Hi gang,

Our network has recently gone from an ISDN router (with an IP on our class C) to a ppp modem link (with an IP that is not part of our class C) for its gateway. The machine that is the new gateway has an ipchains firewall running, which I'd managed to munge together, which was broken quite badly by this change. This gateway machine also has a MASQ network connected to it via another nic, and lots of IP addresses for virtual hosting, so the setup is reasonably complex, considering my relatively limited understanding of all things firewall related (hey, I'm learning, but not quickly enough).

The most significant of the ways in which the firewall broke when we changed to the modem was that none of the other machines on the public class C (as opposed to the MASQ'd one) were able to connect out through the gateway. They could connect to the gateway machine, but could go no further. Obviously, this caused a few small problems, especially for our PPP users!

I came to the conclusion that it was the state of the forward chain which was the problem, as it was set to DENY. It was my impression that anything else was a Bad Thing (tm). Not knowing what else to do, I changed the default policy to ACCEPT, and it all worked again, but I fear that this is compromising the integrity of our firewall.

Here are the relevant bits from ipchains -L (trimmed of all else):

    Chain forward (policy ACCEPT):
    target     prot opt     source                destination           ports
    ACCEPT     all  ------  192.168.1.0/24        192.168.1.0/24        n/a
    ACCEPT     all  ------  localnet/24           anywhere              n/a
    MASQ       all  ------  192.168.1.0/24        anywhere              n/a

I would have thought that the ACCEPT all from localnet to anywhere should have covered it, but obviously it doesn't. Can anyone let me know what I'm doing wrong, or even if I am correct in not wanting my default forward policy to be ACCEPT? Do I need to do something like ACCEPT all from localnet to gateway?
Thanks for any suggestions,

cheers,

damon

--
Damon Muller (dm-sig6@empire.net.au)
 * Criminologist
 * Webmeister
 * Linux Geek

  "It's not a sense of humor. It's a sense of irony disguised as one."
   - Bruce Sterling -

Running Debian GNU/Linux: Doing my bit for World Domination (tm)
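An added example, not part of Damon's post: a small Python model of the forward chain exactly as the listing above prints it, evaluated under both default policies. ipchains keeps no connection state, so the forward chain sees reply packets as ordinary packets to be matched. The model shows that the three listed rules accept localnet -> anywhere, but that the replies (anywhere -> localnet) match none of them and fall through to the chain policy, which is DENY in the original configuration and ACCEPT in the working one. It then tries one extra rule of the `! -y` form (match TCP packets without SYN set), which admits packets back into the class C while still refusing new inbound connections. The class C prefix (203.0.113.0/24) and the outside addresses are constructed stand-ins, since the real prefix is not on the page, and the interface and flag columns that `ipchains -L` omits are assumed to be unset.

```python
import ipaddress

# The forward chain as the post's `ipchains -L` listing shows it:
# (source, destination, target, syn). The listing prints no interface or
# flag columns, so syn=None (match any packet) is assumed for all three rules.
# "localnet/24" is the poster's public class C; its real prefix is not on the
# page, so the documentation range 203.0.113.0/24 stands in for it.
LOCALNET = ipaddress.ip_network("203.0.113.0/24")
MASQNET = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

POSTED_RULES = [
    (MASQNET, MASQNET, "ACCEPT", None),
    (LOCALNET, ANY, "ACCEPT", None),
    (MASQNET, ANY, "MASQ", None),
]

# A tighter variant (an assumption, not from the post): one extra rule letting
# packets back into the class C, restricted to TCP packets without SYN set
# (ipchains syntax: `-p tcp ! -y`), so it admits replies to connections the
# class C opened but not new inbound connection attempts.
TIGHTER_RULES = POSTED_RULES + [(ANY, LOCALNET, "ACCEPT", False)]


def forward_verdict(rules, policy, src, dst, syn=False):
    """Walk the chain the way the kernel does: the first matching rule wins,
    and a packet that matches nothing gets the chain's default policy.
    ipchains has no connection tracking, so a reply is just another packet."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule_src, rule_dst, target, rule_syn in rules:
        if src_ip not in rule_src or dst_ip not in rule_dst:
            continue
        # rule_syn None: match any packet; True: `-y`; False: `! -y`
        if rule_syn is not None and rule_syn != syn:
            continue
        return target
    return policy


def tcp_round_trip(rules, policy, client, server):
    """Verdicts for the client's opening SYN and for the server's SYN/ACK reply,
    both of which traverse the forward chain on the gateway."""
    request = forward_verdict(rules, policy, client, server, syn=True)
    reply = forward_verdict(rules, policy, server, client, syn=False)
    return request, reply


if __name__ == "__main__":
    # A class-C host talking out through the gateway to a constructed outside address.
    host, outside = "203.0.113.10", "198.51.100.5"
    print("posted rules, policy DENY:  ", tcp_round_trip(POSTED_RULES, "DENY", host, outside))
    print("posted rules, policy ACCEPT:", tcp_round_trip(POSTED_RULES, "ACCEPT", host, outside))
    print("tighter rules, policy DENY: ", tcp_round_trip(TIGHTER_RULES, "DENY", host, outside))
    # What the tighter set still refuses: an outside host opening a new
    # connection into the class C, and transit traffic between two outside hosts.
    print("inbound SYN to class C:     ", forward_verdict(TIGHTER_RULES, "DENY", outside, host, syn=True))
    print("outside-to-outside transit: ", forward_verdict(TIGHTER_RULES, "DENY", outside, "198.51.100.6", syn=True))
```

The model deliberately ignores protocol and port, so the `! -y` rule stands for a TCP-only rule; UDP traffic such as DNS replies has no SYN flag to test and would need its own, port-specific ACCEPT rules into the class C. The point the model makes is narrower than a full answer: under a DENY policy, every direction a forwarded conversation takes needs a rule of its own, and the listing in the post only has rules for the outbound direction.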