[Linux-Anyway] Re: Uh-oh -- what have I done?

  • From: horrorvacui@xxxxxxx
  • To: Linux-Anyway@xxxxxxxxxxxxx
  • Date: Mon, 17 Mar 2003 01:30:28 +0100

On Sun, 16 Mar 2003 14:22:42 -0800 (PST)
Meph Istopheles <meph@xxxxxxxxxxxxxxxxxxx> wrote:

> 
> > Well, the "guru" typing away right now has forgotten what it
> > was all about initially and got entangled into the routing
> > stuff - which is rather secondary for now. I should have given
> > you the command above the moment you configured the one NIC to
> > talk with both networks, which was about 137 mails ago. Sorry -
> > that would have saved you some frustration.
> 
>   I'd meant to steer you back there, as I'd had a feeling, but 
> figured you'd know better;-).

Whenever you catch yourself thinking that horror knows better, consider
this a sure indicator that you're losing your mind ;-)

> 
> > ipchains -I forward -s <private IP's> -d <public IP's> -j ACCEPT
> > ipchains -A forward -s <private IP's> -d <internet - 0.0.0.0> -j MASQ
> 
> > The precedence matters, in a chain, so a good choice whether to
> > insert at the beginning (-I) or append (-A) to the chain is
> > crucial. The masqing rules must come last.
> 
>   Uh, I think you're talking here of setting this so that 
> whenever I reboot, it all comes back up without trouble...yes?

Er... no. The rules go the way of all electrons when you restart, and need
to be set again when you restart. A quick and dirty approach would be to
put the iptables-command I've given you into any script that's started in
runlevels 3 and up (like, for instance, /etc/init.d/network). A better one
would be to include them in the rules set by your firewall. I believe, and
I might be wrong, that the RH firewall script uses the two cute utils coming
with ipchains (and iptables as well): ipchains-save and ipchains-restore.
ipchains-save will output to stdout a list of all current rules, which you
can pipe into a file (they're basically just arguments to ipchains).
ipchains-restore, surprisingly, can use the output of ipchains-save to
restore the rules. You need to find the rules-file that the firewall feeds
to ipchains-restore, and either add your masq rule in the forward chain,
or set the masqing rule as before, verify that it works, use ipchains-save
to create a new rules-file, and then replace the old one. See if you can
find something firewally among the scripts in /etc/init.d/ and find out
the position of the file by reading it. Or simply browse /etc/sysconfig;
I believe the rules-file is there somewhere.

By the way, I'm writing this on a machine that's protected by the all-new
horrorwall. I've replaced the cryptic SuSE firewall with my own script -
it works, but still needs some polishing. If you have the iptables userspace
utils, and iptables support compiled into the kernel, it would probably work
for you too. I guess that it would work with ipchains as well without a
great deal of hacking. The rules I'm using are simple, but effective, as
I've run it through several port scanners, and none could see the
slightest trace of me...

s
-- 
Horror Vacui

Registered Linux user #257714

Go get yourself... counted: http://counter.li.org/
- and keep following the GNU.
To unsubscribe send e-mail with the word unsubscribe in the body to:
Linux-Anyway-Request@xxxxxxxxxxxxx?body=unsubscribe
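The two forward-chain rules and the "MASQ must come last" ordering discussed in the message above, as an added example that is not part of the original post or of any distribution's firewall script. It wraps the rules in a function that can be dry-run, and adds a check that a saved rules file (the kind ipchains-save writes and ipchains-restore reads) still has the MASQ rule as the last rule in the forward chain. The CHAIN_TOOL and DRY_RUN variables, the 0.0.0.0/0 destination for "the internet", the 192.168.1.0/24 and 203.0.113.0/24 networks, and the sample saved ruleset are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from any distribution's
# firewall script. It wraps the two forward-chain rules from the thread in a
# function that can be dry-run, and checks a saved rules file so that the
# MASQ rule is the last rule in the forward chain.
#
# Assumptions (not in the original): the tool is named by CHAIN_TOOL
# (ipchains by default); DRY_RUN defaults to 1 so the script only prints
# the commands; set DRY_RUN=0 as root to apply them. 0.0.0.0/0 stands for
# "the internet" as the MASQ destination.

CHAIN_TOOL="${CHAIN_TOOL:-ipchains}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: masq_rules PRIVATE_NET PUBLIC_NET
# -I inserts the private->public ACCEPT at the head of the chain, -A
# appends MASQ so it stays last; precedence in the chain is what matters.
masq_rules() {
    priv="$1"
    pub="$2"
    run "$CHAIN_TOOL" -I forward -s "$priv" -d "$pub" -j ACCEPT
    run "$CHAIN_TOOL" -A forward -s "$priv" -d 0.0.0.0/0 -j MASQ
}

# Usage: masq_is_last RULES_FILE
# Returns 0 when the last forward-chain rule in a saved rules file jumps to
# MASQ, 1 otherwise. The file is assumed to hold one rule per line in the
# "-A forward ... -j TARGET" form that ipchains-save writes; policy lines
# (":forward DENY") and rules for other chains are ignored.
masq_is_last() {
    last=$(grep -E '^-[AI] forward ' "$1" | tail -n 1)
    case "$last" in
        *"-j MASQ"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Write a constructed sample of a saved ruleset (ipchains-save style) to
# FILE, with the MASQ rule in the position given by ORDER ("last" or "first").
write_sample_rules() {
    file="$1"
    order="$2"
    accept='-A forward -s 192.168.1.0/24 -d 203.0.113.0/24 -j ACCEPT'
    masq='-A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ'
    if [ "$order" = last ]; then
        printf '%s\n' ':forward DENY' "$accept" "$masq" > "$file"
    else
        printf '%s\n' ':forward DENY' "$masq" "$accept" > "$file"
    fi
}

# Demonstration: print the two commands, then check a good and a bad file.
masq_rules 192.168.1.0/24 203.0.113.0/24
sample=$(mktemp)
write_sample_rules "$sample" last
if masq_is_last "$sample"; then echo "good ruleset: MASQ is last"; fi
write_sample_rules "$sample" first
if masq_is_last "$sample"; then :; else echo "bad ruleset: MASQ is not last"; fi
rm -f "$sample"
```

Run it as-is to see the commands it would issue; run it with DRY_RUN=0 as root to apply them. The check function is what you would point at the distribution's rules-file after replacing it: if the MASQ rule is not the last forward rule, the ACCEPT for private-to-public traffic has been appended after it and never gets a look.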
