On Mon, 2002-02-25 at 05:32, Steve Holmes wrote:
> I'm running a 2.2.20 kernel thus use ipchains for the firewall. What I am
> trying to do is fairly basic; I have a recent copy of endoshield, a common
> firewall script which I ported to use ipchains as well as iptables. My
> problem is when I run the script, I lose all connectivity with the outside
> world. The behavior completely changes as soon as the default policy is
> changed on the input chain. When it is ACCEPT, all gets through fine;
> obviously not good for firewall purposes but I can get out. As soon as it
> goes to DENY, I can no longer get through. The default policy for forward
> chain is always set to DENY and the output chain is ACCEPT. The
> /proc/sys/net/ip_forward is set to 1 for ip masquerade and I have a
> variety of rules set to open desired ports. Those rules are a part of a
> custom chain called inet-in and inet-in is linked to the input chain.
>
> I know this all sounds vague at the moment but if anyone knows much about
> ipchains, I'll be glad to share the script I am using with them to compare
> for any possible errors. I could post it to the list but it is quite lengthy
> so I think I'll hold off unless there is enough interest:).
>
> Any ideas or help would be greatly appreciated. BTW, I have an ip
> masqueraded network of several machines and the masquerade portion has
> been working great all along and still does when I can this new firewall
> implementation:).
>
-----
It is unclear as to which cannot get out when your firewall scripts are running - your firewall box or the masqueraded machines on the local lan behind the firewall.

If the firewall box can get to the internet no problem, then the first thing I would check would be the forward script for masquerading, which should look something like...

/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE

Obviously you need to replace the $variables with something that matches for you.
If you don't want to show us your scripts, it's simply a guess as to the problem, but remember - ping/telnet/traceroute are your friends.

Craig