On Tuesday 29 April 2003 13:09, Tom Goulet (UID0) wrote: > Okay, I'll stop requiring you to guess and reverse engineer Ipmasq and > post my small Iptables script that still doesn't work. The result is the > same change from "Connection refused" to "Connection timed out" that I > described earlier. Ok, there is only one place in your firewall that traffic can get stopped like that, and that is if it falls off the end of the FORWARD chain and hits the default "DROP" policy - which would be consistent with the "connection timed out" messages you are seeing. The first thing I would do is change the policy on the FORWARD chain to ALLOW and see if it suddenly starts working. If it does, it means that your rule in the FORWARD chain isn't matching the traffic correctly. This could be diagnosed with a tcpdump and see what the traffic actually looks like in kernel space. I've attached a modified version of the firewall script. I didn't change much, except to explicitly define the internal network for the MASQ rule, and also to enable stateful firewalling correctly (it's my understanding that if you don't have rules matching a NEW state, then the entries are never entered into the state table and corresponding RELATED/ESTABLISHED rules won't work). The important line to fiddle with will be : iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $EXTIP --dport 515 \ -m state --state NEW -j ACCEPT I think the problem with your original script is that the destination actually needs to be $EXTIP, not $PRINTERIP. t -- GPG: http://n12turbo.com/tarragon/public.key
Attachment:
firewall
Description: application/shellscript