Networking Forums

Iptables masquerading buggy?

Joe Luzman
      10-02-2003, 01:01 AM
Hello,
I am running iptables 1.2.7 as a loadable module (which came bundled
with RH 9.0) on a pentium 266 at a high school. The function of it is
to act as a firewall allowing me to control students' internet access.
I am also running Samba for file serving on the same server. I have
configured everything with pretty standard scripts and it works great
most of the time. The problem is that usually when first logging on to
a WIN2000 PC on the subnet it is slow, and it occasionally times out,
but after a few tries the connection seems to "wake up" and run
perfectly fine until logout. This usually happens to 2 of the 20 PCs
each class period.

Has anyone seen this before?
Here is my setup:

INTERNET ======> || MAIN ROUTER 4 SCHOOL || ======> | eth0       |
                                                    | LINUX BOX  |
PC PC PC PC  <====================================  | eth1       |
PC PC PC PC
PC PC PC PC
PC PC PC PC
PC PC PC PC
192.168.0.X subnet

Here is my rc.firewall script
----------------------------------->
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.74
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

echo -en " loading modules: "

# Need to verify that all modules have all required dependencies
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "----------------------------------------------------------------------"

echo -en "ip_tables, "
$MODPROBE ip_tables

#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated
#
#Load the stateful connection tracking framework - "ip_conntrack"
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp


echo "----------------------------------------------------------------------"
echo -e " Done loading modules.\n"

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
# The default for FORWARD is DROP (REJECT is not a valid policy)
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
# Stateful rule: only replies to (or related to) connections the LAN opened come back in
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
------------------------------------------------>
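One thing worth noticing in the script above, independent of the Win2000 logon problem: the INPUT chain is set to policy ACCEPT and then flushed, so the Linux box itself (and therefore the Samba service running on it) accepts any new connection arriving on eth0 from the router side, and the trailing unconditional LOG rule in FORWARD has no rate limit. The script below is an added example, not the poster's script or anything from the IP Masquerade HOWTO it is based on. It keeps the same interfaces (eth0/eth1) and the 192.168.0.x subnet from the post and assumes the poster's module-loading section has already run; the function names, the FW_APPLY switch and the log prefixes are this example's own choices. By default it only prints the ruleset so it can be reviewed; it executes iptables only when run as root with FW_APPLY=1.

```shell
#!/bin/sh
# Hardened rc.firewall variant (added example, not the poster's script).
# Taken from the post: EXTIF=eth0, INTIF=eth1, LAN 192.168.0.x.
# Everything else (function names, FW_APPLY switch, log prefixes) is this
# example's own choice. Module loading is left to the poster's script.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
LAN=${LAN:-192.168.0.0/24}

# build_rules prints the ruleset one command per line and executes nothing,
# so it can be reviewed (or compared with "iptables-save") before loading.
build_rules() {
    cat <<EOF
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $LAN -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $LAN -j MASQUERADE
EOF
}

# extif_accepts_new_input succeeds (exit 0) if any INPUT rule on the external
# interface accepts traffic without a conntrack state match, i.e. if the box
# itself (Samba included) would take new connections from the router side.
extif_accepts_new_input() {
    build_rules | grep -- "-A INPUT -i $EXTIF " | grep -- '-j ACCEPT' | grep -qv -- '--state'
}

# apply_rules loads the ruleset and turns on forwarding; it refuses to run if
# the exposure check above fires. Needs root; only reached when FW_APPLY=1.
apply_rules() {
    if extif_accepts_new_input; then
        echo "refusing to load: new connections would be accepted on $EXTIF" >&2
        return 1
    fi
    build_rules | sh -e || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

if [ "${FW_APPLY:-0}" = "1" ]; then
    apply_rules
else
    build_rules
fi
```

Run it with no arguments to see the ruleset, and with `FW_APPLY=1 sh rc.firewall` to load it. The LAN-side rule (`-i eth1 -s 192.168.0.0/24 -j ACCEPT`) is what keeps the classroom PCs able to reach Samba on the box; the INPUT policy of DROP plus the state match on eth0 is what stops the same service from being reachable through the school router. The `-m limit` matches keep the two LOG rules from flooding syslog on a Pentium 266 if something on either side starts hammering the box.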