[ale] next stupid ipchains question

Joe Knapka jknapka at earthlink.net
Thu Sep 7 13:25:57 EDT 2000


Wandered Inn wrote:
> 
> Joe Knapka wrote:
> >
> > Wandered Inn wrote:
> > >
> > >
> > > $IPCHAINS -F
> > > $IPCHAINS -P forward DENY
> > >
> > > $IPCHAINS -A forward -i eth0 -j MASQ
> > > $IPCHAINS -A forward -i eth1 -j MASQ
> > >
> > > I've attempted to change the MASQ to ACCEPT and when I do, I no longer
> > > am able to get from 192.168.255.0 to 192.168.10.0.
> >
> > Is there a rule in the output chain that might be killing
> > off packets that aren't masqueraded?
> 
> No.  What you see above are all the chains.

That's... interesting. In that case I'd bet that it's a route
problem. Do all the machines on both subnets have a default
route pointed at the firewall? If not, they need routes
telling them to reach the other subnet via the firewall.
 
> >
> > Add the -l flag to every "DENY" or "REJECT" rule, make sure
> > you have a final rule in each chain that unconditionally does
> > a "DENY" or "REJECT" (so you can tell if packets are just falling
> > all the way through the chain), and look at the syslog output
> > when trying to ping from one subnet to the other.
> 
> Based on the above, I guess I'll add an '$IPCHAINS -A forward -j DENY
> -l' ??

Yep. That way you'll get a log event if the packet is denied by
the firewall. Without the DENY rule, you can't be sure that the
reason the packet isn't getting to its destination is because
the firewall is killing it, since when a packet hits the chain
policy it just gets silently denied.

-- Joe

*** Joseph Knapka ***
In any formula, constants (especially those obtained from handbooks)
are to be treated as variables.
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
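The two points made in the thread, the return-route problem when the forward rules say ACCEPT instead of MASQ, and the difference between a silent chain policy and a logged final DENY rule, in a small Python model added here as an editorial example (it is not code from the thread or from ipchains itself). The addresses, interface names, host routing tables and the simplified "Packet log:" line are constructed assumptions; the forward chain's `-i` is modelled as the outgoing interface, which is how ipchains interprets it on that chain.

```python
"""Toy model of an ipchains forward chain plus the reply path on the far host.

Constructed scenario: firewall with eth0 on 192.168.255.0/24 and eth1 on
192.168.10.0/24; host 192.168.255.5 sends a packet to 192.168.10.5.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FW_ETH0 = "192.168.255.1"   # firewall address on the 192.168.255.0/24 side (assumed)
FW_ETH1 = "192.168.10.1"    # firewall address on the 192.168.10.0/24 side (assumed)


@dataclass
class Rule:
    iface: Optional[str]    # "-i eth1"; None matches any interface
    target: str             # ACCEPT, DENY, REJECT or MASQ
    log: bool = False       # "-l": emit a kernel log line when this rule matches


@dataclass
class Chain:
    policy: str                                  # "-P forward DENY"
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list) # stands in for syslog

    def run(self, out_iface: str, src: str, dst: str) -> str:
        """First matching rule decides; if nothing matches, the policy applies silently."""
        for r in self.rules:
            if r.iface in (None, out_iface):
                if r.log:
                    # Simplified version of an ipchains "-l" log line (format assumed)
                    self.log.append(f"Packet log: forward {r.target} {out_iface} {src} -> {dst}")
                return r.target
        return self.policy   # policy hit: no log line, the packet just disappears


def next_hop(routes: List[Tuple[str, Optional[str]]], dst: str) -> Tuple[bool, Optional[str]]:
    """Longest-prefix match over (network, gateway); gateway None means directly connected.
    Returns (matched, gateway); matched is False when no route covers dst."""
    best = None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return (True, best[1]) if best else (False, None)


def forward(chain: Chain, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Packet entering on eth0, leaving on eth1. Returns (verdict, source as seen by dst)."""
    verdict = chain.run("eth1", src, dst)
    if verdict == "MASQ":
        return verdict, FW_ETH1   # masquerading rewrites the source to the outgoing interface address
    if verdict == "ACCEPT":
        return verdict, src       # plain forwarding keeps the original source
    return verdict, None          # DENY/REJECT: nothing reaches dst


def reply_reachable(chain: Chain, src: str, dst: str,
                    dst_routes: List[Tuple[str, Optional[str]]]) -> bool:
    """Can the destination host route a reply back to whatever source it saw?"""
    _, seen_src = forward(chain, src, dst)
    if seen_src is None:
        return False
    matched, _ = next_hop(dst_routes, seen_src)
    return matched


if __name__ == "__main__":
    connected_only = [("192.168.10.0/24", None)]           # host with no default route
    with_default = connected_only + [("0.0.0.0/0", FW_ETH1)]
    masq = Chain("DENY", [Rule("eth0", "MASQ"), Rule("eth1", "MASQ")])
    accept = Chain("DENY", [Rule("eth0", "ACCEPT"), Rule("eth1", "ACCEPT")])
    print("MASQ, no default route  :", reply_reachable(masq, "192.168.255.5", "192.168.10.5", connected_only))
    print("ACCEPT, no default route:", reply_reachable(accept, "192.168.255.5", "192.168.10.5", connected_only))
    print("ACCEPT, default route   :", reply_reachable(accept, "192.168.255.5", "192.168.10.5", with_default))
    logged = Chain("DENY", [Rule("eth0", "MASQ"), Rule(None, "DENY", log=True)])
    forward(logged, "192.168.255.5", "192.168.10.5")
    print("\n".join(logged.log))
```

With MASQ the far host only ever sees the firewall's own eth1 address, so its connected route suffices; with ACCEPT it sees the real 192.168.255.x source and needs a route back via the firewall, which is the route problem described above. The last chain shows why a trailing `-j DENY -l` matters: the same packet dropped by the chain policy leaves nothing in the log.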