I have a LINUX box and several Windows servers, all with two network cards, one connected to our internal network and one connected to the real internet (via an ADSL switching port). We do not have any masquerading/NAT enabled, nor IP forwarding, nor socks proxies running.

I changed the /etc/sysconfig/sysctl line with IP-FORWARD to state "yes" and resaved it. (Actually I think there is a misprint in the descriptions, as it refers to this as ipv6, which should be the descriptor for the following parameter.) I did echo 1 > /proc/sys/net/ipv4/ip_forward and checked, by cat'ing the same file, that it had written 1.

I changed the default gateway on a PC on my internal network from nothing to my Linux box, and I could NOT ping anything on the external side. I restarted the LINUX box and then found I could ping the external address of my Windows servers but not the external address of anything else, which suggests to me that it is now forwarding the packets but the replies are coming back through the internal side of the Windows boxes rather than through the Linux box.

Question 1: Why did I need to restart the LINUX box? The documentation states that I could either restart OR echo 1 to the proc/sys file.

I now did iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 217.204.233.8, which is an unused address in real internet space. Eth1 is the external ethernet card with IP address 217.204.233.9. iptables -L fails to list anything but empty descriptors after issuing this command, when I rather expected it to show what I had entered.

Question 2: Why does iptables not list this rule, and Question 3: Why can I still not get echo replies from external IP addresses (except our servers)?

I suspect I am overlooking the obvious - and of course I lay open my ignorance in these matters for you to chuckle about as a reward for pointing me in the right direction (probably retirement!).

-- 
Alan Davies
Head of Computing
Birkenhead School
Alan Davies
> Question 1: Why did I need to restart the LINUX box? The documentation states that I could either restart OR echo 1 to the proc/sys file.
You didn't, but maybe you needed to rerun one of the init.d scripts that was looking at that file and doing something else with it.
> iptables -L fails to list anything but empty descriptors after issuing this command - when I rather expected it to show what I had entered.
What exactly does it show? I have never had a message about empty descriptors from iptables, as far as I can recall.
> Question 2: Why does iptables not list this rule and
AFAICT, it should.
> Question 3: Why can I still not get echo replies from external IP addresses (except our servers).
Something isn't yet configured correctly?
> I suspect I am overlooking the obvious - and of course I lay open my ignorance in these matters for you to chuckle about as a reward for pointing me in the right direction (probably retirement!).
You may prefer to set this up through another program like shorewall, as getting iptables just right can be a bit of an ordeal, while things like shorewall have tests and can point out some errors before they are put into the filters. shorewall is definitely available for Mandrake and Debian, and probably much else.

Can you please not send HTML to the list? Thanks.

-- 
MJR/slef My Opinion Only and possibly not of any group I know.
http://mjr.towers.org.uk/ jabber://slef@jabber.at
Creative copyleft computing services via http://www.ttllp.co.uk/
Thought: "Changeset algebra is really difficult."
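The gateway setup discussed in this thread, written out as an added example (not code from either message): a script that builds the SNAT rule in iptables-restore form, checks the kernel forwarding flag, and verifies the rule in the nat table, which is where it lives and why a plain `iptables -L` (which lists the filter table) does not show it. Interface eth1 and the 217.204.233.x addresses are the ones from the thread; the function names and the sample iptables-save output are my own construction.

```shell
#!/bin/sh
# Added example (not code from the thread). eth1 and the addresses are Alan's.
EXT_IF=eth1                 # external card, holds 217.204.233.9
SNAT_ADDR=217.204.233.8     # address packets are rewritten to on the way out

# Emit the nat table in iptables-restore format. The rule is in the nat
# table, so `iptables -L` (filter table by default) will never show it;
# `iptables -t nat -L POSTROUTING -n -v` or `iptables-save` will.
nat_ruleset() {
  printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
    "-A POSTROUTING -o $EXT_IF -j SNAT --to-source $SNAT_ADDR" 'COMMIT'
}

# Read iptables-save output on stdin; exit 0 only if the SNAT rule is
# present in the nat table (a rule in the wrong table counts as absent).
has_snat_rule() {
  awk -v ifc="$EXT_IF" -v addr="$SNAT_ADDR" '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && /^-A POSTROUTING / && index($0, "-o " ifc " ") &&
      index($0, "--to-source " addr) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# True when the kernel forwarding switch is on. Takes a file path so it can
# be tested against a copy; defaults to the live proc entry.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# On the gateway itself (root): turn forwarding on, load the rule without
# flushing existing tables, then list the nat table. SNAT_ADDR must be an
# address this host answers ARP for on EXT_IF (add it to eth1 first if not).
apply_nat_gateway() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  nat_ruleset | iptables-restore --noflush
  iptables -t nat -L POSTROUTING -n -v
}

# Constructed sample of iptables-save output after the rule is loaded,
# used to exercise has_snat_rule without touching a real firewall.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 217.204.233.8
COMMIT'
```

Only `apply_nat_gateway` touches the live system; the other functions can be run as an unprivileged user against saved output.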