IP Masq on Slackware 4.0

[krose at theory.lcs.mit.edu (Kyle Rose)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Phil <1918 at 1918.com> writes:

> Boy, what timing. I am having the exact same problem with RH6. I set up
> a small LAN (with Glen Burkhardt's help) over the weekend. All of the PC
> clients running Windows 9* can connect to the RH6 server to accomplish
> file sharing and print sharing services. The linux box I have is
> assigned the IP 192.168.1.100. All of the windows clients have
> 192.168.1.100 in as their gateway for their TCP/IP settings, and the DNS
> settings are set to use our ISP's nameservers.. I connect the linux box
> via PPP to our local ISP. After the connection is established, if I run
> ifconfig, I see eth0, lo, and ppp0, all seemingly up and running fine.
> 
> The problem comes trying to use ipchains to allow packet forwarding. I
> can't get it up and running. Is there anyone who has IPCHAINS actually
> doing any work? I' beat my head against the wall all day yesterday
> trying to get it to work. I have a feeling I;m missing something simple.
> 
> One the ppp connection is up I use:
> 
> ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
> and
> ipchains -A input -j ACCEPT -i ppp0 -s 192.168.1.0/24 -d 0.0.0.0/0

This last one seems to be saying that you are accepting packets on
interface ppp0 from 192.168.1.x for any desination.  As far as I can
tell, you would never get a packet from 192.168.1.x over ppp.
Your IP chains rules should be simply

ipchains -P forward DENY
(to deny packets as the default forward rule)

ipchains -A forward -s 192.168.1.0/24 -j MASQ
(to override the default when seeing packets from the 192.168.1.x
subnet)

You might want to add -i eth0 to the second rule to limit forwarded
packets to those from eth0; I'm not sure what kind of spoofing is
possible here.  Make sure you echo 1 > /proc/sys/net/ipv4/ip_forward
to turn on IP forwarding and, of course, make sure you're running
2.3.x, 2.2.x, or late 2.1.x to use ipchains; otherwise, use ipfwadm.

Kyle

- -- 
Kyle R. Rose                      "They can try to bind our arms,
Laboratory for Computer Science    But they cannot chain our minds
MIT NE43-309, 617-253-5883             or hearts..."
http://web.mit.edu/krr/www/                           Stratovarius
krose at theory.lcs.mit.edu                              Forever Free
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE3e5Va66jzSko6g9wRAj7tAJ9egXF4L2dSE9RPbQlX82IIhluLLACeLdV/
gEPy6nqvjs+eGHHsf/Q5SYU=
=lbp8
-----END PGP SIGNATURE-----
-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).