On Monday 28 October 2002 11:26 am, bigman@monster-solutions.net wrote: > my comments for each question are in BOLD... thanks for all of the help. > > > iptables -A FORWARD -i eth2 -o eth2 -j lan2-lan1-fwd > > > > I don't like the look of that rule ! > > IT SHOULD BE -O ETH1 AND NOT -O ETH2 I know. I just thought you should check whether this was a typo in your email, or a typo in the original script... > > the best thing might be to add a LOGging > > rule just before the DROP rule in each of your lan1-lan2-fwd and > > lan2-lan1-fwd chains so you can see if anything's being blocked... > > SO DHCRELAY WILL USE FORWARDING INSTEAD OF OUTPUT AND INPUT FOR IT TO WORK? No, sorry, I should have suggested adding the LOGging rules to the chains lan1-in lan2-in and lan1-lan2. You are correct that dhcrelay is supposed to pick up broadcasts on the source network (which will come in to the firewall via the INPUT chain) and the dhcrelay application then generates its own packet to send to the dhcp server (which will go out via the OUTPUT chain). Replies should come back in from the dhcp server through the INPUT chain, and then go back out to the original client through the OUTPUT chain. No packets are expected to be FORWARDed (routed). Antony. -- KDE 3.0.3 contains an important fix for handling SSL certificates. Users of Internet Explorer, which suffers from the same problem but which does not yet have a fix available, are also encouraged to switch to KDE 3.0.3. http://www.kde.org/announcements/announce-3.0.3.html
