RE: FW: Help! ipmasqadm problem - Help its still not working
Thanks for the advice. Actually, I do need to MASQ both incoming and
outgoing packets. I have not mentioned this in previous postings but this
new firewall is set up on a second T-1 line. I have an old T-1 and firewall
that will be dropped a few weeks after this one is up. If I don't mask the
incoming then when the web server responds the routers will send that
traffic out through the old T-1. In the final product I was going to set
the forward policy to DENY or REJECT and have two lines that would MASQ port
80 incoming and outgoing. After the old T-1 is dropped then that could be
changed. I had not thought of it before you mentioned it but is it possible
to MASQ both incoming and outgoing?
Thanks for the input,
Brian
> -----Original Message-----
> From: Michael Wood [mailto:wood@kingsley.co.za]
> Sent: Wednesday, February 14, 2001 1:36 AM
> To: debian-firewall@lists.debian.org
> Subject: Re: FW: Help! ipmasqadm problem - Help its still not working
>
>
> I don't think you want to set the forward policy to MASQ.
>
> I have never used ipmasqadm, but how about trying this:
>
> ipchains -F # flush all rules
> ipchains -X # get rid of any user defined chains too
> ipmasqadm portfw -f
> ipchains -P input ACCEPT
> ipchains -P forward ACCEPT
> ipchains -P output ACCEPT
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ipchains -A forward -s 192.168.56.0/24 -d 0.0.0.0/0 -i eth1 -j MASQ
> ipmasqadm portfw -a -P tcp -L 207.202.255.134 80 -R 192.168.56.10 80
>
> if you have ipchains -P forward MASQ it will "masquerade"
> incoming stuff and outgoing stuff instead of just outgoing
> stuff.
>
> On Tue, Feb 13, 2001 at 02:24:00PM -0500, Brian Kimsey-Hickman wrote:
> > The strange thing is, it seems to make sense. But, it is
> > still not forwarding. I thought if I set the policy to MASK
> > and everything else to ACCEPT that would leave it wide open.
> > Once I got the firewall to forward then I could tighten the
> > script. It just seems that no matter what I do I cannot
> > forward to my web server. I did set the forward policy to
> > DENY. It still does not work.
> [snip]
>
> --
> Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
> wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
>
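The difference discussed in this thread, a blanket MASQ forward policy versus a restrictive forward policy with one source-limited MASQ rule, can be checked mechanically before a script goes live. The following is an added example, not part of either message: a small shell/awk lint whose finding names and two sample scripts are constructed for illustration, reusing the addresses quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipchains/ipmasqadm script.
# Finding names are invented for this example.
audit_ipchains() {   # reads a script on stdin, prints one finding per line
    awk '
    { sub(/#.*/, "") }                                  # ignore comments
    $1 == "ipchains" && $2 == "-P" {
        if (seen[$3]++) print "DUP_POLICY " $3          # same chain set twice
        policy[$3] = $4
    }
    /\/proc\/sys\/net\/ipv4\/ip-?forward/ { print "BAD_PROC_PATH" }
    $1 == "echo" && $2 == "1" && /\/proc\/sys\/net\/ipv4\/ip_forward/ { fwd = 1 }
    $1 == "ipchains" && $2 == "-A" && $3 == "forward" && / -j MASQ/ && !/ -s / {
        print "MASQ_NO_SOURCE"                          # masquerades any source
    }
    END {
        n = split("input forward output", c, " ")
        for (i = 1; i <= n; i++) if (!(c[i] in policy)) print "NO_POLICY " c[i]
        if (policy["forward"] == "MASQ") print "FORWARD_POLICY_MASQ"
        if (policy["forward"] == "ACCEPT") print "FORWARD_POLICY_ACCEPT"
        if (!fwd) print "FORWARDING_NOT_ENABLED"
    }'
}

sample_loose() {     # constructed sample: wide-open variant with typos
cat <<'EOF'
ipchains -P output ACCEPT
ipchains -P forward MASQ       # masquerades traffic in both directions
ipchains -P output ACCEPT
echo 1 > /proc/sys/net/ipv4/ipforward
ipchains -A forward -j MASQ
EOF
}

sample_tight() {     # constructed sample: DENY policy, one restricted MASQ rule
cat <<'EOF'
ipchains -P input ACCEPT
ipchains -P forward DENY
ipchains -P output ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -A forward -s 192.168.56.0/24 -d 0.0.0.0/0 -i eth1 -j MASQ
ipmasqadm portfw -a -P tcp -L 207.202.255.134 80 -R 192.168.56.10 80
EOF
}
```

Pipe a firewall script into `audit_ipchains`; no output means none of these checks fired.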