/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

Paul Rabinowitz wrote:
> here is the layout:
>
> <172.17.201.0>------<router c2500>--<t1-circuit>---<router c7206>
> -----<172.20.0.0>----<masq (2.2x)>----<INTERNET>
>
> PCs on the 172.20 network can access the internet fine
> PCs on the 172.17.201 network cannot
>
> I can ping the masq box from the 172.17.201 network - no problem
> I can ping the 172.17.201 network from the masq box - no problem
>
> here is my ipchains script:
> #
> # eth0 is the internal interface (good) (172.20 address)
> # eth1 is the external interface (bad) (REAL IP ADDRESS)
> #
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
> echo 1 > /proc/sys/net/ipv4/ip_forward
> #
> ipchains -F
> ipchains -A forward -s 172.20.0.0/16 -i eth1 -j good-bad
> ipchains -A forward -s 172.17.201.0/24 -i eth1 -j good-bad
> ipchains -A forward -i eth0 -j bad-good
> ipchains -A forward -j DENY -l
> #
> ipchains -A good-bad -j MASQ
> ipchains -A bad-good -j REJECT
> #
> ##########################
> # Access to firewall box itself #
> ##########################
> #
> ipchains -A input -d 172.20.100.203 -j good-if
> ipchains -A input -d 63.66.240.106 -j bad-if
> #
> ipchains -A bad-if -i ! eth1 -j DENY -l
> ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
> ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
> ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
> ipchains -A bad-if -j icmp-acc
> ipchains -A bad-if -j DENY
> #
> ipchains -A good-if -i ! eth0 -j DENY
> ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
> ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
> ipchains -A good-if -p TCP --dport 23 -j ACCEPT
> ipchains -A good-if -j icmp-acc
> ipchains -A good-if -j DENY -l

Looks OK except for the lack of user chain creation (-N) commands. I'll assume you just left them out of the message for brevity.

What do the packets look like when you try to get out from the 172.17.201 network? Do a "tcpdump -i eth0" and a "tcpdump -i eth1". Do any packet log messages appear in /var/log/messages when you try this?

raf

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
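When the "-l" rules above log a denied packet to /var/log/messages, the line identifies the chain, the target and the rule number that matched, which answers raf's last question directly. The following script is an added example, not part of the thread; it parses the kernel 2.2 ipchains "Packet log:" line shape (an assumption about the exact field order) over constructed sample lines and counts which chain and rule are denying traffic from a given source subnet.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed ipchains (kernel 2.2) "-l" log layout:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+).*\(#(?P<rule>\d+)\)"
)

# Constructed sample log excerpt (subnets from the thread, documentation IPs elsewhere).
SAMPLE_LOG = """\
Mar  3 10:01:02 masq kernel: Packet log: forward DENY eth1 PROTO=6 172.17.201.5:1025 203.0.113.10:80 L=60 S=0x00 I=12345 F=0x4000 T=63 SYN (#4)
Mar  3 10:01:03 masq kernel: Packet log: forward DENY eth1 PROTO=1 172.17.201.5:8 203.0.113.10:0 L=84 S=0x00 I=12346 F=0x0000 T=63 (#4)
Mar  3 10:01:05 masq kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.9:4321 63.66.240.106:23 L=60 S=0x00 I=7 F=0x4000 T=50 SYN (#6)
Mar  3 10:01:06 masq kernel: Packet log: forward DENY eth1 PROTO=6 172.20.5.5:1026 203.0.113.10:80 L=60 S=0x00 I=12347 F=0x4000 T=63 SYN (#4)
Mar  3 10:01:07 masq kernel: unrelated message that must be ignored
"""


def parse_packet_logs(text):
    """Return one dict per ipchains packet-log line; other lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LOG_RE.search(line))]


def denied_by_source(text, net):
    """Count (chain, rule number) pairs that DENY/REJECT packets sourced from net."""
    net = ip_network(net)
    hits = Counter()
    for rec in parse_packet_logs(text):
        if rec["target"] in ("DENY", "REJECT") and ip_address(rec["src"]) in net:
            hits[(rec["chain"], int(rec["rule"]))] += 1
    return hits


if __name__ == "__main__":
    for (chain, rule), n in denied_by_source(SAMPLE_LOG, "172.17.201.0/24").items():
        print(f"{n} packet(s) from 172.17.201.0/24 denied in chain {chain} by rule #{rule}")
```

Run it against the real /var/log/messages with the subnet that cannot get out; a hit on the forward chain's final DENY means the packet never matched the good-bad rule, while no hits at all mean the packet is not reaching the masq box's forward chain and the tcpdump on eth0 is the next place to look.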
