Why do you have ipchains -M -S 7200 10 60? Here are the rules that I use
(eth1 is my outside device):
# Turn on forwarding in the kernel
echo 1 >/proc/sys/net/ipv4/ip_forward
ipchains -F input # flush "Input" rules
ipchains -F output # flush "Output" rules
ipchains -F forward # flush "Forwarding" rules
/sbin/ipchains -P forward DENY
# Masq inside networks to outside
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
# Forward VNC (HTTP/Java viewer port 5800, RFB port 5900) to 192.168.0.2:
# deny connections from outside 139.142.0.0/16, mark the opening SYN of the
# rest (the -m rule has no -j, so it only tags the packet and the chain walk
# continues), and let ipmasqadm mfw redirect by mark number.
ipchains -A input -i eth1 -p TCP -d 0/0 5800 -s ! 139.142.0.0/16 -j DENY
ipchains -A input -i eth1 -p TCP -y -d 0/0 5800 -m 2
ipmasqadm mfw -A -m 2 -r 192.168.0.2 5800
ipchains -A input -i eth1 -p TCP -d 0/0 5900 -s ! 139.142.0.0/16 -j DENY
ipchains -A input -i eth1 -p TCP -y -d 0/0 5900 -m 3
ipmasqadm mfw -A -m 3 -r 192.168.0.2 5900
###Block services
#sunrpc
ipchains -A input -i eth1 -p TCP -d 0/0 111 -j DENY
ipchains -A input -i eth1 -p UDP -d 0/0 111 -j DENY
#imap
ipchains -A input -i eth1 -p TCP -d 0/0 143 -j DENY
ipchains -A input -i eth1 -p UDP -d 0/0 143 -j DENY
#domain/DNS
ipchains -A input -i eth1 -p TCP -d 0/0 53 -j DENY
ipchains -A input -i eth1 -p UDP -d 0/0 53 -j DENY
#printer
ipchains -A input -i eth1 -p TCP -d 0/0 515 -j DENY
ipchains -A input -i eth1 -p UDP -d 0/0 515 -j DENY
> Question 1:
> As soon as I set up IP-masquerading on pingu (2.2.x kernel, using IPChains),
> the IP masq'ing works well (ie the win98 box can use it and browse the
> net), but then a telnet or ftp from chimay pauses for what I guess is a DNS
> timeout before giving me a prompt (at least a minute). This is true even
> when both boxes are running linux. My /etc/hosts on both boxes list
> themselves and the other box (this is a frequent answer to this very FAQ on
> the net), so that is not the problem. (Yes, /etc/host.conf has order hosts,
> bind.) If it were the problem, the delay should exist before IPmasq'ing,
> no? Why does the ipchaining create the need for DNS lookups, if indeed
> that is what is happening. My IPchain set is minimal and simple - for
> testing now it is only:
> /sbin/modprobe ip_masq_ftp
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> /sbin/ipchains -M -S 7200 10 60
> /sbin/ipchains -P forward DENY
> /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
>
> Any ideas?
-
Saskatoon Linux Group Mailing List.
Received on Tue Jun 15 21:57:50 1999
This archive was generated by hypermail 2.1.8 : Sun Jan 09 2005 - 13:53:59 CST
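Added example (not from the post above, and not part of ipchains or ipmasqadm): a small Python model of how the 2.2 kernel walks a chain like the one in the reply, with the posted input rules embedded as constructed input. It shows the three things the ruleset relies on: the DENY for sources outside 139.142.0.0/16 sits before the mark rule, the -m 2 rule has no -j so it only tags the SYN and the walk continues to the input chain's default ACCEPT policy, and ipmasqadm mfw then redirects by mark to 192.168.0.2. It also shows that the blocks are bound to -i eth1, so the same ports are untouched on an inside interface. The firewall's outside address 203.0.113.5 and the sample source addresses are made up; the masquerade table itself, user-defined chains and port negation are not modelled.

```python
"""Simulate an ipchains chain walk (2.2 kernel): rules are tried in order, -j ends the walk,
a rule with only -m N marks and continues, and the -P policy (default ACCEPT) catches the rest."""
import ipaddress, shlex

# Constructed from the rules in the post; ipmasqadm mfw maps mark -> inside host:port.
RULESET = """
/sbin/ipchains -P forward DENY
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
ipchains -A input -i eth1 -p TCP -d 0/0 5800 -s ! 139.142.0.0/16 -j DENY
ipchains -A input -i eth1 -p TCP -y -d 0/0 5800 -m 2
ipmasqadm mfw -A -m 2 -r 192.168.0.2 5800
ipchains -A input -i eth1 -p TCP -d 0/0 111 -j DENY
ipchains -A input -i eth1 -p UDP -d 0/0 111 -j DENY
"""
OUTSIDE_ADDR = "203.0.113.5"  # assumed address of the firewall's eth1 (constructed)
OPTIONS = {"-i": ("iface", str), "-p": ("proto", str.lower), "-m": ("mark", int), "-j": ("target", str)}

def parse_net(text):
    """'0/0', '0.0.0.0/0' and '192.168.0.0/24' all become IPv4 networks."""
    addr, _, bits = text.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"), strict=False)

def parse_endpoint(toks, i):
    """Parse ipchains '[!] addr[/mask] [port]' starting at toks[i]; return (spec, next index)."""
    spec = {"neg_net": toks[i] == "!", "port": None}
    i += spec["neg_net"]
    spec["net"], i = parse_net(toks[i]), i + 1
    if i < len(toks) and toks[i].isdigit():
        spec["port"], i = int(toks[i]), i + 1
    return spec, i

def parse_ruleset(text):
    chains, policies, mfw = {}, {}, {}  # rules per chain, -P policies, mark -> (host, port)
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)
        cmd = toks[0].rsplit("/", 1)[-1] if toks else ""  # /sbin/ipchains == ipchains
        if cmd == "ipmasqadm" and toks[1:3] == ["mfw", "-A"]:
            m, r = toks.index("-m"), toks.index("-r")
            mfw[int(toks[m + 1])] = (toks[r + 1], int(toks[r + 2]))
        elif cmd == "ipchains" and toks[1] == "-P":
            policies[toks[2]] = toks[3]
        elif cmd == "ipchains" and toks[1] == "-A":
            rule = dict(iface=None, proto=None, syn=False, mark=None, target=None, src=None, dst=None)
            i = 3
            while i < len(toks):
                opt = toks[i]
                if opt == "-y":
                    rule["syn"], i = True, i + 1
                elif opt in ("-s", "-d"):
                    rule["src" if opt == "-s" else "dst"], i = parse_endpoint(toks, i + 1)
                elif opt in OPTIONS:
                    rule[OPTIONS[opt][0]], i = OPTIONS[opt][1](toks[i + 1]), i + 2
                else:
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
            chains.setdefault(toks[2], []).append(rule)
    return chains, policies, mfw

def endpoint_ok(spec, addr, port):
    """-s/-d test with '!' negating the address part; None means the rule did not set it."""
    if spec is None:
        return True
    if (ipaddress.ip_address(addr) in spec["net"]) == spec["neg_net"]:
        return False
    return spec["port"] is None or spec["port"] == port

def matches(rule, pkt):
    if (rule["iface"] and rule["iface"] != pkt["iface"]) or (rule["proto"] and rule["proto"] != pkt["proto"]):
        return False
    if rule["syn"] and not (pkt["proto"] == "tcp" and pkt["syn"] and not pkt["ack"]):
        return False  # -y matches only the opening SYN, not the rest of the connection
    return endpoint_ok(rule["src"], pkt["src"], pkt["sport"]) and endpoint_ok(rule["dst"], pkt["dst"], pkt["dport"])

def evaluate(chains, policies, mfw, chain, pkt):
    """First-match walk; returns (verdict, mark, mfw redirect or None). User-defined chains not modelled."""
    mark = None
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule["mark"] is not None:
            mark = rule["mark"]  # -m only tags the packet; the walk goes on
        if rule["target"] is not None:
            return rule["target"], mark, None
    verdict = policies.get(chain, "ACCEPT")
    return verdict, mark, mfw.get(mark) if verdict == "ACCEPT" else None

def tcp(src, dport, iface="eth1", syn=True, ack=False, proto="tcp"):
    return dict(iface=iface, proto=proto, src=src, dst=OUTSIDE_ADDR, sport=40000, dport=dport, syn=syn, ack=ack)

SAMPLE_PACKETS = {  # constructed traffic arriving at the firewall
    "vnc_syn_from_allowed_net": tcp("139.142.1.10", 5800),
    "vnc_syn_from_elsewhere": tcp("198.51.100.7", 5800),
    "vnc_data_from_allowed_net": tcp("139.142.1.10", 5800, syn=False, ack=True),
    "portmapper_udp_from_outside": tcp("198.51.100.7", 111, proto="udp"),
    "http_from_outside": tcp("198.51.100.7", 80),
    "portmapper_on_inside_iface": tcp("192.168.0.9", 111, iface="eth0"),
}

def run(chain="input", packets=SAMPLE_PACKETS, ruleset=RULESET):
    chains, policies, mfw = parse_ruleset(ruleset)
    return {name: evaluate(chains, policies, mfw, chain, pkt) for name, pkt in packets.items()}
```

run() returns the verdict, mark and mfw redirect for each sample packet: the VNC SYN from 139.142.0.0/16 is accepted with mark 2 and redirected to 192.168.0.2:5800, the same SYN from anywhere else is denied by the rule that precedes the mark rule, and port 111 is only blocked on eth1. Calling run("forward", ...) with a packet from 192.168.0.0/24 and one from another network shows the -P forward DENY policy catching everything the MASQ rule does not match.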