/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

Okay, I've read through various howtos and examples and I think I've got this configured right, but I'm still experiencing a strange problem. I'm running RedHat 6.2 with the 2.2.19 kernel installed. Masquing works fine in that any internal machines can see the outside world. The Linux box can ping the outside world fine as well. The other machines can ping the Linux box, but the Linux box cannot ping the inside machines or itself very well. If I leave ping going long enough I seem to get some packets through, but with like 85% or more loss. Whereas if I ping the Linux box from a Windows 2k box I get no packet loss, so I don't think it's a physical network problem. I went through my rules and it seems okay; anyone have any ideas what I might be overlooking? Here is my edited start up script (IP addresses changed). Any thoughts or suggestions will be greatly appreciated.
#!/bin/sh
#
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# LOAD all required IP MASQ Modules
# Needed to initially load modules
/sbin/depmod -a
# FTP
/sbin/modprobe ip_masq_ftp

# ENABLE IP FORWARDING
echo "1" > /proc/sys/net/ipv4/ip_forward
# Enable auto defragging
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

# Set Variables for firewall rules
# External IP Address
extip="192.168.10.1"    ### THIS IS CHANGED, IT IS REALLY A REAL IP ADDRESS
# External Interface Name
extint="eth0"
# Internal IP Network
intnet="192.168.1.0/24"
intint="eth1"

# MASQ Timeouts
# 2 hours for tcp sessions
# 10 sec for traffic after the tcp/ip FIN packet is received
# 60 sec for UDP traffic
ipchains -M -S 7200 10 60

#### BEGIN FIREWALL RULES ####

# First flush and set default to deny
ipchains -F input
ipchains -P input REJECT
echo "Input Rules"
# local interface, local machine going anywhere is valid
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
# remote interface claiming to be local machines: IP spoofing, get lost
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# remote interface, any source going to external ip is valid
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
# loopback interface is valid
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch all rule: all other incoming is denied and logged
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

# Outgoing flush and set default
ipchains -F output
ipchains -P output REJECT
echo "output"
# local interface, any source going to local net is valid
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
# outgoing to local net on remote interface: stuffed routing, deny
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
# outgoing from local net on remote interface: stuffed masq, deny
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
# anything else outgoing on remote interface is valid
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch all rule: all other is denied and logged
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

echo "Forwarding"
## Forwarding flush and set default policy of deny
ipchains -F forward
ipchains -P forward DENY
#
#
ipchains -A forward -s $intnet -d $intnet -j ACCEPT
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
# catch all rule: all other forwarding is denied and logged.
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT

echo "All Done"

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
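As an added example (not part of the post, and not the poster's script), the following Python walks the three ipchains chains from the script above against a handful of constructed packets, the way one does by hand when checking which rule a packet hits. It models only what those rules match on (interface, source, destination); protocol and port matching, the -M timeouts and masquerade state are out of scope. The external address 192.168.10.1 is the placeholder the poster substituted; the box's eth1 address (192.168.1.1), the inside host (192.168.1.5, 192.168.1.7) and the outside host (198.51.100.9) are assumed sample values.

```python
"""First-match-wins walk of the ipchains input/output/forward chains from
the posted script.  Added example, not the poster's code.  Addresses other
than the poster's placeholders are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Rule:
    iface: Optional[str]            # None stands for "no -i given" (any interface)
    src: ipaddress.IPv4Network      # -s
    dst: ipaddress.IPv4Network      # -d
    target: str                     # -j ACCEPT / REJECT / DENY / MASQ
    log: bool = False               # the -l flag

    def matches(self, iface, src, dst):
        return ((self.iface is None or self.iface == iface)
                and src in self.src and dst in self.dst)


EXTIP, EXTINT = net("192.168.10.1/32"), "eth0"   # poster's placeholder extip
INTNET, INTINT = net("192.168.1.0/24"), "eth1"

# (policy, rules) per chain, transcribed from the script in the posted order.
CHAINS = {
    "input": ("REJECT", [
        Rule(INTINT, INTNET, ANY, "ACCEPT"),
        Rule(EXTINT, INTNET, ANY, "REJECT", log=True),   # anti-spoofing
        Rule(EXTINT, ANY, EXTIP, "ACCEPT"),
        Rule("lo", ANY, ANY, "ACCEPT"),
        Rule(None, ANY, ANY, "REJECT", log=True),        # catch-all
    ]),
    "output": ("REJECT", [
        Rule(INTINT, ANY, INTNET, "ACCEPT"),
        Rule(EXTINT, ANY, INTNET, "REJECT", log=True),   # stuffed routing
        Rule(EXTINT, INTNET, ANY, "REJECT", log=True),   # stuffed masq
        Rule(EXTINT, EXTIP, ANY, "ACCEPT"),
        Rule("lo", ANY, ANY, "ACCEPT"),
        Rule(None, ANY, ANY, "REJECT", log=True),        # catch-all
    ]),
    "forward": ("DENY", [
        Rule(None, INTNET, INTNET, "ACCEPT"),
        Rule(EXTINT, INTNET, ANY, "MASQ"),
        Rule(None, ANY, ANY, "REJECT", log=True),        # catch-all
    ]),
}


def walk(chain, iface, src, dst):
    """Return (verdict, rule_index, logged) for one packet on one chain.
    rule_index is None when no rule matched and the chain policy decided."""
    policy, rules = CHAINS[chain]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        if rule.matches(iface, s, d):
            return rule.target, i, rule.log
    return policy, None, False


if __name__ == "__main__":
    # Constructed sample traffic: 192.168.1.1 is assumed to be the box's eth1
    # address, 192.168.1.5/.7 inside hosts, 198.51.100.9 an outside host.
    cases = [
        ("box pings an inside host",        "output",  "eth1", "192.168.1.1",  "192.168.1.5"),
        ("inside host replies",             "input",   "eth1", "192.168.1.5",  "192.168.1.1"),
        ("outside packet forging inside src", "input", "eth0", "192.168.1.7",  "192.168.10.1"),
        ("inside host to the Internet",     "forward", "eth0", "192.168.1.5",  "198.51.100.9"),
        ("unsolicited outside to inside",   "forward", "eth0", "198.51.100.9", "192.168.1.5"),
    ]
    for label, chain, iface, src, dst in cases:
        verdict, idx, logged = walk(chain, iface, src, dst)
        where = "policy" if idx is None else f"rule {idx}"
        tag = ", logged" if logged else ""
        print(f"{label:36s} {chain:8s} -> {verdict} ({where}{tag})")
```

Run as a script it prints one line per packet. The walk shows the box's own ICMP to an inside host matching the first ACCEPT in both `output` and `input`, the forged inside source arriving on eth0 hitting the logged anti-spoofing REJECT, and the unsolicited outside-to-inside packet falling through to the logged forward catch-all; rules flagged `-l` write to the kernel log, which is where to look for drops this ruleset is responsible for.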
