Re: ipfwadm help?

From: Riley Williams (rhw@@MemAlpha.cx)
Date: Tue Aug 14 2001 - 03:31:28 EEST

    Hi Paul.

    > I could use some advice on a problem I am having here on my gateway.

    I'll see what I can do...

    > I am unable to get packets out from my ampr.org address. Incoming
    > packets are working OK.

    > For the incoming rule:
    > /sbin/ipfwadm -F -p accept
    > /sbin/ipfwadm -F -a a -P all -S 0.0.0.0/0 -D 44.16.2.32/27

    > For the outgoing rule:
    > /sbin/ipfwadm -F -a m -P all -S 44.16.2.32/27 -D 0.0.0.0/0

    > With the 'm' in place packets can go out but are masqueraded as my
    > dynamic IP address. If I remove the 'm' no packets go out. What rule
    > do I need to get packets out with my ampr.org IP address?

    I have to admit to using ipchains here with the 2.2 kernels, and I
    think ipfwadm goes with the 2.0 kernels (you don't say which).
    However, here are the rules I would use, with explanation:

    First, start with a clean slate.

     Q> ipchains -F
     Q> ipchains -X

    Next, set the default policies for input, forward and output.

     Q> ipchains -P input DENY
     Q> ipchains -P forward DENY
     Q> ipchains -P output ACCEPT

    Next, ensure that only valid IP sources arrive on each interface.

     Q> ipchains -A input -i lo -j ACCEPT
     Q> ipchains -A input -i eth+ -j ACCEPT -s 192.168.0.0/16
     Q> ipchains -A input -i sl+ -j ACCEPT -s 44.0.0.0/8

    Next, ensure that internal ports are correctly forwarded. This deals
    with all traffic internal to your local network.

     Q> ipchains -A forward -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
     Q> ipchains -A forward -s 192.168.0.0/16 -d 44.0.0.0/8 -j ACCEPT
     Q> ipchains -A forward -s 44.0.0.0/8 -d 192.168.0.0/16 -j ACCEPT

    Next, ensure that traffic to the Internet is correctly masqueraded.
    Traffic internal to your local network never gets down to this rule,
    so can be ignored.

     Q> ipchains -A forward -s 192.168.0.0/16 -j MASQ

    That's all that should be needed.

    > Any and all comments are most welcome!

    Hope the above helps.

    Best wishes from Riley.
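    As an added illustration, not code from this thread: a small Python model of
    ipchains first-match evaluation loaded with the rules from the reply above.
    Interface names and packet addresses are constructed for the demonstration;
    the forward rules are matched on addresses only, as in the reply.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    chain: str
    target: str
    iface: Optional[str] = None  # ipchains wildcard: a trailing '+' matches any suffix
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"


# Default policies and rules transcribed from the reply, in append order
POLICY = {"input": "DENY", "forward": "DENY", "output": "ACCEPT"}
RULES = [
    Rule("input", "ACCEPT", iface="lo"),
    Rule("input", "ACCEPT", iface="eth+", src="192.168.0.0/16"),
    Rule("input", "ACCEPT", iface="sl+", src="44.0.0.0/8"),
    Rule("forward", "ACCEPT", src="192.168.0.0/16", dst="192.168.0.0/16"),
    Rule("forward", "ACCEPT", src="192.168.0.0/16", dst="44.0.0.0/8"),
    Rule("forward", "ACCEPT", src="44.0.0.0/8", dst="192.168.0.0/16"),
    Rule("forward", "MASQ", src="192.168.0.0/16"),
]


def iface_matches(pattern: Optional[str], iface: str) -> bool:
    """No pattern matches every interface; 'eth+' matches eth0, eth1, ..."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def verdict(chain: str, iface: str, src: str, dst: str) -> str:
    """Walk the chain top-down; the first matching rule wins, else the policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if r.chain != chain or not iface_matches(r.iface, iface):
            continue
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.target
    return POLICY[chain]


if __name__ == "__main__":
    # A 44/8 source arriving on ethernet is spoofed and hits the DENY policy
    print(verdict("input", "eth0", "44.16.2.33", "192.168.1.1"))
    # LAN to AMPR is accepted before the MASQ rule is reached
    print(verdict("forward", "eth0", "192.168.1.5", "44.16.2.40"))
```

    Rule order matters: the same LAN source headed for the Internet falls through to MASQ, while a spoofed AMPR source on ethernet never passes the input chain.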




    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 03:36:07 EEST