Ipchains Woes

Craig White plug-discuss@lists.plug.phoenix.az.us
25 Feb 2002 11:09:21 -0700


On Mon, 2002-02-25 at 05:32, Steve Holmes wrote:
> I'm running a 2.2.20 kernel thus use ipchains for the firewall.  What I am
> trying to do is fairly basic; I have a recent copy of endoshield, a common
> firewall script which I ported to use ipchains as well as iptables.  My
> problem is when I run the script, I lose all connectivity with the outside
> world.  The behavior completely changes as soon as the default policy is
> changed on the input chain.  When it is ACCEPT, all gets through fine;
> obviously not good for firewall purposes but I can get out.  As soon as it
> goes to DENY, I can no longer get through.  The default policy for forward
> chain is always set to DENY and the output chain is ACCEPT.  The
> /proc/sys/net/ip_forward is set to 1 for ip masquerade and I have a
> variety of rules set to open desired ports. Those rules are a part of a
> custom chain called inet-in and inet-in is linked to the input chain.
> 
> I know this all sounds vague at the moment but if anyone knows much about
> ipchains, I'll be glad to share the script I am using with them to compare
> for any possible errors.  I could post it to the list but is quite lengthy
> so I think I'll hold off unless there is enough interest:).
> 
> Any ideas or help would be greatly appreciated.  BTW, I have an ip
> masqueraded network of several machines and the masquerade portion has
> been working great all along and still does when I can this new firewall
> implementation:).
> 
-----
It is unclear which cannot get out when your firewall script is
running - your firewall box or the masqueraded machines on the local LAN
behind the firewall.

If the firewall box can get to the internet no problem, then the first
thing I would check would be the forward script for masquerading which
should look something like...

  /sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE

obviously you need to replace the $variables with something that matches
for you.

If you don't want to show us your scripts, it's simply a guess as to the
problem, but remember - ping/telnet/traceroute are your friends.

Craig
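As an added example that is neither Steve's script nor Craig's (the original thread only shows the single MASQ rule), here is a minimal ipchains rule set for a masquerading gateway with the input policy set to DENY. Interface names, the LAN prefix and the dry-run wrapper are assumptions for illustration. It goes beyond the reply in one respect that bears directly on the symptom described: ipchains has no connection tracking, so with input DENY the replies to connections the box itself opened (non-SYN TCP, UDP answers from DNS, ICMP) must be accepted explicitly on the external interface, otherwise the box loses all outside connectivity exactly as described.

```shell
#!/bin/sh
# Added example, not the original poster's script. Minimal ipchains setup
# for a 2.2 masquerading gateway with default DENY on the input chain.
# Names below are assumptions; replace them with your own.
EXTIF="eth0"             # assumed external interface
INTIF="eth1"             # assumed internal interface
INTLAN="192.168.1.0/24"  # assumed masqueraded LAN
UNIVERSE="0.0.0.0/0"

# Dry-run wrapper: print the commands when ipchains is absent or DRY_RUN is
# set, so the rule set can be reviewed on a box that has no ipchains.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
run() {
    if [ -n "$DRY_RUN" ] || [ ! -x "$IPCHAINS" ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

build_rules() {
    run -F
    run -P input DENY
    run -P forward DENY
    run -P output ACCEPT

    # Loopback and the LAN side are trusted.
    run -A input -i lo -j ACCEPT
    run -A input -i "$INTIF" -s "$INTLAN" -j ACCEPT

    # Masquerade LAN traffic leaving through the external interface
    # (the rule from the reply, with the variables filled in).
    run -A forward -i "$EXTIF" -s "$INTLAN" -d "$UNIVERSE" -j MASQ

    # ipchains is stateless: replies to connections opened from this box
    # (and demasqueraded replies for the LAN) arrive on $EXTIF and hit the
    # input chain, so they need explicit ACCEPT rules or DENY eats them.
    # "! -y" matches TCP packets that are not SYN, i.e. not new connections.
    run -A input -i "$EXTIF" -p tcp ! -y -j ACCEPT
    # DNS and other UDP answers come back to unprivileged local ports
    # (the masquerade port range 61000-65096 falls inside this range too).
    run -A input -i "$EXTIF" -p udp -s "$UNIVERSE" 53 -d "$UNIVERSE" 1024:65535 -j ACCEPT
    # ICMP so that ping and traceroute, the debugging tools named above, work.
    run -A input -i "$EXTIF" -p icmp -j ACCEPT
    # Log whatever is still denied on the external interface; the log lines
    # show exactly which packet the DENY policy is dropping.
    run -A input -i "$EXTIF" -j DENY -l
}

build_rules
```

Run it once with DRY_RUN=1 to read the generated commands, then without it on the gateway; if something still cannot get out, the logged denies (the `-l` rule) name the interface, protocol and port that the input chain refused, which is the quickest way to see which reply traffic is still missing an ACCEPT rule.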