
RE: ADSL Masquerading with 2.4.7-10 and ipchains Q



Hi Dani,

Please see my questions regarding your comments, below.
(And thanks for your help).

-----Original Message-----
From: Dani Arbel [mailto:darbel@techunix.technion.ac.il]
Sent: Tuesday, October 30, 2001 8:05 AM
To: Shosh Kalson
Cc: linux-il@linux.org.il
Subject: RE: ADSL Masquerading with 2.4.7-10 and ipchains Q


Hi!

On Tue, 30 Oct 2001, Shosh Kalson wrote:

> LAN is on eth1.
>
> I found that in order to get the masquerading to work I had to add the
> following to my firewall script:
>
> ipchains -A input -i eth0 -s 10.0.0.138 -d 10.200.1.1 -j ACCEPT
> ipchains -A output -i eth0 -s 10.200.1.1 -d 10.0.0.138 -j ACCEPT

You probably needed it anyway. In the iptables example you can find
similar lines for the gre tunnel (protocol 47).

Where can I find the iptables example?

>
> I really have no idea if I've opened up a security hole or not (I sure hope
> somebody will tell me if I have <g>), but it works.

If you do not run the echo service on the linux box you do not risk too much.

This is probably a pretty stupid question, but I'll ask it anyway...  What is the echo service?

>
> BTW, I notice that I'm blocking packets on eth0 going from
> 10.200.1.1:1025/1026/64715 to 10.0.0.1:53 (PROTO=17).  Can anybody tell me

These are probably DNS lookup queries. Did you define 10.0.0.1 as a DNS server somewhere in 10.200.1.1?

Yes, I thought that it might be DNS (that's the :53, right?).  10.200.1.1 is the address of eth0, which is connected to the adsl modem.  As far as I know (but I'm still so new at this I'm not entirely sure), I didn't define anything for 10.0.0.1.  I've noticed that the modem needs to "talk" to eth0, otherwise it drops the connection.  Perhaps this is related to that?

> what this might be?
>
> Regarding loading modules -- I have the same problem as you -- couldn't load
> the FTP module for example.  So I just commented it out, figuring I'd
> deal with it later.  And, what do you know?  I'm able to FTP from my windows
> boxes.  Maybe somebody can explain/comment?

Sounds like a distro problem (or installation? maybe you did not ask for iptables/ipchains at install time?).

My distro is RedHat 7.1.  It didn't ask me about iptables/ipchains at install.  It just asked if I wanted a strong, medium or no firewall.  By the third time doing the installation <g> I told it no firewall, and set up my own (compiled from various examples) script.  In all cases however, it set up ipchains.

But anyway, it doesn't seem to matter that I can't tell it to load the ftp module.  Perhaps it's already loaded or compiled into the kernel or something?

Again, thanks for your help.  I RTFM but sometimes (a lot) it's a little "hard to see the forest for all the trees."

Regards,
Shosh
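A defender-side helper, added here as an example (not code from the thread or from either poster), that parses ipchains kernel log lines of the kind behind the blocked UDP/53 packets Shosh describes and tallies denied flows by interface, endpoints and service. The log lines below are constructed, and the assumed format is the 2.2-era "Packet log:" syslog line produced by ipchains rules with the -l flag.

```python
import re
from collections import Counter

# Constructed sample log lines (not real captures), modelled on the blocked
# DNS lookups 10.200.1.1:1025/1026/64715 -> 10.0.0.1:53 (PROTO=17) in the thread.
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=17 10.200.1.1:1025 10.0.0.1:53 L=60 S=0x00 I=18 F=0x0000 T=64 (#5)
Packet log: input DENY eth0 PROTO=17 10.200.1.1:1026 10.0.0.1:53 L=60 S=0x00 I=19 F=0x0000 T=64 (#5)
Packet log: input DENY eth0 PROTO=17 10.200.1.1:64715 10.0.0.1:53 L=60 S=0x00 I=20 F=0x0000 T=64 (#5)
Packet log: input ACCEPT eth1 PROTO=6 192.168.1.10:1030 10.200.1.1:21 L=60 S=0x00 I=21 F=0x0000 T=64 (#2)
"""

# Assumed layout: chain target iface PROTO=n src:sport dst:dport ... (#rule)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*?\(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
# Well-known ports mentioned in the thread: DNS (53), FTP control (21), echo (7).
SERVICE_NAMES = {(17, 53): "dns", (6, 53): "dns", (6, 21): "ftp", (6, 7): "echo", (17, 7): "echo"}


def parse_line(line):
    """Return a dict of the fields in one ipchains log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        rec[key] = int(rec[key])
    return rec


def summarize_denied(log_text):
    """Count DENY/REJECT hits per (iface, src, dst, proto name, dport, service name).

    Source ports are deliberately left out of the key so that ephemeral ports
    (1025, 1026, 64715, ...) collapse into one flow, which is what makes the
    repeated DNS lookups to 10.0.0.1 stand out as a single pattern.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["target"] not in ("DENY", "REJECT"):
            continue
        proto = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
        service = SERVICE_NAMES.get((rec["proto"], rec["dport"]), "?")
        counts[(rec["iface"], rec["src"], rec["dst"], proto, rec["dport"], service)] += 1
    return counts
```

Feeding it the sample collapses the three blocked lookups into one flow, eth0 10.200.1.1 -> 10.0.0.1 UDP/53 (dns) x3, while the accepted FTP line is ignored.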
