Bill Shirley wrote:

>
> Did anyone understand my posting?  Did anyone at
> Mandrake verify this problem?  Am I on track here, or
> totally ignorant of how ipchains works?
>
> (Pffft, pffft, is this thing working?  Testing, one,
> two, three.  Testing.)
>
> ------------------------------------------------------------
>
> There is a bug in netconf. Please follow the
> description of the problem below.
> I want to forward traffic between my two subnets,
> 192.168.1.0/24 (subnetA) and 192.168.2.0/24
> (subnetB). Also, I want to masquerade subnetA to the
> internet.
>
> When I enter the rules into linuxconf
> (/networking/firewalling/forward firewalling) I
> should enter the forward rule between subnetA and
> subnetB before (using the weight option) the
> masquerading rule. If I don't then traffic between
> the two subnets will be masqueraded instead of
> forwarded.
>
> However, if I only enter a single non-masq rule
> between subnetB and subnetA marked as bi-directional
> (weighted 20) and a single masq rule between subnetA
> and 0.0.0.0/0.0.0.0 marked as bi-directional
> (weighted 50) then the output is incorrect. I get:
>
> [root@server1 etc]# ipchains -L forward -n
> Chain forward (policy DENY):
> target prot opt source destination ports
> ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
> MASQ all ------ 192.168.1.0/24 0.0.0.0/0.0.0.0 n/a
> ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
>
> As you can see, traffic from subnetB to subnetA will
> be forwarded. But, traffic from subnetA to subnetB
> will be masqueraded instead of forwarded. Rule #3
> will never be used. To get the correct functionality,
> I need two separate non-bidirectional rules.
>
> subnetA ---> subnetB non-masq non-bi-directional
> weight 20
> subnetB ---> subnetA non-masq non-bi-directional
> weight 20
> subnetA <-> internet masq bi-directional weight 50
>
> Linuxconf/netconf must not be using the ipchains -b
> flag when it creates the rules. It seems to be using
> a second pass of the rules to implement the
> bi-directional feature resulting in the output being
> in incorrect order. Yes, I know the work-around
> (create two non bi-directional rules) but will the
> new linux users?
>
> Bill
>

Mmmm, new to me.  I use masquerading and forwarding
from ipchains without netconf/linuxconf, writing my own
script...  I looked at it just now--didn't even know it
was there til then.  I think this one might be a good
one for a bug report.

Civileme
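To make the ordering problem in the quoted post concrete, here is a small first-match simulation of the forward chain (added illustration, not code from the post or from linuxconf/netconf). It uses the three rules exactly as `ipchains -L forward -n` printed them, plus the order the work-around produces, and reports which rule can never match; the IP addresses in the checks are constructed examples.

```python
import ipaddress

# Constructed first-match evaluator for an ipchains-style forward chain.
# It shows why, with netconf's rule order, subnetA -> subnetB traffic hits
# MASQ before it can reach the ACCEPT rule that was meant for it.

SUBNET_A = ipaddress.ip_network("192.168.1.0/24")
SUBNET_B = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def first_match(chain, src, dst, policy="DENY"):
    """Return the target of the first rule matching (src, dst), else the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for target, rule_src, rule_dst in chain:
        if s in rule_src and d in rule_dst:
            return target
    return policy

# Order as listed in the post: the reverse half of the bidirectional rule
# is emitted in a second pass, after the MASQ rule.
NETCONF_ORDER = [
    ("ACCEPT", SUBNET_B, SUBNET_A),
    ("MASQ",   SUBNET_A, ANY),
    ("ACCEPT", SUBNET_A, SUBNET_B),   # shadowed: MASQ already matched A -> anything
]

# Order produced by the work-around (two one-way rules at weight 20, MASQ at 50).
FIXED_ORDER = [
    ("ACCEPT", SUBNET_A, SUBNET_B),
    ("ACCEPT", SUBNET_B, SUBNET_A),
    ("MASQ",   SUBNET_A, ANY),
]

def shadowed_rules(chain):
    """Indices of rules that can never match because an earlier rule covers them."""
    shadowed = []
    for i, (_, src, dst) in enumerate(chain):
        for _, prev_src, prev_dst in chain[:i]:
            if src.subnet_of(prev_src) and dst.subnet_of(prev_dst):
                shadowed.append(i)
                break
    return shadowed

if __name__ == "__main__":
    print("netconf order, A->B:", first_match(NETCONF_ORDER, "192.168.1.5", "192.168.2.7"))
    print("fixed order,   A->B:", first_match(FIXED_ORDER, "192.168.1.5", "192.168.2.7"))
    print("shadowed rules in netconf order:", shadowed_rules(NETCONF_ORDER))
```

The shadow check is a quick way to audit any first-match chain for rules that an earlier, broader rule makes unreachable.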