
BLU Discuss list archive



Fwd: Re: ipchains




----------  Forwarded Message  ----------
Subject: Re: ipchains
Date: Mon, 17 Apr 2000 17:38:04 -0400
From: Christian Fernandez <rek2 at screamdesign.com>


Now that we are talking about ipchains....

I've always used something like an IP filtering firewall...
with masq.

Now I need to put some servers inside with real IPs. Surely I use forwarding???
Surely I put in another NIC card?


Thanks

On Mon, 17 Apr 2000, you wrote:
> 
> Today, Peter Farrar gleaned this insight:
> 
> >      I'm not sure.  I don't have any reference readily available.  But I 
> >      believe the -P in '/sbin/ipchains -P forward DENY' is for Purge.  So 
> >      everything preceding this line will be lost.  Try putting this line in 
> >      the front of your script.  Remember that your ipchains rules will be 
> >      executed in the order you declare them,
> 
> No, that's not correct.  The -P sets the default policy. The option you're
> thinking of is -F which flushes the ipchains tables.
> 
> You should actually set the -P rules FIRST. 
> 
> > After upgrading to my dual CPU and having various problems I decided to 
> > re-install RedHat 6.1.  Well this solved all the problems except one.  My 
> > ipchains no longer work.  The internal network appears fine (my Win95 box 
> > can ping the internal card on the Linux box and see the samba shares).
> > I ran a few basic checks, the Linux machine can ping the windows one,
> > The win95 machine can ping the _internal_ network card on the Linux box. 
> > The win95 machine cannot ping the _external_ network card on the Linux box.
> 
> As far as ping goes, you need to make sure you've got ICMP forwarding
> built into your kernel.  You probably need to rebuild your kernel. Does
> anything else work?  Do you get errors from your script?
> 
> >      
> > eth0 is my external network card
> > 90.0.0.x is my internal network (that worked fine before the upgrade) 
> > The kernel is 2.2.12-20smp
> 
> You shouldn't use 90.0.0.x addresses.  I don't know if they are currently
> assigned, but that is a real network on the internet. If you want to use a
> class A address range, use 10.X.X.X instead.  BUT you probably will never
> need more than a class C, so I'd suggest using 192.168.somethingorother.
> 
> > Here is the script, I don't see anything wrong with it.  
> 
> I dunno, it looks o.k., but I'm not very awake at the moment either...
> 
> > --- begin include ---
> >      
> > #!/bin/sh
> > # Load the masquerading helper modules for protocols that carry
> > # addresses or ports inside their payload (FTP, RealAudio, IRC).
> > /sbin/depmod -a
> > /sbin/modprobe ip_masq_ftp
> > /sbin/modprobe ip_masq_raudio
> > /sbin/modprobe ip_masq_irc
> > # Turn on forwarding between interfaces and let the kernel cope
> > # with a dynamically assigned external address.
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> > echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> >
> > # Masquerade timeouts in seconds: TCP 7200, TCP after FIN 10, UDP 160.
> > /sbin/ipchains -M -S 7200 10 160
> > # Accept DHCP replies (server port 67 -> client port 68) arriving on eth0.
> > /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
> > # Default policy for the forward chain: deny anything no rule below matches.
> > /sbin/ipchains -P forward DENY
> > # Masquerade everything forwarded from the internal network.
> > /sbin/ipchains -A forward -s 90.0.0.0/24 -j MASQ
> 
> 
> -- 
> PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
> ------------------------------------------------------
> Derek D. Martin      |  Unix/Linux Geek
> derekm at mediaone.net  |  derek at cerberus.ne.mediaone.net
> ------------------------------------------------------
> 
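The thread argues about what -P and -F do and about rule order. As an added example that is not code from the list posting, the following Python model reproduces the ipchains semantics under discussion: a chain holds rules checked in the order they were appended, the first match wins, and the chain's default policy applies only when nothing matches. It models -P (policy), -F (flush) and -A (append) with the -s/-p/-j options only, starts each chain with the ACCEPT policy ipchains built-in chains have at boot, and uses 192.168.1.0/24 (Derek's suggested range) in place of 90.0.0.0/24; the packets are constructed for the demonstration.

```python
"""Tiny model of ipchains chain semantics (added example, not the posting's
script): first matching rule wins, otherwise the chain's policy applies.
Supports -P, -F and -A with -s, -p and -j only."""
import ipaddress
import shlex

DEFAULT_POLICY = "ACCEPT"   # built-in ipchains chains start out wide open


class Rule:
    def __init__(self, src=None, proto=None, target="ACCEPT"):
        # -s accepts a host or a network; strict=False lets a host /24 through
        self.src = ipaddress.ip_network(src, strict=False) if src else None
        self.proto = proto
        self.target = target

    def matches(self, pkt):
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        return True


class Firewall:
    def __init__(self):
        self.chains = {name: {"policy": DEFAULT_POLICY, "rules": []}
                       for name in ("input", "forward", "output")}

    def run(self, cmdline):
        """Apply one ipchains command line (a subset of the real syntax)."""
        argv = shlex.split(cmdline)
        if argv and argv[0] == "/sbin/ipchains":
            argv = argv[1:]
        op, chain = argv[0], argv[1]
        if op == "-P":                 # -P: change the default policy, keep rules
            self.chains[chain]["policy"] = argv[2]
        elif op == "-F":               # -F: flush (purge) the rules, keep policy
            self.chains[chain]["rules"].clear()
        elif op == "-A":               # -A: append a rule at the end of the chain
            opts = dict(zip(argv[2::2], argv[3::2]))
            self.chains[chain]["rules"].append(
                Rule(opts.get("-s"), opts.get("-p"), opts.get("-j", "ACCEPT")))
        else:
            raise ValueError("unsupported option %s" % op)

    def verdict(self, chain, pkt):
        """Rules are checked in the order they were declared; first match wins."""
        for rule in self.chains[chain]["rules"]:
            if rule.matches(pkt):
                return rule.target
        return self.chains[chain]["policy"]


def demo():
    fw = Firewall()
    # Constructed packets: one from the inside, one from an outside host.
    internal = {"src": "192.168.1.10", "proto": "tcp"}
    outsider = {"src": "203.0.113.7", "proto": "tcp"}
    results = {}
    # Why -P goes first: until it runs, the forward chain accepts the outsider.
    results["before_policy"] = fw.verdict("forward", outsider)
    fw.run("/sbin/ipchains -P forward DENY")
    fw.run("/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ")
    results["internal"] = fw.verdict("forward", internal)
    results["outsider"] = fw.verdict("forward", outsider)
    # -P is not a purge: the MASQ rule survives a second policy change.
    fw.run("/sbin/ipchains -P forward REJECT")
    results["after_second_P"] = (len(fw.chains["forward"]["rules"]),
                                 fw.verdict("forward", internal))
    # -F is the purge: rules gone, policy kept, so inside hosts now get REJECT.
    fw.run("/sbin/ipchains -F forward")
    results["after_F"] = (len(fw.chains["forward"]["rules"]),
                          fw.verdict("forward", internal))
    # Order matters: a host-specific DENY declared before the network MASQ wins
    # for that host only.
    fw.run("/sbin/ipchains -A forward -s 192.168.1.10 -j DENY")
    fw.run("/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ")
    results["first_match"] = (fw.verdict("forward", internal),
                              fw.verdict("forward", {"src": "192.168.1.11"}))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the forward chain returning ACCEPT for the outsider before -P is set, which is the reason to set the policy before appending any rule: a script that dies halfway leaves the policy, not the rules, as the safety net.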

Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org