ipchains problem
Peter Farrar
pfarrar at learningco.com
Tue Apr 18 19:05:51 EDT 2000
Oops. Well, perhaps the ipchains -F should start the process. And I
agree the default should come before the rest of the chain.
______________________________ Reply Separator _________________________________
Subject: Re: ipchains problem
Author: Derek Martin <derek at cerberus.ne.mediaone.net> at INTERNET
Date: 04/17/2000 5:00 PM
Today, Peter Farrar gleaned this insight:
> I'm not sure. I don't have any reference readily available. But I
> believe the -P in '/sbin/ipchains -P forward DENY' is for Purge. So
> everything preceding this line will be lost. Try putting this line in
> the front of your script. Remember that your ipchains rules will be
> executed in the order you declare them.
No, that's not correct. The -P sets the default policy. The option you're
thinking of is -F which flushes the ipchains tables.
You should actually set the -P rules FIRST.
> After upgrading to my dual CPU and having various problems I decided to
> re-install RedHat 6.1. Well this solved all the problems except one. My
> ipchains no longer work. The internal network appears fine (my Win95 box
> can ping the internal card on the Linux box and see the samba shares).
> I ran a few basic checks. The Linux machine can ping the Windows one.
> The win95 machine can ping the _internal_ network card on the Linux box.
> The win95 machine cannot ping the _external_ network card on the Linux box.
As far as ping goes, you need to make sure you've got ICMP forwarding
built into your kernel. You probably need to rebuild your kernel. Does
anything else work? Do you get errors from your script?
>
> eth0 is my external network card
> 90.0.0.x is my internal network (that worked fine before the upgrade)
> The kernel is 2.2.12-20smp
You shouldn't use 90.0.0.x addresses. I don't know if they are currently
assigned, but that is a real network on the internet. If you want to use a
class A address range, use 10.X.X.X instead. BUT you probably will never
need more than a class C, so I'd suggest using 192.168.somethingorother.
> Here is the script, I don't see anything wrong with it.
I dunno, it looks o.k., but I'm not very awake at the moment either...
> --- begin include ---
>
> /sbin/depmod -a
> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_raudio
> /sbin/modprobe ip_masq_irc
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> /sbin/ipchains -M -S 7200 10 160
> /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -s 90.0.0.0/24 -j MASQ
--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
derekm at mediaone.net | derek at cerberus.ne.mediaone.net
------------------------------------------------------
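The ordering Derek describes (flush with -F, set the default policies with -P before anything else, then append the specific rules with -A, which ipchains matches in the order declared), written out as a complete script together with the private-address advice from the same reply. This is an added example, not the script posted in the thread: it keeps the poster's eth0 and DHCP rule, uses a 192.168.x range as the reply suggests, and adds an assumed dry-run convention (IPCHAINS=dry) plus an is_private check so the planned commands can be listed and order-checked on a machine without ipchains. The modprobe and ip_forward lines from the original script are assumed to have run already.

```shell
#!/bin/sh
# Added example, not the script from the thread. It applies the ordering from
# the reply: flush (-F) so a re-run starts clean, set default policies (-P)
# before anything else, then append (-A) the specific rules, which ipchains
# matches in the order they are declared.
#
# Assumptions (not part of the original post): the dry-run convention
# IPCHAINS=dry that lists commands instead of running them, the is_private
# check, and the variable names below. Module loading and the ip_forward
# sysctl from the original script are assumed to have run already.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
EXT_IF=${EXT_IF:-eth0}            # external card, as in the thread
LAN=${LAN:-192.168.1.0/24}        # private range, as the reply suggests

# Dry-run stand-in for /sbin/ipchains: print the arguments, one command per line.
dry() { printf '%s\n' "$*"; }

# True when the network is in one of the private ranges the reply points to
# (10.x.x.x, 172.16-31.x.x, 192.168.x.x); 90.0.0.x is none of these.
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

apply_rules() {
    if ! is_private "$LAN"; then
        echo "refusing to masquerade $LAN: not a private range" >&2
        return 1
    fi

    # 1. Known starting state: -F flushes the rules of a chain (the "purge"
    #    the poster had in mind); it does not touch the chain's policy.
    $IPCHAINS -F input
    $IPCHAINS -F forward
    $IPCHAINS -F output

    # 2. Default policies: -P decides what happens when no rule matches.
    #    DENY on forward means only traffic explicitly matched below passes.
    $IPCHAINS -P forward DENY
    $IPCHAINS -P input ACCEPT
    $IPCHAINS -P output ACCEPT

    # 3. Specific rules, matched first to last.
    #    DHCP replies arriving on the external card (kept from the thread).
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
    #    Masquerade the internal network out through this box.
    $IPCHAINS -A forward -s "$LAN" -j MASQ
}

# List the commands that would be issued, in order, without touching the kernel.
plan() {
    ( IPCHAINS=dry; apply_rules )
}

# Sanity check on the plan: no -F or -P may follow a -A (a late flush would
# wipe the rules just added), and every -A must come after a policy is set.
check_order() {
    plan | awk '
        BEGIN      { bad = 0; seen_a = 0; seen_p = 0 }
        $1 == "-F" { if (seen_a) { print "flush after rule"; bad = 1 } }
        $1 == "-P" { if (seen_a) { print "policy after rule"; bad = 1 } ; seen_p = 1 }
        $1 == "-A" { if (!seen_p) { print "rule before policy"; bad = 1 } ; seen_a = 1 }
        END        { exit bad }'
}

case "${1:-}" in
    --plan)  plan && check_order ;;
    --apply) apply_rules ;;
esac
```

Run it with `--plan` to see the eight commands in the order they would be issued and to have the order checked; `--apply` issues them for real. Setting LAN to a range such as 90.0.0.0/24 makes the script refuse to run, which is the point of the is_private check: a masquerade rule for a real Internet network silently black-holes that network for the hosts behind the box.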
-------------- next part --------------
From: Frank Ramsay <fjr at marsdome.penguinpowered.com>
To: discuss at Blu.Org
Subject: ipchains problem
Date: Sat, 15 Apr 2000 21:23:40 -0400
Message-Id: <00041521342200.02070 at marsdome.penguinpowered.com>
-------------- next part --------------
Date: Mon, 17 Apr 2000 17:00:33 -0400 (EDT)
From: Derek Martin <derek at cerberus.ne.mediaone.net>
To: Peter Farrar <pfarrar at learningco.com>
cc: discuss at Blu.Org, Frank Ramsay <fjr at marsdome.penguinpowered.com>
Subject: Re: ipchains problem
In-Reply-To: <0005CF7D.C22103 at learningco.com>
Message-ID: <Pine.LNX.4.10.10004171650550.782-200000 at sol.netria.com>