redhat-list-iptables_and_ip_masquerading_firewalls_and_a_criticism_of_lokkit

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



To: redhat-list@listman.redhat.com
From: "Thomas E. Dukes" <edukes@alltel.net>
Subject: iptables and ip masquerading
Date: 01 Mar 2003 11:00:49 -0500

I was trying to set up my RH 8.0 box to act as a gateway. Currently, I'm
using Win XP Pro.  I just want to switch things around.

I got TKppoe working but am unable to reach the internet now from the XP
box.  I didn't set up ip masquerading which is probably the problem.

I was reading the IP Masquerade HOW-TO and got to the part about
rc.firewall.  My question is:  Do I run iptables and rc.firewall?  Or
just rc.firewall?



===

To: redhat-list@listman.redhat.com
From: Jack Bowling <jbinpg@shaw.ca>
Subject: Re: iptables and ip masquerading
Date: Sat, 01 Mar 2003 17:34:33 -0800

** Reply to message from "Thomas E. Dukes" <edukes@alltel.net> on Sat, 01 Mar 2003 11:00:49 -0500


> I was trying to set up my RH 8.0 box to act as a gateway. Currently, I'm
> using Win XP Pro.  I just want to switch things around.
> 
> I got TKppoe working but am unable to reach the internet now from the XP
> box.  I didn't set up ip masquerading which is probably the problem.
> 
> I was reading the IP Masquerade HOW-TO and got to the part about
> rc.firewall.  My question is:  Do I run iptables and rc.firewall?  Or
> just rc.firewall?

This should be an FAQ. First of all, firewall rules are held
in kernel memory during any one session. How those rules get
there is the crux of your question.

There are two main ways to get those firewall rules into memory:
- use the RH supplied lokkit 
- run your own script such as rc.firewall

The RH lokkit sets up the rules then writes them to
/etc/sysconfig/iptables using the iptables-save function of
the core iptables code (called from their iptables wrapper
script with the "service iptables save" command).  When the
iptables service is started on bootup, those rules are then
read back from /etc/sysconfig/iptables using the
iptables-restore command. This works although lokkit itself
has more than a few problems.

If you are using your own script such as rc.firewall, then
the same method as described above may pertain, or the
script just loads the rules up at initialization without
reading them back from /etc/sysconfig/iptables.  The key is
you should not have both the RH iptables service and your
own firewall script loading at the same time since they
would stomp on each other and you would run the chance of a
rule being either overwritten, deleted or inserted in the
wrong order. So you must do:

/sbin/chkconfig --level 2345 iptables off

if you are running your own script such as rc.firewall. Then
your own script can do all the rules loading, saving and
restoring by itself.

The key here is to only have one method of rules
manipulation. Pick your poison and stick with it.

jb

P.S. - My main beef with lokkit is that the user learns
nothing from using it due to its obfuscated interface. Many
of the better scripts available on the internet are
copiously commented and the user can follow the logic of the
rules.  Anybody serious about maintaining their own firewall
will one day have to get down and dirty with writing rules
and they will not learn how to do it by using lokkit.
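As an added illustration of the two loading paths Jack describes (this is example code, not anything posted in the thread or shipped by Red Hat): a small rc.firewall-style generator that emits a masquerading ruleset in the iptables-save/iptables-restore format that the stock "service iptables" script reads from /etc/sysconfig/iptables, plus a sanity check on the saved file. The interface names (ppp0 for the PPPoE link, eth0 for the LAN side) and the 192.168.1.0/24 LAN prefix are assumptions; the gateway also needs ip_forward turned on, which the script notes but does not do so that it can be run anywhere as a dry run.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: generate and check a
# masquerading ruleset in the format iptables-save writes and
# iptables-restore reads (the same format /etc/sysconfig/iptables uses).
# Interface names and the LAN prefix below are assumptions for the example.

WAN_IF="${WAN_IF:-ppp0}"               # PPPoE link to the ISP (assumed)
LAN_IF="${LAN_IF:-eth0}"               # interface facing the XP box (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # private LAN behind the gateway (assumed)

# Print the ruleset on stdout in iptables-restore format.
# Policy: masquerade LAN traffic leaving on the WAN link; only accept
# forwarded traffic that originates on the LAN or replies to it; drop
# unsolicited inbound traffic to the gateway itself except from the LAN.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity-check a saved ruleset file before handing it to iptables-restore:
# every table opened with "*name" must be closed by a COMMIT, and there must
# be exactly one MASQUERADE rule (a duplicate is the classic symptom of two
# loaders, lokkit/service iptables and a hand-written script, both running).
check_ruleset() {
    file="$1"
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT$' "$file" || true)
    masq=$(grep -c -- '-j MASQUERADE' "$file" || true)
    [ "$tables" -eq "$commits" ] && [ "$masq" -eq 1 ]
}

# Number of -A rules in a saved ruleset (handy for spotting doubled loads).
count_rules() {
    grep -c '^-A' "$1" || true
}

# Write the ruleset to a file and refuse to leave a malformed one behind.
install_ruleset() {
    out="$1"
    gen_ruleset > "$out"
    if ! check_ruleset "$out"; then
        echo "ruleset in $out failed sanity check" >&2
        return 1
    fi
    return 0
}

# Usage on the gateway (as root, with the RH iptables service disabled via
# "/sbin/chkconfig --level 2345 iptables off" so only this script loads rules):
#   sh rc.firewall.gen /etc/sysconfig/iptables
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#   /sbin/iptables-restore < /etc/sysconfig/iptables
# Without an argument the script does nothing, so it can be sourced for testing.
if [ -n "$1" ]; then
    install_ruleset "$1" || exit 1
fi
```

Running it with an output path writes the file and exits non-zero if the file does not pass the check; the check is also what you would run against /etc/sysconfig/iptables after "service iptables save" to confirm the saved state is what you expect before the next boot restores it.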


===
