/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */

Hi all,

I am new to the list. I tried searching the archives and couldn't find a solution for my problem, so I am posting here. I will try and give as much info as possible.

Setup: Debian unstable with kernel 2.2.12 with ipchains 1.3.9.

My Debian box can connect to any and all sites over my dialup ppp connection. I have 2 internal win98 machines that for the most part can get to all sites on the web. However, there are a few that fail to connect and time out; I can connect to these fine on the Debian box. Debian has a package called ipmasq which does basic setup of the ipchains rules and I am using that (rules posted below).

When I am dialed in with my dynamic IP assignment my setup is:

% ifconfig
eth0      Link encap:Ethernet  HWaddr 00:80:AD:70:3F:20
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1975658 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1991680 errors:0 dropped:0 overruns:0 carrier:0
          collisions:17 txqueuelen:100
          Interrupt:10 Base address:0x280

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:32007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32007 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:128.46.112.44  P-t-P:128.46.112.98  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:552  Metric:1
          RX packets:7913 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

% route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
128.46.112.98   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         128.46.112.98   0.0.0.0         UG    0      0        0 ppp0

and the ipchains rules that are called after the connection in /etc/ppp/ip-up are:

% ipmasq -v
Interfaces found:
  ppp0  128.46.112.44/255.255.255.255
  eth0  192.168.1.1/255.255.255.0
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A input -j DENY -i !lo -s 127.0.0.1/255.0.0.0 -l
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 192.168.1.1/255.255.255.0
/sbin/ipchains -A input -j ACCEPT -i ppp0 -d 128.46.112.44/32
/sbin/ipchains -A input -j DENY -i ppp0 -s 192.168.1.1/255.255.255.0 -l
/sbin/ipchains -A forward -j MASQ -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/ipchains -A output -j ACCEPT -i lo
/sbin/ipchains -A output -j ACCEPT -i eth0 -d 192.168.1.1/255.255.255.0
/sbin/ipchains -A output -j ACCEPT -i eth0 -d 224.0.0.0/240.0.0.0 -p ! tcp
/sbin/ipchains -A output -j ACCEPT -i ppp0 -s 128.46.112.44/255.255.255.255
/sbin/ipchains -A output -j DENY -i ppp0 -d 192.168.1.1/255.255.255.0 -l
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l

I tried watching the output from tcpdump and iptraf on the Linux box but I am not literate in that area to understand what was being shown. I can post some logs of the traffic during a failed connect. One site that I know for sure that does not get connected to on the masq'd machines is http://www.realtor.com/; after a few minutes a message is displayed that the connection was reset by the peer.

I would really appreciate any feedback on this. I will help in any way I can to get this resolved.

Thanks,
--
Brian Servis
--
------------------------------------------------------------------------
Mechanical Engineering              | Never criticize anybody until you
Purdue University                   | have walked a mile in their shoes,
[EMAIL PROTECTED]                   | because by that time you will be a
http://www.ecn.purdue.edu/~servis   | mile away and have their shoes.
