Linux-Networking Digest #436, Volume #12 Wed, 1 Sep 99 10:13:41 EDT
Contents:
Re: how to reroute cisco to firewall? ("Gilles 2")
To set up POP mail, and web server ("kim yong")
chat error: can't get terminal parameters: not a typewriter (Khurram Farhan Hassan)
setting up fixed IP address ([EMAIL PROTECTED])
Is Linux Better than FreeBSD as Router ? (Pak,Wooguil)
Re: Please help! DNS setting ("Scott Johnson")
Re: diald problems ("Howard")
Re: samba-2.0.5a ("michael.fengler")
Re: D-link 220??? (Cliff)
Re: diald problems (Mike Jagdis)
Krn and attachments (Ronald Hovens)
Re: NFS caching (Peter Samuelson)
setup virtual domain ("Lim")
Re: ppp and samba (Francisco José Toledano Alcalá)
Re: Need help: POP/SMTP not working (RH5.2) (Stuart Summerville)
Re: Remote printing from DGUX to Linux ([EMAIL PROTECTED])
Re: inews error - No such newsgroup (Jeffery Browning)
Re: samba-2.0.5a (Monte Phillips)
Re: Can't mount Windows drives ("Robert (Bob) McGwier")
Re: Compiling kernel ("Robert (Bob) McGwier")
Re: Setting up Masquerading under RH6.0 ("Gilles 2")
----------------------------------------------------------------------------
From: "Gilles 2" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.firewalls
Subject: Re: how to reroute cisco to firewall?
Date: Wed, 1 Sep 1999 11:56:52 +0200
Can you give us a picture/explanation of the network ?
--
Gilles C.
Sysop at France Multimedia
Original message is:
Tim Downing <[EMAIL PROTECTED]> wrote in the message:
[EMAIL PROTECTED]
> I have been using a Cisco ISDN router for some time as our internet
> gateway.
>
> Have just installed a dedicated firewall machine, and I suppose I need
> to change the routing table on my Cisco.
>
> The problem is I have only 1 class C and the Cisco won't let me do
> what I think I need to do -- hopefully I've got it wrong and someone
> can guide me.
>
> current configuration (no subnetting at all):
> ethernet 0
> ip address 203.19.6.1 255.255.255.0
>
> need to route the class C to 203.19.6.2 which is connected on ethernet
> 0.
>
> Any suggestions welcome.
>
> Regards,
> Tim.
>
> -----------------
> Tim Downing
> Systems Manager
> Touchstone Colour
> Perth, Australia
------------------------------
From: "kim yong" <[EMAIL PROTECTED]>
Subject: To set up POP mail, and web server
Date: 2 Sep 1999 05:15:17 +1000
Reply-To: "kim yong" <[EMAIL PROTECTED]>
I've RedHat6.0 installed with sendmail and imap. The linux box is on a LAN.
I can ping and telnet from any PC.
I'm testing the local mail from a Win95 PC. When I try to check mail,
the /var/log/maillog says ipop3d : connected from host
ipop3d: Authenticate Twinkie failure host
I thought that RH by default allows all service requests. Anyway
I have added a line in etc/hosts.allow ALL:.mydomain.com
Now I can retrieve any mail from the Win95 PC but can't send any. The
/var/log/maillog still says ipop3d[xxx]:Authenticate Twinkie failure
I'm all confused. I have the same setting (I think!!) at home and it
is working fine.
Can anybody help me? What have I missed out?
Thanks
------------------------------
From: Khurram Farhan Hassan <[EMAIL PROTECTED]>
Subject: chat error: can't get terminal parameters: not a typewriter
Date: Wed, 01 Sep 1999 10:00:06 GMT
Hi,
I have a Linux 2.0.36 system using ppp 2.3.9. Whenever I try to execute
a chat script containing AT command (other than AT, ATZ), I get the
above error. For example, the following script produces no error:
chat -v \
TIMEOUT 7 \
ABORT 'BUSY' \
ABORT 'NO ANSWER' \
'' ATZ0 \
OK ''
But the following produces the error:
chat -v \
TIMEOUT 7 \
ABORT 'BUSY' \
ABORT 'NO ANSWER' \
'' AT&F%E0&W0 \
OK ''
If I send this command (AT&F%E0&W0) to the modem using minicom, there
is no error.
Please help.
--
Khurram
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
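What the shell does with the second script, as an added example that is not part of the post: in sh an unquoted & is the background operator, so `'' AT&F%E0&W0` is split into three separate commands and chat is started as a background job without the terminal on its standard input, which is the usual source of the "not a typewriter" (ENOTTY) message. The block below tokenises both command lines the way the shell does and shows the quoting that keeps the send string as one word; both command lines are constructed from the post.

```python
import shlex

# Constructed: the two chat invocations from the post above, written as the
# single command line the shell sees after joining the backslash continuations.
WORKS = "chat -v TIMEOUT 7 ABORT 'BUSY' ABORT 'NO ANSWER' '' ATZ0 OK ''"
FAILS = "chat -v TIMEOUT 7 ABORT 'BUSY' ABORT 'NO ANSWER' '' AT&F%E0&W0 OK ''"


def shell_words(cmdline):
    """Tokenise a command line as a POSIX shell does: quotes are removed and
    an unquoted control operator (& ; |) becomes a token of its own."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars="&;|")
    lexer.whitespace_split = True
    return list(lexer)


def shell_commands(cmdline):
    """Group the tokens into the separate commands the shell would run; an
    unquoted '&' (background) or ';' ends the command in front of it."""
    commands, current = [], []
    for tok in shell_words(cmdline):
        if tok in ("&", ";"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def chat_cmdline(*strings):
    """Build a chat command line, quoting every expect/send string that the
    shell would otherwise split or interpret (shlex.quote leaves plain words alone)."""
    return "chat -v " + " ".join(shlex.quote(s) for s in strings)


if __name__ == "__main__":
    for label, line in (("works", WORKS), ("fails", FAILS)):
        print(label, "->", len(shell_commands(line)), "command(s):", shell_commands(line))
    print(chat_cmdline("TIMEOUT", "7", "ABORT", "BUSY", "ABORT", "NO ANSWER",
                       "", "AT&F%E0&W0", "OK", ""))
```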
------------------------------
From: [EMAIL PROTECTED]
Subject: setting up fixed IP address
Date: Wed, 01 Sep 1999 10:17:17 GMT
I'm writing an application under Linux that connects a device to a
network using a fixed IP address.
The user gives me the IP address, the netmask and the gateway IP. Is it
enough?
I've managed to allocate the IP to the device; the device can ping
machines in the same subnet and can be pinged, but I can't reach the
outside world and nobody can ping my device!
What are the required steps to do that ?
Thanks
David
------------------------------
From: [EMAIL PROTECTED] (Pak,Wooguil)
Subject: Is Linux Better than FreeBSD as Router ?
Date: Tue, 31 Aug 99 06:55:05 GMT
Our team plans to make routers with Linux or FreeBSD.
So I should select an OS between Linux and FreeBSD.
But I don't know which is better.
Is Linux better than FreeBSD as a router?
Thanks in advance.
------------------------------
Reply-To: "Scott Johnson" <[EMAIL PROTECTED]>
From: "Scott Johnson" <[EMAIL PROTECTED]>
Subject: Re: Please help! DNS setting
Date: Tue, 31 Aug 1999 00:40:43 -0700
Configure your own DNS.. point to yourself, and set the ISP as a forwarder.
SJ
dbp wrote in message <[EMAIL PROTECTED]>...
>I have a problem: after setting the DNS of an ISP, if I do not connect to
>the internet, I need to wait one minute in order to telnet from another
>computer to the linux computer. Can I set the time to wait for the DNS
>response?
>
>Thank you!
>
>--
>Please reply to me at [EMAIL PROTECTED], thank you.
>
>
------------------------------
From: "Howard" <[EMAIL PROTECTED]>
Subject: Re: diald problems
Date: Tue, 31 Aug 1999 08:10:49 +0100
Thanks Mike - I was/am having the same problems as our other friend. Your
reply has given me the clues I needed - - The problem I now have is that I
know Rule 1 Proto 17 is the thorn in my arse but not what this means or
where the hell it comes from !!
Thanks for the pointer to tcpdump.
Howard
> Sigh... The *point* is that diald does not magically know when
> you "want to browse the Internet". It only knows about packets
> that are routed over its link. If it sees packets that match
> its filter rules it brings the link up. If it continuously
> brings the link up it is because it is seeing such packets.
> There are many ways of finding out what those packets are.
> Two of the more obvious and useful are to use diald's excellent
> debug option or to use tcpdump. The least useful is to have
> some third party guess what is happening. Once you know what
> the packets are and where they come from you can worry about
> how to fix it.
>
> Mike
>
> --
> A train stops at a train station, a bus stops at a bus station.
> On my desk I have a work station...
> .----------------------------------------------------------------------.
> | Mike Jagdis | Internet: mailto:[EMAIL PROTECTED] |
> | Roan Technology Ltd. | |
> | 2 Markham Mews, Broad Street | Telephone: +44 118 989 0403 |
> | Wokingham ENGLAND | Fax: +44 118 989 1195 |
> `----------------------------------------------------------------------'
------------------------------
From: "michael.fengler" <[EMAIL PROTECTED]>
Subject: Re: samba-2.0.5a
Date: Wed, 1 Sep 1999 09:28:52 +0200
Reply-To: [EMAIL PROTECTED]
On Wed, 1 Sep 1999 [EMAIL PROTECTED] wrote:
>Hello all :)
>Recently I upgraded my samba suite from 2.0.3-8 to 2.0.5a and ever
>since my autoscript for smbmount stopped working.
>
>I've noticed there's a change in the smbmount syntax ...and I don't
>seem to be able to make it mount w/o asking for the password. Before
# smbmount //optiplix/ftp /mnt -Umike
Added interface ip=10.42.42.107 bcast=10.42.42.255 nmask=255.255.255.0
Password:
# cd /mnt
# ls
. .. mypc3
Eh voila.
- mike
------------------------------
From: Cliff <[EMAIL PROTECTED]>
Subject: Re: D-link 220???
Date: Wed, 01 Sep 1999 00:59:53 -0700
Hello Steve,
Go to ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/Ethernet-HOWTO and look
under 5.14.1..
Good Luck,
Cliff
"Kim V. & Steve S." wrote:
> I just ditched the magitronic card that I had and got a D-link 220 in
> exchange. Is this card going to work with Linux??
>
> I really hope so...
>
> Steve
------------------------------
From: [EMAIL PROTECTED] (Mike Jagdis)
Subject: Re: diald problems
Date: 1 Sep 1999 11:09:14 GMT
Reply-To: [EMAIL PROTECTED]
In article <7qijhg$[EMAIL PROTECTED]>, Howard wrote:
>
>Thanks Mike - I was/am having the same problems as our other friend. Your
>reply has given me the clues I needed - - The problem I now have is that I
>know Rule 1 Proto 17 is the thorn in my arse but not what this means or
>where the hell it comes from !!
Rule 1 means the first filter rule in your config, proto 17 is udp.
In the filter sets that come with diald the first udp rule should be an
ignore rule for rwho packets. Either the rule is being matched but
is not actually causing the link to come up (because it is an ignore
rule) or you are not using any of the filter sets that come with diald.
Mike
--
A train stops at a train station, a bus stops at a bus station.
On my desk I have a work station...
.----------------------------------------------------------------------.
| Mike Jagdis | Internet: mailto:[EMAIL PROTECTED] |
| Roan Technology Ltd. | |
| 2 Markham Mews, Broad Street | Telephone: +44 118 989 0403 |
| Wokingham ENGLAND | Fax: +44 118 989 1195 |
`----------------------------------------------------------------------'
------------------------------
From: Ronald Hovens <[EMAIL PROTECTED]>
Crossposted-To: news.software.readers,comp.os.linux.development.apps
Subject: Krn and attachments
Date: Wed, 01 Sep 1999 13:16:55 +0200
Hello,
For some time now, I use krn as newsreader that came with kde 1.1.1.
When reading newsmessages with e.g. audio or graphic attachments, krn
displays a lot of rubbish. Why doesn't krn - like kde's mail client
kmail - show the attachments (inline or as icons). Am I doing something
wrong? Is this a feature that will be implemented in an upcoming
release? Is there any good newsreader - besides netscape messenger -
with gui that processes attachments correctly?
Many thanks in advance.
Ronald Hovens
------------------------------
From: [EMAIL PROTECTED] (Peter Samuelson)
Crossposted-To: comp.os.linux.development.system
Subject: Re: NFS caching
Date: 1 Sep 1999 04:56:07 -0500
Reply-To: Peter Samuelson <[EMAIL PROTECTED]>
[bill davidsen <[EMAIL PROTECTED]>]
> Has anyone done anything to reduce network traffic between client and
> server when the data on the server is known not to change? I'm being
> very vague because I don't want to scare off any good solutions.
AIX implements a CacheFS on top of NFS for this purpose. I haven't
researched/deployed it yet though it could be useful here. It's on my
todo list.... Anyway I haven't heard that this has been implemented in
Linux yet.
Meanwhile Coda has a rather sophisticated caching scheme, it seems, but
of course that might be a level of complexity you don't need or want.
I like someone's rsync suggestion.
--
Peter Samuelson
<sampo.creighton.edu!psamuels>
------------------------------
From: "Lim" <[EMAIL PROTECTED]>
Subject: setup virtual domain
Date: Wed, 1 Sep 1999 20:13:47 +0800
Hi,
I have a linux server running RedHat 6 and am trying to manage several
domains, but my question is how to set up an individual passwd file for
each virtual domain.
Thanx in advance!
------------------------------
From: Francisco José Toledano Alcalá
Subject: Re: ppp and samba
Date: Tue, 31 Aug 1999 22:18:30 +0200
Francisco José Toledano Alcalá wrote:
>
> I've got a network class C (192.168.0.0/255.255.255.0).
> I've got a Linux box as Firewall, masquerade server and mgetty server
> with one modem.
> I've got a volume share with samba server on linux box.
> I've got a remote client with Windows.
> In the Windows client, I created one ppp connection to the linux server.
> The connection starts ok. pppd on the server has the proxyarp option. I can
> ping the windows client and the windows client can ping the linux server too.
> The client can't browse or connect to the shared volume on the samba server.
>
> ¿Any idea about it?
>
> Thank you very much and best regards from Córdoba (Spain).
I reply to myself because I found the error.
There was a name resolution problem. Simply adding a name to /etc/hosts
matching the name of the remote machine, et voilà!
Regards
------------------------------
From: [EMAIL PROTECTED] (Stuart Summerville)
Crossposted-To: comp.os.linux.setup
Subject: Re: Need help: POP/SMTP not working (RH5.2)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 01 Sep 1999 12:43:08 GMT
>I am still dead sending mail.
I just went through this same process - there's a bunch of stuff in
/etc/sendmail.cf to check.
>There are a couple of files in /etc/mail; ip_allow, name_allow, and
>relay_allow. I have no idea what the structure of these files should
>be, they were all empty at install.
I just added "single word per line" entries to each of these. ip_allow
has the ip address of the machines I want to enable relay from (ie.
any host sending mail via your linux box), name_allow has the name(s)
of the hosts to allow (I added full dns and hostname entries), and
same for relay_allow (name? ip?).
I spent ages tweaking these and /etc/sendmail.cf & found nothing
worked. I then did a "kill -HUP" to sendmail & it suddenly started
working for outgoing email. Consequently I don't know which of the
changes to any of the files made the difference (Most of these changes
seemed to do so..).
What I did in sendmail.cf
1) Just into the "Local Info" section, changed "my official local
domain" from my.NET (or whatever it was) to "D<my actual domain
name>".
2) Changed the "Smart Relay Host" to "DS<my ISPs secondary MX mail
server>".
3) Changed "fallback MX host" from "fall.back.host.net" to "<my ISPs
secondary MX mail server>"
4) Enabled the line "O HostsFile=/etc/hosts" by removing the hash at
the start of the line.
Again, all of these seemed logical enough at the time. If anyone can
confirm these as (in?)appropriate changes, then please say so.
Good luck.
Stu.
==============================================
Stuart Summerville
Home: stus@<nospam>netspace.net.au
Work: stuart.summerville@<nospam>icpdd.neca.nec.com.au
==============================================
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: comp.os.linux.misc
Subject: Re: Remote printing from DGUX to Linux
Date: Wed, 01 Sep 1999 11:58:05 GMT
Hi Kevin.
I dunno if what Allen Wong suggested worked for you, but I sat with that same
problem for like 3 days. Bummer. But, I got it right, and yes it was a
bastard.
What happens if you do a "lpq" on that printer? Something like waiting for
connection to "your machine"? If it does, this is what I had to do to get it
right.
1) Create the user (with same password) on your linux box that you're using
on the DGUX box.
2) Don't forget the bleeding /etc/hosts.lpd file and the allowed ip's to
lpd on your linux box (which you've accomplished already).
The above assumes of course that you've printed on that printer before and it
works (lpr on your linux box). This worked for me, and I'm smiling. Gained a
lot (time question).
Hope it helps
Ricardo
In article <[EMAIL PROTECTED]>,
"Kevin Williams" <[EMAIL PROTECTED]> wrote:
> Hi There
>
> I am trying to print to a printer attached to the parallel port on a linux
> machine from a DGUX machine.
> The print job is not leaving the DGUX machine and getting to print queue on
> the linux machine. I have the DGUX machine name in both the hosts.equiv and
> the hosts.lpd
>
------------------------------
From: Jeffery Browning <[EMAIL PROTECTED]>
Crossposted-To: athome.users-unix,comp.os.linux.misc,comp.os.linux.redhat
Subject: Re: inews error - No such newsgroup
Date: Wed, 01 Sep 1999 07:25:07 -0400
Scott Post wrote:
>
> I just switched from a modem based ISP to cable based. I had
> previously been maintaining a local news spool via suck, but now
> that I have a fast connection I'd prefer to read directly from
> my ISP's news server. That works just fine using trn with
> NNTPSERVER set. The problem is I can't post. It looks like trn
> uses Pnews to compose a post then sends it to inews for posting.
> I'm using inews-1.7-4 and when I try posting it hangs for several
> seconds then says "No such newsgroup as athome.test". I can read
> the newsgroup, so I know it exists.
>
> The inews man page is pretty sparse, so I can't figure out what's
> happening. How does inews go about figuring out if a newsgroup exists
> or not? How does it know what news server to connect to (I'm assuming
> it uses the NNTPSERVER environmental variable).
>
> Any help would be appreciated.
>
> --
> Scott Post [EMAIL PROTECTED]
My 2 bits.
Have you checked your /etc/news/inn.conf?
I may be off the track. But this gave me a great deal of trouble when I
set up our news feed.
--
Jeffery C. Browning, Enhanced Solutions
Computing
Systems Administrator 2251 Old Cornelia Hwy
Gainesville, Ga 30507
------------------------------
From: [EMAIL PROTECTED] (Monte Phillips)
Subject: Re: samba-2.0.5a
Date: Wed, 01 Sep 1999 13:00:34 GMT
Your problem will be solved if you post it on comp.protocols.smb
there is indeed a change in the commands, they are as yet not in the
docs.
[EMAIL PROTECTED] wrote:
>Hello all :)
>Recently I upgraded my samba suite from 2.0.3-8 to 2.0.5a and ever
>since my autoscript for smbmount stopped working.
>
>I've noticed there's a change in the smbmount syntax ...and I don't
>seem to be able to make it mount w/o asking for the password. Before
>I'd do:
>
>smbmount \\\\server\\share PASSWORD -I x.x.x.x -U USERNAME -
>c 'mount /mountpoint'
>
>now the new smbmount gives me an incorrect syntax error ...
>I just can't figure it out. Has anybody had the same issue ?
------------------------------
From: "Robert (Bob) McGwier" <[EMAIL PROTECTED]>
Crossposted-To: linux.samba
Subject: Re: Can't mount Windows drives
Date: Wed, 01 Sep 1999 13:53:05 GMT
I contend that whoever did the RH samba packages for the Dec Alpha FORGOT
to do
configure --with-smbmount
before they did the compile. I downloaded the source, did the configure, and
I now have smbmount and everything works perfectly.
Thanks,
Bob
Cliff wrote:
> Hello Robert,
>
> You mean you installed everything but can't locate it?
> It should be /usr/bin/smbmount
> Simply type "smbmount" without the quotes and see what you get..
>
> Cliff
>
> "Robert (Bob) McGwier" wrote:
>
> > I can't find smbmount and I installed RH 6.0 with "ALL packages"
> > selected. Everything else in the samba configuration works. Networked
> > printers, and Windoze machines using samba based resources on the linux
> > machines. I just cannot mount my windoze directories on my linux machines.
> > Is there a way to do this without smbmount and if not, why didn't RH 6.0
> > install it?
> >
> > Bob
> >
> > Cliff wrote:
> >
> > > Hello,
> > >
> > > Yes, in addition, you need to add another backslash before \c.
> > > Backslash "\" means something in shell and many other scripting languages,
> > > therefore, you need to escape it by adding another backslash.
> > > I forgot to mention about the -N option, it's to disable password prompt.
> > > So basically you can enter such line..
> > > smbmount \\\\mypc\\c /mnt/win -N in your linuxconf so this will mount your
> > > samba share at bootup. (assuming your win98 machine is always on)
> > >
> > > Cliff
> > >
> > > Hiawatha Bray wrote:
> > >
> > > > So...I'm supposed to put 2 more slashes before mypc?
> > > >
> > > > Cliff <[EMAIL PROTECTED]> wrote in message
> > > > news:[EMAIL PROTECTED]...
> > > > > Hello,
> > > > >
> > > > > Try this..
> > > > >
> > > > > smbmount \\\\mypc\\c /mnt/win -N
> > > > >
> > > > > (make sure /mnt/win exists)
> > > > >
> > > > > Cliff
> > > > >
> > > > > Obs wrote:
> > > > >
> > > > > > you should do smbmount ////computer-name/sharename /mount-point
> > > > > >
> > > > > > Hiawatha Bray <[EMAIL PROTECTED]> wrote in message
> > > > > > news:7qcp4c$[EMAIL PROTECTED]...
> > > > > > > I got my Samba working and I can mount my Linux drives on my Windows
> > > > > > > machine. Now...how do I do it the other way around, mounting Windows
> > > > > > drives
> > > > > > > on my Linux box? I'm using RH 6 and Samba 2.0.3, withWin 98 on the
> > > > > > Windows
> > > > > > > machine.
> > > > > > >
> > > > > > > I created a /mnt/win mountpoint and then tried the smbmount command.
> > > > > > Here's
> > > > > > > what I got...
> > > > > > >
> > > > > > > [root@linux watha]# smbmount file://mypc/c /mnt/win
> > > > > > > Added interface ip=10.0.2.16 bcast=10.255.255.255 nmask=255.0.0.0
> > > > > > > Server time is Sun Aug 29 21:42:48 1999
> > > > > > > Timezone is UTC-4.0
> > > > > > > security=share
> > > > > > > smb: \>
> > > > > > >
> > > > > > > I don't even know what this means...is this the correct response?
> > > > Thanks.
> > > > > > >
> > > > > > >
> > > > >
> > > > >
------------------------------
From: "Robert (Bob) McGwier" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.questions,comp.os.linux.setup,linux.dev.config,linux.dev.newbie
Subject: Re: Compiling kernel
Date: Wed, 01 Sep 1999 13:42:27 GMT
I believe the zImage is compressed with *nix compress (command line compress)
and bzImage is compressed with bzip2. Both are described in man pages in
standard linux installations.
Bob
Johannes Ziegler wrote:
> Jimmy wrote:
>
> > 1. could u describe what's the difference between 'make zImage' and 'make
> > bzImage'? or just send me the URL for this info.
> >
> > 2. do u know what 's the problem is with the following err msg at the end of
> > kernel compilation? i got the err, "System is 525k, System is too big. Try using
> > bzImage"
> > Thank u very much!
> >
> > Johnny Chen
> > [EMAIL PROTECTED]
> >
> > Johannes Ziegler wrote:
> >
> > > make dep ; make bzImage (because zImage is out of date)
> > > make modules ; make modules_install
> > >
> > > Then you should copy the new kernel and also the corresponding System.map
> > > to /boot/vmlinuz-<kernel-version+revision> and
> > > /boot/System.map-<kernel-version+revision>.
> > > Configure /etc/lilo.conf by hand (so you can still use the old kernel).
> > > Call lilo and reboot to try the new kernel.
> > > You can remove the old kernel later (don't forget to update lilo).
> > >
> > > Good luck!
> > > Johannes Ziegler
> > > [EMAIL PROTECTED]
> > > (feedback always welcome)
>
> I don't know exactly the difference between bzImage and zImage.
> Both are compressed kernel images.
> The bzImage is usually smaller than the zImage (this is important,
> because the kernel is limited to some size).
> I think lilo can handle the bzImages better than the zImages (relocating and stuff),
>
> therefore it's recommended to use the bzImages.
>
> Best regards
> Johannes Ziegler
> [EMAIL PROTECTED]
> (feedback always welcome)
------------------------------
From: "Gilles 2" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.firewalls
Subject: Re: Setting up Masquerading under RH6.0
Date: Wed, 1 Sep 1999 11:35:23 +0200
First, just delete the first default policy. One is sufficient.
After that,
#------------------------------------
# Local Traffic Rules
#------------------------------------
/sbin/ipchains -A input -j ACCEPT -i $INTERFACE_DEV -s $NETWORK/24 -d $INTERFACE_IP
# Accept any packet from local network to server on input of eth0
/sbin/ipchains -A input -j ACCEPT -i lo -s $NETWORK/24 -d $INTERFACE_IP
# Accept any packet from local network to server on input of lo
# (-i takes the interface name "lo", not the loopback address)
/sbin/ipchains -A output -j ACCEPT -i $INTERFACE_DEV -s $INTERFACE_IP -d $NETWORK/24
# Accept any packet from server to local network on output of eth0
/sbin/ipchains -A output -j ACCEPT -i lo -s $INTERFACE_IP -d $NETWORK/24
# Accept any packet from server to local network on output of lo
and you mix up UNIVERSE and INTERNET ...
and the mask is not 255.255.255.0 but 24 ...
--
Gilles C.
Sysop at France Multimedia
Original message is:
Stephen Torri <[EMAIL PROTECTED]> wrote in the message:
[EMAIL PROTECTED]
> I have a need to setup a dial-out server using PPP. I have the PPP
> scripts all installed and tested. The dail out server can surf the web
> and all that stuff. Now I want to be able to masquerade the internal
> network we have here with the Internet. Below is the firewall script I
> wrote down. There are a few requirements:
>
> 1.) Firewall doesn't restrict ANY internel traffic. Clients should be
> able to use samba, ftp, etc.
> 2.) Firewall forwards packets to destinations not located on the
> internel network. Reverse is true, return packets are sent to the
> request machine.
>
> Simple rules.
>
> Problems are:
> 1.) Can't resolve domain names from dial out server.
> 2.) Can't ping from clients (i.e. another computer tries to ping to
> www.yahoo.com through dial out server).
> 3.) Can't ping from clients to the IP assigned by my ISP.
>
> Here is the script:
>
> -------------------------------------------------------
> #!/bin/sh
>
> # Flush old policy
> /sbin/ipchains -P input REJECT
> /sbin/ipchains -P output REJECT
> /sbin/ipchains -P forward REJECT
> /sbin/ipchains -F input
> /sbin/ipchains -F output
> /sbin/ipchains -F forward
>
> # Load masquerade modules
> /sbin/depmod -a
> /sbin/modprobe ip_masq_ftp
>
> #------------------------------------
> # Variables
> #------------------------------------
> LOOPBACK_IP="127.0.0.1"
> INTERNET="0.0.0.0"
> NETWORK="10.0.0.0"
> ETHERNET_BROADCAST="10.0.0.255"
> UNPRIVPORTS="1024:65535"
>
> #------------------------------------
> # Devices
> #------------------------------------
>
> # External interface to the Internet
> PPP_INT="ppp0"
>
> # We need to get the IP address this way because Stratos issues IP
> # addresses from a pool and not DHCP.
> PPP_IP=`/sbin/ifconfig | grep -A 4 $PPP_INT | awk '/inet/ { print $2 }' | sed -e s/addr://`
> DEFAULT_GATEWAY=$PPP_IP
>
> # Internal interface to the local network
> INTERFACE_DEV="eth0"
> INTERFACE_IP="10.0.0.6"
>
>
> #------------------------------------
> # Default Policies
> #------------------------------------
> /sbin/ipchains -P input REJECT
> /sbin/ipchains -P output REJECT
> /sbin/ipchains -P forward REJECT
>
> /sbin/ipchains -M -S 7200 10 60
>
> #------------------------------------
> # Local Traffic Rules
> #------------------------------------
> /sbin/ipchains -A input -j ACCEPT -i $INTERFACE_DEV -s $INTERFACE_IP/24 -d $NETWORK/0
> /sbin/ipchains -A input -j ACCEPT -i $LOOPBACK_IP -s $NETWORK/0 -d $NETWORK/0
> /sbin/ipchains -A output -j ACCEPT -i $INTERFACE_DEV -s $INTERFACE_IP/24 -d $NETWORK/0
> /sbin/ipchains -A output -j ACCEPT -i $LOOPBACK_IP -s $NETWORK/0 -d $NETWORK/0
>
> #------------------------------------
> # Input Rules for packets from the Internet to the local network
> #------------------------------------
>
> /sbin/ipchains -A input -j ACCEPT -p icmp -s $UNIVERSE/0 -d $INTERFACE_IP/32
> /sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE/0 -d $INTERFACE_IP/32 $UNPRIVPORTS
> /sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE/0 -d $INTERFACE_IP/32 $UNPRIVPORTS
>
> #------------------------------------
> # Output Rules for packets from the local network to the Internet
> #------------------------------------
> /sbin/ipchains -A forward -s $INTERFACE_IP/255.255.255.0 -j MASQ
> /sbin/ipchains -A forward -s $LOOPBACK_IP/255.255.255.0 -j MASQ
>
>
> -------------------------------------------------------------------
>
> Thanks,
>
> Stephen
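As an added example that is not from either poster, a small Python checker that applies the points of the reply to the quoted script: it parses the variable block and the ipchains rules, reports variables that are never assigned (UNIVERSE, which sh expands to nothing), /0 masks that discard the address written in front of them, and, as a check of my own, an IP address handed to -i, which takes an interface name such as lo. The excerpt is a constructed, one-line-per-rule transcript of part of the quoted script, and FIXED is the same excerpt with those three problems corrected.

```python
import re

# Constructed excerpt of the ipchains script quoted above, with each wrapped
# rule joined back onto one line (variable block plus the rules the reply
# comments on). Not the full script.
SCRIPT = """\
LOOPBACK_IP="127.0.0.1"
INTERNET="0.0.0.0"
NETWORK="10.0.0.0"
UNPRIVPORTS="1024:65535"
INTERFACE_DEV="eth0"
INTERFACE_IP="10.0.0.6"
/sbin/ipchains -A input -j ACCEPT -i $INTERFACE_DEV -s $INTERFACE_IP/24 -d $NETWORK/0
/sbin/ipchains -A input -j ACCEPT -i $LOOPBACK_IP -s $NETWORK/0 -d $NETWORK/0
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE/0 -d $INTERFACE_IP/32 $UNPRIVPORTS
/sbin/ipchains -A forward -s $INTERFACE_IP/255.255.255.0 -j MASQ
"""

# The same rules with the three problems corrected (constructed here): /0 on
# the local network becomes /24, -i gets the interface name lo, and the
# Internet rule uses the INTERNET variable that is actually assigned.
FIXED = (SCRIPT.replace("$NETWORK/0", "$NETWORK/24")
               .replace("-i $LOOPBACK_IP", "-i lo")
               .replace("$UNIVERSE", "$INTERNET"))

ASSIGN = re.compile(r'^(\w+)="([^"]*)"$')
VAR = re.compile(r"\$(\w+)")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse(script):
    """Split the script into its variable assignments and its ipchains rules."""
    assigned, rules = {}, []
    for line in script.splitlines():
        line = line.strip()
        m = ASSIGN.match(line)
        if m:
            assigned[m.group(1)] = m.group(2)
        elif line.startswith("/sbin/ipchains"):
            rules.append(line)
    return assigned, rules


def expand(word, assigned):
    """Expand $VAR the way sh does: an unassigned variable becomes empty."""
    return VAR.sub(lambda m: assigned.get(m.group(1), ""), word)


def lint(script):
    """Return (rule number, message) findings for the three checks."""
    assigned, rules = parse(script)
    findings = []
    for n, rule in enumerate(rules, 1):
        for name in VAR.findall(rule):
            if name not in assigned:
                findings.append((n, f"${name} is never assigned, so it expands to nothing"))
        words = rule.split()
        for flag, raw in zip(words, words[1:]):
            value = expand(raw, assigned)
            if flag in ("-s", "-d"):
                base, _, mask = value.partition("/")
                if mask == "0" and base and base != "0.0.0.0":
                    findings.append((n, f"{flag} {raw}: mask /0 matches every address, so {base} is ignored"))
            elif flag == "-i" and IPV4.match(value):
                findings.append((n, f"-i {raw}: -i takes an interface name, not the address {value}"))
    return findings


if __name__ == "__main__":
    for n, msg in lint(SCRIPT):
        print(f"rule {n}: {msg}")
    print("findings for the corrected rules:", lint(FIXED))
```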
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************