[lug] iptables, windows & ipmasq

Bill Gjestvang bill at uncultured.org
Wed Mar 24 11:00:46 MST 2004


One way to ease iptables configurations is to use Shorewall.  It's
basically a set of preconfigured iptables setups.  There are standard
setups for (1 interface) standalone machine, (2 iface) basic LAN
router/firewall, and (3 iface) router plus DMZ.
All you have to do is copy the standard config over, and add any
exceptions (e.g., forward ssh from the internet to box foo).  It's pretty
handy, and easier to configure than writing your own ruleset.
On the other hand, it can be rewarding and educational to write your own
rulesets.
-Bill Gjestvang

Ben Luey said:
> Take 2 on weird routing problems. I took out my PRE and POSTROUTING NAT
> options and that fixed the ping problems. But now windows boxes
> *sometimes* can't access the internet.
>
> Here's the setup:
>
> My router has ip address 10.0.0.1 and is configured with the attached
> iptables. Netmask 255.255.255.0
>
> Linux box, has ip 10.0.0.X, gateway: 10.0.0.1 and it works fine. DNS:
> external
>
> Windows boxes: ip 10.0.0.X, gateway: 10.0.0.1, external DNS.
>
> Sometimes everything works fine. Sometimes, the firewall doesn't
> respond to any packets from windows boxes. I can ping 10.0.0.1, but I
> can't ssh to it and I can't get outside. If I turn off all the security
> in iptables (default policy, allow, etc) nothing changes. If I log
> packets, I can't see the windows machines trying to access anything. If
> I put back the security stuff in iptables and wait, sometimes
> everything works again. Once it is working, it seems to stay working
> until I change something, but I'm not sure about that. I've tried
> rebooting both the firewall and the windows boxes, but no luck
>
> How can this be? Why is the linux box without problems? How can things
> magically start working? And when things aren't, why can't I see the
> packets getting to the firewall? Any ideas greatly appreciated.
>
> Thanks,
>
> Ben
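Bill's reply describes Shorewall's two-interface setup (LAN router/firewall) plus one exception, forwarding ssh from the internet to an internal box. The script below is an added example of what that setup amounts to in raw iptables rules; it is not Shorewall's own generated output and not code from either poster. The interface names eth0/eth1 and the internal host 10.0.0.5 ("box foo") are constructed assumptions; the 10.0.0.0/24 network matches the 10.0.0.1 / 255.255.255.0 LAN in the thread. Setting IPT=echo prints the rules instead of loading them, which is handy for reviewing a ruleset before applying it.

```shell
#!/bin/sh
# Added example: iptables equivalent of a Shorewall-style two-interface
# router/firewall with one exception (ssh forwarded to an internal host).
# Interface names and the 10.0.0.5 target are constructed assumptions.

WAN="${WAN:-eth0}"                    # internet-facing interface (assumed name)
LAN="${LAN:-eth1}"                    # LAN interface (assumed name)
LAN_NET="${LAN_NET:-10.0.0.0/24}"     # the 10.0.0.1 / 255.255.255.0 LAN from the thread
SSH_TARGET="${SSH_TARGET:-10.0.0.5}"  # "box foo": constructed internal host
IPT="${IPT:-iptables}"                # IPT=echo prints rules instead of loading them

build_ruleset() {
    # Clean slate, default-deny on INPUT and FORWARD; the firewall may talk out freely.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and packets belonging to already-established flows are always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may reach the firewall itself (ssh to 10.0.0.1, for example).
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # LAN -> internet is forwarded and source-NATed behind the WAN address.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # The exception from the post: forward ssh from the internet to box foo.
    # DNAT only rewrites the destination; a FORWARD rule must still accept the flow.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_TARGET:22"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$SSH_TARGET" --dport 22 \
        -m state --state NEW -j ACCEPT

    # Anything that falls through is logged (rate-limited) before the DROP policy
    # takes it, so intermittent failures like the ones in the thread leave a trace.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
}

# Dry-run helpers: render the ruleset as text and count the iptables invocations.
render_ruleset() {
    ( IPT=echo; build_ruleset )
}

rule_count() {
    render_ruleset | grep -c '^-'
}
```

Run it as root to load the rules, or as `IPT=echo sh firewall.sh` (after adding a `build_ruleset` call at the bottom) to print them. The two halves of the ssh exception, the PREROUTING DNAT and the matching FORWARD accept, are the part most often left incomplete when translating a Shorewall one-liner into hand-written rules.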