ChristopherWang
asked on
Setting up XP machines for use with Redhat masquerading server : Part II
Hi everyone,
I am having difficulty getting my XP machine to access the internet through my masquerading Red Hat 7.1 box. While experimenting, I did an ipconfig /displaydns on the XP machine, and got a short list of 8 URLs. I can ping these URLs, however, *I cannot ping any other URLs.*
My setup is:
connection type: cable
Linux (two LAN cards): 192.168.0.1 (eth1) and using DHCP for eth0.
XP: 192.168.0.2, using the Linux box as gateway. An ipconfig /all in XP reveals that "IP Routing" is enabled, however, I do not see where to disable this.
The problem is, despite being able to connect to the ISP and ping any URLs from the Linux box, I cannot ping most internet sites from the XP machine. The Linux and XP machines can ping each other without problem.
My Linux firewall settings (which are minimal for testing) are:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -j MASQUERADE
I have no firewalls enabled on the XP machine.
Does anyone know what might be the problem? This is related to an earlier question of mine, that I have not successfully worked through...
Many thanks,
C. Wang
ASKER
Hi Luxana,
Yes, I've given a primary and secondary DNS, which I got from the /etc/resolv.conf.
Thanks,
C. Wang
ASKER
Anyone have any other suggestions?
I can get ping responses on the handful of URLs like "ads.tripod.com" and sites like doubleclick.com or hotclick.com, which happen to be in my ipconfig /displaydns.
Thanks,
C. Wang
Hallo Christopher
It looks alright to me, but I'm not an expert in this case. That means that I do not want to get you wrong. I'm also using forwarding for sharing internet. Check and try mine if you want:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
/sbin/iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -I FORWARD -p tcp --dport 0:1023 -d 192.168.1.0/24 -j DROP
I have win98 and winXP clients on the network, both working perfectly, including doubleclick.com and hotclick.com.
Luxana
ASKER
Thanks, Luxana.
I've replaced my firewall script with your script above. Unfortunately, now when I ping sites, I get:
"From 10.0.144.1 : Packet filtered" ...and 100% packet loss.
Any other ideas? Do I need to enter anything for "WINS server" in XP? I've kept this blank.
Thanks,
Christopher
Hallo Christofer
No, you do not have to set up WINS on XP. All we need is to set up the GATEWAY and DNS.
Filtered from 10.0.144.1? Do you have a firewall enabled in Linux, or what?
try:
#setup
and then the firewall settings
What is your DHCP range of IPs on eth0?
ASKER
Hi Luxana,
Well, when I installed Red Hat originally, I selected "no firewall" in the graphical install.
I just ran setup now, and in the firewall section, it defaults to "high security", but did not seem to accept my change to "no firewall". Is there a way to check if Linux is running another firewall script?
Also, where can I check the DHCP range?
Many thanks,
Christopher
Hallo Christofer
All I'm wondering is what IP this is: 10.0.144.1?
So just to make it clear! On your Linux you are running the DHCP service on eth0. If so, you can see the range of IP addresses in /etc/dhcpd.conf.
And on your eth1 you are connected to the 192.168.0.0 network?
Christofer, I said that I do not want to get you wrong. I'm not an expert in this case; I'm just comparing your situation with my own.
Luxana
Hallo Christofer
Can you please post here your
#route
and
#netstat -r
and
#ifconfig
and
#iptables -L
thanks
Luxana
ASKER
Hi Luxana,
Ok, firstly, I checked for the /etc/dhcpd.conf and did not find one. I did a find on the whole system, and no dhcpd.conf was found. There were two empty directories under /etc called "dhcpc" and "dhcpcd". By the way, I connect to the net using a program called "BPALogin" which was designed to connect cable modems to my ISP while bypassing a regular "heartbeat" signal from the ISP. BPALogin uses DHCP. It does connect me, but I cannot find the "DHCP range".
Next, I ran the commands you asked me to run:
#route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
144.136.48.0    *               255.255.252.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.254   0.0.0.0         UG    0      0        0 eth1
default         CPE-144-136-48- 0.0.0.0         UG    0      0        0 eth0
--------------------------
#netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     *               255.255.255.0   U        40 0          0 eth1
144.136.48.0    *               255.255.252.0   U        40 0          0 eth0
127.0.0.0       *               255.0.0.0       U        40 0          0 lo
default         192.168.0.254   0.0.0.0         UG       40 0          0 eth1
default         CPE-144-136-48- 0.0.0.0         UG       40 0          0 eth0
--------------------------
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:6E:73:A6
          inet addr:144.136.51.206  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0x8f00
eth1      Link encap:Ethernet  HWaddr 00:40:F4:7C:04:74
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:12 Base address:0xae00
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
--------------------------
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain block (0 references)
target     prot opt source               destination
The inet address for eth0 was automatically generated by my connection.
Thanks very much for any help,
Christopher
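As an added check, not code from any post in this thread: the Python script below parses the route and ifconfig output posted above, together with the source network of a MASQUERADE rule, and flags two things a masquerading gateway should never have: more than one default route (or one that leaves via the LAN side), and a NAT source network that does not cover the LAN segment (as happens when a 192.168.1.0/24 rule is loaded on a 192.168.0.0/24 LAN). The sample output is constructed from the post above; the roles eth1 = LAN and eth0 = WAN are assumed from it.

```python
import ipaddress
import re

# Constructed sample: the route table posted above, gateway name truncated as on the page.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
144.136.48.0    *               255.255.252.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.254   0.0.0.0         UG    0      0        0 eth1
default         CPE-144-136-48- 0.0.0.0         UG    0      0        0 eth0
"""

# Constructed sample: the address lines of the ifconfig output posted above.
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 00:40:F4:6E:73:A6
          inet addr:144.136.51.206  Bcast:255.255.255.255  Mask:255.255.252.0
eth1      Link encap:Ethernet  HWaddr 00:40:F4:7C:04:74
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""


def parse_routes(text):
    """Parse old-style `route` output into dicts; the two header lines are skipped."""
    routes = []
    for line in text.splitlines()[2:]:
        cols = line.split()
        if len(cols) < 8:
            continue
        routes.append({"dest": cols[0], "gateway": cols[1], "genmask": cols[2],
                       "flags": cols[3], "iface": cols[-1]})
    return routes


def parse_ifconfig(text):
    """Map interface name -> (inet addr, netmask) from old-style ifconfig output."""
    addrs, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]       # a non-indented line names the interface
            continue
        m = re.search(r"inet addr:(\S+).*Mask:(\S+)", line)
        if m and current:
            addrs[current] = (m.group(1), m.group(2))
    return addrs


def check_default_routes(routes, wan_iface):
    """A NAT gateway should have exactly one default route, and it must exit via the WAN side."""
    findings = []
    defaults = [r for r in routes if r["dest"] in ("default", "0.0.0.0")]
    if len(defaults) != 1:
        findings.append("expected 1 default route, found %d" % len(defaults))
    for r in defaults:
        if r["iface"] != wan_iface:
            findings.append("default route via %s on %s (WAN is %s)"
                            % (r["gateway"], r["iface"], wan_iface))
    return findings


def check_masquerade_source(lan_addr, lan_mask, masq_source):
    """The -s network of the MASQUERADE rule must cover the LAN segment, or LAN clients leave unmasqueraded."""
    lan_net = ipaddress.ip_network("%s/%s" % (lan_addr, lan_mask), strict=False)
    masq_net = ipaddress.ip_network(masq_source, strict=False)
    if not lan_net.subnet_of(masq_net):
        return ["MASQUERADE source %s does not cover LAN %s" % (masq_net, lan_net)]
    return []


def audit(route_text, ifconfig_text, lan_iface, wan_iface, masq_source):
    """Run every check and return the list of warnings (empty when the gateway looks sane)."""
    findings = check_default_routes(parse_routes(route_text), wan_iface)
    addrs = parse_ifconfig(ifconfig_text)
    if lan_iface not in addrs:
        findings.append("LAN interface %s has no inet address" % lan_iface)
    else:
        findings += check_masquerade_source(*addrs[lan_iface], masq_source)
    return findings


if __name__ == "__main__":
    for warning in audit(ROUTE_OUTPUT, IFCONFIG_OUTPUT, "eth1", "eth0", "192.168.1.0/24"):
        print("WARNING:", warning)
```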
Hi Christopher,
A couple of questions for you. Are you able to surf the web from the Linux machine, or can you just ping out? Do you have anything in your hosts file under /etc? What is the full contents of /etc/rc.d/rc.firewall? What is the contents of /etc/rc.d/rc.local? The reason I ask about rc.local is that I reference /etc/rc.d/rc.firewall in it. Below is a clipping from my firewall. Give it a shot and see if you can ping outside from the XP machine to somewhere other than the ones in your displaydns (i.e. ping www.yahoo.com).
-----------------------Copy Below----------------------
ETHOUTSIDE="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
# Forwarding is switched off while the rules load; a masquerading gateway needs
# "echo 1 > /proc/sys/net/ipv4/ip_forward" once the rules are in place.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Run modprobes
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# Initial Flush of Rules
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat
# DEFAULT RULES
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
# IP SPOOFING, Deny any packets on the internal network side
# that have an external source address
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.0.0/24 -j LOG --log-prefix "DENY SPOOF 1:"
/sbin/iptables -A INPUT -i eth1 -s ! 192.168.0.0/24 -j DROP
/sbin/iptables -A FORWARD -i eth1 -s ! 192.168.0.0/24 -j DROP
# IP Spoofing, Deny any outside packets with localhost address,
# packets not on the lo interface, any on eth0 and eth1, that have
# the address or localhost.
/sbin/iptables -A INPUT -i ! lo -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "DENY SPOOF 2:"
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.0/255.0.0.0
/sbin/iptables -A FORWARD -j DROP -i ! lo -s 127.0.0.0/255.0.0.0
# Accept internal Network to lo interface
#/sbin/iptables -A INPUT -j LOG -i lo
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A FORWARD -j ACCEPT -p all -i eth1
/sbin/iptables -A INPUT -j ACCEPT -p all -i eth1 -s 192.168.0.0/24
# Allow Established and related outside communication to your system
# Allow outside communication to the firewall except ICMP packets
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth1 -p ! icmp -j ACCEPT
# Prevent Outside initiated connections
/sbin/iptables -A INPUT -m state --state NEW -i eth0 -j LOG --log-prefix "DENY OUTSIDE CONNECTION:"
/sbin/iptables -A INPUT -m state --state NEW -i eth0 -j DROP
/sbin/iptables -A FORWARD -m state --state NEW -i eth0 -j DROP
# Allow local internal network to access outside networks
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Accept ICMP ping (0 and 8) and destination unreachable (3) messages
# others will be rejected by INPUT and OUTPUT DROP policy
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d $ETHOUTSIDE
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d $ETHOUTSIDE
/sbin/iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d $ETHOUTSIDE
ASKER
Thanks jsvor,
No, I have not tried surfing from Linux, and am not sure I have browsing software for my shell (I'm not using X Windows, and I didn't plan to surf from the Linux box.) If it would help the troubleshooting, I would be glad to install a browser.
Okay, under my /etc/hosts, I have:
127.0.0.1 localhost.localdomain localhost
I have named my firewall "rc.firewall1" under /etc/rc.d. I have tried two different firewall scripts: The one in my original post above, and the following script that I got from Luxana:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
/sbin/iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -I FORWARD -p tcp --dport 0:1023 -d 192.168.1.0/24 -j DROP
My rc.local is as follows:
--------------------------
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
if [ -f /etc/redhat-release ]; then
R=$(cat /etc/redhat-release)
arch=$(uname -m)
a="a"
case "_$arch" in
_a*) a="an";;
_i*) a="an";;
esac
NUMPROC=`egrep -c "^cpu[0-9]+" /proc/stat`
if [ "$NUMPROC" -gt "1" ]; then
SMP="$NUMPROC-processor "
if [ "$NUMPROC" = "8" -o "$NUMPROC" = "11" ]; then
a="an"
else
a="a"
fi
fi
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
echo "" > /etc/issue
echo "$R" >> /etc/issue
echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue
cp -f /etc/issue /etc/issue.net
echo >> /etc/issue
fi
touch /var/lock/subsys/local
/etc/rc.d/init.d/bpalogin start
/bin/sh /etc/rc.d/rc.firewall1
--------------------------
Also, I tried your firewall clipping, and error messages followed:
--------------------------
: no such file or directoryoc/sys/net/ipv4/ip_forward
:command not foundll1
modprobe: can't locate module ip_tables
modprobe: can't locate modeule iptable_filter
modprobe: can't locate module ip_conntrack
modprobe: can't locate module ip_conntrack_ftp
modprobe: can't locate module ip_nat_ftp
:command not foundll1
ip_tables (c)2000 Netfilter core team
iptables: No chain/target/match by that name
': tables does not exist (do you need to insmod?)e 'nat
Perhaps iptables or your kernel needs to be upgraded
iptables: Bad policy name
iptables v1.2.1a: invalid target name 'DROP'
--------------------------
The other firewall scripts I have used (mentioned above) don't give any error messages, so I wonder if your script requires an iptables version > 1.2.1a?
C. Wang
Did you copy the whole clipping? The first line of your error message seems like you missed the beginning of the script. My iptables version is 1.2.8. Let me know about the clipping, and in the meantime I'll look around for an older script I had.
ASKER
Hi jsvor,
Sorry for the lull -- I've also been studying for an exam.
Yep, I copied your entire clipping.
Many thanks for your help,
C. Wang
ASKER
Can anyone suggest anything else I might try? Even general principles that should be minded for networking with Windows nodes.
Also, please note that I am not being lazy in asking for help with these configurations -- there are a lot of variables and modules to learn, and I've been reading a lot of the literature when I have the time.
Thanks for any help.
C.Wang
ASKER CERTIFIED SOLUTION
Have you tried this?
On Windows XP: set the DNS address given in the Linux /etc/resolv.conf