sslug-teknik team mailing list archive
Message #32584
MASQ firewall...
System :
RedHat 7.0
eth0 : 3com 905b
eth1 : D-Link 538TX
----------------------------
I have a cable modem connected to eth0 and an internal network on eth1.
eth0 = gets its address from DHCP; right now I think it is 194.239.205.121
eth1 = 192.168.1.1
I have also installed ndc.. it works.
From the server:
I can ping everything.. i.e. everything on the internal network and everything on the Internet..
From the internal network:
I can ping both eth1 and eth0.
But when I ping a www address, I do get the IP number, and the
first line is something like "the address 192.168.1.1 is unreachable",
after which there are 3 "the request timed out".
(The machine is a Windows ME box, IP = 192.168.1.5.)
Here is what my firewall file looks like..
#!/bin/sh
/sbin/depmod -a
#
/sbin/modprobe ip_masq_ftp
#
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# following option. This enables dynamic-ip address hacking in IP MASQ,
# making the life with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
/sbin/ipchains -M -S 7200 10 160
# DHCP: For people who receive their external IP address from either DHCP or
# BOOTP such as ADSL or Cablemodem users, it is necessary to use the
# following before the deny command. The "bootp_client_net_if_name"
# should be replaced the name of the link that the DHCP/BOOTP server
# will put an address on to? This will be something like "eth0",
# "eth1", etc.
#
# This example is currently commented out.
#
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth0 -s 192.168.1.1/24 -j MASQ
----------------------------
I hope there is someone who can help me..
/KonGe