Networking Forums

Fedora Core 4 setup as nat

 
 
Ming-Ching Tiew
03-13-2006, 05:43 AM

I have dialup PPP on a Fedora Core box; I use the GUI to set up the security.
I checked eth0 as trusted, and masquerade. This is the output in
/etc/sysconfig/iptables:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT

My problem is that NAT is not working. When I view the POSTROUTING chain
in the nat table, there are no packets going in there. In fact, when I insert rules
inside the filter table's FORWARD chain, there are no packets marked 0x9.
But there are many packets in the mangle chain of the mangle table.

Why? Where have the packets marked 0x9 in the mangle table gone?




 
Ming-Ching Tiew
03-13-2006, 07:00 AM

"Ming-Ching Tiew" <(E-Mail Removed)> wrote in message news:441514a7$(E-Mail Removed)...
>
> Why ? Where have the packets marked 0x9 in the mangle table gone to ?
>


OK, ip_forward is not set to 1. What is the GUI method to edit this
(other than editing /etc/sysctl.conf directly)?

Cheers
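A check for the failure diagnosed in this post, as an added example that is not part of the thread: a POSIX sh audit that takes sysctl.conf text and iptables-save text (constructed samples below, with the thread's own nat table) and reports whether IPv4 forwarding is persistently enabled and whether the nat/POSTROUTING MASQUERADE rule is present. The function names and sample contents are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two things that both had to be
# true for the poster's masquerading to work. Each function takes text as its
# argument so it runs on constructed input here and on live output on a router.

# 0 if the sysctl.conf text persistently sets net.ipv4.ip_forward = 1.
# Comments are stripped and the last assignment wins, as sysctl itself does.
forwarding_enabled_in_conf() {
    val=$(printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' \
        | tail -n 1 | sed -e 's/.*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ "$val" = "1" ]
}

# 0 if the iptables-save text has a MASQUERADE rule in nat/POSTROUTING.
# The current table is tracked so a rule in another table does not count.
has_nat_masquerade() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints one line per check; returns 0 only when both pass.
audit_router() {
    ok=0
    if forwarding_enabled_in_conf "$1"; then echo "ip_forward: set in sysctl.conf"
    else echo "ip_forward: NOT set, so FORWARD and nat/POSTROUTING are never reached"; ok=1; fi
    if has_nat_masquerade "$2"; then echo "nat: MASQUERADE rule present in POSTROUTING"
    else echo "nat: no MASQUERADE rule in POSTROUTING"; ok=1; fi
    return $ok
}

# Constructed samples: a default sysctl.conf that leaves forwarding off, and the
# nat table from the poster's /etc/sysconfig/iptables.
SAMPLE_CONF='# Kernel sysctl configuration file
net.ipv4.ip_forward = 0
kernel.sysrq = 0'
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT'

# On a live box pass "$(cat /etc/sysctl.conf)" and "$(iptables-save)" instead.
audit_router "$SAMPLE_CONF" "$SAMPLE_RULES" || echo "audit: NAT cannot work until the items above are fixed"
```

The running value lives in /proc/sys/net/ipv4/ip_forward and can differ from the file; `sysctl -p` reloads /etc/sysctl.conf so the two agree.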


 
Alo
03-13-2006, 09:15 AM

Ming-Ching Tiew wrote:

> OK ip_forward is not set to 1. What is the GUI method to edit this
> ( other than editing /etc/sysctl.conf directly ) ?


It is not a GUI, but it works: "man sysctl"

--
Regards
Alo [alo(@)uk2.net]
PGP at http://pgp.eteo.mondragon.edu [Get "0xF6695A61 "]
Registered Linux user #276144 [http://counter.li.org]

 
Ming-Ching Tiew
03-14-2006, 01:03 AM

"Alo" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>
> > OK ip_forward is not set to 1. What is the GUI method to edit this
> > ( other than editing /etc/sysctl.conf directly ) ?

>
> It is not GUI, but it works : "man sysctl"
>


You are not answering my question. I am asking the GUI method to
edit this.

Cheers.


 
noEMA
03-14-2006, 01:15 AM
On Tue, 14 Mar 2006 10:03:55 +0800, Ming-Ching Tiew wrote:

>
> "Alo" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>>
>> > OK ip_forward is not set to 1. What is the GUI method to edit this (
>> > other than editing /etc/sysctl.conf directly ) ?

>>
>> It is not GUI, but it works : "man sysctl"
>>
>>

> You are not answering my question. I am asking the GUI method to edit
> this.
>
> Cheers.


If I may,
I would recommend a look at the following software:

FireStarter. The URL is:

http://www.fs-security.com/

With this, you can filter (firewall) and NAT all within a nice GUI.

Hope it helps...

 
Ming-Ching Tiew
03-14-2006, 01:02 PM

"noEMA" <(E-Mail Removed)> wrote in message news(E-Mail Removed) y...
>
> If I may,
> I would recommend a look at the following software :
>
> FireStarter. The URL is :
>
> http://www.fs-security.com/
>
> With this, you can filter (firewall) and NAT all within a nice GUI.
>
> Hope it help...
>


You mean Fedora Core provided a little GUI to perform basic iptables
configuration, but there is no GUI to edit /etc/sysctl.conf, and therefore
one will finally still have to go to the command line to edit /etc/sysctl.conf
before FC4 can be a true router? That sounds totally counter-intuitive
and a perfect pitfall for everyone hoping to get things working quickly.

Cheers.


 
noEMA
03-14-2006, 09:00 PM
On Tue, 14 Mar 2006 22:02:01 +0800, Ming-Ching Tiew wrote:

>
> "noEMA" <(E-Mail Removed)> wrote in message
> news(E-Mail Removed) y...
>>
>> If I may,
>> I would recommend a look at the following software :
>>
>> FireStarter. The URL is :
>>
>> http://www.fs-security.com/
>>
>> With this, you can filter (firewall) and NAT all within a nice GUI.
>>
>> Hope it help...
>>
>>

> You mean Fedora Core provided a little GUI to perform basic iptables
> configuration but there is no GUI to edit /etc/sysctl.conf and therefore
> one will finally still have to go commandline to edit /etc/sysctl.conf
> before FC4 can be a true router ? That sounds totally counter intuitive
> and a perfect pitfall for everyone hoping to get things working quickly.
>
> Cheers.


Hi.

Editing sysctl.conf is not exactly something everyone does often...

There are good reasons for that:
- One: not all graphical front ends are really needed.
Better to spend time on more useful stuff.
- Two: back in the time when "text" was common on *nix boxes you
could edit all these files on slow links faster than through a GUI...
- Three: on a firewall / router, you do not want any services to run.
This makes them less susceptible to compromise.


And I would even add that routing is NOT something one wants to do
quickly. Routers have 2 or more interfaces, and that means that your problem
may cascade to someone else.

Now, if routing is your goal, you might want to look at something other
than FC. Not that anything is wrong with FC. Just that FC is a prototype
distribution. It's used as a test bed by Red Hat to test new software
before using it in their business-class distribution. It means that FC is
updated frequently, which is not exactly a wanted feature on a routing box...

If you want something more business oriented, while still looking
like FC, look for CentOS. Their URL is:

http://www.centos.org/



If you want help in selecting a better mission-specific distribution, look
at the following URL:

http://distrowatch.com/

A few pointers: some "firewall" distributions might do what you are looking for.
I can propose:

http://www.smoothwall.org/
http://www.m0n0.ch/wall/
http://www.wifi.com.ar/cdrouter.html


I wish you luck in your task.



 