On Sun, 16 Mar 2003 14:22:42 -0800 (PST) Meph Istopheles <meph@xxxxxxxxxxxxxxxxxxx> wrote:

> > Well, the "guru" typing away right now has forgotten what it
> > was all about initially and got entangled into the routing
> > stuff - which is rather secondary for now. I should have given
> > you the command above the moment you configured the one NIC to
> > talk with both networks, which was about 137 mails ago. Sorry -
> > that would have saved you some frustration.
>
> I'd meant to steer you back there, as I'd had a feeling, but
> figured you'd know better;-).

Whenever you catch yourself thinking that horror knows better, consider
this a sure indicator that you're losing your mind ;-)

> > ipchains -I forward -s <private IP's> -d <public IP's> -j ACCEPT
> > ipchains -A forward -s <private IP's> -d <internet - 0.0.0.0> -j MASQ
> >
> > The precedence matters, in a chain, so a good choice whether to
> > insert at the beginning (-I) or append (-A) to the chain is
> > crucial. The masqing rules must come last.
>
> Uh, I think you're talking here of setting this so that
> whenever I reboot, it all comes back up without trouble...yes?

Er... no. The rules go the way of all electrons when you restart, and
need to be set again when you restart. A quick and dirty approach would
be to put the iptables-command I've given you into any script that's
started in runlevels 3 and up (like, for instance /etc/init.d/network).
A better one would be to include them in the rules set by your firewall.

I believe, and I might be wrong, that RH firewall script uses the two
cute utils coming with ipchains (and iptables as well): ipchains-save
and ipchains-restore. ipchains-save will output to stdout a list of all
current rules, which you can pipe into a file (they're basically just
arguments to ipchains). ipchains-restore, surprisingly, can use the
output of ipchains-save to restore the rules.
You need to find the rules-file that the firewall feeds to
ipchains-restore, and either add your masq rule in the forward chain,
or set the masqing rule as before, verify that it works, use
ipchains-save to create a new rules-file, and then replace the old one.
See if you can find something firewally among the scripts in
/etc/init.d/ and find out the position of the file by reading it. Or
simply browse the /etc/sysconfig, I believe the rules-file is there
somewhere.

By the way, I'm writing this on a machine that's protected by the
all-new horrorwall. I've replaced the cryptic SuSE firewall with my own
script - it works, but still needs some polishing. If you have iptables
userspace utils, and iptables support compiled in the kernel, it would
probably work for you too. I guess that it would work with ipchains as
well without a big deal of hacking. The rules I'm using are simple, but
effective, as I've run it through several port scanners, and none could
see the slightest trace of me...

s

--
Horror Vacui

Registered Linux user #257714
Go get yourself... counted: http://counter.li.org/ - and keep following the GNU.

To unsubscribe send e-mail with the word unsubscribe in the body to:
Linux-Anyway-Request@xxxxxxxxxxxxx?body=unsubscribe
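The save-file workflow the mail describes, as an added example that is not part of Horror Vacui's message and not taken from any RH or SuSE firewall script. It writes the two forward-chain rules in the style of ipchains-save output (the exact layout of that file is assumed here, not copied from a real system), checks that the MASQ rule really is the last forward rule before loading, and only calls ipchains-restore where it exists. The network ranges, the catch-all mask and the /etc/sysconfig path are assumptions. The point it adds to the mail: once rules live in a save-file they are replayed top to bottom with -A only, so the -I versus -A trick from the live session no longer applies and the order inside the file is everything.

```shell
#!/bin/sh
# Added example: not part of the original mail nor of any distribution
# firewall script.  Generates a forward-chain rules file in the style
# of ipchains-save output (save-file layout is assumed, not copied from
# a real system), refuses to load it if a MASQ rule is not the last
# forward rule, and only calls ipchains-restore if it is installed.
# Networks and paths are assumptions.

PRIVATE_NET="192.168.1.0/255.255.255.0"   # assumed private LAN behind the box
PUBLIC_NET="10.0.0.0/255.255.255.0"       # assumed second LAN reached without masq
ANY="0.0.0.0/0.0.0.0"                     # "the internet" catch-all

# Emit the forward chain in save-file order: the specific ACCEPT first,
# the catch-all MASQ last.  ipchains walks the chain top to bottom and
# stops at the first match, so a MASQ rule placed first would
# masquerade the LAN-to-LAN traffic as well.
build_forward_rules() {
    printf '%s\n' ":forward DENY"
    printf '%s\n' "-A forward -s $PRIVATE_NET -d $PUBLIC_NET -j ACCEPT"
    printf '%s\n' "-A forward -s $PRIVATE_NET -d $ANY -j MASQ"
}

# Return 0 if every forward rule after the first MASQ rule is also a
# MASQ rule (masquerading really comes last), 1 otherwise.
check_masq_last() {
    awk '
        /^-A forward / {
            if ($0 ~ /-j MASQ( |$)/) { seen_masq = 1 }
            else if (seen_masq)       { bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Load a rules file with ipchains-restore, but only after the ordering
# check passes and only where the tool exists.  Exit codes: 0 loaded,
# 1 bad ordering, 2 no ipchains-restore on this machine.
apply_rules() {
    rules="$1"
    if ! check_masq_last "$rules"; then
        echo "refusing to load $rules: a non-MASQ forward rule follows a MASQ rule" >&2
        return 1
    fi
    if ! command -v ipchains-restore >/dev/null 2>&1; then
        echo "ipchains-restore not found; $rules was not loaded" >&2
        return 2
    fi
    ipchains-restore < "$rules"
}

# Typical use (the path is an assumption; use whatever your init script reads):
#   build_forward_rules > /etc/sysconfig/ipchains && apply_rules /etc/sysconfig/ipchains
```

On a live box the same ordering check can be run against `ipchains-save` output before replacing the old rules-file, which is the "verify that it works" step from the mail expressed as something a boot script can enforce instead of a person eyeballing `ipchains -L forward -n`.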