On 15 Jan 99, at 0:01, benjamin j snyder wrote about
"[masq] getting close":
|...
| Which leads me to the other problem. it doesn't work. I am using the script
| in the ip_masquerading how to (section 4.4 of the how to?), although I have
| modified it somewhat. Here it is:
|
|
| #!/bin/sh
|... <comments snipped>
| ipfwadm -I -f
| ipfwadm -I -p deny
|
| # local interface, local machines, going anywhere is valid
| ipfwadm -I -a accept -V 192.168.60.69 -S 192.168.0.0/16 -D 0.0.0.0/0
|
| # remote interface, claiming to be local machines is invalid, deny
| ipfwadm -I -a deny -W eth0 -S 0.0.0.0/0
You broke this one. "-S 0.0.0.0/0" says source from *anywhere*, so
this rule will deny *all* incoming traffic on the remote interface.
| # remote interface, any source, going to roadrunner IP is fine
| ipfwadm -I -a accept -W eth0 -S 0.0.0.0/0 -D my.static.ip.addy/32
The previous rule already denied incoming, so this one does nothing.
| # loopback device is valid
| ipfwadm -I -a accept 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
What happened to the "-V" in front of 127.0.0.1?
| # here's the catch all, all other incoming i7.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
This line is munged.
| # here's the catch-all rule, all other is denied and logged
| ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
What happened to the flush and policy lines for output? Also, you
have *no* accept rules for output. This rule will deny *all* output,
so your box shouldn't be doing much talking to anybody. Unless some
un-flushed previous rule is accepting it...
| # forwarding, flush and set all to deny, which is useless
| # because of the catch-all
| ipfwadm -F -f
| ipfwadm -F -p deny
|
| # Masquerade from local net on local interface to anywhere
| ipfwadm -F -a masquerade -W tcp -S 192.168.0.0/16 -D 0.0.0.0/0
OK, but doesn't matter with output denied.
| # here's the catch-all rule, all others denied and logged
| ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
|
|...
| FYI, the linux box can telnet, ftp, use www etc, and can ping the local
| machines (and they can ping the linux box), but they can't see the outside
| world.
I'm surprised the local net communication is working.
|...
| Just in case, I am using RH5.0, with 2.0.36 kernel, and the ipfwadm that
| came in RH5.0 (sorry, don't know the version)
I'm looking at the howto that comes with RH5.2, not 5.0. But unless
the 5.0 version is pretty broken, it looks like you made a few too
many changes to it.
HTH...
- Fred Viles <mailto:[EMAIL PROTECTED]>
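As an added illustration of the rule-ordering problems Fred points out (a deny that matches everything on the remote interface, an accept behind it that can never fire, and an output chain with no accept rules), here is a small Python simulator. It is not code from the thread and does not run ipfwadm; it models the first-match semantics assumed here (rules are checked in order, the first match decides, the chain policy applies when nothing matches), covers only the -S/-D/-W/-V fields of the posted rules (the loopback and munged lines are left out), uses 203.0.113.10 as a constructed stand-in for "my.static.ip.addy", and assumes the local interface is named eth1.

```python
"""First-match simulator for an ipfwadm-style rule chain.

Added example, not code from the list thread. Assumed semantics: rules are
checked in order, the first matching rule decides, and the chain policy
applies when nothing matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "deny"
    src: str = ANY               # -S network
    dst: str = ANY               # -D network
    iface: Optional[str] = None  # -W name or -V address; None matches any interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface_name: str              # interface the packet arrives on / leaves by
    iface_addr: str              # address configured on that interface


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule covers the packet."""
    if rule.iface is not None and rule.iface not in (pkt.iface_name, pkt.iface_addr):
        return False
    return (ipaddress.ip_address(pkt.src) in _net(rule.src)
            and ipaddress.ip_address(pkt.dst) in _net(rule.dst))


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); index is None when the policy decides."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.action, i
    return policy, None


def _covers(wide: Rule, narrow: Rule) -> bool:
    """True if every packet that matches `narrow` also matches `wide`."""
    iface_ok = wide.iface is None or wide.iface == narrow.iface
    return (iface_ok
            and _net(narrow.src).subnet_of(_net(wide.src))
            and _net(narrow.dst).subnet_of(_net(wide.dst)))


def shadowed_rules(chain: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(chain))
            if any(_covers(chain[i], chain[j]) for i in range(j))]


STATIC_IP = "203.0.113.10"   # constructed stand-in for "my.static.ip.addy"
LOCAL_IF = "192.168.60.69"   # the -V address used in the posted script

# Input chain as posted (first three rules): the second rule has -S 0.0.0.0/0,
# so it denies everything arriving on eth0 and hides the accept after it.
POSTED_INPUT = [
    Rule("accept", src="192.168.0.0/16", iface=LOCAL_IF),
    Rule("deny", iface="eth0"),
    Rule("accept", dst=f"{STATIC_IP}/32", iface="eth0"),
]

# What the comment on that rule said it was for: deny only packets claiming a
# local source address when they arrive on the remote interface.
INTENDED_INPUT = [
    Rule("accept", src="192.168.0.0/16", iface=LOCAL_IF),
    Rule("deny", src="192.168.0.0/16", iface="eth0"),
    Rule("accept", dst=f"{STATIC_IP}/32", iface="eth0"),
]

# Output chain as posted: one deny, nothing accepting.
POSTED_OUTPUT = [Rule("deny")]

# Constructed sample packets.
REPLY_FROM_INTERNET = Packet("198.51.100.7", STATIC_IP, "eth0", STATIC_IP)
SPOOFED_LOCAL = Packet("192.168.1.5", STATIC_IP, "eth0", STATIC_IP)
LAN_TO_INTERNET = Packet("192.168.60.5", "198.51.100.7", "eth1", LOCAL_IF)

if __name__ == "__main__":
    print("posted input, reply from internet:", evaluate(POSTED_INPUT, "deny", REPLY_FROM_INTERNET))
    print("posted input, shadowed rules:", shadowed_rules(POSTED_INPUT))
    print("intended input, reply from internet:", evaluate(INTENDED_INPUT, "deny", REPLY_FROM_INTERNET))
    print("intended input, spoofed local source:", evaluate(INTENDED_INPUT, "deny", SPOOFED_LOCAL))
    print("posted output, LAN host going out:", evaluate(POSTED_OUTPUT, "deny", LAN_TO_INTERNET))
```

Running it shows the posted chain denying a reply to the static address at rule 1 and reporting rule 2 as unreachable, while the intended ordering accepts the reply and still drops a packet with a spoofed 192.168.x.x source on eth0; the posted output chain denies everything regardless of source, which is the other half of Fred's diagnosis. The `shadowed_rules` check is the kind of static review worth running over any first-match ruleset before loading it.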