On Tue, Oct 10, 2000 at 10:02:24AM -0700, Clint Byrum wrote:
> Forgive me if I'm talking out of my arse here, but I believe one of the
> "features" of IP-Masquerading in Linux is that once the masq table entry is
> created, much of the normal routing code is bypassed. Maybe this includes
> CBQ.
>
> Are you using VS-NAT? That would also explain why your forward rule with
> the -j ACCEPT cause things to stop working.
As per another email, I don't think that this is the problem here, but it is
true that when masquerading is used the forwarding chain of ipchains is
bypassed, so interestingly enough the following will allow masqueraded hosts
to communicate with the outside world and log any other packets that try
to go through the box:
ipchains -P forward DENY                          # default policy: deny anything forwarded
ipchains -A forward -s 192.168.192.0/18 -j MASQ   # masquerade traffic from internal hosts
ipchains -A forward -l                            # log whatever reaches here, then fall through to the DENY policy
... in fact this email traveled through just that chain.
--
Horms
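As an added illustration (not part of the original thread), the following toy model evaluates packets against the three-rule forward chain Horms posted, with the simplifying assumption that replies to an existing masquerade entry are de-masqueraded before the forward chain and so never traverse it; the packet values are constructed and the matching logic is a simplification of real ipchains behaviour.

```python
import ipaddress

# Network from the post; other addresses below are constructed samples.
INTERNAL = ipaddress.ip_network("192.168.192.0/18")


class ForwardChain:
    """Toy model of: ipchains -P forward DENY
                     ipchains -A forward -s 192.168.192.0/18 -j MASQ
                     ipchains -A forward -l"""

    def __init__(self):
        self.masq_table = set()  # (int_src, sport, ext_dst, dport) entries
        self.log = []            # lines the '-l' rule would emit

    def forward(self, pkt):
        src, sport, dst, dport = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
        # Assumption: a reply to a masqueraded connection is handled by the
        # masq table on input and bypasses the forward chain entirely.
        if (dst, dport, src, sport) in self.masq_table:
            return "MASQ-REPLY"
        # Rule 1: -s 192.168.192.0/18 -j MASQ creates a masq entry.
        if ipaddress.ip_address(src) in INTERNAL:
            self.masq_table.add((src, sport, dst, dport))
            return "MASQ"
        # Rule 2: -l logs the packet; with no target it falls through.
        self.log.append(f"forward: {src}:{sport} -> {dst}:{dport}")
        # Policy: DENY.
        return "DENY"


def run_demo():
    """Push three constructed packets through the chain; return verdicts and log."""
    chain = ForwardChain()
    verdicts = [
        chain.forward({"src": "192.168.200.5", "sport": 40000,
                       "dst": "203.0.113.7", "dport": 25}),   # internal -> outside
        chain.forward({"src": "203.0.113.7", "sport": 25,
                       "dst": "192.168.200.5", "dport": 40000}),  # reply
        chain.forward({"src": "10.0.0.9", "sport": 1234,
                       "dst": "203.0.113.7", "dport": 80}),   # not masqueraded
    ]
    return verdicts, chain.log


if __name__ == "__main__":
    print(run_demo())
```

Only the third packet is logged: the masqueraded flow and its reply never reach the `-l` rule, which is the point of the thread.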