<html>
<body>
Hi,<br><br>
I am still having difficulties with masquerading. The options in
Cameron's reply are confirmed.<br><br>
I include the script here (I tried with a Word doc and it got stopped ...
)<br><br>
_______________________________________________________________________________<br><br>
<font face="Courier New, Courier">#!/bin/sh<br>
#<br>
# rc.firewall-2.4<br><br>
FWVER=0.75<br><br>
#<br>
# Initial SIMPLE IP Masquerade test for 2.4.x kernels<br>
# using IPTABLES.<br>
#<br>
# Once IP Masquerading has been tested, with this simple<br>
# ruleset, it is highly recommended to use a stronger<br>
# IPTABLES ruleset either given later in this HOWTO or<br>
# from another reputable resource.<br>
#<br>
#<br>
#<br>
# Log:<br>
# 0.75 - Added more kernel modules to the comments section<br>
# 0.74 - the ruleset now uses modprobe vs. insmod<br>
# 0.73 - REJECT is not a legal policy yet; back to DROP<br>
# 0.72 - Changed the default block behavior to REJECT not DROP<br>
# 0.71 - Added clarification that PPPoE users need to use<br>
#        "ppp0" instead of "eth0" for their external interface<br>
# 0.70 - Added commented option for IRC nat module<br>
#      - Added additional use of environment variables<br>
#      - Added additional formatting<br>
# 0.63 - Added support for the IRC IPTABLES module<br>
# 0.62 - Fixed a typo on the MASQ enable line that used eth0<br>
#        instead of $EXTIF<br>
# 0.61 - Changed the firewall to use variables for the internal<br>
#        and external interfaces.<br>
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP<br>
#        all forwarded packets but it didn't have a rule to ACCEPT<br>
#        any packets to be forwarded either<br>
#      - Load the ip_nat_ftp and ip_conntrack_ftp modules by default<br>
# 0.50 - Initial draft<br>
#<br><br>
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"<br><br>
# The location of the iptables and kernel module programs<br>
#<br>
# If your Linux distribution came with a copy of iptables,<br>
# most likely all the programs will be located in /sbin. If<br>
# you manually compiled iptables, the default location will<br>
# be in /usr/local/sbin<br>
#<br>
# ** Please use the "whereis iptables" command to figure out<br>
# ** where your copy is and change the path below to reflect<br>
# ** your setup<br>
#<br>
#IPTABLES=/sbin/iptables<br>
#IPTABLES=/usr/local/sbin/iptables<br><br>
IPTABLES=/sbin/iptables<br>
DEPMOD=/sbin/depmod<br>
MODPROBE=/sbin/modprobe<br><br>
<br>
#Setting the EXTERNAL and INTERNAL interfaces for the network<br>
#<br>
# Each IP Masquerade network needs to have at least one<br>
# external and one internal network. The external network<br>
# is where the natting will occur and the internal network<br>
# should preferably be addressed with a RFC1918 private address<br>
# scheme.<br>
#<br>
# For this example, "eth0" is external and "eth1" is internal<br>
#<br>
#<br>
# NOTE: If this doesn't EXACTLY fit your configuration, you must<br>
# change the EXTIF or INTIF variables below. For example:<br>
#<br>
# If you are a PPPoE or analog modem user:<br>
#<br>
#    EXTIF="ppp0"<br>
#<br>
#<br><br>
EXTIF="ppp0"<br>
INTIF="eth0"<br>
echo " External Interface: $EXTIF"<br>
echo " Internal Interface: $INTIF"<br><br>
<br>
#======================================================================<br>
#== No editing beyond this line is required for initial MASQ testing ==<br><br>
<br>
#echo -en " loading modules: "<br><br>
# Need to verify that all modules have all required dependencies<br>
#<br><br>
#echo " - Verifying that all kernel modules are ok"<br>
#$DEPMOD -a<br><br>
# With the new IPTABLES code, the core MASQ functionality is now either<br>
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES<br>
# options as MODULES. If your kernel is compiled correctly, there is<br>
# NO need to load the kernel modules manually.<br>
#<br>
# NOTE: The following items are listed ONLY for informational reasons.<br>
#       There is no reason to manually load these modules unless your<br>
#       kernel is either mis-configured or you intentionally disabled<br>
#       the kernel module autoloader.<br>
#<br><br>
# Upon the commands of starting up IP Masq on the server, the<br>
# following kernel modules will be automatically loaded:<br>
#<br>
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ<br>
#       modules are shown below but are commented out from loading.<br>
# ===============================================================<br><br>
echo "----------------------------------------------------------------------"<br><br>
#Load the main body of the IPTABLES module - "iptable"<br>
# - Loaded automatically when the "iptables" command is invoked<br>
#<br>
# - Loaded manually to clean up kernel auto-loading timing issues<br>
#<br><br>
#echo -en "ip_tables, "<br>
#$MODPROBE ip_tables<br><br>
<br>
#Load the IPTABLES filtering module - "iptable_filter"<br>
# - Loaded automatically when filter policies are activated<br><br>
<br>
#Load the stateful connection tracking framework - "ip_conntrack"<br>
#<br>
# The conntrack module in itself does nothing without other specific<br>
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"<br>
# module<br>
#<br>
# - This module is loaded automatically when MASQ functionality is<br>
#   enabled<br>
#<br>
# - Loaded manually to clean up kernel auto-loading timing issues<br>
#<br><br>
#echo -en "ip_conntrack, "<br>
#$MODPROBE ip_conntrack<br><br>
<br>
#Load the FTP tracking mechanism for full FTP tracking<br>
#<br>
# Enabled by default -- insert a "#" on the next line to deactivate<br>
#<br><br>
#echo -en "ip_conntrack_ftp, "<br>
#$MODPROBE ip_conntrack_ftp<br><br>
<br>
#Load the IRC tracking mechanism for full IRC tracking<br>
#<br>
# Enabled by default -- insert a "#" on the next line to deactivate<br>
#<br><br>
#echo -en "ip_conntrack_irc, "<br>
#$MODPROBE ip_conntrack_irc<br><br>
<br>
#Load the general IPTABLES NAT code - "iptable_nat"<br>
# - Loaded automatically when MASQ functionality is turned on<br>
#<br>
# - Loaded manually to clean up kernel auto-loading timing issues<br>
#<br><br>
#echo -en "iptable_nat, "<br>
#$MODPROBE iptable_nat<br><br>
<br>
#Loads the FTP NAT functionality into the core IPTABLES code<br>
# Required to support non-PASV FTP.<br>
#<br>
# Enabled by default -- insert a "#" on the next line to deactivate<br>
#<br><br>
#echo -en "ip_nat_ftp, "<br>
#$MODPROBE ip_nat_ftp<br><br>
<br>
#Loads the IRC NAT functionality into the core IPTABLES code<br>
# Required to support NAT of IRC DCC requests<br>
#<br>
# Disabled by default -- remove the "#" on the next line to activate<br>
#<br>
#echo -e "ip_nat_irc"<br>
#$MODPROBE ip_nat_irc<br><br>
echo "----------------------------------------------------------------------"<br><br>
# Just to be complete, here is a partial list of some of the other<br>
# IPTABLES kernel modules and their function. Please note that most<br>
# of these modules (the ipt ones) are automatically loaded by the<br>
# master kernel module for proper operation and don't need to be<br>
# manually loaded.<br>
# --------------------------------------------------------------------<br>
#<br>
# ip_nat_snmp_basic - this module allows for proper NATing of some<br>
#                     SNMP traffic<br>
#<br>
# iptable_mangle    - this target allows for packets to be<br>
#                     manipulated for things like the TCPMSS<br>
#                     option, etc.<br>
#<br>
# --<br>
#<br>
# ipt_mark       - this target marks a given packet for future action.<br>
#                  This automatically loads the ipt_MARK module<br>
#<br>
# ipt_tcpmss     - this target allows manipulating the TCP MSS<br>
#                  option for braindead remote firewalls.<br>
#                  This automatically loads the ipt_TCPMSS module<br>
#<br>
# ipt_limit      - this target allows for packets to be limited to<br>
#                  a given number of hits per sec/min/hr<br>
#<br>
# ipt_multiport  - this match allows for targets within a range<br>
#                  of port numbers vs. listing each port individually<br>
#<br>
# ipt_state      - this match allows catching packets with various<br>
#                  IP and TCP flags set/unset<br>
#<br>
# ipt_unclean    - this match allows catching packets that have invalid<br>
#                  IP/TCP flags set<br>
#<br>
# iptable_filter - this module allows for packets to be DROPped,<br>
#                  REJECTed, or LOGged. This module automatically<br>
#                  loads the following modules:<br>
#<br>
#                  ipt_LOG - this target allows for packets to be<br>
#                            logged<br>
#<br>
#                  ipt_REJECT - this target DROPs the packet and returns<br>
#                               a configurable ICMP packet back to the<br>
#                               sender.<br>
#<br><br>
#echo -e " Done loading modules.\n"<br><br>
<br><br>
#CRITICAL: Enable IP forwarding since it is disabled by default<br>
#<br>
# Redhat Users: you may try changing the options in<br>
#               /etc/sysconfig/network from:<br>
#<br>
#                 FORWARD_IPV4=false<br>
#               to<br>
#                 FORWARD_IPV4=true<br>
#<br><br>
echo " Enabling forwarding.."<br>
echo "1" > /proc/sys/net/ipv4/ip_forward<br><br>
<br>
# Dynamic IP users:<br>
#<br>
# If you get your IP address dynamically from SLIP, PPP, or DHCP,<br>
# enable this following option. This enables dynamic-address hacking<br>
# which makes life with Diald and similar programs much easier.<br>
#<br><br>
echo " Enabling DynamicAddr.."<br>
echo "1" > /proc/sys/net/ipv4/ip_dynaddr<br><br>
<br>
# Enable simple IP forwarding and Masquerading<br>
#<br>
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.<br>
#<br>
# NOTE #2: The following is an example for an internal LAN address in the<br>
#          192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask<br>
#          connecting to the Internet on external interface "eth0". This<br>
#          example will MASQ internal traffic out to the Internet but not<br>
#          allow non-initiated traffic into your internal network.<br>
#<br>
#<br>
# ** Please change the above network numbers, subnet mask, and your<br>
# ** Internet connection interface name to match your setup<br>
#<br><br>
<br>
#Clearing any previous configuration<br>
#<br>
# Unless specified, the defaults for INPUT and OUTPUT are ACCEPT<br>
# The default for FORWARD is DROP (REJECT is not a valid policy)<br>
#<br><br>
echo " Clearing any existing rules and setting default policy.."<br>
$IPTABLES -P INPUT ACCEPT<br>
$IPTABLES -F INPUT<br>
$IPTABLES -P OUTPUT ACCEPT<br>
$IPTABLES -F OUTPUT<br>
$IPTABLES -P FORWARD DROP<br>
$IPTABLES -F FORWARD<br>
$IPTABLES -t nat -F<br><br>
echo " FWD: Allow all connections OUT and only existing and related ones IN"<br>
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT<br>
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT<br>
$IPTABLES -A FORWARD -j LOG<br><br>
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"<br>
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE<br><br>
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"<br><br>
</font>_______________________________________________________________________________________<br><br>
Any help would be appreciated as I'm at a stop on this thing
...<br><br>
Ciao,<br><br>
Steve<br>
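A way to narrow down a "masquerading does not work" report is to compare what iptables-save shows against the five things the script above is meant to leave behind (ip_forward set, FORWARD policy DROP, the two FORWARD rules, and MASQUERADE on the real uplink). The following is an added example, not code from Steve's post or from the HOWTO; the check_masq helper and both sample dumps are constructed here, and it assumes iptables-save prints the state match as "--state RELATED,ESTABLISHED".<br><br>

```shell
#!/bin/sh
# Added example (not from the original post or the HOWTO): verify that an
# iptables-save dump contains what rc.firewall-2.4 should have installed.
# Usage: check_masq EXTIF INTIF IP_FORWARD_VALUE < iptables-save-output
# Returns 0 when every check passes, otherwise prints each gap and returns 1.

check_masq() {
    extif=$1; intif=$2; ipfwd=$3
    dump=$(cat)
    rc=0
    has() { printf '%s\n' "$dump" | grep -Eq -- "$1"; }

    # 1. The kernel must forward at all (the script writes 1 to ip_forward).
    [ "$ipfwd" = "1" ] || { echo "ip_forward is '$ipfwd', must be 1"; rc=1; }
    # 2. Unsolicited inbound forwarding stays blocked: FORWARD policy DROP.
    has "^:FORWARD DROP" || { echo "FORWARD policy is not DROP"; rc=1; }
    # 3. Only replies to internal hosts come back in (iptables-save prints
    #    the state list as RELATED,ESTABLISHED; accept either order).
    has "^-A FORWARD -i $extif -o $intif -m state --state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT" \
        || { echo "missing $extif -> $intif ESTABLISHED,RELATED rule"; rc=1; }
    # 4. Internal hosts may open connections outward.
    has "^-A FORWARD -i $intif -o $extif -j ACCEPT" \
        || { echo "missing $intif -> $extif ACCEPT rule"; rc=1; }
    # 5. Source NAT must hang off the real external interface.
    has "^-A POSTROUTING -o $extif -j MASQUERADE" \
        || { echo "no MASQUERADE on $extif in nat POSTROUTING"; rc=1; }
    return $rc
}

# Constructed sample of iptables-save output after a successful run.
SAMPLE_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -j LOG
COMMIT'
# Constructed failure: MASQUERADE was put on eth0 although the uplink is ppp0.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | sed 's/-o ppp0 -j MASQUERADE/-o eth0 -j MASQUERADE/')

printf '%s\n' "$SAMPLE_OK"  | check_masq ppp0 eth0 1 && echo "OK sample: complete"
printf '%s\n' "$SAMPLE_BAD" | check_masq ppp0 eth0 1 || echo "BAD sample: incomplete"
```

On the actual box the same function is fed live data with `iptables-save | check_masq ppp0 eth0 "$(cat /proc/sys/net/ipv4/ip_forward)"`; any line it prints names the piece of the ruleset that did not take effect.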
</body>
</html>