I've tried below to answer some of your questions, but I fear I haven't done
enough to point you right at your actual problems. Now that I know that this
is in large part a learning exercise for you, I'd encourage you to look at
some of the HowTos I mention about halfway into the response. This may help
you to troubleshoot more successfully ... if not, it will help you to frame
specific questions. Good luck.

You also may want to look at how you are setting up the firewall. I don't
know how the RH init scripts do it ... these things vary in detail from one
distribution to another, and I mainly use Debian myself ... but your
comments make me suspect that two scripts are doing the firewalling -- one
created during the RH install, the other set up by you. The two may be
interacting in unexpected ways. 

Finally, ipchains has the -C option, which lets you specify a packet, then
tests it against the ruleset. (Read the ipchains man page for the details.)
You may find it a useful diagnostic tool.

At 11:56 AM 5/9/00 +0800, [EMAIL PROTECTED] wrote [in part]:

>> Since it cannot ping the Internet, it would be
>> helpful to know if this failure were occurring in the router or in a client.
>> For the moment, I will assume that mr_bumpy is the RH router.
>
>Correct. The machine can send the ping, and according to the modem lights the 
>ping is coming back, but the server isn't allowed to see it.. (firewall is 
>blocking??) 

Maybe. Your ruleset could be blocking the reply, as I said earlier.
 
>> 2. Can you ping the ppp0 default gateway (203.57.130.22 in the ifconfig
>> output you sent) or not? Both from the router and from a client. I don't see
>> where you report the results of this test.
>
>Ok I'm a little confused here.. I have given the server a gateway of 
>192.168.100.1 Why is it picking up a second IP address from my ISP (in the 
>203.57.130.* range) and calling it the gateway? This is going to make the 
>firewall even harder to setup.. every time I dial up it changes... All of the 
>windoze machines inside the LAN have 192.168.100.1 as their gateway..

OK, you need some of the basics. A host's gateway is the IP address of
another host ON THE SAME NETWORK (the LAN, in your case) as the host; that is
where the host should send all packets going to hosts not on the same
network. So, from the standpoint of the Windows hosts, 192.168.100.1 is the
gateway.

But from the standpoint of the RH router, its gateway isn't a path back to
the LAN; it is the path to the Internet (i.e., the ppp connection) ...
specifically, the address at the other end. Thankfully, you don't need to
set this up; pppd, when it makes a ppp connection, does this for you, based
on information it gets while setting up the connection (technically, doing
LCP negotiation).
...
>The only firewalls I've ever 
>seen going are ones inside of /etc/rc.d/ and are called rc.firewall or 
>firewall. In my mind a firewall is basically a text file with rules in it. All 
>that goes through it must first be run past the file.. if it matches all then 
>it may continue.. Is this right or am I missing a large part of the picture 
>here... ( I feel I am)

No. The firewall itself is set up within the Linux kernel. Roughly speaking,
it has three parts --

        ipchains, which does the actual packet filtering
        ip masq, which does the Network Address Translation
                that permits the private-address LAN hosts to
                "share" the router's public (in your case, ppp)
                IP address when accessing the Internet.
        ip port forwarding, which is one way for you to run a 
                service server (e.g., a mail server, a DNS server,
                a Web server) on a private-address host behind
                the firewall and have it appear to be at the 
                firewall's IP address.

The scripts you are familiar with are not the firewall itself; they contain
a set of commands ("ipchains blah blah blah" and "ipmasqadm blah blah blah")
that set up the firewall. To find out more about how they work, your best
resources are
        the man pages for ipchains and ipmasqadm
        the IP Masquerading HowTo
        the Firewall HowTo
        The Ipchains HowTo
        maybe a couple of other HowTos I've forgotten

The HowTos may be on your RH server. If not, find them at URL
http://www.linuxdoc.org .

The rules themselves also work roughly the opposite of the way you assume.
What happens is that a given packet starts at the top of the rule chain,
then gets compared against each rule in order. The first time it MATCHES a
rule, the firewall does what the rule says to do (typically ACCEPT, REJECT,
or DENY, which mean pretty much what they sound like) and exits the chain.
If the packet reaches the end of the rule chain without matching, the
DEFAULT policy (again, ACCEPT, REJECT, or DENY) for that chain applies.

>
>My server is behaving as a nameserver to the LAN as well as a few other MAJOR 
>ISPs in my country (Australia). I assume that is where the windoze clients are 
>getting their info from..

I'm sorry, but I don't understand this. Do you mean that the RH server is
running the BIND package, and that the WinXX workstations use it as their
nameserver? If so, does the RH server use a forwarder, or does it go
directly to the root nameservers? In any case, if it can access ANY
nameserver off the LAN, it is getting some traffic through. 

...

>NOTE: When I say that modem lights indicate something I am 99.99999% sure that 
>this is a good indication. The amount of activity that the modem does when 
>no-one is trying to access the web is VERY quiet. There is a LARGE difference 
>between ping/surfing/telneting and the server updating DNS titles.

Do you mean that both the TX and the RX lights flash? If you do, then return
traffic is coming in and the firewall is (somehow) blocking it. 

>
>> 1. Your routing table shows TWO default gateways, in these lines:
>> 
>> >0.0.0.0         203.57.130.22   0.0.0.0         UG    0      0        0 ppp0
>> >0.0.0.0         192.168.100.1   0.0.0.0         UG    1      0        0 eth0
>> 
>> You want to delete the second of these, since the internal interface is only
>> a static route to the LAN. (This routing table *should* work okay, since it
>> is supposed to get traversed in order ... but I wouldn't count on its
>> complete reliability in the face of this error, in any case.)
>
>A few questions on this. The first gateway is not static; it changes every 
>time the server has to dial up again. 

That's okay. pppd will take care of setting this up for you. Remember, this
routing table reports the gateway for the RH server/router, not for the
other clients on the LAN.

>If I remove the second (static), what 
>should I set the windoze machines to point at? (Is it really important for 
>the windoze machines to have a gateway to point at?)

Yes, it is very important. And leaving them pointing to 192.168.100.1 as
their gateway is just fine.

>Also, How do I remove a gateway? I assume that I should be able to do that in 
>the "linuxconf" ?

Beats me (as to linuxconf, that is). List regulars know that I'm not a Red
Hat user, so I don't know linuxconf except very superficially. For the
moment, you can remove it from the command line using the "route" command.
Check the man page for exact syntax; it's something close to this:

        route del default gw 192.168.100.1 dev eth0

For the next reboot, you want to look in your rc directory (/sbin/rc.d
maybe? I forget where RH puts this stuff) for scripts that call the "route"
command. Comment out the one that reads "route add default blah blah blah".

>I am VERY grateful for the help you have given me. I realise that the help 
>you have been giving me has probably taken a large amount of your time and 
>been no small headache, so if you would permit me to have a snail mail 
>address that I could send a small token of my gratitude to, I would like to 
>repay you for your effort. Your help has been worth more to me than the 
>amount I fork out for books, and I feel a debt to you for the imparted 
>knowledge you have given.

You are too kind, and I am certainly as susceptible to flattery (more so, my
friends tell me) as the average man. Better than paying back, though, is
"paying forward" ... 6 months from now, when you understand this stuff well,
take the time to help the next beginner ...

... or you could always send a postcard. I was only in Australia once - 5
days in Sydney, mainly working, about 15 years ago - and I do remember it
fondly. Loved the harbour, the zoo, the Opera House, the big tower (I forget
its name), and just walking around downtown. 

My address is in my "whois" record (good practice for you, if you're
learning to manage systems).
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    [EMAIL PROTECTED]        
----------------------------------------------------------------
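As an added illustration of the first-match rule traversal described above, and of the "is the firewall blocking the ping reply?" question, here is a small Python model of an ipchains input chain. This is example code, not from the original post and not ipchains itself; the Rule/Packet fields, the check() function and the rulesets are constructed simplifications of what "ipchains -C" tests.

```python
# Constructed model of ipchains first-match semantics (example code, not
# part of the original post). A packet walks the chain top to bottom; the
# first matching rule decides, otherwise the chain's default policy applies.
from dataclasses import dataclass
from typing import List, Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

@dataclass
class Rule:
    proto: str                 # "icmp", "tcp", "udp" or "all"
    iface: str                 # "ppp0", "eth0" or "any"
    icmp_type: Optional[int]   # ICMP type to match; None matches any
    target: str                # "ACCEPT", "REJECT" or "DENY"

@dataclass
class Packet:
    proto: str
    iface: str
    icmp_type: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and (rule.iface == "any" or rule.iface == pkt.iface)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type))

def check(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """Rough equivalent of 'ipchains -C': report what the chain does."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target     # first match wins, chain is exited
    return policy                  # fell off the end: default policy

# Constructed rulesets for the input chain, default policy DENY.
# 1) Only LAN-side ICMP accepted: the echo reply arriving on ppp0 is DENIED.
INPUT_BROKEN = [Rule("icmp", "eth0", None, "ACCEPT")]
# 2) Accept echo replies on ppp0 before the default policy applies.
INPUT_FIXED = [Rule("icmp", "ppp0", ICMP_ECHO_REPLY, "ACCEPT")] + INPUT_BROKEN
# 3) Same ACCEPT rule, but shadowed by an earlier catch-all DENY: order matters.
INPUT_SHADOWED = [Rule("all", "ppp0", None, "DENY")] + INPUT_FIXED

PING_REPLY = Packet("icmp", "ppp0", ICMP_ECHO_REPLY)  # what the modem sees arrive

def diagnose() -> dict:
    """Verdict for the returning ping under each constructed ruleset."""
    return {name: check(chain, "DENY", PING_REPLY) for name, chain in
            (("broken", INPUT_BROKEN), ("fixed", INPUT_FIXED),
             ("shadowed", INPUT_SHADOWED))}

if __name__ == "__main__":
    print(diagnose())
```

The "shadowed" case is the one to look for when two scripts each add rules: a catch-all DENY inserted earlier in the chain silently wins over a later ACCEPT.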

