Fwd: Re: ipchains
Christian Fernandez
rek2 at screamdesign.com
Mon Apr 17 17:50:06 EDT 2000
---------- Forwarded Message ----------
Subject: Re: ipchains
Date: Mon, 17 Apr 2000 17:38:04 -0400
From: Christian Fernandez <rek2 at screamdesign.com>
Now that we are talking about ipchains....
I always used like an IP filtering firewall...
with masq.
Now I need to put some servers inside with real IPs, sure I use forwarding???
Sure I put another NIC card?
Thanks
On Mon, 17 Apr 2000, you wrote:
>
> Today, Peter Farrar gleaned this insight:
>
> > I'm not sure. I don't have any reference readily available. But I
> > believe the -P in '/sbin/ipchains -P forward DENY' is for Purge. So
> > everything preceding this line will be lost. Try putting this line in
> > the front of your script. Remember that your ipchains rules will be
> > executed in the order you declare them,
>
> No, that's not correct. The -P sets the default policy. The option you're
> thinking of is -F which flushes the ipchains tables.
>
> You should actually set the -P rules FIRST.
>
> > After upgrading to my dual CPU and having various problems I decided to
> > re-install RedHat 6.1. Well this solved all the problems except one. My
> > ipchains no longer work. The internal network appears fine (my Win95 box
> > can ping the internal card on the Linux box and see the samba shares).
> > I ran a few basic checks: the Linux machine can ping the Windows one,
> > the Win95 machine can ping the _internal_ network card on the Linux box,
> > and the Win95 machine cannot ping the _external_ network card on the Linux box.
>
> As far as ping goes, you need to make sure you've got ICMP forwarding
> built into your kernel. You probably need to rebuild your kernel. Does
> anything else work? Do you get errors from your script?
>
> >
> > eth0 is my external network card
> > 90.0.0.x is my internal network (that worked fine before the upgrade)
> > The kernel is 2.2.12-20smp
>
> You shouldn't use 90.0.0.x addresses. I don't know if they are currently
> assigned, but that is a real network on the internet. If you want to use a
> class A address range, use 10.X.X.X instead. BUT you probably will never
> need more than a class C, so I'd suggest using 192.168.somethingorother.
>
> > Here is the script, I don't see anything wrong with it.
>
> I dunno, it looks o.k., but I'm not very awake at the moment either...
>
> > --- begin include ---
> >
> > /sbin/depmod -a
> > /sbin/modprobe ip_masq_ftp
> > /sbin/modprobe ip_masq_raudio
> > /sbin/modprobe ip_masq_irc
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> > echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> >
> > /sbin/ipchains -M -S 7200 10 160
> > /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
> > /sbin/ipchains -P forward DENY
> > /sbin/ipchains -A forward -s 90.0.0.0/24 -j MASQ
>
>
> --
> PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
> ------------------------------------------------------
> Derek D. Martin | Unix/Linux Geek
> derekm at mediaone.net | derek at cerberus.ne.mediaone.net
> ------------------------------------------------------
>
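As an added example (not code from the thread), here is the quoted script reordered the way the reply recommends: flush the tables first, set the default policy next, then add the rules, since ipchains evaluates them in declaration order. The interface name, the private internal range and the IPCHAINS path are assumptions; pointing IPCHAINS at `echo` gives a dry run on a host without ipchains.

```shell
#!/bin/sh
# Added example: the thread's script in flush -> policy -> rules order.
# IPCHAINS, EXT_IF and INTERNAL_NET are assumed values, overridable from
# the environment; IPCHAINS=echo prints the commands instead of running them.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
EXT_IF="${EXT_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # private range, as suggested

# Print the rule set, one command per line, in the order it must be applied.
firewall_rules() {
    cat <<EOF
$IPCHAINS -F input
$IPCHAINS -F forward
$IPCHAINS -F output
$IPCHAINS -P forward DENY
$IPCHAINS -M -S 7200 10 160
$IPCHAINS -A input -j ACCEPT -i $EXT_IF -s 0/0 67 -d 0/0 68 -p udp
$IPCHAINS -A forward -s $INTERNAL_NET -j MASQ
EOF
}

# Ordering check: no flush (-F) after a policy or rule, and no policy (-P)
# after a rule (-A). Returns 0 when the sequence is correctly ordered.
rules_are_ordered() {
    firewall_rules | awk '
        /-F / { if (seen_p || seen_a) bad = 1 }
        /-P / { seen_p = 1; if (seen_a) bad = 1 }
        /-A / { seen_a = 1 }
        END   { exit bad ? 1 : 0 }'
}

# Apply the rules only if the ordering check passes.
apply_firewall() {
    rules_are_ordered || { echo "rule order is wrong, not applying" >&2; return 1; }
    firewall_rules | sh
}
```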