
IPTables & Connection Sharing Problem

Started by October 12, 2003 07:37 AM
1 comment, last by Evil Bill 20 years, 11 months ago
Hey, me again (for the third time). Ok, I've given up with a script that runs at startup; the reason I was wanting that is because I thought that was what I did last time (but it wasn't). I'm trying to set up my IPTables to allow me to use my Linux PC as a firewall / router, which means I need to set up forwarding and masquerading. But it doesn't seem to work. Here's my "iptables" file so far:

# Firewall configuration file
# Modified from RedHat 9's default for 'Medium Security'
# By Steve Macpherson

# Apply default rules
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow incoming FTP, HTTP, etc
-A INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT

# Dunno what this is, just allow it
# (ports 67:68 are the BOOTP/DHCP server and client ports)
-A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT

# Set up IP FORWARDing and Masquerading
#--table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
-A FORWARD --in-interface eth1 -j ACCEPT

# Allow loopback access
-A INPUT -i lo -j ACCEPT

# Accept established connections
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset

# Allow Samba connections
-A INPUT -p tcp --syn -s 192.168.0.0/24 --destination-port 139 -j ACCEPT

# Each table in an iptables-restore file must end with COMMIT, otherwise
# the filter rules above are never loaded when the nat table starts
COMMIT

# Setup nat table
*nat
#:INPUT DROP [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
-A POSTROUTING --out-interface eth0 -j MASQUERADE

COMMIT
Bits of that are copied from various tutorials, but they all have lines starting with "iptables -A INPUT ...". I can't seem to find any file anywhere that uses lines starting like that, but this seems to be the closest match. I think the reason it's not working is that there's no rule saying what should happen to the packets coming in from my modem (eth0) that are targeted to the local network (eth1, IP range 192.168.0.2 - 192.168.0.254), but then I don't know if one's needed. I've added the line 'echo "1" > /proc/sys/net/ipv4/ip_forward' to /etc/rc.d/init.d/iptables, and I know it's being set since "cat /proc/sys/net/ipv4/ip_forward" returns 1, and there's a line saying something like "Stopping IPv4Forwarding" when the machine shuts down. This is all using RedHat 9. Anyone know what I need to do to get this working? Cheers, Steve
Member of the Unban Mindwipe Society (UMWS)
Hey,

Here's a good resource for masquerading:

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IP-Masquerade-HOWTO.html

Specifically, this part:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IP-Masquerade-HOWTO.html#RC.FIREWALL-2.4.X
towards the bottom of the code section where they start doing $IPTABLES stuff.

Here's what I used to share my modem (ppp0) on RH9:
# Generated by iptables-save v1.2.7a on Tue Sep 30 17:08:19 2003
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A POSTROUTING -o ! ppp0 -j ACCEPT
[0:0] -A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Tue Sep 30 17:08:19 2003
# Generated by iptables-save v1.2.7a on Tue Sep 30 17:08:19 2003
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Sep 30 17:08:19 2003
# Generated by iptables-save v1.2.7a on Tue Sep 30 17:08:19 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i eth0 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Sep 30 17:08:19 2003


So try that on for size and let me know how it works.

theoddbot

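Both rulesets in this thread are the posters' own; the script below is an added example and is not code from either of them. It writes an iptables-restore file for the layout in the first post (eth0 = modem, eth1 = LAN on 192.168.0.0/24), with the FORWARD policy set to DROP as in theoddbot's file, so the return-traffic rule the first post asked about (replies coming in on eth0 for the LAN, let through by connection state) is actually required and is shown explicitly. It also checks that every *table section of an iptables-restore file is closed by COMMIT, which is the structural problem in a file that goes straight from *filter to *nat. The function names gen_ruleset, check_commits and apply_ruleset are this example's own.

```shell
#!/bin/sh
# Added example for the thread above; not the posters' own files.
# Topology from the first post: eth0 = modem (WAN), eth1 = LAN 192.168.0.0/24.
# Function names (gen_ruleset, check_commits, apply_ruleset) are this example's own.

# Print an iptables-restore file.  Arguments: WAN interface, LAN interface, LAN network.
# Lines starting with '#' are ignored by iptables-restore, so the comments can stay.
gen_ruleset() {
  wan=$1; lan=$2; lannet=$3
  cat <<EOF
# nat table: rewrite the source address of LAN traffic leaving via $wan
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lannet -o $wan -j MASQUERADE
COMMIT
# filter table: nothing in from the modem unless the LAN asked for it
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -s $lannet -j ACCEPT
-A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet: new connections may go out
-A FORWARD -i $lan -o $wan -s $lannet -j ACCEPT
# Internet -> LAN: only replies to connections the LAN opened (the rule the
# first post wondered about; with FORWARD policy DROP it is required)
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Check that every "*table" section in an iptables-restore file is closed by
# COMMIT.  iptables-restore applies a table's rules when it reads COMMIT, so a
# section without one (e.g. "*filter" followed directly by "*nat") is not loaded.
# Prints the offending tables and returns non-zero if any are found.
check_commits() {
  awk '
    BEGIN { bad = 0 }
    /^\*/ {
      if (open != "") { printf "table %s has no COMMIT\n", open; bad = 1 }
      open = $0
    }
    /^COMMIT$/ { open = "" }
    END {
      if (open != "") { printf "table %s has no COMMIT\n", open; bad = 1 }
      exit bad
    }
  ' "$1"
}

# Load the ruleset on the router (needs root).  The first post sets ip_forward
# by hand in the init script; the same is done here before loading the rules.
# On RedHat 9 the generated file can also be saved as /etc/sysconfig/iptables
# so the iptables init script restores it at boot.
apply_ruleset() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  gen_ruleset "$@" | iptables-restore
}

# Usage: sh thisfile.sh eth0 eth1 192.168.0.0/24 > rules   (prints, does not load)
if [ "$#" -eq 3 ]; then
  gen_ruleset "$@"
fi
```

Run check_commits against an existing file before loading it; a table it reports is one whose rules would have been dropped at the next *table line, which leaves the chain policies at whatever the kernel already had.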
I'm an idiot >_<
The reason it wasn't working was that I didn't set the DNS server on my Windows box. So all the connections were failing since my machine didn't know how to get to a DNS server >_<

Thanks for the reply
Steve
Member of the Unban Mindwipe Society (UMWS)
