RE: ADSL Masquerading with 2.4.7-10 and ipchains Q
- To: "Dani Arbel" <darbel(at-nospam)techunix.technion.ac.il>
- Subject: RE: ADSL Masquerading with 2.4.7-10 and ipchains Q
- From: "Shosh Kalson" <kalson(at-nospam)bezeqint.net>
- Date: Wed, 31 Oct 2001 00:13:37 +0200
- Cc: <linux-il(at-nospam)linux.org.il>
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Importance: Normal
- In-Reply-To: <Pine.GSO.4.33.0110300759090.24635-100000@techunix.technion.ac.il>
- Reply-To: <kalson(at-nospam)bezeqint.net>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Hi Dani,
Please see my questions regarding your comments, below.
(And thanks for your help).
-----Original Message-----
From: Dani Arbel [mailto:darbel@techunix.technion.ac.il]
Sent: Tuesday, October 30, 2001 8:05 AM
To: Shosh Kalson
Cc: linux-il@linux.org.il
Subject: RE: ADSL Masquerading with 2.4.7-10 and ipchains Q
Hi!
On Tue, 30 Oct 2001, Shosh Kalson wrote:
> LAN is on eth1.
>
> I found that in order to get the masquerading to work I had to add the
> following to my firewall script:
>
> ipchains -A input -i eth0 -s 10.0.0.138 -d 10.200.1.1 -j ACCEPT
> ipchains -A output -i eth0 -s 10.200.1.1 -d 10.0.0.138 -j ACCEPT
You probably needed it anyway. In the iptables example you can find
similar lines for the gre tunnel (protocol 47).
Where can I find the iptables example?
>
> I really have no idea if I've opened up a security hole or not (I sure
> hope somebody will tell me if I have <g>), but it works.
If you do not run the echo service on the linux box you do not risk too
much.
This is probably a pretty stupid question, but I'll ask it anyway... What
is the echo service?
>
> BTW, I notice that I'm blocking packets on eth0 going from
> 10.200.1.1:1025/1026/64715 to 10.0.0.1:53 (PROTO=17). Can anybody tell me
> what this might be?
These are probably DNS lookup queries. Did you define 10.0.0.1 as a DNS
server somewhere in 10.200.1.1?
Yes, I thought that it might be DNS (that's the :53, right?). 10.200.1.1 is
the address of eth0, which is connected to the ADSL modem. As far as I know
(but I'm still so new at this I'm not entirely sure), I didn't define
anything for 10.0.0.1. I've noticed that the modem needs to "talk" to eth0,
otherwise it drops the connection. Perhaps this is related to that?
>
> Regarding loading modules -- I have the same problem as you -- couldn't
> load the FTP module for example. So I just commented it out, figuring I'd
> deal with it later. And, what do you know? I'm able to FTP from my
> Windows boxes. Maybe somebody can explain/comment?
Sounds like a distro problem (or installation? maybe you did not ask for
iptables/ipchains at install time?).
My distro is RedHat 7.1. It didn't ask me about iptables/ipchains at
install. It just asked if I wanted a strong, medium or no firewall. By the
third time doing the installation <g> I told it no firewall, and set up my
own (compiled from various examples) script. In all cases however, it set
up ipchains.
But anyway, it doesn't seem to matter that I can't tell it to load the ftp
module. Perhaps it's already loaded or compiled into the kernel or something?
Again, thanks for your help. I RTFM but sometimes (a lot) it's a little
"hard to see the forest for all the trees."
Regards,
Shosh
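Added example, not part of the thread or of anyone's posted script: a small Python parser for the kernel's ipchains "Packet log:" syslog lines that labels what each logged packet is, so that the PROTO=17 packets to port 53 asked about above read as DNS queries and PROTO=47 as the GRE tunnel. The sample log lines are constructed from the addresses in the thread (not captured data); the field layout assumed is the one ipchains packet logging writes to syslog.

```python
import re
from collections import Counter
from dataclasses import dataclass

# ipchains kernel log layout (a syslog prefix may precede it):
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=..
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
PORT_NAMES = {7: "echo", 21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http"}

@dataclass(frozen=True)
class LoggedPacket:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

    def service(self) -> str:
        """Label the traffic: well-known destination port for TCP/UDP, protocol name otherwise."""
        if self.proto in (6, 17):
            return PORT_NAMES.get(self.dport, f"port {self.dport}")
        return PROTO_NAMES.get(self.proto, f"proto {self.proto}")

def parse_line(line: str):
    """Parse one syslog line into a LoggedPacket; None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return LoggedPacket(f["chain"], f["verdict"], f["iface"], int(f["proto"]),
                        f["src"], int(f["sport"]), f["dst"], int(f["dport"]))

def summarize(lines) -> Counter:
    """Count packets by (chain, verdict, dst, service) so ephemeral source ports collapse."""
    return Counter((p.chain, p.verdict, p.dst, p.service()) for p in map(parse_line, lines) if p)

# Constructed sample log modeled on the packets reported in the thread (not captured data).
SAMPLE_LOG = [
    "Oct 30 08:05:01 gw kernel: Packet log: output DENY eth0 PROTO=17 10.200.1.1:1025 10.0.0.1:53 L=60 S=0x00 I=1 F=0x0000 T=64",
    "Oct 30 08:05:02 gw kernel: Packet log: output DENY eth0 PROTO=17 10.200.1.1:64715 10.0.0.1:53 L=60 S=0x00 I=2 F=0x0000 T=64",
    "Oct 30 08:05:03 gw kernel: Packet log: input ACCEPT eth0 PROTO=47 10.0.0.138:65535 10.200.1.1:65535 L=76 S=0x00 I=3 F=0x0000 T=64",
    "Oct 30 08:05:04 gw sshd[12]: unrelated syslog line",
]
```

Running `summarize(SAMPLE_LOG)` groups the two denied lookups from different ephemeral ports into one ("output", "DENY", "10.0.0.1", "dns") entry, which is the view that answers "what is this?" faster than reading the raw lines.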