/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
John Chambers wrote:
> Well, as you might guess, this is another newbie who is trying to set
> up your basic gateway/firewall, and has
>
> 1) spent a week reading the HOWTOs and TFM pages, to no avail.
> 2) dug around in the archive, also to no avail.
>
> However:
>
> 3) I got masq to work by making the "common mistake" that the HOWTO
> warns against.
>
> Here's the output of "sh -x rc.firewall" that works:
>
> + /sbin/depmod -a
> + /sbin/modprobe ip_masq_ftp
> + echo 1
> + echo 1
> + echo 1
> + /sbin/ipchains -F input
> + /sbin/ipchains -F output
> + /sbin/ipchains -F forward
> + /sbin/ipchains -M -S 7200 10 160
> + /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
> + /sbin/ipchains -P forward MASQ
> + /sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ
>
> That next-to-last line had been as recommended by the HOWTO:
>
> + /sbin/ipchains -P forward DENY
>
> This utterly fails, and blocks all traffic from the internal network
> to the Internet. I spent a week assuming that I was doing something
> wrong, checking everything, following the HOWTOs line by line, and
> coming up with no other conclusion but "It oughta work." After a week
> of this frustration, I decided, what the hell, I'll try the "common
> mistake" and see what happens.
>
> I changed the "DENY" to "MASQ", and instantly everything worked.
that must mean that the rule you add to the forward chain
doesn't match the packets that you think it should match.
otherwise they'd get masqueraded and you'd be happy.
/sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ
so either your internal network is not 192.168.1.0/24
or the external interface is not eth1 (is it ppp0?)
also note that you don't need the "ipchains -A input ..."
command because you are leaving your input policy as ACCEPT
so there's no need to write any accept rules.
also note that the best way to clean up the rules is:
ipchains -F
ipchains -X
which flushes all chains, and then deletes any user chains
(but you don't need that).
do not leave your rules the way they are. currently, you are
allowing anyone to forward packets through your host and
those packets will be masqueraded to look like they came
from your masquerading host.
raf
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
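Added worked example (not part of the original thread, and not raf's or John's code): a small Python model of how ipchains walks the forward chain, so the three rulesets discussed above can be compared side by side. Rules are tried in order, the first match wins, and the chain policy is only consulted when nothing matched. On the forward chain, -i names the interface the packet is about to go *out* of, which is why the external interface matters. The ppp0 uplink is raf's guess, not something confirmed on the list, and the host addresses (192.168.1.10, 203.0.113.5) are constructed sample traffic.

```python
"""
Model of ipchains forward-chain evaluation: first matching rule decides,
chain policy applies only if no rule matched.  On the forward chain the
-i option matches the interface the packet will be sent out of.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One 'ipchains -A forward ...' line."""
    target: str                      # -j MASQ / ACCEPT / DENY
    out_iface: Optional[str] = None  # -i (output interface on the forward chain)
    src: Optional[str] = None        # -s network in CIDR form


@dataclass
class Chain:
    policy: str                      # set with 'ipchains -P forward <policy>'
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Packet:
    src: str        # source address of the packet being forwarded
    out_iface: str  # interface the routing table picked for it


def forward_verdict(chain: Chain, pkt: Packet) -> str:
    """Return the target of the first matching rule, else the chain policy."""
    for rule in chain.rules:
        if rule.out_iface is not None and rule.out_iface != pkt.out_iface:
            continue
        if rule.src is not None and (
            ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src)
        ):
            continue
        return rule.target
    return chain.policy


LAN = "192.168.1.0/24"
MASQ_LAN_VIA_ETH1 = Rule("MASQ", out_iface="eth1", src=LAN)

# The poster's "it works" ruleset: policy MASQ plus the HOWTO rule.
POSTER_WORKING = Chain(policy="MASQ", rules=[MASQ_LAN_VIA_ETH1])

# The HOWTO ruleset exactly as typed: policy DENY, same rule.
HOWTO_AS_TYPED = Chain(policy="DENY", rules=[MASQ_LAN_VIA_ETH1])

# The HOWTO ruleset with the rule pointed at the real uplink.
# Assumption (raf's guess, not confirmed on the list): the uplink is ppp0.
HOWTO_FIXED = Chain(policy="DENY", rules=[Rule("MASQ", out_iface="ppp0", src=LAN)])

# Constructed sample traffic; the routing table sends both out ppp0.
INTERNAL_HOST = Packet(src="192.168.1.10", out_iface="ppp0")
OUTSIDER = Packet(src="203.0.113.5", out_iface="ppp0")  # not on the LAN at all


def compare_rulesets():
    """(verdict for internal host, verdict for outsider) per ruleset."""
    cases = {
        "poster_working": POSTER_WORKING,
        "howto_as_typed": HOWTO_AS_TYPED,
        "howto_fixed": HOWTO_FIXED,
    }
    return {
        name: (forward_verdict(c, INTERNAL_HOST), forward_verdict(c, OUTSIDER))
        for name, c in cases.items()
    }


if __name__ == "__main__":
    for name, (lan, outsider) in compare_rulesets().items():
        print(f"{name:15s} internal host -> {lan:5s} outsider -> {outsider}")
```

The model reproduces the thread: with the rule bound to eth1 while traffic leaves via ppp0, the rule never matches, so the verdict is always the policy. Policy DENY drops the LAN's traffic (the week of frustration); policy MASQ masquerades the LAN's traffic and also anything else the box is asked to forward, which is raf's warning. Only the fixed rule plus policy DENY masquerades 192.168.1.0/24 and denies the rest. On the real box the equivalent check is `ipchains -L forward -v -n`: if the packet counter on the MASQ rule stays at zero while the LAN tries to reach the Internet, the rule is not matching, and `route -n` shows which interface the default route actually uses.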