[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

ipchians forwarding error

Hi gang,

Our network has recently gone from a ISDN router (with an IP on out
class C) to a ppp modem link (with an IP that is not part of our class
C) for its gateway. The machine that is the new gateway has an ipchains
firewall running, which I'd managed to munge together, which was broken
quite badly by this change.

This gateway machine also has a MASQ network connected to it via another
nic, and lots of IP addresses for virtual hosting, so the setup is
reasonably complex, considering my relatively limited understanding of
all things firewall related (hey, I'm learning, but not quickly enough).

The most significant of the ways in which the firewall broke when we
changed to the modem was that none of the other machines on the public
class C (as opposed to the MASQ'd one) were able to connect out through
the gateway. They could connect to the gateway machine, but could go no
further. Obviously, this caused a few small problems, especially for our
PPP users!

I came to the conclusion that it was the state of the forward chain
which was the problem, as it was set to DENY. It was my impression that
anything else was a Bad Thing (tm). Not knowing what else to do, I
changed the default policy to ACCEPT, and it all worked again, but I
fear that this is compromising the integrity of our firewall.

Here are the relevant bits from ipchains -L (trimmed of all else):

Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------        n/a
ACCEPT     all  ------  localnet/24          anywhere              n/a
MASQ       all  ------       anywhere              n/a

I would have thought that the ACCEPT all from localnet to anywhere
should have covered it, but obviously it doesn't.

Can anyone let me know what I'm doing wrong, or even if I am correct in
not wanting my default forward policy to be ACCEPT. Do I need to do
something like ACCEPT all from localnet to gateway?

Thanks for any suggestions,



Damon Muller (dm-sig6@empire.net.au) /  It's not a sense of humor.
* Criminologist                     /  It's a sense of irony
* Webmeister                       /  disguised as one.
* Linux Geek                      /     - Bruce Sterling 

- Running Debian GNU/Linux: Doing my bit for World Domination (tm) -

Attachment: pgpMR8_FVcTjt.pgp
Description: PGP signature

Reply to: