Here is the layout:

<172.17.201.0>------<router c2500>--<t1-circuit>---<router c7206>-----<172.20.0.0>----<masq (2.2x)>----<INTERNET>

PCs on the 172.20 network can access the internet fine.
PCs on the 172.17.201 network cannot.
I can ping the masq box from the 172.17.201 network - no problem.
I can ping the 172.17.201 network from the masq box - no problem.

Here is my ipchains script:

#
# eth0 is the internal interface (good) (172.20 address)
# eth1 is the external interface (bad) (REAL IP ADDRESS)
#
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
echo 1 > /proc/sys/net/ipv4/ip_forward
#
ipchains -F
# user-defined chains must exist before any rule can jump to them;
# flush and delete leftovers from an earlier run, then recreate them
ipchains -X
ipchains -N good-bad
ipchains -N bad-good
ipchains -N good-if
ipchains -N bad-if
ipchains -N icmp-acc
# (icmp-acc has no rules in this script; an empty chain just returns to the caller)
#
# in the forward chain, -i matches the OUTGOING interface
ipchains -A forward -s 172.20.0.0/16 -i eth1 -j good-bad
ipchains -A forward -s 172.17.201.0/24 -i eth1 -j good-bad
ipchains -A forward -i eth0 -j bad-good
ipchains -A forward -j DENY -l
#
ipchains -A good-bad -j MASQ
ipchains -A bad-good -j REJECT
#
##########################
# Access to firewall box itself
##########################
#
ipchains -A input -d 172.20.100.203 -j good-if
ipchains -A input -d 63.66.240.106 -j bad-if
#
ipchains -A bad-if -i ! eth1 -j DENY -l
# 61000:65095 is the port range the 2.2 masquerading code rewrites sources into
ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A bad-if -j icmp-acc
ipchains -A bad-if -j DENY
#
ipchains -A good-if -i ! eth0 -j DENY
ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A good-if -p TCP --dport 23 -j ACCEPT
ipchains -A good-if -j icmp-acc
ipchains -A good-if -j DENY -l
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
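A way to reason about the post above without touching the real box, as an added example that is not part of the original message: the script below models the forward chain exactly as the posted ipchains rules build it, plus the one thing that runs before the forward chain and is switched on by the script, strict reverse-path filtering (rp_filter=1, which in a 2.2 kernel drops the packet in the routing decision, so no forward rule ever logs it). The interface names and rules come from the post; the two routing tables and the sample packets are constructed for the model, since the post does not show the masq box's routes. The lesson it shows is that the forward rules do cover 172.17.201.0/24, so if that network's packets disappear, the check to make is whether the box's route back to 172.17.201.0/24 points at eth0 (the interface the packets arrive on) or falls through to the default route on eth1.

```python
import ipaddress

# Routing tables for the masq box, CONSTRUCTED for this model (the post does
# not show the real one).  Each entry is (destination network, outgoing interface).
ROUTES_WITH_STATIC = [
    ("172.20.0.0/16", "eth0"),
    ("172.17.201.0/24", "eth0"),   # static route via the c7206, reachable on eth0
    ("0.0.0.0/0", "eth1"),         # default route towards the Internet
]
ROUTES_WITHOUT_STATIC = [
    ("172.20.0.0/16", "eth0"),
    ("0.0.0.0/0", "eth1"),         # 172.17.201.0/24 now matches only the default route
]

# The forward chain as the posted script builds it.  In ipchains the -i option
# of a forward rule matches the OUTGOING interface; None means "any".
FORWARD_CHAIN = [
    ("172.20.0.0/16", "eth1", "good-bad"),
    ("172.17.201.0/24", "eth1", "good-bad"),
    (None, "eth0", "bad-good"),
    (None, None, "DENY"),
]
# The posted user chains each hold a single terminating rule.
USER_CHAINS = {"good-bad": "MASQ", "bad-good": "REJECT"}


def lookup_route(routes, dst):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def rp_filter_passes(routes, src, in_iface):
    """Strict reverse-path check (rp_filter=1): the route back to the source
    must use the interface the packet arrived on.  On a 2.2 kernel a failure is
    a silent drop in the routing decision; the forward chain never sees the packet."""
    return lookup_route(routes, src) == in_iface


def forward_verdict(src, out_iface):
    """Walk the forward chain top to bottom and resolve user-chain jumps."""
    s = ipaddress.ip_address(src)
    for net, iface, target in FORWARD_CHAIN:
        if net is not None and s not in ipaddress.ip_network(net):
            continue
        if iface is not None and iface != out_iface:
            continue
        return USER_CHAINS.get(target, target)
    return "ACCEPT"  # the script leaves the forward chain's default policy alone


def trace(routes, src, dst, in_iface):
    """Path of one forwarded packet: reverse-path check, route lookup, forward chain."""
    if not rp_filter_passes(routes, src, in_iface):
        return "DROPPED by rp_filter on " + in_iface
    return forward_verdict(src, lookup_route(routes, dst))


if __name__ == "__main__":
    # CONSTRUCTED sample packets: one host on each internal network talking to a
    # public address (198.51.100.7 is documentation space), arriving on eth0.
    for routes, label in ((ROUTES_WITH_STATIC, "with static route"),
                          (ROUTES_WITHOUT_STATIC, "without static route")):
        for src in ("172.20.5.5", "172.17.201.9"):
            print(f"{label:21} {src:14} -> {trace(routes, src, '198.51.100.7', 'eth0')}")
    # An unsolicited packet from the Internet towards the inside hits bad-good.
    print("unsolicited inbound   ->", trace(ROUTES_WITH_STATIC, "198.51.100.7", "172.20.5.5", "eth1"))
```

Both internal sources reach MASQ when a route to 172.17.201.0/24 exists on eth0; with only the default route, the 172.17.201.9 packet is dropped by the reverse-path check before any rule in the script can log it, which is why a DENY -l rule that never fires is not proof that the firewall rules accepted the traffic.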
