
Re: Setting up masquerading (not sure where the problem is happening)



Hmm, ok...

I have never had problems getting the box connected to my ISP, I am having
problems getting the ethernet working on eth1...
i.e.: no connection between the linux box and the PCs it's connected to..

A couple of people have had suggestions that I am going to try later on today.


Dave Price wrote:

> On Mon, Sep 09, 2002 at 08:51:29AM -0700, Bob Nielsen wrote:
> >
> > It is quite possible that you will need a crossover cable between the
> > firewall and the ADSL modem.  I do in my installation (Cisco 678
> > modem).
> >
> If his ISP is anything like US-Worst, who sold me my cisco, an
> appropriate cable was almost certainly provided.  The link lights on the
> ADSL connected ethernet card will confirm that.  The linux box/firewall
> will be able to use the net independent of iptable/masq working at any
> rate; that is step one.
>
> As a side note, I have built 'firewalls' that did masquerading with a
> single ethernet card and ip-aliasing (eth0:1, etc); it works fine with
> ipfwadm (kernel 2.0) or ipchains (kernel 2.2). I have never tried it
> with iptables, but there is no reason why it would not;
>
> I got a toshiba laptop that came with two ethernet cards at a garage
> sale for $50 - that is what my ip tables runs on - rock solid, but it
> took 4 hours plus to build a 2.4.18 kernel and modules on it; had I
> known, I would have compiled on a different box.  But I had a golf date,
> and just let it run; I was shocked that it was not finished when I got
> home.  At that, I had to run the compile on a 300mb pcmcia drive that
> came along with the $50 laptop - there is no room for the pcmcia drive
> in the machine when the two LAN cards are installed, but it was a good
> hack, and debian woody will run in less than 150mb on a 486/66 with 16mb
> ram - no X, just a firewall, a minimal samba setup and dhcp services for
> braindead windoze clients; sound works, as does the _built_in_ scsi
> that toshiba used to use (adaptec 1520 chipset), out of the box on
> debian woody.  It can also do wireless, but I don't use that any more since
> I got a netgear access point (which the laptop feeds dhcp to). debian
> rocks.
>
> Filesystem           1k-blocks      Used Available Use% Mounted on
> /dev/hda1               236268    148262     75807  67% /
> /dev/hda2                47326     24224     20659  54% /home
> davep@fw:~$ uname -a
> Linux fw 2.4.18 #1 Sun May 26 10:23:53 MDT 2002 i486 unknown
>
> davep@fw:~$ uptime
>  10:08:54 up 98 days, 13:39,  4 users,  load average: 0.13, 0.05, 0.01
>
> Here is the /root/iptables script that works fine for this box
>
> #!/bin/bash
> ####
> # default table :
>
>     # set up the default policies -- ACCEPT everything not explicitly
>     # rejected by the rules below (note: these are ACCEPT, not DROP)
>     iptables -P OUTPUT  ACCEPT
>     iptables -P INPUT   ACCEPT
>     iptables -P FORWARD ACCEPT
>
>     # flush out all the old chains and delete user chains
>     iptables -F
>     iptables -X
>
>     ####
>     # INPUT chain -- what can come into the system
>
>         # allow loopback
>         iptables -A INPUT -i lo -j ACCEPT
>         #iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
>
>         # allow replies
>         iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
>         iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
>
>         # take all input from the LAN (assumes addresses are correct)
>         iptables -A INPUT -i eth0 -j ACCEPT
>
>         # allow ping
>         iptables -A INPUT -p icmp -j ACCEPT
>
>     ####
>     # OUTPUT chain -- what is allowed to get out
>
>         # allow loopback
>         iptables -A OUTPUT -o lo -j ACCEPT
>         # stop all samba stuff going out the DSL line, but tell the host (me)
>         iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT
>
>         iptables -A OUTPUT -o eth0 -j ACCEPT
>         iptables -A OUTPUT -o eth1 -j ACCEPT
>
> ####
> # nat table -- how we translate (masq) stuff
>
>     # flush out all the old chains
>     iptables -t nat -F
>
>     ####
>     # POSTROUTING chain
>
>         # allow loopback (filter-table OUTPUT rule, duplicated from the
>         # OUTPUT section above; harmless, but it is not a nat rule)
>         iptables -A OUTPUT -o lo -j ACCEPT
>
>         # masquerade stuff from the LAN to the WAN
>         iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
>         # enable forwarding in the kernel
>         echo "1" > /proc/sys/net/ipv4/ip_forward
>
> Hope this helps - Have a lot of fun!
>
> aloha,
> dave
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
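A hardened variant of the masquerading script quoted above, added here as an example; it is not Dave's script and not from the original thread. It keeps the same two-interface layout (LAN on eth0, ADSL on eth1) but sets the INPUT and FORWARD policies to DROP as the original comment intended, accepts new connections only from the LAN subnet (192.168.1.0/24 is a constructed placeholder, as are the LAN_IF/WAN_IF names), tracks RELATED as well as ESTABLISHED state, and blocks NetBIOS/SMB on both TCP and UDP and on port 445, which goes beyond the single TCP 137:139 rule in the posted script. Setting DRY_RUN=1 prints the iptables commands instead of running them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Hardened two-interface masquerading firewall (added example, not the
# script from the thread).  Constructed assumptions: LAN on $LAN_IF with
# subnet $LAN_NET, ADSL modem on $WAN_IF.  DRY_RUN=1 prints each command
# instead of executing it.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the complete rule set.  Order matters: the first matching rule
# wins, so the state-tracking rules come before the per-interface accepts.
apply_firewall() {
    # Start from a clean slate in both the filter and nat tables.
    run iptables -F
    run iptables -X
    run iptables -t nat -F

    # Default policies: DROP anything the rules below do not allow.
    # (The posted script's comment says DROP but it actually sets ACCEPT.)
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Loopback traffic is always fine.
    run iptables -A INPUT -i lo -j ACCEPT

    # Replies to connections the box or the LAN started; RELATED covers
    # helper-tracked secondary connections (e.g. FTP data) and ICMP errors.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections only from the LAN interface *and* the LAN subnet,
    # so a spoofed source address on the LAN side is not forwarded.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Answer ping from either side (useful while debugging link problems).
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Keep NetBIOS/SMB off the DSL line: TCP and UDP, from the box itself
    # and from forwarded LAN hosts.  REJECT tells the sender immediately.
    for proto in tcp udp; do
        run iptables -A OUTPUT -o "$WAN_IF" -p "$proto" --dport 137:139 -j REJECT
        run iptables -A FORWARD -o "$WAN_IF" -p "$proto" --dport 137:139 -j REJECT
    done
    run iptables -A OUTPUT -o "$WAN_IF" -p tcp --dport 445 -j REJECT
    run iptables -A FORWARD -o "$WAN_IF" -p tcp --dport 445 -j REJECT

    # Masquerade only LAN-sourced traffic leaving on the WAN side.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Without forwarding enabled the FORWARD chain never sees a packet.
    run sysctl -w net.ipv4.ip_forward=1
}

# Dry-run sanity check: how many MASQUERADE rules would be installed?
# Run in a subshell so DRY_RUN=1 does not leak into the caller.
count_masq_rules() {
    (DRY_RUN=1; apply_firewall) | grep -c 'MASQUERADE'
}
```

Run it as `DRY_RUN=1 sh firewall.sh` first and read the printed rules; when they look right, run `apply_firewall` as root with DRY_RUN unset. The `-s "$LAN_NET"` on the MASQUERADE rule is the part most often left out: without it, anything the box forwards out of eth1 gets rewritten, including traffic that arrived with a bogus source.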


