ipchains help??

Louie1961

Member
Sep 25, 2000
116
0
0
I am running three boxes on my home ethernet network. The network is basically a D-link 5 port switch, and three 100mbps NIC cards. One machine is my wife's win 98 box, the other is my linux workstation and the third is a server of sorts (or will be someday) that I want to run Samba off of as well as to connect to the internet and act as a firewall, NAT/masquerade box. Right now the last box is connecting via a PPP connection, until I decide on a broadband provider.

I am running red hat 7.0.9?? (the wolverine beta) on both of my linux systems. With all firewalling disabled, all of the boxes on the network can ping each other..no connectivity issues there. Also, with the PPP connection up and running, my "server" box can see the internet, and netscape is getting DNS service from my ISP and works properly.

My problem is the minute I try to configure ipchains, I lose everything. None of the boxes on the network can ping the server box, and I am also obviously not getting any masquerading. I have IP forwarding enabled on the server box, and have tried several suggested configurations from the various "how to's" without success. I have even tried to take all of the commands out of my config file, and use the basic:

echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0

Still no luck.

Any suggestions, or better yet, sources of some good basic ipchains scripts (so I know it's not something I screwed up in configuring ipchains) would be greatly appreciated. I have combed through the IPCHAINS-HOWTO, the IP-Masquerade-HOWTO, the Net-HOWTO, and the Linux Network Administrators Guide, and there is still something I am missing.

Thanks in advance.
 

Damaged

Diamond Member
Oct 11, 1999
3,020
0
0
I'm not sure why you're using that line, but it won't work.

Try:

ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ

You want it to jump to Masquerading those packets.
 

Phil21

Golden Member
Dec 4, 2000
1,015
0
0
So let me get this straight..

The moment you add that ipchains line to your box, your internal LAN folk cannot ping the machine's IP? Or can they not EVER ping it.

your ipchains line looks fine, the order of the -j does not matter.

Here's my simple startup script..

# Setup eth0 with the cable modem IP address, etc.
ifconfig eth0 24.25.120.208 netmask 255.255.252.0 broadcast 24.25.123.255
# Setup internal network interface on NIC
ifconfig eth0:1 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
# Flush ipchains rules. Start clean.
ipchains -F
# Deny all forwarding unless explicitly allowing them.
ipchains -P forward DENY -l
# Masquerade any connections from 192.168.0.x to anywhere
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
# Turn on forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Added the comments for you to help you better understand what exactly I'm doing.

This is with one NIC, but the ipchains commands would remain the same if you had two.


-Phil
 

Damaged

Diamond Member
Oct 11, 1999
3,020
0
0


<< your ipchains line looks fine, the order of the -j does not matter. >>


Heh, you're right. It doesn't matter. Been too long since I had to think about the rules and their ordering. So, I stand corrected. That line should work then. Unless you're not actually using ipchains and you're using ipnatctl, new stuff in kernel 2.4, which I haven't messed with, but, as I recall, there is an option to make it understand the ipchains syntax, and the old ipfwadm syntax as well.

uname -a should tell you what version of the kernel you're running.

My masquerading statement is a little different:

ipchains -A forward -s 192.168.1.0/24 -d 0/any -i eth0 -j MASQ

basically the same difference though.
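
Added example (not part of any post above): a pre-flight check along the lines of the uname suggestion, reporting which filter tool is native to the kernel series, whether ip_forward is on, and whether the ipchains table in /proc is present. The function names are invented for this sketch, and the mapping of 2.0 to ipfwadm, 2.2 to ipchains and 2.4 to iptables is added here rather than taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up for this sketch.

# Map a kernel release (as printed by `uname -r`) to that series' native
# packet-filter tool: 2.0 -> ipfwadm, 2.2 -> ipchains, 2.4 -> iptables.
fw_tool_for_kernel() {
    case "$1" in
        2.0.*) echo ipfwadm ;;
        2.2.*) echo ipchains ;;
        2.4.*) echo iptables ;;
        *)     echo unknown ;;
    esac
}

# True if the ip_forward switch reads 1. $1 overrides the proc path for testing.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# True if the kernel exposes the ipchains rule table. On 2.2 it is built in;
# on 2.4 it only appears once the ipchains compatibility module is loaded.
ipchains_usable() {
    [ -e "${1:-/proc/net/ip_fwchains}" ]
}

# Print one finding per line; $1 overrides the release, $2/$3 the proc paths.
preflight() {
    rel="${1:-$(uname -r)}"
    tool=$(fw_tool_for_kernel "$rel")
    echo "kernel=$rel native_tool=$tool"
    if forwarding_enabled "$2"; then echo "ip_forward=on"
    else echo "ip_forward=off"; fi
    if ipchains_usable "$3"; then echo "ipchains_table=present"
    else echo "ipchains_table=missing"; fi
    # A 2.4 kernel that shows the table is running ipchains via the
    # compatibility layer rather than its native tool.
    if [ "$tool" = iptables ] && ipchains_usable "$3"; then
        echo "note: 2.4 kernel in ipchains compatibility mode"
    fi
    return 0
}

preflight "$@"
```

If ipchains_table comes back missing, ipchains commands cannot work on that kernel as booted, whatever the rule text says.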
 