Re: Not forwarding?

On Sunday 28 March 2004 21:59, Cody Harris wrote:
> On Sun, 28 Mar 2004 21:48:46 +0100,
> Someone named Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx> wrote:
> > 1. Is any other protocol being forwarded correctly?
> I'm only forwarding tcp, I don't know what the deal is with ICMP.

What about other application level protocols, such as HTTP, FTP or IMAP?  
Note that you should try to connect to something other than your 
netfilter machine, for the reasons described below.

> > 2. What does "cat /proc/sys/net/ipv4/ip_forward" return?
> 1

This is fine.

> > 3. What do you mean by "properly"?   Does ssh work at all? 
> > Sometimes?   From some machines?   Only for a certain time, then
> > stops?   What?
> It logs into my firewall. We've tested that by creating "phoneyuser" on
> the firewall and logging in as that.

You can log in to the firewall because your INPUT chain has a default 
ACCEPT policy and you don't drop packets coming in on 22.  Can you 
connect to SSH servers on the other side of the netfilter machine?  This 
is where the FORWARD chain comes into action.

As an aside, note that creating "phoneyuser" doesn't really test netfilter 
at all.  You either can or can't connect to the port; netfilter won't stop 
any specific user from logging in.

As Antony asked, please paste at least your FORWARD chain using the -v 
switch to iptables so we can see the counters.

David
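
Added example, not part of the original message: one way to read the counters that the -v listing requested above exposes, flagging FORWARD rules that never matched and packets that fell through to a non-ACCEPT policy. The sample listing is constructed, and the function names (parse_chain, diagnose) are hypothetical.

```python
import re

# Constructed sample of `iptables -L FORWARD -v -n` output (not from the thread).
SAMPLE = """\
Chain FORWARD (policy DROP 57 packets, 3420 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.1.10         tcp dpt:22
  12K  980K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

# Without -x, iptables abbreviates large counters with K/M/G suffixes.
_UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}

def _count(tok):
    """Convert a counter such as '12K' to an integer (approximate when abbreviated)."""
    return int(tok[:-1]) * _UNITS[tok[-1]] if tok[-1] in _UNITS else int(tok)

def parse_chain(text):
    """Return (chain, policy, policy_pkts, rules) for one built-in chain listing."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = re.match(r"Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)", lines[0])
    if not m:
        raise ValueError("expected a built-in chain header with -v counters")
    rules = []
    for line in lines[2:]:  # lines[1] is the column-header row
        f = line.split()
        if f[3] in ("--", "-f", "!f"):  # rule without a target: column is blank
            f.insert(2, "")
        rules.append({"pkts": _count(f[0]), "target": f[2], "proto": f[3],
                      "in": f[5], "out": f[6], "src": f[7], "dst": f[8],
                      "match": " ".join(f[9:])})
    return m.group(1), m.group(2), _count(m.group(3)), rules

def diagnose(text):
    """List observations a reader of the counters would make."""
    chain, policy, policy_pkts, rules = parse_chain(text)
    notes = []
    for i, r in enumerate(rules, 1):
        if r["pkts"] == 0:
            notes.append(f"{chain} rule {i} ({r['target']} {r['proto']} "
                         f"{r['match']}) has matched 0 packets")
    if policy != "ACCEPT" and policy_pkts > 0:
        notes.append(f"{policy_pkts} packets fell through to the {chain} "
                     f"{policy} policy")
    return notes

if __name__ == "__main__":
    for note in diagnose(SAMPLE):
        print(note)
```

A zero counter on the rule meant to pass the forwarded SSH traffic, together with a rising policy counter, indicates that the packets reach FORWARD but do not match the rule as written.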

