 | | | synchronizing failed | synchronizing failed 2003-07-04 - By Tough Guy
Back
hi folks,
im tring to set RH8.0 as router. i ve 1 LAN card. and i set 2 ips
on it, one for local area and another one is valid ip frm my
isp.
internet is working fine and this server is acting as squid proxy
server as well and running fine...and now i want this server to
act as router too.. i configure the script as AS directed by HOWTO
on TLDP.org.
now the problem is i can ping the external ip frm the LAN client
but im not able to reach out to internet...
this is the script in including..
-- ---- ---- ---- ---- ---- ---- ----
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.74
#
# Initial SIMPLE IP Masquerade test for 2.4.x
kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this
simple
# ruleset, it is highly recommended to use a
stronger
# IPTABLES ruleset either given later in this HOWTO
or
# from another reputable resource.
#
#
#
# Log:
# 0.74 - the ruleset now uses modprobe vs. insmod
# 0.73 - REJECT is not a legal policy yet; back to DROP
# 0.72 - Changed the default block behavior to REJECT not
DROP
# 0.71 - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external
interface
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used
eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the
internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to
DROP
# all forwarded packets but it didn't have a rule to
ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by
default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
#
# NOTE: If this doesnt EXACTLY fit your configuration, you
must
# change the EXTIF or INTIF variables above. For
example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
#
EXTIF=202.x.x.x
INTIF=192.168.10.222
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#======================================================================
#== No editing beyond this line is required for initial MASQ
testing ==
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
# With the new IPTABLES code, the core MASQ functionality is now
either
# modular or compiled into the kernel. This HOWTO shows ALL
IPTABLES
# options as MODULES. If your kernel is compiled correctly, there
is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational
reasons.
# There is no reason to manual load these modules unless
your
# kernel is either mis-configured or you intentionally
disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP
MASQ
# modules are shown below but are commented out from
loading.
#
===============================================================
echo
"-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --"
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing
issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables
#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated
#Load the stateful connection tracking framework -
"ip_conntrack"
#
# The conntrack module in itself does nothing without other
specific
# conntrack modules being loaded afterwards such as the
"ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality
is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing
issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to
deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to
deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing
issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to
deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
#Loads the IRC NAT functionality into the core IPTABLES code
# Require to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to
activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc
echo
"-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --"
# Just to be complete, here is a list of the remaining kernel
modules
# and their function. Please note that several modules should be
only
# loaded by the correct master kernel module for proper
operation.
#
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- -----
#
# ipt_mark - this target marks a given packet for future
action.
# This automatically loads the ipt_MARK
module
#
# ipt_tcpmss - this target allows to manipulate the TCP
MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS
module
#
# ipt_limit - this target allows for packets to be limited
to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a
range
# of port numbers vs. listing each port
individually
#
# ipt_state - this match allows to catch packets with
various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have
invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be
DROPped,
# REJECTed, or LOGged. This module
automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to
be
# logged
#
# ipt_REJECT - this target DROPs the packet
and returns
# a configurable ICMP packet back
to the
# sender.
#
# iptable_mangle - this target allows for packets to be
manipulated
# for things like the TCPMSS option, etc.
echo -e " Done loading modules.\n"
#CRITICAL: Enable IP forwarding since it is disabled by default
since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or
DHCP,
# enable this following option. This enables dynamic-address
hacking
# which makes the life with Diald and similar programs much
easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of
SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN
address in the
# 192.168.0.x network with a 255.255.255.0 or a "24"
bit subnet mask
# connecting to the Internet on external interface
"eth0". This
# example will MASQ internal traffic out to the
Internet but not
# allow non-initiated traffic into your internal
network.
#
#
# ** Please change the above network numbers, subnet mask,
and your
# *** Internet connection interface name to match your
setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid
policy)
#
echo " Clearing any existing rules and setting default
policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and
related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
-- ---- ---- --
Thanks
Tough guy
__ ____ ____ ____ ____ ____ ____ ____ ____ ____ ___
Click below to experience Sooraj R Barjatya's latest offering
'Main Prem Ki Diwani Hoon' starring Hrithik, Abhishek
& Kareena http://www.mpkdh.com
Earn $52 per hosting referral at Lunarpages.
|
|
|