On Saturday 15 February 2003 07:50 pm, Tim wrote:
> ppl,
>
> I rebuilt my box and can't seem to FORWARD anything. The same rules
> that were working with the old box went into the new box and it's not
> working. Did I miss anything?
>
> Cannot traverse the chains... I ran the command lsmod to check to make
> sure the modules were loading correctly and did notice something that
> was not there in my old box: ppp_synctty, ppp_async, ppp_generic and
> slhc, which states it is a generic ppp, along with jbd, which I never
> noticed before.
>
> If anyone can point me to any reason or documentation why this is so, I
> would gratefully appreciate it.
>
> Thanks
> Tim

1- Try "cat /proc/sys/net/ipv4/ip_forward" and see what it says. If it's a '0' (zero), then you need to "echo 1 >/proc/sys/net/ipv4/ip_forward" to enable forwarding.

2- Ensure that the interfaces are the same as on the old box, i.e. if eth0 was the internal network on the old box, then double-check that it's the same on the new box. If not, you can either change your rules to reflect the difference, or change which cable is plugged into which NIC.

3- Check "/sbin/iptables -v -n -L" and "/sbin/iptables -v -n -L -t nat" and see if ANY rules, or chain policies (especially nat PREROUTING, the earliest hit of those listed), report any packets.

4- If the first two aren't the problem, then: if the third shows NO traffic at all, your problem isn't iptables. If the third shows traffic, try to see which rules and which chains the traffic is appearing in, and make sense of it. Try inserting "-j LOG" rules first in each chain for a minute or two and check the logs to track packet traversals.

5- Also confirm whether the firewall box itself is able to communicate in each direction. At a minimum, you should ping a machine out each interface. Set the INPUT and OUTPUT chains to ACCEPT policy with no rules if necessary, but try to narrow down where the problem really exists.

6- Check "ip route" and "ifconfig" and ensure your interfaces are all up, and you have appropriate routes. Routes should look something like this (eth0 is the interface ppp0 subsumes, eth1 is LAN):

    10.10.21.1 dev ppp0 proto kernel scope link src 141.150.238.220
    192.168.0.0/16 dev eth1 scope link
    127.0.0.0/8 dev lo scope link
    default via 10.10.21.1 dev ppp0

7- If all this turns up no answer, then post with a bit more detail, such as what distribution you were/are running, what version, what kernel, and what version of iptables you were/are running.

j
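The checks in steps 1, 3 and 4 above can be scripted so the first two questions (is forwarding on, and does any chain count packets?) are answered mechanically before you start inserting LOG rules. The script below is an added example written for this thread, not code from the original reply; the "iptables -v -n -L" text it parses is a constructed sample so it runs offline, and the function and variable names (forwarding_state, chains_with_traffic, diagnose, SAMPLE_IPTABLES) are this example's own. On a live box you would feed it "cat /proc/sys/net/ipv4/ip_forward" and the real "iptables -v -n -L" output instead.

```shell
#!/bin/sh
# Added example (not from the original thread). Parses iptables -v -n -L
# counters and the ip_forward sysctl value to decide which of the reply's
# steps applies next.

# CONSTRUCTED sample of "iptables -v -n -L" output: INPUT and OUTPUT have
# counted packets, FORWARD has not, which is the symptom in the thread.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   ppp0    192.168.0.0/16       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 95 packets, 7100 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# forwarding_state VALUE: interpret the contents of /proc/sys/net/ipv4/ip_forward
forwarding_state() {
    case "$1" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# chains_with_traffic: read "iptables -v -n -L" output on stdin and print,
# sorted, the names of chains whose policy counter or any rule counter is
# non-zero. Counters are per chain; a chain that never sees a packet stays 0.
chains_with_traffic() {
    awk '
        /^Chain / {
            chain = $2
            pkts = ""
            # built-in chains carry "(policy X N packets, M bytes)";
            # user-defined chains only say "(N references)", so pkts stays empty
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "packets,") { pkts = f[i-1]; break }
            if (pkts + 0 > 0) hit[chain] = 1
            next
        }
        # rule lines start with the pkts and bytes counters
        /^ *[0-9]+ +[0-9]+ / { if ($1 + 0 > 0) hit[chain] = 1 }
        END { for (c in hit) print c }
    ' | sort
}

# diagnose IP_FORWARD_VALUE IPTABLES_OUTPUT: map the two observations onto
# the next step from the reply above.
diagnose() {
    if [ "$(forwarding_state "$1")" != "enabled" ]; then
        echo "ip_forward is off: echo 1 >/proc/sys/net/ipv4/ip_forward"
        return 0
    fi
    hits=$(printf '%s\n' "$2" | chains_with_traffic)
    if [ -z "$hits" ]; then
        echo "no chain counted packets: not an iptables problem, check interfaces and routes"
    elif ! printf '%s\n' "$hits" | grep -qx FORWARD; then
        echo "traffic reaches the box but never hits FORWARD: re-check interface names and routes, then add -j LOG rules"
    else
        echo "FORWARD counted packets: trace the rules with -j LOG"
    fi
}

# Stand-alone run against the constructed sample. On a real firewall:
#   diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -v -n -L)"
echo "chains with traffic in sample:"
printf '%s\n' "$SAMPLE_IPTABLES" | chains_with_traffic
diagnose 1 "$SAMPLE_IPTABLES"
```

The parser only trusts the packet counters, which is the same signal step 3 asks you to read by eye; it deliberately ignores rule targets, so a chain whose only rule is "-j LOG" is treated no differently from any other once its counter moves.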