/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Using the TrinityOS firewall script, version 3.70. I have the
following set in these sections (lines wrapped for legibility):
#--------------------------------------------------------------------
# Explicit INPUT Access from external LAN Hosts
#--------------------------------------------------------------------
# The secure host
#
echo " * Allowing $SECUREHOST INPUT for ftp/-data, ssh, and shell"
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST \
-d $EXTIP ftp
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST \
-d $EXTIP ftp-data
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST \
-d $EXTIP ssh
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST \
-d $EXTIP shell
#--------------------------------------------------------------------
# Output to Explicit Hosts
#--------------------------------------------------------------------
echo " * Allowing $SECUREHOST OUTPUT for ftp/-data, ssh, and shell"
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp \
-d $SECUREHOST $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data \
-d $SECUREHOST $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh \
-d $SECUREHOST $UNPRIVPORTS
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP shell \
-d $SECUREHOST $UNPRIVPORTS
Let's see what ipchains -L tells me:
ACCEPT tcp ------ mail.pcraft.com yeehaw.csd.net any -> shell
ACCEPT tcp ------ yeehaw.csd.net mail.pcraft.com shell -> 1024:65535
...so, theoretically, it should work, right? Well, FTP and SSH both
work. But, when I try a shell command (such as 'rcp'), I get the
following in my logs:
Sep 5 01:50:00 celerity kernel: Packet log: output REJECT ppp0 \
PROTO=6 204.151.43.203:1023 206.168.220.51:514 L=60 S=0x00 \
I=13684 F=0x0000 T=64 SYN (#98)
...and it repeats 4...5 times.
Now, before you tell me to check permissions and stuff on the
$SECUREHOST, I already went through that. There's another machine with
the identical setup, and it works. So, why is this one not working?
AMK4
--
H | Hi, I'm currently out of my mind. Please leave a message. BEEEEP!
|____________________________________________________________________
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ashley M. Kirchner <mailto:[EMAIL PROTECTED]> . 303.442.6410 x130
Director of Internet Operations / SysAdmin . 800.441.3873 x130
Photo Craft Laboratories, Inc. . eFax 248.671.0909
http://www.pcraft.com . 3550 Arapahoe Ave #6
.................. . . . . Boulder, CO 80303, USA
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
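The rejected packet and the eight ACCEPT rules from the post, checked against each other as an added example (not from the post or from the TrinityOS script): a small Python audit helper that parses the ipchains "Packet log:" line and reports which fields of each same-chain rule the packet fails. The mapping of $EXTIP to 204.151.43.203 and $SECUREHOST to 206.168.220.51 is assumed from the log line; the service ports and $UNPRIVPORTS follow the ipchains -L listing.

```python
import re
from collections import namedtuple
# Assumed mapping of the script's variables to the addresses in the log line
# (the log carries IPs; the ipchains -L listing carries hostnames).
EXTIP = "204.151.43.203"
SECUREHOST = "206.168.220.51"
SERVICES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "shell": 514}
ANY = (0, 65535)             # rule gives no port
UNPRIVPORTS = (1024, 65535)  # as ipchains -L shows it
Rule = namedtuple("Rule", "chain src sport dst dport")  # ports: inclusive (low, high)
# The eight ACCEPT rules from the post (all -p tcp, i.e. the log's PROTO=6), in chain order.
RULES = (
    [Rule("input", SECUREHOST, ANY, EXTIP, (p, p)) for p in SERVICES.values()]
    + [Rule("output", EXTIP, (p, p), SECUREHOST, UNPRIVPORTS) for p in SERVICES.values()]
)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_packet_log(line):
    """Pull chain, addresses and ports out of an ipchains 'Packet log:' line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line")
    d = m.groupdict()
    for key in ("proto", "sport", "dport"):
        d[key] = int(d[key])
    return d

def mismatches(pkt, rule):
    """Names of the packet fields that stop rule from matching (empty list = match)."""
    checks = {
        "chain": rule.chain == pkt["chain"],
        "src": rule.src == pkt["src"],
        "dst": rule.dst == pkt["dst"],
        "sport": rule.sport[0] <= pkt["sport"] <= rule.sport[1],
        "dport": rule.dport[0] <= pkt["dport"] <= rule.dport[1],
    }
    return [name for name, ok in checks.items() if not ok]

def first_match(pkt, rules=RULES):
    """First rule that accepts pkt, or None: the packet falls through to the chain policy."""
    return next((r for r in rules if not mismatches(pkt, r)), None)

# The rejected packet from the post, re-joined onto one line (copied from the post, not captured here).
LOGGED = ("Sep 5 01:50:00 celerity kernel: Packet log: output REJECT ppp0 PROTO=6 "
          "204.151.43.203:1023 206.168.220.51:514 L=60 S=0x00 I=13684 F=0x0000 T=64 SYN (#98)")
```

For the logged packet first_match() returns None, and mismatches() against the output "shell" rule reports both sport (1023 is not 514) and dport (514 is not within 1024:65535), which is why no output ACCEPT rule catches it.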