On Mon, 15 Apr 2002, Frank Gore wrote:

> Can someone please help me figure out what's wrong with my network
> setup? I REALLY need to be able to do multiple things on the Internet
> ...
>
You should set up and use some other queueing discipline on your
RH 7.2 gateway box, rather than the default pfifo_fast discipline.
Look at the Advanced-Routing-HOWTO for more information on how to do
that.

A little comment about your iptables configuration:

> modprobe ipt_MASQUERADE
> iptables -F; iptables -t nat -F; iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
OK, you are doing masquerading.

> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -P INPUT DROP
> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>
OK, with default policy ACCEPT, you are using a stateful config,
disallowing any incoming connection from interface ppp0 and
allowing new connections originating from lo and eth0. Also, you
disallow "gatewaying" anything on your ppp0.

> iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
> iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT
> iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT
> iptables -A INPUT --protocol tcp --dport 21 -j ACCEPT
> iptables -A INPUT --protocol tcp --dport 23 -j ACCEPT
>
Because you allowed all "NEW" connections on interfaces lo and eth0,
these rules are irrelevant. To be clear, this configuration allows
connections to all ports, originating from interfaces lo or eth0, NOT
only to ports 21,23,...,443 as you wished to. BTW, you should use
-p tcp -m multiport --dports <ports list> when doing something like
this.


-- 

.----------------------------------------------------------------------------.
| Pozdrav / Best Wishes,     [EMAIL PROTECTED]  | LL   The Choice of       |
| Dragan Simic                 RS.BA Hostmaster   | LL            GNU        |
| URC B.Luka / RSKoming.NET  System/Network Admin | LLLL i n u x  Generation |
`----------------------------------------------------------------------------'
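An added example, not from this thread or its participants: a small Python model of first-match evaluation in the INPUT chain (only -i, -m state, -p and --dport/--dports are modelled; everything else, including user chains and the FORWARD/NAT side, is left out). It encodes the INPUT rules exactly as quoted above, together with the DROP policy that is set afterwards, next to a variant of my own that carries the five ports as one -m multiport rule bound to ppp0 and limited to NEW connections. Run against constructed sample packets it shows two things worth checking before relying on the wording above: with the eth0/lo rule first, any port on those interfaces is accepted, as the reply says; but the five port rules have no -i or state match, so in the posted order they also accept traffic arriving on ppp0 for ports 21, 23, 80, 113 and 443, including packets conntrack has tagged INVALID. Interface names and ports come from the quoted configuration; the "restricted" chain is an assumption about what was intended, not something the thread proposes.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    iface: str                 # input interface: "ppp0", "eth0" or "lo"
    state: str                 # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str                        # ACCEPT / DROP / REJECT
    iface: Optional[str] = None        # -i <if>
    iface_negate: bool = False         # -i ! <if>  (the syntax used in the post)
    states: Optional[Set[str]] = None  # -m state --state a,b
    proto: Optional[str] = None        # -p tcp
    dports: Optional[Set[int]] = None  # --dport N, or -m multiport --dports a,b,c

    def matches(self, p: Packet) -> bool:
        # Every specified match must hold; unspecified matches are wildcards.
        if self.iface is not None and (p.iface == self.iface) == self.iface_negate:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


def evaluate(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; otherwise the chain policy applies.
    Returns (verdict, 1-based rule number, or None when the policy decided)."""
    for n, r in enumerate(chain, start=1):
        if r.matches(p):
            return r.target, n
    return policy, None


# INPUT chain in the order the quoted script appends it.
POSTED_INPUT = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", states={"NEW"}, iface="ppp0", iface_negate=True),
    Rule("ACCEPT", proto="tcp", dports={80}),
    Rule("ACCEPT", proto="tcp", dports={443}),
    Rule("ACCEPT", proto="tcp", dports={113}),
    Rule("ACCEPT", proto="tcp", dports={21}),
    Rule("ACCEPT", proto="tcp", dports={23}),
]

# Assumed intent (not from the thread): same LAN/lo rule, but the services are
# reachable from ppp0 only via one NEW-only multiport rule bound to ppp0.
RESTRICTED_INPUT = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", states={"NEW"}, iface="ppp0", iface_negate=True),
    Rule("ACCEPT", states={"NEW"}, iface="ppp0", proto="tcp",
         dports={21, 23, 80, 113, 443}),
]

POLICY = "DROP"   # iptables -P INPUT DROP, set after the appends in the post


def compare(p: Packet) -> Tuple[str, str]:
    """Verdict for p under the posted chain and under the restricted one."""
    return evaluate(POSTED_INPUT, POLICY, p)[0], evaluate(RESTRICTED_INPUT, POLICY, p)[0]


if __name__ == "__main__":
    samples = [  # constructed sample packets
        Packet("eth0", "NEW", "tcp", 5000),        # LAN host, arbitrary port
        Packet("ppp0", "NEW", "tcp", 80),          # Internet host, listed port
        Packet("ppp0", "NEW", "tcp", 8080),        # Internet host, unlisted port
        Packet("ppp0", "INVALID", "tcp", 80),      # stray packet conntrack cannot place
        Packet("ppp0", "ESTABLISHED", "tcp", 40000),
    ]
    for p in samples:
        posted = evaluate(POSTED_INPUT, POLICY, p)
        strict = evaluate(RESTRICTED_INPUT, POLICY, p)
        print(f"{p.iface:5} {p.state:11} {p.proto}/{p.dport:<5} "
              f"posted={posted} restricted={strict}")
```

Run as a script it prints the verdict and matching rule number for each sample packet; on the real box the counters and rule numbers for the same chain come from iptables -L INPUT -v -n --line-numbers, which is the quickest way to see which rule a given connection is actually hitting.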