Very Computer

I think I have my 2.4.5 kernel built right, but I could not figure out
how to load the compatibility ipchains. So, I found a script using
iptables.

My local lan eth0 works fine, i can get onto the internet via my eth1
card, but the masq stuff doesn't work anymore.

Here is what worked before, on a 2.2 kernel:
--------------------
# MASQ timeouts
/sbin/ipchains -M -S 7200 10 160

# DHCP:  For people who receive their external IP address from either DHCP or
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth1 -s 10.1.1.0/24 -j MASQ
--------------------------------------------------------------

So, I got the new script and tried to use it, below is the essential
parts of it.

-------------------------------
echo "  - Verifying that all kernel modules are ok"
/sbin/depmod -a

echo "  - Enabling packet forwarding in the kernel"
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
echo "  - Enabling dynamic addressing measures"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
echo "  - Setting the default FORWARD policy to 'DROP'"
echo "  - Enabling SNAT (IPMASQ) functionality on eth0"
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j MASQUERADE
-------------------------------------------

I changed eth0 to eth1 on the last line, was that right?

I added the -s 10.1.1.0/24 as a guess
on my part, based on what worked with ipchains.
But it still does not work.
Any help most appreciated.

Also, I am starting with red hat 7.0, downloaded the latest iptables,
got a 2.4.5 kernel, might there be something else I need to get. It's
too painful right now to upgrade to rh 7.1.

thanks
eric

--

PGP Key ID: 0xAF1ACFD7

Quote:> Hi:

> I think I have my 2.4.5 kernel built right, but I could not figure out
> how to load the compatibility ipchains. So, I found a script using
> iptables.

> My local lan eth0 works fine, i can get onto the internet via my eth1
> card, but the masq stuff doesn't work anymore.

> Here is what worked before, on a 2.2 kernel:
> --------------------
> # MASQ timeouts
> /sbin/ipchains -M -S 7200 10 160

> # DHCP:  For people who receive their external IP address from either DHCP
or
> /sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp

> # Enable simple IP forwarding and Masquerading
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -i eth1 -s 10.1.1.0/24 -j MASQ
> --------------------------------------------------------------

> So, I got the new script and tried to use it, below is the essential
> parts of it.

> -------------------------------
> echo "  - Verifying that all kernel modules are ok"
> /sbin/depmod -a

> echo "  - Enabling packet forwarding in the kernel"
> echo "1" > /proc/sys/net/ipv4/ip_forward

> # Dynamic IP users:
> echo "  - Enabling dynamic addressing measures"
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr

> # Enable simple IP forwarding and Masquerading
> echo "  - Setting the default FORWARD policy to 'DROP'"
> echo "  - Enabling SNAT (IPMASQ) functionality on eth0"
> $IPTABLES -P FORWARD DROP
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j MASQUERADE
> -------------------------------------------

> I changed eth0 to eth1 on the last line, was that right?

> I added the -s 10.1.1.0/24 as a guess
> on my part, based on what worked with ipchains.
> But it still does not work.
> Any help most appreciated.

> Also, I am starting with red hat 7.0, downloaded the latest iptables,
> got a 2.4.5 kernel, might there be something else I need to get. It's
> too painful right now to upgrade to rh 7.1.

> thanks
> eric

http://boingworld.com/workshops/linux/iptables-tutorial/

Then I had to do one thing:

MY_IP=`ifconfig $INET_IFACE | head -2 | tail -1 | gawk '{print substr($2,6)}'`

which just finds my dhcp generated ip address. I changed his
STATIC_IP to MY_IP, made sure the script ran after the interface
came up and it all seems to work.

Whew, took me 3 hours of reading iptables tutorials.

Anyway, I now know enough to understand what Rob's comment
about a FORWARD rule meant. Now I also have a pretty
secure firewall as well, all described nicely in the above tutorial.

thanks
eric

Hi!,

Quote:> I think I have my 2.4.5 kernel built right, but I could not figure out
> how to load the compatibility ipchains. So, I found a script using
> iptables.

> My local lan eth0 works fine, i can get onto the internet via my eth1
> card, but the masq stuff doesn't work anymore.

 * Make sure that /etc/sysctl.conf has been set so that IP forwarding is
enabled.  It should look something similar to this:

# Enable packet forwarding
net.ipv4.ip_forward = 1
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enable automatic defragmentation (needed for masquerading, LVS)
net.ipv4.ip_always_defrag = 1

 * The following set of commands should get your IP Masquerading working with
the help of iptables:

# Remove the ipchains module which RH sometimes likes to load
/sbin/rmmod ipchains

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out eth1 (-o eth1) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Check to make sure that your firewall is allowing packets to return to your
machine as well.  You may want to do something like: /sbin/iptables -L -n or
similar to list all the entires in your iptables.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+