On Thu, 13 Mar 2003 10:28:30 -0800 (PST) Meph Istopheles <meph@xxxxxxxxxxx> wrote: > > Horror, > > > You've probably set it to masq packets from the private > > network, which (though it doesn't seem very logical) might be > > preventing the private network from getting ICMP packets back. > > Try turning off the firewall and pinging to help localise the > > problem. > > Uh, before doing this, I'd opted to look at what masq is doing: > > /sbin/ipchains -L > Chain input (policy ACCEPT): > target prot opt source destination > ports > icmp icmp ------ anywhere anywhere > any -> any > ACCEPT tcp ----l- 192.168.0.0/24 192.168.0.3 > any -> any > ACCEPT tcp ----l- 192.168.0.3 192.168.0.0/24 > any -> any > Chain forward (policy ACCEPT): > target prot opt source destination > ports > MASQ all ------ 192.168.0.0/24 anywhere > n/a > MASQ all ------ 10.0.0.0/24 anywhere > n/a > Chain output (policy ACCEPT): > Chain icmp (1 references): > target prot opt source destination > ports > ACCEPT all ------ anywhere anywhere > n/a > > While I don't know what the deal iw with the 192's -- know how > I remove them & replace with 10.etc's -- if necessary. Anyway, > is this normal? Hm, where do the rules come from at all? Do you use some firewall script that automatically generates rules? There might be some residue of previous setting orgies you forgot to remove, that makes the firewall script think there is a 192.168/24 network which needs them. Well, anyway, I don't think they're a problem since your chains all have a default policy of ACCEPT, so packets which match no rules are accepted (which is not very secure, by the way - it's better to do it the other way around and DENY everything except explicitly allowed communications). There is a rule to masq packets from 10.0/24, so that's fine. But this rule masquerades also the packets intended for your public addresses. This is unnecessary and can be resolved by adding rules that allow simple forwarding before the masquerading rule. For now, temporarily turning off the firewall while trying to ping should be enough to exclude the firewall as the source of trouble. > > Hm, I think configuring it as eth0:1 is better, since eth0 is > > already eth0:0. I could imagine that your change didn't change > > the kernel routing tables, which might be the cause of some > > problems. > > OK. Well, I've switched it back to :1 now. But nothing still. > Where, exactly, should I find the routing tables? I've looked & > looked, but I can't find them. route -n will display you the routing tables in numerical form. They're set automatically based on subnets the box is a member of, to configure additional, non-volatile routes you can use the /etc/route.conf file. Cheers -- Horror Vacui Registered Linux user #257714 Go get yourself... counted: http://counter.li.org/ - and keep following the GNU. To unsubcribe send e-mail with the word unsubscribe in the body to: Linux-Anyway-Request@xxxxxxxxxxxxx?body=unsubscribe