[ale] iptables problems

Rick Huebner fehuebner at mediaone.net
Fri Dec 28 13:40:45 EST 2001


I've been trying to get my ipchains 2.4.16 Redhat box over to iptables and
am having difficulties.  I'm working from a script that a friend gave me,
changed where appropriate based on the original.  My Linux box is set up as a
dual homed machine with eth0 facing my cable modem and eth1 facing the
internal network.  The internal network is 192.168.2.0/24 and the ipaddr of
eth1 is 192.168.2.1.  eth0 is using dhcpc to get its IP from MediaOne.  The
Linux box itself is providing DHCP to the internal network.

All seems to function as expected on the Linux box although I did not do an
ifdown ifup on eth0 to test the ability to get DHCP address.  The problems
are with the Windoze machines on the internal network.  They can talk to
192.168.2.1 without any problems.  They cannot, however, send to the
internet.  I've pasted in my iptables.sh and am open to any suggestions.

In Messages, I had this error once:
Dec 27 22:29:09 linuxserver modprobe: modprobe: Can't locate module
iptable_FORWARD

I could not find a module called iptable_FORWARD in /usr/src/linux.

Also, the common error that I get in my log file is like this, where
1.2.3.78 is my external IP:
Dec 27 22:30:09 linuxserver kernel: IN=eth0 OUT= MAC= SRC=1.2.3.4 DST=1.2.4.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Dec 27 22:30:09 linuxserver kernel: IN=eth0 OUT= MAC= SRC=1.2.3.78 DST=1.2.4.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220

The DST address seems to have a problem.  Why is it being sent to the
broadcast address of 1.2.4.255 instead of 1.2.3.255?

This is another error that I get in messages where the MAC and DST
correspond to eth0:
Dec 27 23:08:47 linuxserver kernel: IN=eth0 OUT= MAC=THE_MAC_ADDR_OF_ETH0 SRC=24.181.208.4 DST=IPADDR_OF_eth0 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=40796 DF PROTO=TCP SPT=3749 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0

I'm open to any suggestions.  I think that the majority of the problems are
in the last section for FORWARD, but I may be way off here.



---
Rick Huebner
****PLEASE NOTE MY NEW EMAIL ADDRESS BELOW****
rick at rhuebner.com
http://ditchdoctor.dyndns.org:15001

 rc.firewall

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
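The layout in the post (eth0 toward the cable modem with an address from the ISP's DHCP, eth1 as 192.168.2.1 serving 192.168.2.0/24, inside hosts that can reach the gateway but nothing past it) is the plain masquerading case. The script below is an added example, not the poster's rc.firewall and not anything posted to the ALE list: a minimal iptables 1.2 / kernel 2.4 rule set for that layout. The interface names and the LAN prefix are taken from the post; the IPT/EXT_IF/INT_IF/LAN variables, the chain policies and the LOG prefixes are assumptions made here. It names FORWARD only as a chain after -A. The -t option takes a table name (filter, nat, mangle), and when that table is not loaded iptables asks modprobe for iptable_<table>, which is how a request for a module called iptable_FORWARD arises.

```shell
#!/bin/sh
# Added example (not the poster's rc.firewall): minimal masquerading firewall
# for a dual-homed box running iptables 1.2.x on a 2.4 kernel.
#   eth0 = external (address from the ISP's DHCP), eth1 = 192.168.2.1/24
# Variable names, policies and log prefixes are assumptions for illustration.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.2.0/24}"

# Emit the rule set one command per line so it can be printed or executed.
# FORWARD appears only as a chain after -A, never after -t: -t names a table,
# and a missing table makes iptables try to modprobe iptable_<name>.
build_rules() {
    cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# loopback and the trusted inside interface (DHCP clients send from 0.0.0.0,
# so the inside interface is not filtered by source prefix)
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $INT_IF -j ACCEPT
# replies to the box's own connections, plus DHCP lease renewals on the outside
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $EXT_IF -p udp --sport 67 --dport 68 -j ACCEPT
$IPT -A INPUT -i $EXT_IF -j LOG --log-prefix "FW-IN-DROP: "
# LAN -> Internet outbound; only replies to those connections come back in
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "FW-FWD-DROP: "
# rewrite LAN sources to whatever address the external interface holds now,
# which is what makes MASQUERADE the right target for a DHCP-assigned uplink
$IPT -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
}

# Load the rules and turn on forwarding. Without ip_forward=1 the FORWARD
# chain never sees a packet, whatever the rules in it say.
apply_rules() {
    [ -w /proc/sys/net/ipv4/ip_forward ] || { echo "apply needs root on Linux" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | sh -e
}

# "sh fw.sh" prints the rules; "sh fw.sh apply" loads them.
if [ "${1:-print}" = apply ]; then apply_rules; else build_rules; fi
```

When inside hosts can reach 192.168.2.1 but nothing beyond it, the order of checks is: /proc/sys/net/ipv4/ip_forward is 1, a FORWARD rule accepts eth1-to-eth0 traffic before the chain's DROP policy, and a POSTROUTING MASQUERADE rule exists in the nat table for eth0; `iptables -L -v -n` and `iptables -t nat -L -v -n` show the packet counters for each.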