 | | | Testing internal MASQ client PC connectivity | Testing internal MASQ client PC connectivity 2002-07-04 - By ? -
Back
when i try to ping the external ip ,
no reaction
what errors?thanks!!!
the following is my rc.firewall config:
///////////////////////////////////////////////
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.63
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this
simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that
used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the
internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a
rule to DROP
# all forwarded packets but it didn 't have a rule to
ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules
by default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall version
$FWVER..\n "
# The location of the 'iptables ' program
#
# If your Linux distribution came with a copy of
iptables, most
# likely it is located in /sbin. If you manually
compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables " command to
figure out
# ** where your copy is and change the path below to
reflect
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces for the
network
#
# Each IP Masquerade network needs to have at least
one
# external and one internal network. The external
network
# is where the natting will occur and the internal
network
# should preferably be addressed with a RFC1918
private address
# scheme.
#
# For this example, "eth0 " is external and "eth1 " is
internal "
#
# NOTE: If this doesnt EXACTLY fit your configuration,
you must
# change the EXTIF or INTIF variables above. For
example:
#
# EXTIF= "ppp0 "
#
# if you are a modem user.
#
EXTIF= "eth1 "
INTIF= "eth0 "
echo " External Interface: $EXTIF "
echo " Internal Interface: $INTIF "
#======================================================================
#== No editing beyond this line is required for
initial MASQ testing ==
echo -en " loading modules: "
# Need to verify that all modules have all required
dependencies
#
echo " - Verifying that all kernel modules are ok "
/sbin/depmod -a
# With the new IPTABLES code, the core MASQ
functionality is now either
# modular or compiled into the kernel. This HOWTO
shows ALL IPTABLES
# options as MODULES. If your kernel is compiled
correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for
informational reasons.
# There is no reason to manual load these modules
unless your
# kernel is either mis-configured or you intentionally
disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the
server, the
# following kernel modules will be automatically
loaded:
#
# NOTE: Only load the IP MASQ modules you need. All
current IP MASQ
# modules are shown below but are commented out from
loading.
#
===============================================================
#Load the main body of the IPTABLES module - "iptable "
# - Loaded automatically when the "iptables " command
is invoked
#
# - Loaded manually to clean up kernel auto-loading
timing issues
#
echo -en "ip_tables, "
/sbin/insmod ip_tables
#Load the IPTABLES filtering module - "iptable_filter "
# - Loaded automatically when filter policies are
activated
#Load the stateful connection tracking framework -
"ip_conntrack "
#
# The conntrack module in itself does nothing without
other specific
# conntrack modules being loaded afterwards such as
the "ip_conntrack_ftp "
# module
#
# - This module is loaded automatically when MASQ
functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading
timing issues
#
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "# " on the next line
to deactivate
#
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "# " on the next line
to deactivate
#
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat "
# - Loaded automatically when MASQ functionality is
turned on
#
# - Loaded manually to clean up kernel auto-loading
timing issues
#
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
#Loads the FTP NAT functionality into the core
IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "# " on the next line
to deactivate
#
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
# Just to be complete, here is a list of the remaining
kernel modules
# and their function. Please note that several modules
should be only
# loaded by the correct master kernel module for
proper operation.
#
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- -----
#
# ipt_mark - this target marks a given packet for
future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the
TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be
limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within
a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with
various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets
that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to
be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and
returns
# a configurable ICMP packet back to the
# sender.
#
# iptable_mangle - this target allows for packets to
be manipulated
# for things like the TCPMSS option, etc.
echo ". Done loading modules. "
#CRITICAL: Enable IP forwarding since it is disabled
by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " enabling forwarding.. "
echo "1 " > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP,
PPP, or DHCP,
# enable this following option. This enables
dynamic-address hacking
# which makes the life with Diald and similar programs
much easier.
#
echo " enabling DynamicAddr.. "
echo "1 " > /proc/sys/net/ipv4/ip_dynaddr
# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form
of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal
LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24 "
bit subnet mask
# connecting to the Internet on external interface
"eth0 ". This
# example will MASQ internal traffic out to the
Internet but not
# allow non-initiated traffic into your internal
network.
#
#
# ** Please change the above network numbers, subnet
mask, and your
# *** Internet connection interface name to match your
setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT
is ACCEPT
# The default for FORWARD is DROP
#
echo " clearing any existing rules and setting default
policy.. "
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only
existing and related ones IN "
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state
--state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on
$EXTIF "
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j
MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n "
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
< �C�ѳ� Yahoo!�_�� > www.yahoo.com.tw
|
|
|