Mailinglist Archive: opensuse (4570 mails)

Re: [SLE] SuSE 10.0 masquerade changes?
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Fri, 18 Nov 2005 01:49:53 +0000 (UTC)
  • Message-id: <437D333E.8080908@xxxxxxxxxxxxx>
On 11/17/2005 08:54 AM, Peter A. Taylor wrote:
>On Wednesday 16 November 2005 22:10, Darryl Gregorash wrote:
>
>>Mea culpa; there are actually 3 independent tables in the firewall
>>(filter, nat and mangle), and the command as I gave it to you only gives
>>the state of the "filter" table. All the masquerading rules are in the
>>"nat" table. Perhaps we really need to be looking at the raw rules
>>anyway, for which there is the "iptables-save" command. Each line of the
>>output is essentially the parameters of a single "iptables" commandline
>>as the firewall script created it. Just run "iptables-save" as root,
>>with no parameters, and post the results. This command outputs all three
>>of the tables by default.
>>
>
> Thanks. The output is enclosed below. I tried this with SuSE 8.2 and 9.3
>as well. Several things jump out at me.
Grrrr

First, put your actual internal netmask, e.g. 192.168.1.0/24, into
FW_MASQ_NETS in the firewall config file -- you can simply edit the file
to do this, but run "/etc/init.d/SuSEfirewall_setup restart" immediately
after, if you are already connected to the internet.

Next, while connected to the internet, as root, run "/sbin/SuSEfirewall2
debug" and see what you get. Your output *should* include lines like these:

iptables -A forward_int -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 192.168.1.0/24 -o eth1
iptables -A forward_int -d 192.168.1.0/24 -i eth1 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A forward_ext -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 192.168.1.0/24 -o eth1
iptables -A forward_ext -d 192.168.1.0/24 -i eth1 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A POSTROUTING -j MASQUERADE -t nat -s 192.168.1.0/24 -o eth1

Don't simply pipe the firewall debug output through grep, because I'd
like to see the complete output.
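
Added example, not part of the original message: shell functions that read "iptables-save" output, attribute each rule to its table (filter, nat or mangle), and check for the nat MASQUERADE rule and the matching filter ACCEPT rule discussed above. The sample dump and all function names are constructed for illustration; on a live system the real "iptables-save" output (run as root) would be piped in instead.

```shell
#!/bin/sh
# Constructed sample of "iptables-save" output (not taken from the thread).
sample_dump() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:forward_int - [0:0]
-A FORWARD -i eth0 -j forward_int
-A forward_int -s 192.168.1.0/24 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -d 192.168.1.0/24 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Read a dump on stdin; print "table chain source out-iface target" per rule.
# A "*name" line opens a table, so every "-A" rule is attributed to its table.
list_rules() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    /^-A / {
      src = "any"; out = "any"; tgt = "-"
      for (i = 3; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-o") out = $(i + 1)
        if ($i == "-j") tgt = $(i + 1)
      }
      print table, $2, src, out, tgt
    }'
}

# Succeed only if the nat table masquerades NET ($1) leaving via IFACE ($2).
has_masquerade() {
  list_rules | grep -qxF "nat POSTROUTING $1 $2 MASQUERADE"
}

# Succeed only if the filter table accepts forwarding from NET out of IFACE.
has_forward() {
  list_rules | awk -v n="$1" -v o="$2" \
    '$1 == "filter" && $3 == n && $4 == o && $5 == "ACCEPT" { f = 1 } END { exit !f }'
}

sample_dump | list_rules   # demo on the constructed sample
```
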
