> Whenever you catch yourself thinking that horror knows better,
> consider this a sure indicator that you're losing your mind
> ;-)

Sounds familiar ;-).

> > > ipchains -I forward -s <private IP's> -d <public IP's> -j ACCEPT
> > > ipchains -A forward -s <private IP's> -d <internet - 0.0.0.0> -j MASQ
> > > The precedence matters, in a chain, so a good choice
> > > whether to insert at the beginning (-I) or append (-A) to
> > > the chain is crucial. The masqing rules must come last.
> > Uh, I think you're talking here of setting this so that
> > whenever I reboot, it all comes back up without
> > trouble...yes?
> Er... no. The rules go the way of all electrons when you
> restart, and need to be set again when you restart.

Sheesh. OK. It's not like I don't have other things to do too....

> A quick and dirty approach would be to put the iptables-command
> I've given you into any script that's started in runlevels 3
> and up (like, for instance /etc/init.d/network). A better one
> would be to include them in the rules set by your firewall.

Well, there are means & means.

> I believe, and I might be wrong, that RH firewall script uses
> the two cute utils coming with ipchains (and iptables as
> well): ipchains-save and ipchains-restore. ipchains-save will
> output to stdout a list of all current rules, which you can
> pipe into a file (they're basically just arguments to
> ipchains). ipchains-restore, surprisingly, can use the output
> of ipchains-save to restore the rules. You need to find the
> rules-file that the firewall feeds to ipchains-restore, and
> either add your masq rule in the forward chain, or set the
> masqing rule as before, verify that it works, use ipchains-save
> to create a new rules-file, and then replace the old one. See
> if you can find something firewally among the scripts in
> /etc/init.d/ and find out the position of the file by reading
> it. Or simply browse the /etc/sysconfig, I believe the
> rules-file is there somewhere.
I'll see if Scott's been following this thread. I may be able to jog his chains memory, or, if not....

> By the way, I'm writing this on a machine that's protected by
> the all-new horrorwall. I've replaced the cryptic SuSE firewall
> with my own script - it works, but still needs some polishing.
> If you have iptables userspace utils, and iptables support
> compiled in the kernel, it would probably work for you too. I
> guess that it would work with ipchains as well without a big
> deal of hacking. The rules I'm using are simple, but effective,
> as I've run it through several port scanners, and none could
> see the slightest trace of me...

I may see what's necessary to get table support & try your script. Let's try to keep it simple for now, as I still know almost nothing of chains (or tables) & I also have other stuff on tap.

Lately I've been getting lots of returned mail. It's nothing I've done -- other than to own a domain. Some unscrupulous spammers have decided to use my .com as their reply-to address so that they don't get the returns for user unknowns, etc. My Web host tells me my only recourse is to complain to SpamCop, so I have to study their site & forward header info from many of the returns I've filtered into another folder. Fun, fun, fun.

-- 
I see a good deal of talk from Washington about lowering taxes. I hope they do get 'em lowered down enough so people can afford to pay 'em.
-The Best of Will Rogers
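The two points the thread makes, that rule order in the forward chain is what decides whether the MASQ rule shadows the specific ACCEPT, and that the rules must be saved with ipchains-save and fed back through ipchains-restore to survive a reboot, as an added example. This script is not from the thread, from Red Hat or from SuSE; the LAN range, the public address (203.0.113.0/24 is a documentation range), the rules-file path and the function names are assumptions. It dry-runs by default, printing the ipchains commands and replaying them against a small model of the forward chain, so the ordering can be checked on a machine without ipchains at all.

```shell
#!/bin/sh
# Added example, not from the thread or any distribution's firewall script.
# Sets masquerading rules in the order the thread insists on (specific
# ACCEPT first, catch-all MASQ last) and persists them with ipchains-save /
# ipchains-restore. Addresses and the rules-file path are assumptions.
PRIVATE_NET=${PRIVATE_NET:-192.168.1.0/24}        # assumed LAN range
PUBLIC_HOST=${PUBLIC_HOST:-203.0.113.10}          # assumed public address
RULES_FILE=${RULES_FILE:-/etc/sysconfig/ipchains} # assumed RH-style location

# Dry-run by default: commands are printed, not executed, so the script can
# be read and checked without root or a 2.2 kernel. DRY_RUN=0 on the real box.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Correct order: the specific ACCEPT is inserted at the head (-I), the
# catch-all MASQ is appended at the tail (-A), so MASQ is evaluated last.
set_forward_rules() {
    run ipchains -F forward
    run ipchains -P forward DENY
    run ipchains -I forward -s "$PRIVATE_NET" -d "$PUBLIC_HOST" -j ACCEPT
    run ipchains -A forward -s "$PRIVATE_NET" -d 0.0.0.0/0 -j MASQ
}

# Same rules but both inserted with -I: the MASQ lands in front of the
# ACCEPT and shadows it, which is the mistake the thread warns about.
set_forward_rules_wrong() {
    run ipchains -F forward
    run ipchains -I forward -s "$PRIVATE_NET" -d "$PUBLIC_HOST" -j ACCEPT
    run ipchains -I forward -s "$PRIVATE_NET" -d 0.0.0.0/0 -j MASQ
}

# Replay the printed commands against a model of the forward chain:
# -F empties it, -I prepends, -A appends. Prints the resulting order.
simulate_forward() {
    "$1" | awk '
        $1 != "ipchains" || $3 != "forward" { next }
        $2 == "-F" { n = 0; next }
        $2 == "-I" { for (i = n; i >= 1; i--) r[i + 1] = r[i]; r[1] = $0; n++; next }
        $2 == "-A" { r[++n] = $0; next }
        END { for (i = 1; i <= n; i++) print i ": " r[i] }'
}

# Returns 0 when the last rule in the modelled chain is the MASQ rule.
masq_is_last() {
    simulate_forward "$1" | tail -n 1 | grep -q -- '-j MASQ'
}

# Persist the live rules so they survive a reboot; the file is what a
# firewall init script feeds to ipchains-restore at the next boot.
save_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipchains-save > %s\n' "$RULES_FILE"
    else
        ipchains-save > "$RULES_FILE"
    fi
}
restore_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipchains-restore < %s\n' "$RULES_FILE"
    else
        ipchains-restore < "$RULES_FILE"
    fi
}

case "${1:-}" in
    start)   set_forward_rules; save_rules ;;
    restore) restore_rules ;;
    check)   masq_is_last set_forward_rules && echo "MASQ is last: OK" ;;
esac
```

Run it as `sh masq.sh check` to see the modelled chain order, `DRY_RUN=0 sh masq.sh start` on the real box to set and save the rules, and `restore` from an init script to load them again after a reboot. Note that `simulate_forward set_forward_rules_wrong` puts the MASQ rule first: that is exactly the shadowing the thread's "the masqing rules must come last" is about.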