Re: Request help with simple network

From: Tim (Tim_at_mail.localhost)
Date: 01/05/04


Date: Tue, 06 Jan 2004 00:03:41 +1030

Anthony Segredo <segredo@att.net> wrote:
 
>>> I can also ping 152.2.210.81 (metalab.unc.edu)and 216.109.118.64
>>> (www.yahoo.com) by address on both boxes. I got the yahoo address from
>>> running 'host www.yahoo.com' on galileo. On galileo when I put the ip
>>> address into mozilla, it takes me to yahoo. On fermi, when I try that
>>> I get "Connection refused by 216.109.118.64". Also on fermi, host and
>>> dig terminate with errors.

Tim wrote:
 
>> Name resolution isn't working then, if dig and host can't resolve
>> addresses. Networking isn't working if you can't browse to IPs, which
>> could be firewalling or proxy issues. Are you using proxies? And are
>> you using firewalls on both machines? If so, what's both of their
>> configurations. You do need to let DNS queries through the firewall, as
>> well as web browser connections.

> No proxies. Firewall on Galileo is Red Hat 9.0 default "Medium
> Security", with eth1 checked as a trusted host (eth0 is the one
> connected to the internet). No firewall on fermi.

I really don't remember what it sets for the "medium" security, but I've
had systems working fine that were set that way.
 
>> You can do an iptables-list > some-filename-you-choose to include them
>> in a message.

> iptables -list doesn't work on my version (1.27a)

Oops, I typed that very badly. It's really: iptables --list > filename

Now you can tell us what's really in your firewall. Sorry for leading
you down the garden path with the wrong command line.

>> One of the main references that I used was:
>>
>> <http://www.yolinux.com/TUTORIALS/LinuxTutorialNetworkGateway.html>

> From that site, I added 'iptables -A FORWARD -i eth1 -j ACCEPT' on
> galileo, but it didn't help. Something is definitely wrong with DNS.

I'm quite in the dark about what the problem is; I don't recall having
any DNS issues with my network, nor having to do anything special with
the machines behind the network to get them working (they just had the
gateway computer's IP address in the gateway parameter, and suitable
IPs in the DNS entries (either my ISP's, or my local DNS server)).

> Running netstat -nr on galileo gives:
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 67.167.94.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 67.167.94.129 0.0.0.0 UG 0 0 0 eth0
>
> I have no idea where the 169.254.0.0 line comes from, I didn't use that
> IP address anywhere. The 67... address came from DHCP.

169.254.x.x are link-local addresses. When a network adaptor is expecting
to be assigned an IP, but isn't, it can automatically pick a random address
beginning with 169.254. for itself. Other computers on the same network,
which may have done the same thing, too, can then network together.

It sounds like you've got a network adaptor without an assigned address
somewhere. What's your output from: /sbin/ifconfig

> Running ps -A on galileo gives (do I need all these processes? And how
> did I get two sendmails?):

I couldn't say, as I'm not familiar with them all (many of the tasks
starting with a k are kernel processes, though it's confusing that kde
processes might also start with a k), but there's a lot of things going
on in the background that you won't need to worry about, and I don't see
anything glaringly unusual. You might have two sendmails because a new
process spawned to do a task for a moment.

> Running ps -A on fermi gives (Am I missing a process that I should have?):

Again, I'm not too familiar with the processes to go by that list.

Below is my networking script, I run it *ONCE* on my gateway PC, whenever
I change any of the parameters inside it. You wouldn't need most of it,
certainly none of the experimenting, and much of it would need modifying
to suit you, but it might give you some tips for a script that would work
on Red Hat 8.0 or 9.0 Linux.

This script worked, as is, on a newly installed Red Hat 9.0 Linux system,
to get networking running, without having to do anything other than configure
the dial-up networking for my ISP.

--- begin script, watch out for bad line wraps, it was sent unwrapped ----

#!/bin/bash

## iptables rules script
## ---------------------
##
## Written by Tim (2002/2003), not copyright, primarily based on information
## from the Osborne Linux reference book (page 1049), and using
## <http://www.yolinux.com/TUTORIALS/LinuxTutorialNetworkGateway.html>.
##
## -------------------------------------------------------------------------
##
## Running this script clears current iptables rules, sets firewall rules to
## protect the system, allow things that you want, and sets up IP NAT
## masquerading (internet connection sharing).
##
## To change rules, edit the script, then run it again.
##
## When the script is run, it stores the settings in the place that Red Hat
## 8.0 and 9.0 Linux look for iptables settings as they boot up (i.e. you
## don't need to run this script each time you reboot). Change the last
## line of the script to suit your system.
##
## Red Hat 7.3:
## "/etc/iptables.rules"
##
## Red Hat 8.0:
## "/etc/sysconfig/iptables"
##
## Notes:
## -----
##
## I've written comments after double hashes, disabled filters behind single
## hashes, and made temporary changes behind triple hashes (so as to be
## quick to find). These comments are for humans, the computer ignores
## them, with the exception of the very first line in this script (above).
##
## Some entries are just my experimenting, and aren't my normal networking.
##
## *MY* internet connections are via dial-up PPP, and my LAN uses eth0 and
## eth1; so the "ppp+" parameters refer to my link to the WWW, and eth+ to
## my LAN; and my gateway computer has an ethernet IP of 192.168.0.2.
## You'll *NEED* to modify all of them to suit your system.
##
## I've taken the simple approach of denying all incoming connections,
## except some things which I feel are okay, or know need allowing (may
## require some fiddling to get instant messaging clients working).
##
## Some services listen for TCP and UDP connections, so I've blocked both.
##
## I've logged some things as a curiosity. Don't bother to do this, unless
## you want to, are going to read the logs, and know what they mean. Note
## that you need to log things *before* you "block" them, else there's not
## going to be anything to log (unproven idea, but it's logically sound).
##
## Be careful copying this file through web browsers. If they add CR+LF to
## the end of lines (EOLs), unlike Unix's solo LF at the EOL, the script may
## stuff up. I've experienced this. I had to re-save the file, modifying
## the EOLs, before the script would work (it didn't give any error messages
## that made it obvious that this was the cause of the problem, either).
##
## Be careful of line wrapping. All command lines must be on a single line,
## or steps taken to allow multiple command lines to be interpreted as one
## line, according to your command interpreter. Almost all command lines
## start with "iptables," a couple start with "echo." If you see any line
## start in another way, it's really part of the prior line.
##
## -------------------------------------------------------------------------
##
## Firewall logging to /var/log/messages uses the following prefix labels:
## (Note that --log-prefix is limited to 29 characters, the length of the
## ruler line below.)
##
## -----=====-----=====-----====
##
## Label:                       Refers to:
## ------                       ----------
##
## firewall{LAN-ext-addr}:      An attempt was made to use an external
##                              address from inside the network (on the LAN).
## firewall{ext-LAN-addr}:      An attempt was made to use an internal (LAN)
##                              address from the outside world.
## firewall{new-ext-access}:    A new attempt was made to connect from the
##                              outside world (uninvited).
## firewall{new-WWW-access}:    A new attempt was made to connect by a WWW
##                              server from the outside world.
## firewall{WWW-return}:        A connection back from a WWW server.
## firewall{ICMP}:              An ICMP connection.
## firewall{ICMP-unreachable}:  An ICMP destination-unreachable message.
##
## To read firewall logs, run: grep firewall /var/log/messages
## Or, to find a specific type: grep ext-access /var/log/messages
##
## End of notes, the script follows:
## -------------------------------------------------------------------------

## May not be needed for new kernels (already present, without doing this):

# modprobe iptable_nat
# modprobe iptable_filter

## Turn off IP forwarding while altering configuration:
##
## (Educated guess: To stop things sneaking through, while your
## firewall isn't operating.)

echo 0 > /proc/sys/net/ipv4/ip_forward

## Flush any pre-existing rules:

iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD

iptables --flush
iptables --table nat --flush

iptables --delete-chain
iptables --table nat --delete-chain

## Set default (policy) rules:

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

#################################
## Anti - Denial Of Service: ##
#################################

## Accept ICMP destination unreachable (3) messages, and optionally ping
## (echo-reply 0 and echo-request 8; those two rules are currently disabled).
## Other ICMP types are dropped by the INPUT DROP policy. The LOG rule must
## come *before* the ACCEPT, otherwise accepted packets are never logged:

###iptables --append INPUT --jump LOG --protocol icmp --in-interface ppp+ --log-prefix "firewall{ICMP}: "

##iptables --append INPUT --jump ACCEPT --protocol icmp --in-interface ppp+ --icmp-type echo-reply
##iptables --append INPUT --jump ACCEPT --protocol icmp --in-interface ppp+ --icmp-type echo-request
iptables --append INPUT --jump LOG --protocol icmp --in-interface ppp+ --icmp-type destination-unreachable --log-prefix "firewall{ICMP-unreachable}: "
iptables --append INPUT --jump ACCEPT --protocol icmp --in-interface ppp+ --icmp-type destination-unreachable

##################################
## Guard against IP spoofing: ##
##################################

## Log and deny any packets on the internal network,
## that don't have internal source addresses:

iptables --append INPUT --jump LOG --log-prefix "firewall{LAN-ext-addr}: " --in-interface eth+ \! --source 192.168.0.0/16
iptables --append INPUT --jump DROP --in-interface eth+ \! --source 192.168.0.0/16

## Log and deny any outside packets (any not on the ETHernet)
## that have a source address of an internal network:
##
## (Without my inserted ACCEPT rule, was preventing this machine connecting
## to 192.168.0.2 - not understood why; perhaps the "\!" (not) should be
## before the IP instead of the interface.)

iptables --append INPUT --jump ACCEPT --in-interface lo --source 192.168.0.0/16
iptables --append INPUT --jump LOG --log-prefix "firewall{ext-LAN-addr}: " \! --in-interface eth+ --source 192.168.0.0/16
iptables --append INPUT --jump DROP \! --in-interface eth+ --source 192.168.0.0/16

## Log and deny any outside packets with a localhost address:

iptables --append INPUT --jump LOG --log-prefix "firewall{ext-LAN-addr}: " \! --in-interface lo --source 127.0.0.1/255.0.0.0
iptables --append INPUT --jump DROP \! --in-interface lo --source 127.0.0.1/255.0.0.0

## Allow all incoming messages for users actually on the firewall system:
##
## Added: --source 127.0.0.1/255.0.0.0
## Was seeing an accept anything, anywhere, regardless, entry in the
## iptables --list results.

iptables --append INPUT --jump ACCEPT --in-interface lo --source 127.0.0.1/255.0.0.0

##################################
## ##
## Handle specific addresses: ##
## ##
##################################

## Allow one user to connect:
##
## (Order is important, a user must be "allowed" before a general rejection rule.)
##
## Allow any type of connection, allow a range of ports, or allow a specific port:

### iptables --append INPUT --jump ACCEPT --in-interface ppp+ --source 192.0.34.166
### iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --source 192.0.34.166 --destination-port 1024:65535
### iptables --append INPUT --jump ACCEPT --protocol udp --in-interface ppp+ --source 192.0.34.166 --destination-port 1024:65535
### iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --source 192.0.34.166 --destination-port 8000

## Block outgoing connections to a particular address:
##
## May be able to use named addresses, but DNS look-ups would need to be
## do-able when starting this script. Even then, it didn't work.

### iptables --append OUTPUT --jump REJECT --reject-with tcp-reset --protocol tcp --destination 192.168.0.200

## Log connections from a particular address:

### iptables --append INPUT --jump LOG --in-interface ppp+ --source 192.0.34.166 --log-prefix "firewall{Mic}: "
### iptables --append INPUT --jump LOG --source 192.0.34.166 --log-prefix "firewall{Mic}: "
### iptables --append INPUT --jump REJECT --reject-with tcp-reset --protocol tcp --destination-port 2122

##############################
## ##
## Handle specific ports: ##
## ##
##############################

## Probably redundant to block these, considering the default drop rule,
## but wondering if the allow "related" rules might allow these.

### iptables --append INPUT --jump REJECT --protocol tcp --in-interface ppp+ --destination-port 135:139
iptables --append INPUT --jump DROP --protocol tcp --in-interface ppp+ --destination-port 135:139
iptables --append INPUT --jump DROP --protocol udp --in-interface ppp+ --destination-port 135:139

##################
## ##
## Webserver: ##
## ##
##################

## Redirect webserver visitors past my ISP's firewalling (blocking port 80):
## (Removed, now that the HTTP server is listening to port 80 and 8000.)

# iptables --table nat --append PREROUTING --protocol tcp --dport 8000 --jump REDIRECT --to-port 80

## Allow connections to the inside webserver from the outside world:
##
## (Should "--source" be "--destination"?)
## My alternatives (the following two lines) seem to do the job, with a simpler rule.

# iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --destination-port www --source 192.168.1.2
# iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --destination-port 8000 --destination 192.168.1.2

## Un-comment to allow outsiders to access the local webserver:
## My current ISP blocks port 80, so the first rule is a bit useless.

### iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --destination-port 80
### iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --destination-port 8000

## Allow external HTTPS server (port 443) access:

# iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --destination-port https

## Allow one user to connect:
##
## (Order is important, user must be "allowed" before a general rejection rule.)

###iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --source 192.0.34.166 --destination-port 8000

## Instantly "reject" connections, rather than ignoring them:

### iptables --append INPUT --jump REJECT --reject-with tcp-reset --protocol tcp --in-interface ppp+ --destination-port 8000

## Send visitors to a webserver further inside the network:
##
## (Should probably include: --in-interface ppp+)

### iptables --table nat --append PREROUTING --protocol tcp --destination-port 8000 --jump DNAT --to-destination 192.168.1.1:80

## Allow a particular address to connect to a server inside the LAN:
## Works (needs both lines).

###iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --source 192.0.34.166 --destination-port 8000
###iptables --append INPUT --jump LOG --protocol tcp --in-interface ppp+ --source 192.0.34.166 --log-prefix "firewall{special}: "
###iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --source 192.0.34.166 --destination-port 8000 --jump DNAT --to-destination 192.168.1.1:8000

###################
## FTP server: ##
###################

### iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --destination-port 20
### iptables --append INPUT --jump ACCEPT --protocol tcp --in-interface ppp+ --destination-port 21
### iptables --append INPUT --jump ACCEPT --protocol udp --in-interface ppp+ --destination-port 20
### iptables --append INPUT --jump ACCEPT --protocol udp --in-interface ppp+ --destination-port 21

###################################################################################
## ##
## Pass instant messaging ports through to another computer behind the gateway: ##
## ##
###################################################################################

########################
## Yahoo messenger: ##
########################
##
## TCP or HTTP 20, 23, 25, 80, 119, or 5050 for basic connection from scs*.msg.yahoo.com
## TCP 5100 for webcam.yahoo.com
## TCP or UDP 5000-5010 for voice chat from v*.vc.sc*.yahoo.com or vc1.vip.scd.yahoo.com
##
## (Didn't seem to be needed, though.)

###iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 5050 --jump DNAT --to-destination 192.168.1.1
###iptables --table nat --append PREROUTING --protocol udp --in-interface ppp+ --destination-port 5050 --jump DNAT --to-destination 192.168.1.1
###iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 5100 --jump DNAT --to-destination 192.168.1.1
###iptables --table nat --append PREROUTING --protocol udp --in-interface ppp+ --destination-port 5100 --jump DNAT --to-destination 192.168.1.1

# Filesharer:

#iptables --append INPUT --protocol tcp --in-interface ppp+ --destination-port 8008 --jump ACCEPT
#iptables --append INPUT --protocol udp --in-interface ppp+ --destination-port 8008 --jump ACCEPT
#iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 8008 --jump DNAT --to-destination 192.168.1.1:8008
#iptables --table nat --append PREROUTING --protocol udp --in-interface ppp+ --destination-port 8008 --jump DNAT --to-destination 192.168.1.1:8008

######################
## MSN messenger: ##
######################

##(for file transfers):
##
## MSN help docs mention:
## Opening outgoing TCP connections to port 1863, to allow file transfers.
## DNS access required.
## Incoming and outgoing TCP ports 6891 to 6900 used for file transfers
## (one per transfer).
## May not work behind NAT.

iptables --append INPUT --protocol tcp --in-interface ppp+ --destination-port 6891:6900 --jump ACCEPT
iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 6891:6900 --jump DNAT --to-destination 192.168.1.1

# Noticed tcp 207.46.107.2:1863 to me:1850 in firewall logs.

iptables --append INPUT --protocol tcp --in-interface ppp+ --source 207.46.107.2 --source-port 1863 --destination-port 1850 --jump ACCEPT
#iptables --append INPUT --protocol tcp --in-interface ppp+ --destination-port 1850 --jump ACCEPT
#iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 1850 --jump DNAT --to-destination 192.168.1.1

# Noticed udp 64.4.12.20:7001 to me:2030 in firewall logs.

iptables --append INPUT --protocol udp --in-interface ppp+ --source 64.4.12.201 --source-port 7001 --jump ACCEPT
#iptables --append INPUT --protocol udp --in-interface ppp+ --source 64.4.12.201 --source-port 7001 --destination-port 2030 --jump ACCEPT
#iptables --append INPUT --protocol udp --in-interface ppp+ --destination-port 2030 --jump ACCEPT
#iptables --table nat --append PREROUTING --protocol udp --in-interface ppp+ --destination-port 2030 --jump DNAT --to-destination 192.168.1.1

###################
## Netmeeting: ##
###################

## Pass Netmeeting connections through to computer inside the LAN:
##
## Port 389 (TCP) Internet Locator Server
## Port 522 (TCP) User Locator Server
## Port 1503 (TCP) T.120
## Port 1720 (TCP) H.323 call setup
## Port 1731 (TCP) Audio call control
## Dynamic (TCP) H.323 call control
## Dynamic (RTP over UDP) H.323 streaming (RTP: Real-time Transport Protocol)
##
## Outbound connections need to:
## Pass through primary TCP ports 389, 522, 1503, 1720, 1731.
## Pass through secondary UDP connections on dynamically assigned ports (1024 - 65535).
## (Elsewhere mentions 5004 - 65535.)
##
## Port 5060 mentioned for SIP (Session Initiation Protocol), might depend on
## which IM system being used (.NET Messenger, Exchange IM, SIP). SIP proxies
## can use UDP or TCP, and SSL.
##
## Port 3389 (TCP) mentioned for RDP (Remote Desktop Protocol), used for Remote Assistance.
##
## Port 1503 mentioned for the Whiteboard and Application Sharing systems.
##
## Dynamic UDP ports (5004 - 65535) used for audio/video purposes.
##
## Not sure if I need to accept inputs, before prerouting masquerading can get them.
## I think some of these (below) aren't needed for "*incoming* masquerading."

###iptables --append INPUT --protocol tcp --in-interface ppp+ --destination-port 389 --jump ACCEPT
###iptables --append INPUT --protocol tcp --in-interface ppp+ --destination-port 522 --jump ACCEPT
###iptables --append INPUT --protocol tcp --in-interface ppp+ --destination-port 1503 --jump ACCEPT
###iptables --append INPUT --protocol tcp --in-interface ppp+ --destination-port 1720 --jump ACCEPT
###iptables --append INPUT --protocol tcp --in-interface ppp+ --destination-port 1731 --jump ACCEPT
###iptables --append INPUT --protocol udp --in-interface ppp+ --destination-port 5004:65535 --jump ACCEPT

###iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 389 --jump DNAT --to-destination 192.168.1.1
###iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 522 --jump DNAT --to-destination 192.168.1.1
###iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 1503 --jump DNAT --to-destination 192.168.1.1
###iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 1720 --jump DNAT --to-destination 192.168.1.1
###iptables --table nat --append PREROUTING --protocol tcp --in-interface ppp+ --destination-port 1731 --jump DNAT --to-destination 192.168.1.1
###iptables --table nat --append PREROUTING --protocol udp --in-interface ppp+ --destination-port 5004:65535 --jump DNAT --to-destination 192.168.1.1

############################
## ##
## Related connections: ##
## ##
############################

## Allow established connections from outside web servers to internal network:
## (Not sure why I should be allowing a web server to connect "to" me.)
##
## (Never picked up anything on the log, so will try disabling these rules.)

###iptables --append INPUT --match state --state ESTABLISHED,RELATED --in-interface ppp+ --protocol tcp --source-port www --source 0.0.0.0 --destination 192.168.0.0/16 --jump LOG --log-prefix "firewall{WWW-return}: "
###iptables --append INPUT --match state --state ESTABLISHED,RELATED --in-interface ppp+ --protocol tcp --source-port 8000 --source 0.0.0.0 --destination 192.168.0.0/16 --jump LOG --log-prefix "firewall{WWW-return}: "
###iptables --append INPUT --match state --state ESTABLISHED,RELATED --in-interface ppp+ --protocol tcp --source-port www --source 0.0.0.0 --destination 192.168.0.0/16 --jump ACCEPT
###iptables --append INPUT --match state --state ESTABLISHED,RELATED --in-interface ppp+ --protocol tcp --source-port 8000 --source 0.0.0.0 --destination 192.168.0.0/16 --jump ACCEPT

## Log and prevent new (uninvited/unexpected) connections from outside web
## servers to the internal network:

iptables --append OUTPUT --match state --state NEW --out-interface ppp+ --protocol tcp --source-port www --destination 192.168.0.0/16 --jump LOG --log-prefix "firewall{new-WWW-access}: "
iptables --append OUTPUT --match state --state NEW --out-interface ppp+ --protocol tcp --source-port 8000 --destination 192.168.0.0/16 --jump LOG --log-prefix "firewall{new-WWW-access}: "
iptables --append OUTPUT --match state --state NEW --out-interface ppp+ --protocol tcp --source-port www --destination 192.168.0.0/16 --jump DROP
iptables --append OUTPUT --match state --state NEW --out-interface ppp+ --protocol tcp --source-port 8000 --destination 192.168.0.0/16 --jump DROP

## Allow established and related outside communications to this system,
## and allow outside communications to the firewall, except for ICMP packets:

iptables --append INPUT --match state --state ESTABLISHED,RELATED --in-interface ppp+ \! --protocol icmp --jump ACCEPT

## Prevent connections initiated from the outside world:
##
## (I wonder if this will screw up instant messaging,
## or other peer-to-peer clients?)
##
## Is messing with Netmeeting. Try adding \! --source {ipaddress}

iptables --append INPUT --match state --state NEW --in-interface ppp+ --jump LOG \! --protocol icmp --log-prefix "firewall{new-ext-access}: "
iptables --append INPUT --match state --state NEW --in-interface ppp+ --jump DROP

## Allow all local communications to and from the firewall on ETH from the
## local network:
##
## (Might need putting further up into this file.)

iptables --append INPUT --jump ACCEPT --protocol all --in-interface eth+ --source 192.168.0.0/16

###################################
## Internet connection sharing: ##
###################################

## Set up masquerading to allow internal machines access to outside network:

iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE

## Turn on IP forwarding, now:

echo 1 > /proc/sys/net/ipv4/ip_forward

## Save iptables rules to the default iptables rules file (used at boot-up):
##
## (Red Hat's own /etc/init.d/iptables script looks here.)

iptables-save > /etc/sysconfig/iptables

-- 
My "from" address is totally fake.  The reply-to address is real, but 
may be only temporary.  Reply to usenet postings in the same place as 
you read the message you're replying to.
This message was sent without a virus, please delete some files yourself.
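The pieces the script above puts in place (a FORWARD path for the LAN, MASQUERADE on the external link, ip_forward set to 1, and an INPUT rule accepting the LAN side) are exactly what to look for in the "iptables --list" or iptables-save output requested earlier in the thread. The audit below is an added example, not code from the post or from either machine; the interface names and both sample dumps are constructed assumptions, and the dumps are in iptables-save format rather than "iptables --list" format.

```python
"""Audit an iptables-save dump for the gateway pieces the posted script sets up:
FORWARD path, MASQUERADE, ip_forward, LAN accept. Names/dumps are constructed."""

def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [token lists]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                  # *filter, *nat, ...
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A"):               # -A CHAIN matches ... -j TARGET
            tables[table]["rules"].append(line.split())
    return tables

def opt(tokens, flag):
    """Value following `flag` in a rule, or None if the rule lacks it."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def matches_iface(tokens, flag, name):
    """Does the rule's -i/-o match apply to interface `name`? Honours the
    iptables '+' wildcard (eth+ matches eth1) and '!' negation."""
    if flag not in tokens:
        return True                             # no match given: any interface
    i = tokens.index(flag)
    pattern, negated = tokens[i + 1], (i > 0 and tokens[i - 1] == "!")
    hit = name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name
    return hit != negated

def audit_gateway(text, lan_if, ext_if, ip_forward):
    """Return a list of findings (empty = gateway rules look complete);
    `ip_forward` is the value of /proc/sys/net/ipv4/ip_forward."""
    tables = parse_save(text)
    filt, nat = [tables.get(t, {"policy": {}, "rules": []}) for t in ("filter", "nat")]
    findings = []
    if not ip_forward:
        findings.append("ip_forward is 0: the kernel will not route for the LAN")
    # 1. LAN -> outside must pass FORWARD: policy ACCEPT or an explicit ACCEPT.
    if not (filt["policy"].get("FORWARD") == "ACCEPT" or any(
            r[1] == "FORWARD" and opt(r, "-j") == "ACCEPT"
            and matches_iface(r, "-i", lan_if) for r in filt["rules"])):
        findings.append("FORWARD chain does not accept traffic from %s" % lan_if)
    # 2. Replies only come back if the LAN's private source address is rewritten.
    if not any(r[1] == "POSTROUTING" and opt(r, "-j") in ("MASQUERADE", "SNAT")
               and matches_iface(r, "-o", ext_if) for r in nat["rules"]):
        findings.append("no MASQUERADE/SNAT on %s in nat POSTROUTING" % ext_if)
    # 3. INPUT policy DROP silently eats DNS queries aimed at the gateway itself
    #    unless some rule accepts the LAN interface.
    if filt["policy"].get("INPUT") == "DROP" and not any(
            r[1] == "INPUT" and opt(r, "-j") == "ACCEPT"
            and matches_iface(r, "-i", lan_if) for r in filt["rules"]):
        findings.append("INPUT drops by default and no rule accepts %s" % lan_if)
    return findings

# Constructed excerpt modelled on the posted script (not output from either box).
GATEWAY_OK = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth+ ! -s 192.168.0.0/16 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth+ -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
"""
# Constructed dump with only the thread's FORWARD rule added and no NAT table.
GATEWAY_BROKEN = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -j ACCEPT
COMMIT
"""
```

Run audit_gateway(open("filename").read(), "eth1", "eth0", int(open("/proc/sys/net/ipv4/ip_forward").read())) on a saved dump to get the findings for a real gateway; an empty list means the three gateway pieces are all present.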