/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! /* ALSO: Don't quote this header. It makes you look lame :-) */

I'm trying to convert a Mandrake 8.1 box from being a workstation that sits behind a firewall into a firewall and NAT router for a bunch of Windows and Linux boxes to access the Internet over a single ISDN line.

So far I've managed to get it to recognise its ISDN card and connect to the net without a firewall via ippp0. So far, so good !

The household LAN is on a 192.168.x.x subnet and hangs off eth0. I also have some virtual machines that hang off some virtual interfaces and share the 192.168.x.x address space.


Firewall issues --->

I want to set up a firewall and figured I'd use the built in GUI tools:

K -> Configuration -> Networking -> Netconf

I take the server tasks tab and click on Internet Services which takes me to Basic Services.

In Basic Services I can choose Internet Firewall and Masquerade.

This indicates that the firewall daemon is active, and allows it to poll once, ten or a hundred times a second. ( What does it poll and why ?? )

In Internet it correctly identifies the Internet interface as ippp0.
( Actually if I'm not connected it may fail to do this ! - Is there a way to get it to retain some understanding of how to get to the net when it's not connected ? )

I can select what look like some appropriate TCP and UDP services for the firewall to pass..

Having configured the firewall with the GUI, it builds firewall.sh in /etc/heimdall and this uses ipchains to effect its configuration.

Quitting Netconf doesn't seem to restart the firewall daemon, so I've tried killing it and restarting it by hand. When I do this I get the message:

"ipchains: Protocol not available"

Any idea what this usually indicates ? Is the script generated by the GUI compatible with supplied 2.4.8 kernel ?

I see on http://ipmasq.cjb.net/ the wording

"Please note that IPCHAINS is no longer the primary
firewall configuration tool for the 2.4.x kernels. The new kernels
now use the IPTABLES toolkit though the new 2.4.x kernels CAN
still read and enable old IPCHAINS or IPFWADM rulesets via a
compatibility module".

I guess I could go off and chase this compatibility module, but before I do, I thought I'd ask if I'd missed anything obvious, or if I'd be better off forgetting the GUI, which seems broken in other ways, and using some other tools for this.


Masquerade issues --->

I want to use masquerade on my Internet ippp0 interface but not on the others, which are either the in-house LAN or virtual LANs belonging to VMware.

At first, all the interfaces stated "Masquerade network No" except Internet, which didn't say. I wondered if that indicated that the Internet interface is masquerading ? In Basic Information it says "Kernel IP forward No" but offered no way to turn it on that I can see. I assumed I need to turn this on somehow, as when I Accepted the configuration I got a warning saying:

"Forwarding of IP traffic is not active in the Kernel. This is not
necessary for the firewall, but you may not reach the Internet from
a local network."


Is it ever sensible to have masquerading enabled without kernel IP forwarding ? Is there any non-kernel IP forwarding ?

Having messed with the configuration some more, and without knowingly having caused the changes, I now find that in Basic Information it says

"Kernel IP forward Yes"

and

"Kernel dynamic IP Yes"

which is odd as I don't use or want to use any dynamic IP addresses.

Further, all the interfaces apart from Internet now state

"Masquerade network Yes"

which seems odd because, as I understand it, I only want to masquerade the Internet ippp0 interface.


I'm beginning to think the GUI has a mind of its own.


Am I better off editing the configuration files by hand ? If so what's the best file by file How-To ?

Is there a better tool for generating the firewall rules with 2.4 kernels ? I've used PM Firewall in the past, but I don't know if there is something better for Mandrake 8.1 ?


Cheers, J/.
--
John Beardmore
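As an added example (not the poster's Netconf-generated firewall.sh, and not anything shipped with Mandrake 8.1), here is what "masquerade the ISDN interface only, with kernel forwarding on" looks like written directly for iptables, the toolkit the quoted ipmasq.cjb.net text recommends for 2.4 kernels. "ipchains: Protocol not available" on a 2.4 kernel means the ipchains compatibility module is not loaded, and that module cannot be loaded alongside iptables, so this script assumes a netfilter-capable kernel with iptables installed and no ipchains module. The interface names (ippp0, eth0, and an assumed VMware host-only interface vmnet1) and the 192.168.0.0/16 range are assumptions that can be overridden through the environment. The ruleset is built as text first so it can be reviewed before it is applied, and a small self-check confirms that only the WAN interface carries a MASQUERADE rule, which is exactly the property the Netconf GUI kept flipping.

```sh
#!/bin/sh
# Added example, not the original poster's firewall.sh or anything Netconf
# generates. Minimal iptables equivalent of "masquerade the ISDN link only"
# for a 2.4 kernel with netfilter support and the ipchains module NOT loaded.
# Interface and address values below are assumptions; override via environment.

WAN=${WAN:-ippp0}                        # ISDN interface the box dials out on
LAN_IFACES=${LAN_IFACES:-"eth0 vmnet1"}  # household LAN plus an assumed VMware host-only interface
LAN_NET=${LAN_NET:-192.168.0.0/16}       # the 192.168.x.x space shared by LAN and VMs

# DRY_RUN=1 prints each command instead of executing it, so the generated
# ruleset can be reviewed (or tested) on a machine without iptables.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Forwarding must be on in the kernel; without it MASQUERADE never sees a packet.
enable_forwarding() {
  run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Print the ruleset, one command per line. Kept separate from applying it so
# the output can be inspected: only $WAN gets a MASQUERADE rule.
build_rules() {
  # Start clean, default-deny for traffic to and through the box.
  echo "iptables -F"
  echo "iptables -t nat -F"
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # Anti-spoofing: private source addresses must never arrive from the ISDN side.
  echo "iptables -A INPUT -i $WAN -s $LAN_NET -j DROP"
  echo "iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP"
  # Replies to connections the box itself opened.
  echo "iptables -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Internal interfaces are trusted: they may talk to the box and go out via $WAN.
  for lan in $LAN_IFACES; do
    echo "iptables -A INPUT -i $lan -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $WAN -s $LAN_NET -j ACCEPT"
  done
  # Return traffic for masqueraded connections.
  echo "iptables -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # The single NAT rule: rewrite LAN sources only when leaving on $WAN.
  echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
}

# How many MASQUERADE rules name a given outgoing interface. Quick self-check
# that eth0 and the VMware interfaces did not pick up masquerading by accident.
masq_count() {
  build_rules | grep -c -- "-o $1 .*-j MASQUERADE" || true
}

apply_rules() {
  enable_forwarding
  build_rules | while read -r cmd; do
    # Word splitting of $cmd is intentional: each line is one iptables command.
    run $cmd
  done
}

# Run as "sh firewall.sh apply" (as root) to load the rules; with DRY_RUN=1
# it only prints them. Sourcing the file just defines the functions.
if [ "${1:-}" = apply ]; then
  apply_rules
fi
```

Review the output of `DRY_RUN=1 sh firewall.sh apply` before running it for real; the one line containing MASQUERADE should name ippp0 and nothing else, and the FORWARD chain should default to DROP so the VMware and LAN segments can only reach the Internet, not each other through the box, unless a rule explicitly says so.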
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.