On Sunday 29 August 2004 17:44, Tony Sumner wrote:

> On Sun, Aug 29, 2004 at 12:36:22PM +0100, Robin Cornelius wrote:
> > Your iptables is not set up exactly the same way as the example. OK, a few questions:
> > - what kernel are you running? 'uname -r'
>
> 2.4.19
>
> > what iptables are you running? 'iptables -V'
>
> 1.2.11
>
> > are you running any firewall distributions, eg shorewall, smoothwall or any other tool that sets up your iptables rules?
>
> No
>
> > What are your iptables rules? Use the following:
> > iptables -t filter --list
> > iptables -t nat --list
> > iptables -t mangle --list
>
> (slightly edited)
>
> filter:
> Chain INPUT (policy ACCEPT)
> Chain FORWARD (policy ACCEPT)
> Chain OUTPUT (policy ACCEPT)
> -------------------------------------------------------
> mangle:
> Chain PREROUTING (policy ACCEPT)
> Chain INPUT (policy ACCEPT)
> Chain FORWARD (policy ACCEPT)
> Chain OUTPUT (policy ACCEPT)
> Chain POSTROUTING (policy ACCEPT)
> ----------------------------------------------------
> nat:
> iptables v1.2.11: can't initialize iptables table `nat': Table does not exist
>
> This looks a bit bald; the actual rules are in /etc/sysconfig/iptables. I could list them (20 lines) but maybe the absence of nat is the main problem. Should I compile the kernel with nat support included? What's the module called?
No, you don't need NAT for this box; your router-modem does NAT. You only need filter and mangle. Filter does what it says and is the "real" firewall part; mangle is what you are attempting to play with and does traffic shaping and other stuff.

If that is the output of iptables then IMHO your firewall is totally open: the rules in /etc/sysconfig/iptables are NOT active, something is missing from your setup to invoke those rules. Is /etc/sysconfig/iptables a shell script that will set the tables or is it just rules for some other script?

For the issue at hand change the command to:

    iptables --table mangle --append OUTPUT --jump TOS --set-tos 0x0

The dscp is only on 2.6 kernel iptables; it was called tos. That should ensure that you have no interactive packets.

Regards
Robin

--
Robin Cornelius
robin@xxxxxxxxxxxxxxxxxxxxx
GPG Key ID: 0x729A79A23B7EE764
http://www.biglumber.com/x/web?qs=0x729A79A23B7EE764
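Robin's diagnosis rests on reading the listing: every chain at its default ACCEPT policy with no rule lines underneath means the rules file was never loaded and the host is filtering nothing. The script below, an added example written for this thread and not code posted by either participant, turns that reading into a check. It runs over two constructed listings modelled on the `iptables -t filter --list` output quoted above (the sample text, the function name and the awk logic are all assumptions of this example); on a live box you would feed it `iptables -t filter --list` instead.

```shell
#!/bin/sh
# filter_is_open LISTING
#   Returns 0 (true) when the filter-table listing shows the "totally open"
#   state from the thread: every chain header carries "(policy ACCEPT)" and
#   there is not a single rule line under any chain. Returns 1 otherwise.
#   Example code for this thread, not from the original posts.
filter_is_open() {
    printf '%s\n' "$1" | awk '
        BEGIN { open = 1 }
        # built-in chains print a policy; anything but ACCEPT is some protection
        /^Chain / { if ($0 ~ /\(policy / && $0 !~ /\(policy ACCEPT\)/) open = 0; next }
        # the column header line is not a rule
        /^target / { next }
        # any remaining non-blank line is a rule, so the table is not empty
        NF > 0 { open = 0 }
        END { exit open ? 0 : 1 }'
}

# Constructed sample: what Tony quoted, i.e. rules file never loaded.
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# Constructed sample: a minimal active firewall (DROP policy plus one rule).
SAMPLE_FILTERED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# Stand-alone demonstration over the constructed samples.
if filter_is_open "$SAMPLE_OPEN"; then
    echo "sample 1: no rules loaded, host is not filtering"
fi
if filter_is_open "$SAMPLE_FILTERED"; then
    echo "sample 2: no rules loaded"
else
    echo "sample 2: rules are active"
fi
```

Running it against a live listing is a cheap first step before touching the mangle table: if the filter table is empty, the problem is whatever should be loading /etc/sysconfig/iptables at boot, and the TOS rule discussed above will be lost the same way on the next reboot.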