarded.

However, if I only enter a single non-masq rule between subnetB and subnetA marked as bi-directional (weighted 20) and a single masq rule between subnetA and 0.0.0.0/0.0.0.0 marked as bi-directional (weighted 50) then the output is incorrect. I get:

[root@server1 etc]# ipchains -L forward -n
Chain forward (policy DENY):

target prot opt source destination ports
ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
MASQ all ------ 192.168.1.0/24 0.0.0.0/0.0.0.0 n/a
ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
As you can see, traffic from subnetB to subnetA will be forwarded. But, traffic from subnetA to subnetB will be masqueraded instead of forwarded. Rule #3 will never be used. To get the correct functionality, I need two separate non-bidirectional rules.

subnetA ---> subnetB non-masq non-bi-directional weight 20
subnetB ---> subnetA non-masq non-bi-directional weight 20
subnetA <-> internet masq bi-directional weight 50
Linuxconf/netconf must not be using the ipchains -b flag when it creates the rules. It seems to be using a second pass of the rules to implement the bi-directional feature, resulting in the output being in incorrect order. Yes, I know the work-around (create two non-bi-directional rules) but will the new linux users?

Bill
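To make the ordering problem concrete, here is an added example (not part of Bill's post, and not linuxconf or ipchains code): a small Python first-match simulator that parses the `ipchains -L forward -n` output quoted above, embedded as a constructed string, and reports which rules are shadowed by an earlier rule. The second chain is the two-one-way-rules work-around, also constructed, so the two orderings can be compared.

```python
import ipaddress

# Constructed sample: the forward chain as linuxconf wrote it (quoted in the post).
LINUXCONF_CHAIN = """\
Chain forward (policy DENY):
target prot opt source destination ports
ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
MASQ all ------ 192.168.1.0/24 0.0.0.0/0.0.0.0 n/a
ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
"""
# Constructed sample: the work-around, two one-way ACCEPT rules ahead of MASQ.
WORKAROUND_CHAIN = """\
Chain forward (policy DENY):
target prot opt source destination ports
ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
MASQ all ------ 192.168.1.0/24 0.0.0.0/0.0.0.0 n/a
"""

def parse_chain(text):
    """Turn 'ipchains -L <chain> -n' output into (target, src_net, dst_net) tuples."""
    net = lambda s: ipaddress.ip_network(s, strict=False)  # accepts 0.0.0.0/0.0.0.0
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("Chain", "target"):
            continue  # chain header / column header
        rules.append((parts[0], net(parts[3]), net(parts[4])))
    return rules

def first_match(rules, src_ip, dst_ip, policy="DENY"):
    """ipchains semantics: the first rule matching both source and destination wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for target, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return target
    return policy  # fell off the end of the chain: the chain policy applies

def shadowed_rules(rules):
    """1-based numbers of rules that can never fire because an earlier rule already
    covers their whole source and destination (rule #3 in the post)."""
    dead = []
    for i, (_, src, dst) in enumerate(rules):
        if any(src.subnet_of(es) and dst.subnet_of(ed) for _, es, ed in rules[:i]):
            dead.append(i + 1)
    return dead
```

Running `shadowed_rules(parse_chain(LINUXCONF_CHAIN))` reports rule 3 as dead, while the work-around chain has no shadowed rules and sends subnetA-to-subnetB traffic to ACCEPT.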


