Next
Previous
Contents
You're probably blocking DNS lookups; it will eventually time out.
Try using the `-n' (numeric) flag to ipchains, which suppresses the
lookup of names.
You must put the `!' option by itself, with spaces either side. A
classic mistake (warned about in 1.3.10) is:
# ipchains -A input -i !eth0 -j DENY
#
There will never be an interface called `!eth0', but ipchains doesn't
know that.
Make sure that packet forwarding is enabled (in recent kernels it is
disabled by default, meaning that packets never even try to traverse
the `forward' chain). You can override this (as root) by typing
# echo 1 > /proc/sys/net/ipv4/ip_forward
#
If this works for you, you can put this somewhere in your bootup
scripts so it is enabled every time; you'll want to set up your
firewalling before this command runs though, otherwise there's an
opportunity for packets to slip through.
You must allow forwarding packets (see above) for redirect to work;
otherwise the routing code drops the packet. So if you are just using
redirect, and don't have any forwarding at all, you should be aware of
that.
Note that REDIR (being in the input chain) doesn't effect connections
from a local process.
There was a bug in versions 2.1.102 and 2.1.103 of the kernel (and
some old patches I produced) which made ipchains commands which
specified a wildcard interface (such as -i ppp+) fail.
This is fixed in recent kernels, and in the 2.0.34 patch on the web
site. You can also fix it by hand in the kernel source by changing
line 63 or so in include/linux/ip_fw.h:
#define IP_FW_F_MASK 0x002F /* All possible flag bits mask */
This should read ``0x003F''. Fix this and recompile the kernel.
This was my mistake: setting the Type of Service field did not
actually set the Type of Service in kernel versions 2.1.102 through
2.1.111. This problem was fixed in 2.1.112.
For 2.0.x, this is true; I haven't time to create and maintain a jumbo
patch for ipchains and ipautofw/ipportfw.
For 2.1.x, download Juan Ciarlante's ipmasqadm from
<url url="http://juanjox.linuxhq.com/"
name="http://juanjox.linuxhq.com/">
and use it exactly as you would have used ipautofw or
ipportfw, except instead of ipportfw you type ipmasqadm
portfw, and instead of ipautofw you type ipmasqadm autofw.
Upgrade to version 1.6.0 or above, which doesn't require any firewall
rules at all for 2.1.x kernels. This seems to have broken again in
the 1.6.1 release; please bug the author (it's not my fault!).
This was a bug in ipchains version 1.3.3. Please upgrade.
True (for 2.1.x kernels) up to 2.1.123. In 2.1.124, trying to set the
masquerading timeouts causes a kernel lockup (change return
to ret = on line 1328 of net/ipv4/ip_fw.c). In 2.1.125, it
works fine.
So do a number of others, it seems. My code only covers IP,
unfortunately. On the good side, all the hooks are there to firewall
IPX! You just need to write the code; I will happily help where
possible.
Next
Previous
Contents
| 
Take our 
