On Tue, 15 May 2001, stephane parenton wrote:
> hi,
> I have a SuSE 7.0 Linux box that runs as DNS, filter and gateway. The filter is quite simple, and I'm experiencing troubles... The public IP address is 62.161.161.253, and the internal LAN is NAT'ed and uses the 192.168.0.x addresses. The computers from the LAN can see almost all the internet except the sites that have IPs beginning with 62.*... What can be the trouble?....
> here's the filter i use.
>
> #!/bin/sh
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /sbin/ipchains -F forward
> /sbin/ipchains -P forward DENY
>
> route add -net 62.161.161.192 netmask 255.255.255.224 gw 62.161.161.222 tr0:0

This, I think, is your problem. You've told us that your local IP address is 62.161.161.253, but this line tells me that all hosts between .192 and .223 are behind a gateway which is within that LAN! What is the netmask defined on your tr0 interface?

> route add 192.168.0.3 gw 62.161.161.253

Here's your NAT'd host (did you want to make that a LAN?). I trust .253 is within your LAN.

> route add default gw 62.161.161.254

...and .254 must also be within your LAN.

> /sbin/ipchains -A forward -s 0.0.0.0/0.0.0.0 -d 62.161.161.194/255.255.255.255 -j ACCEPT
> /sbin/ipchains -A forward -s 0.0.0.0/0.0.0.0 -d 62.161.161.195/255.255.255.255 -j ACCEPT
> /sbin/ipchains -A forward -s 62.161.161.194/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j ACCEPT
> /sbin/ipchains -A forward -s 62.161.161.195/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j ACCEPT
> /sbin/ipchains -A forward -s 192.168.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -j MASQ

Here you're masquerading a /16 LAN, but you've only defined a route for one host!
-- Rick Green "I have the heart of a little child, and the brain of a genius. ... and I keep them in a jar under my bed"
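The two things Rick is probing (which next hop each destination gets, and whether a route's gateway is even reachable on tr0 under a given netmask) can be checked on paper with a small model of the kernel's route selection. The script below is an added example for this thread, not code from either poster: it loads the three routes exactly as the posted script installs them, does longest-prefix matching for sample destinations, and reports for candidate tr0 prefix lengths (the value Rick asks about and the post never gives, so the 24/27/30 tried here are assumptions) whether each gateway lies on-link. Linux will only install a `route add ... gw X` when X is on-link for some interface, which is why a /27 on tr0 would make the .222 route fail outright.

```python
import ipaddress

# tr0 address taken from the post; its prefix length is the unknown Rick asks about.
TR0_ADDR = "62.161.161.253"

# Routing table as the posted script installs it (prefix, gateway).
ROUTES = [
    ("62.161.161.192/27", "62.161.161.222"),  # route add -net .192 netmask 255.255.255.224 gw .222
    ("192.168.0.3/32", "62.161.161.253"),     # route add 192.168.0.3 gw .253 (one host only)
    ("0.0.0.0/0", "62.161.161.254"),          # route add default gw .254
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return the gateway chosen for dst, or None if no route covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def on_link(gw, iface_addr, prefixlen):
    """True if gw sits inside the subnet configured as iface_addr/prefixlen.

    Linux only accepts 'route add ... gw X' when X is directly reachable this way,
    so a gateway that is off-link means the route is never installed at all.
    """
    iface = ipaddress.ip_interface(f"{iface_addr}/{prefixlen}")
    return ipaddress.ip_address(gw) in iface.network


def gateway_report(prefixlen, routes=ROUTES, iface_addr=TR0_ADDR):
    """Map each gateway in the table to whether it is on-link for tr0 at this prefix length."""
    return {gw: on_link(gw, iface_addr, prefixlen) for _, gw in routes}


if __name__ == "__main__":
    # Constructed sample destinations: two LAN hosts, one other 62.x host, the posted ACCEPT target.
    for dst in ("62.161.161.194", "62.161.161.3", "192.168.0.3", "192.168.0.4"):
        print(f"{dst:16} -> via {lookup(dst)}")
    for plen in (24, 27, 30):  # assumed candidate netmasks for tr0
        print(f"tr0 as /{plen}: {gateway_report(plen)}")
```

Running it shows the .194/.195 hosts go via .222 (a box inside the very /27 it is supposed to reach), every other 62.x address falls through to the default gateway like the rest of the internet, and only 192.168.0.3 of the masqueraded /16 has a route at all. With tr0 as /24 all three gateways are on-link; at /27 the .222 gateway is outside 62.161.161.224/27 and the first route cannot be installed, which is the case Rick's netmask question is aimed at.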