On Wednesday 29 January 2003 06:05 pm, seberino@spawar.navy.mil wrote:

> This firewall has 2 NICs for private LAN and 1 to connect
> to Internet. I can access Internet from firewall
> fine with new DSL service if I kill iptables filtering.
>
> I tried to modify old static ip script for DSL.
> (eth2 became ppp0)
>
> Now I have a new guess...
>
> Does DSL/PPPoE need to open certain other ports, etc.
> I don't know about?? If so that would explain why
> it doesn't work with old static ip script that closes
> all ports it doesn't need.

No other communications are needed, unless there's some custom client that the ISP has made you install.

You are going to have problems with $INTERNET_ADDRESS in your rules, though, since that is now subject to change. Is it truly dynamic? If it usually only changes on reboot, you can get around it by setting $INTERNET_ADDRESS at the start of the script equal to:

    $(/sbin/ifconfig "$EXTIF" | grep inet | cut -d":" -f 2 | cut -d" " -f 1)

($EXTIF is what I use; I believe you had INTERNET_INTERFACE?)

If your IP is 'really' dynamic, you will probably need to remove that match from the rules, and change "-j SNAT --to $INTERNET_ADDRESS" to "-j MASQUERADE", also adding "echo 1 > /proc/sys/net/ipv4/ip_dynaddr" to enable automatic tracking of the dynamic IP.

I also have a suspicion, which will take you but a moment to explore. With your connection up, go to the console and try "ifconfig ppp0" and "cat /etc/resolv.conf" and see if you have any conflict with your "reserved_networks" list. For my service, my own IP and the nameservers are public, but the P-t-P server (the 'gateway' that I talk to) is a 10.10.x.x IP. I have encountered setups before where the assigned IP or the nameservers are also in a 'reserved' private range, which would mean problems with your script.

j
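The "reserved_networks" check suggested above, worked through as an added example (not from the list or the original script): it reuses the reply's `grep | cut` pipeline on a constructed `ifconfig ppp0` sample and a constructed resolv.conf, assumes the usual RFC 1918 ranges as the reserved list, and reports every address the filter would drop.

```shell
#!/bin/sh
# Constructed sample of "ifconfig ppp0" output and /etc/resolv.conf (documentation
# addresses, not a real host); on the firewall, feed in the live command output instead.
PPP0_SAMPLE='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.45  P-t-P:10.10.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'
RESOLV_SAMPLE='nameserver 198.51.100.2
nameserver 192.168.1.1'

# Assumed contents of the script's "reserved_networks" list (RFC 1918 ranges)
RESERVED="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Dotted quad -> 32-bit integer, POSIX shell arithmetic only
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 lies inside CIDR block $2 (e.g. 10.0.0.0/8)
in_cidr() {
  cidr_net=${2%/*}; bits=${2#*/}
  mask=$(( 4294967295 << (32 - bits) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$cidr_net") & mask )) ]
}

# Print the reserved block containing $1, or fail when the address is public
reserved_match() {
  for net in $RESERVED; do
    in_cidr "$1" "$net" && { echo "$net"; return 0; }
  done
  return 1
}

# The reply's pipeline, applied to saved ifconfig output ($1); peer is the 3rd ":" field
local_ip() { echo "$1" | grep inet | cut -d":" -f 2 | cut -d" " -f 1; }
peer_ip()  { echo "$1" | grep inet | cut -d":" -f 3 | cut -d" " -f 1; }
nameservers() { echo "$1" | awk '$1 == "nameserver" { print $2 }'; }

# One line per address (own IP, P-t-P peer, each nameserver) that a
# reserved_networks rule would silently drop; prints nothing when all are public
check_conflicts() {
  for addr in $(local_ip "$1") $(peer_ip "$1") $(nameservers "$2"); do
    hit=$(reserved_match "$addr") && echo "$addr conflicts with $hit"
  done
}

check_conflicts "$PPP0_SAMPLE" "$RESOLV_SAMPLE"
```

With the sample data the peer 10.10.0.1 and the second nameserver 192.168.1.1 are flagged; those are the addresses the script would have to exempt before the reserved_networks drop rules.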