Re: Setting up masquerading (not sure where the problem is happening)
Hmm, ok...
I have never had problems getting the box connected to my ISP, I am having
problems getting the ethernet working on eth1...
i.e. no connection between the Linux box and the PCs it's connected to.
A couple of people have had suggestions that I am going to try later on today.
Dave Price wrote:
> On Mon, Sep 09, 2002 at 08:51:29AM -0700, Bob Nielsen wrote:
> >
> > It is quite possible that you will need a crossover cable between the
> > firewall and the ADSL modem. I do in my installation (Cisco 678
> > modem).
> >
> If his ISP is anything like US-Worst, who sold me my cisco, an
> appropriate cable was almost certainly provided. The link lights on the
> ADSL connected ethernet card will confirm that. The linux box/firewall
> will be able to use the net independent of iptable/masq working at any
> rate; that is step one.
>
> As a side note, I have built 'firewalls' that did masquerading with a
> single ethernet card and ip-aliasing (eth0:1, etc); it works fine with
> ipfwadmin (kernel 2.0) or ipchains (kernel 2.2); I have never tried it
> with iptables, but there is no reason why it would not;
>
> I got a toshiba laptop that came with two ethernet cards at a garage
> sale for $50 - that is what my ip tables runs on - rock solid, but it
> took 4 hours plus to build a 2.4.18 kernel and modules on it; had I
> known, I would have compiled on a different box. But I had a golf date,
> and just let it run; I was shocked that it was not finished when I got
> home. At that, I had to run the compile on a 300mb pcmcia drive that
> came along with the $50 laptop - there is no room for the pcmcia drive
> in the machine when the two LAN cards are installed, but it was a good
> hack, and debian woody will run in less than 150mb on a 486/66 with 16mb
> ram - no X, just a firewall, a minimal samba setup and dhcp services for
> braindead windoze clients; sound works, as does the _built_in_ scsi
> that toshiba used to use (adaptec 1520 chipset), out of the box on
> debian woody. Also can do wireless, but I don't use that any more since
> I got a netgear access point (which the laptop feeds dhcp to). debian
> rocks.
>
> Filesystem 1k-blocks Used Available Use% Mounted on
> /dev/hda1 236268 148262 75807 67% /
> /dev/hda2 47326 24224 20659 54% /home
> davep@fw:~$ uname -a
> Linux fw 2.4.18 #1 Sun May 26 10:23:53 MDT 2002 i486 unknown
>
> davep@fw:~$ uptime
> 10:08:54 up 98 days, 13:39, 4 users, load average: 0.13, 0.05, 0.01
>
> Here is /root/iptables script that works fine for this box
>
> #!/bin/bash
> ####
> # default table :
>
> # setup the default policies -- ACCEPT everything; the chains below only add restrictions
> iptables -P OUTPUT ACCEPT
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
>
> # flush out all the old chains and delete user chains
> iptables -F
> iptables -X
>
> ####
> # INPUT chain -- what can come into the system
>
> # allow loopback
> iptables -A INPUT -i lo -j ACCEPT
> #iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
>
> # allow replies
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
>
> # take all input from the LAN (assumes addresses are correct)
> iptables -A INPUT -i eth0 -j ACCEPT
>
> # allow ping
> iptables -A INPUT -p icmp -j ACCEPT
>
> ####
> # OUTPUT chain -- what is allowed to get out
>
> # allow loopback
> iptables -A OUTPUT -o lo -j ACCEPT
> # stop all samba stuff going out the DSL line, but tell the host (me)
> iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT
>
> iptables -A OUTPUT -o eth0 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j ACCEPT
>
> ####
> # nat table -- how we translate (masq) stuff
>
> # flush out all the old chains
> iptables -t nat -F
>
> ####
> # POSTROUTING chain
>
> # masquerade stuff from the LAN to the WAN
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> # enable forwarding in the kernel
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> Hope this helps - Have a lot of fun!
>
> aloha,
> dave
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
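The quoted script's comment says "DROP everything" while its policies are ACCEPT, so the INPUT rules never actually block anything. Below is an added example, not Dave's script and not part of the original thread: the same two-NIC layout (LAN on eth0, ADSL on eth1, both assumed from the quoted script) with INPUT and FORWARD defaulting to DROP. With a DROP policy on FORWARD the box needs explicit forward rules or masquerading silently stops working, which is the first thing to check when "the PCs can't get out". The script only prints the commands unless run with --apply, so the rule set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example for a default-DROP masquerading firewall (not the script
# from the thread). Interface names eth0 (LAN) and eth1 (WAN) are assumed.
# Usage: ./masq.sh           -> print the rules for review
#        ./masq.sh --apply   -> load them (as root)

# Emit the iptables commands for LAN interface $1 and WAN interface $2.
build_rules() {
    lan=$1
    wan=$2
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
# Default policies: nothing comes in or through unless allowed below.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, and replies to connections this box or the LAN started.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything from the LAN side (hosts plugged into $lan).
iptables -A INPUT -i $lan -j ACCEPT
# Echo requests, so link tests from either side still work.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# FORWARD is DROP, so masquerading needs these two rules:
# LAN -> WAN is allowed, WAN -> LAN only for replies.
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Keep SMB/NetBIOS off the DSL line (tcp and udp).
iptables -A OUTPUT -o $wan -p tcp --dport 137:139 -j REJECT
iptables -A OUTPUT -o $wan -p udp --dport 137:139 -j REJECT
# Masquerade LAN traffic behind the WAN address.
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Return 0 if the generated rule set for LAN $1 / WAN $2 contains the
# fixed string $3. Handy for checking the interfaces were not swapped.
has_rule() {
    build_rules "$1" "$2" | grep -qF -- "$3"
}

if [ "${1:-}" = "--apply" ]; then
    build_rules eth0 eth1 | sh
else
    build_rules eth0 eth1
fi
```

If the PCs still cannot reach the Internet after loading this, check `cat /proc/sys/net/ipv4/ip_forward` (must be 1) and `iptables -t nat -L POSTROUTING -n -v` (the MASQUERADE counters should rise when a LAN host tries to get out); if they do not, the packets are not arriving on eth0 at all and the problem is the cable or link, not the rules.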