/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
Well, as you might guess, this is another newbie who is trying to set
up your basic gateway/firewall, and has
1) spent a week reading the HOWTOs and TFM pages, to no avail.
2) dug around in the archive, also to no avail.
However:
3) I got masq to work by making the "common mistake" that the HOWTO
warns against.
Here's the output of "sh -x rc.firewall" that works:
+ /sbin/depmod -a
+ /sbin/modprobe ip_masq_ftp
+ echo 1
+ echo 1
+ echo 1
+ /sbin/ipchains -F input
+ /sbin/ipchains -F output
+ /sbin/ipchains -F forward
+ /sbin/ipchains -M -S 7200 10 160
+ /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
+ /sbin/ipchains -P forward MASQ
+ /sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ
That next-to-last line had been as recommended by the HOWTO:
+ /sbin/ipchains -P forward DENY
This utterly fails, and blocks all traffic from the internal network
to the Internet. I spent a week assuming that I was doing something
wrong, checking everything, following the HOWTOs line by line, and
coming up with no other conclusion but "It oughta work." After a week
of this frustration, I decided, what the hell, I'll try the "common
mistake" and see what happens.
I changed the "DENY" to "MASQ", and instantly everything worked.
I'd conclude from this that my kernel setup isn't screwed up; it
works as it's supposed to. The masq module is there, the relevant
variables are set to 1 like they should be, and so on. Also, all the
hardware is set up correctly, since the messages do now pass through
like they're supposed to and all the right LEDs light up. The silly
Windows machines are correctly configured, since they now talk to the
outside world like they're supposed to. I've got all the addresses
and netmasks etc set up right, since they work as they're supposed
to. It looks like everything is configured right, since with this
ipchains script everything works smoothly. But according to the
HOWTO, it should work with "DENY".
I can verify that it's those four letters "MASQ" and "DENY" that are
the critical difference. If I change them, I can switch all the
masquerading on and off at will.
The HOWTO says that using "MASQ" here is wrong, but it's the only way
I can make it work. I'd love to make things more secure, but first it
seems like I need to learn why this basic case fails when I do it
like the HOWTO says I should do it.
This has gotta be a FAQ. If it's covered somewhere in the HOWTO or
man pages or archive, how might I have found it when I was looking? I
don't seem to be able to guess any keywords that work. When I tell
the archive to look for "ipchains -P forward masq" it says there are
no matches. "ipchains forward masq" gets lots of matches, but none of
them seem to be relevant.
This is on a valinux machine that seems to be running 2.2.12 and/or
2.2.13 plus some set of patches that are mostly security related,
though I wouldn't pretend to understand what they're about. Upgrading
to the latest release is probably a task that should wait until I
have some sort of handle on the low-level "masq for dummies" level
and can make it do roughly what I want.
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
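The following is an added example, not the poster's rc.firewall and not code from the HOWTO or the list: an ipchains masquerading script laid out the way the IP Masquerade HOWTO recommends, with the forward policy left at DENY and one explicit MASQ rule for the internal network. It assumes (the post does not say) that eth0 is the external interface, since the DHCP-client rule in the trace is on eth0, that eth1 is the internal one, and that the LAN is 192.168.1.0/24. The point it illustrates is an ipchains(8) rule: "-i" on a forward-chain rule matches the interface the packet will be sent out on, so a MASQ rule has to name the external interface. The helper names (forward_rules, check_masq_iface, kernel_setup, apply_rules) and the MASQIF/EXTIF/INTIF/INTNET variables are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: a HOWTO-shaped ipchains
# masquerading script that keeps "-P forward DENY" and masquerades the
# internal network with one explicit rule.
#
# Assumptions (the post does not say which interface faces where):
#   - eth0 is the external interface (the post's DHCP-client rule is on eth0),
#   - eth1 is the internal interface, on 192.168.1.0/24.
# In ipchains, "-i" on a forward-chain rule matches the interface the packet
# will be SENT out on (ipchains(8)), so the MASQ rule must name the external
# interface.  Written with "-i eth1" it never matches outbound LAN traffic;
# with the policy at DENY that traffic is dropped, and with the policy at
# MASQ everything is masqueraded whether or not the rule matches.
set -e

EXTIF="${EXTIF:-eth0}"                   # assumed external interface
INTIF="${INTIF:-eth1}"                   # assumed internal interface
INTNET="${INTNET:-192.168.1.0/24}"       # assumed internal network
MASQIF="${MASQIF:-$EXTIF}"               # interface used on the MASQ rule
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"   # IPCHAINS=echo prints instead of applying

# Emit the forward-chain rules, one per line, for the interface on the MASQ
# rule ($1) and the internal network ($2), without applying them.
forward_rules() {
    printf '%s\n' \
        "-P forward DENY" \
        "-A forward -i $1 -s $2 -j MASQ"
}

# Guard against the mistake discussed in the post: $1 is the interface on the
# MASQ rule, $2 the external interface, $3 the internal one.  Returns 1 (with
# a message on stderr) if the rule names the internal interface, because such
# a rule can never match a packet leaving through the external interface.
check_masq_iface() {
    if [ "$1" = "$3" ]; then
        echo "MASQ rule uses internal interface $1; forward-chain -i is the" \
             "outgoing interface, so it must be $2" >&2
        return 1
    fi
    [ "$1" = "$2" ]
}

# Kernel side, as in the post's trace.  The trace shows three "echo 1" lines
# but sh -x does not print their redirection targets; ip_forward is the one
# masquerading cannot work without, so only that one is spelled out here.
kernel_setup() {
    /sbin/depmod -a
    /sbin/modprobe ip_masq_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

apply_rules() {
    check_masq_iface "$MASQIF" "$EXTIF" "$INTIF"
    $IPCHAINS -F input
    $IPCHAINS -F output
    $IPCHAINS -F forward
    $IPCHAINS -M -S 7200 10 160
    # DHCP-client replies on the external interface, as in the post.
    $IPCHAINS -A input -j ACCEPT -i "$EXTIF" -s 0/0 67 -d 0/0 68 -p udp
    forward_rules "$MASQIF" "$INTNET" | while read -r rule; do
        # $rule is deliberately unquoted so it splits into arguments.
        $IPCHAINS $rule
    done
}

# Usage:  sh rc.firewall all                  (kernel setup + rules, as root)
#         sh rc.firewall rules                (rules only)
#         IPCHAINS=echo sh rc.firewall rules  (dry run: print the commands)
#         MASQIF=eth1 IPCHAINS=echo sh rc.firewall rules  (shows the guard firing)
case "${1:-}" in
    all)   kernel_setup; apply_rules ;;
    rules) apply_rules ;;
esac
```

Run it with IPCHAINS=echo first to see exactly which ipchains commands it would issue; with the default MASQIF the forward chain ends up as "-P forward DENY" plus "-A forward -i eth0 -s 192.168.1.0/24 -j MASQ", and setting MASQIF=eth1 makes check_masq_iface refuse to apply the rules instead of silently producing a chain that drops everything.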