>The script is taken from http://martybugs.net/smoothwall/vpn.cgi
>which is for Smoothwall.

>> With no success. I suspect that it could be the mppe-ppp modules causing
>> problems. I'm sure that TCP/port 1723 is forwarding properly... but that's
>> all I see when I do an "iptstate" when trying to connect.

>Do you have Smoothwall installed or do you have any other iptables rules
>active which may block previous to your VPN rules? Your host is directly
>connected to the net through eth1?

>Alexander

iptables v1.2.5 on 2.4 kernel

No, it's not Smoothwall. Here is the current output of my firewall. Can you
see if there is something else blocking my PPTP GRE forwarding?

BTW, sorry for hijacking the thread. I won't do it again. :-)

$ service masq status
Table: filter
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/4
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
icmpIn     icmp --  0.0.0.0/0            0.0.0.0/0
InputAllowIPSEC  all  --  0.0.0.0/0      0.0.0.0/0
InputAllowLocals  all  --  0.0.0.0/0     0.0.0.0/0
InboundTCP tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02
InboundUDP udp  --  0.0.0.0/0            0.0.0.0/0
denylog    udp  --  0.0.0.0/0            0.0.0.0/0
esp-in     esp  --  0.0.0.0/0            0.0.0.0/0
denylog    esp  --  0.0.0.0/0            0.0.0.0/0
gre-in     47   --  0.0.0.0/0            0.0.0.0/0
denylog    47   --  0.0.0.0/0            0.0.0.0/0
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ForwardAllowIPSEC  all  --  0.0.0.0/0    0.0.0.0/0
ForwardAllowLocals  all  --  0.0.0.0/0   0.0.0.0/0
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/4
icmpOut    icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ForwardAllowIPSEC (1 references)
target     prot opt source               destination

Chain ForwardAllowLocals (1 references)
target     prot opt source               destination
ForwardAllowLocals_18960  all  --  0.0.0.0/0   0.0.0.0/0

Chain ForwardAllowLocals_18960 (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24

Chain InboundTCP (1 references)
target     prot opt source               destination
InboundTCP_18960  all  --  0.0.0.0/0     0.0.0.0/0
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02

Chain InboundTCP_18960 (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0            !66.xxx.xx.xxx
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:113
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:143
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:389
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:110
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:1723
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:23

Chain InboundUDP (1 references)
target     prot opt source               destination
InboundUDP_18960  all  --  0.0.0.0/0     0.0.0.0/0
denylog    udp  --  0.0.0.0/0            0.0.0.0/0

Chain InboundUDP_18960 (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0            !66.xxx.xx.xxx
denylog    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:500

Chain InputAllowIPSEC (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain InputAllowLocals (1 references)
target     prot opt source               destination
InputAllowLocals_18960  all  --  0.0.0.0/0   0.0.0.0/0

Chain InputAllowLocals_18960 (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0

Chain denylog (22 references)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:520
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:137:139
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:137:139
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain esp-in (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0            !66.xxx.xx.xxx
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Chain gre-in (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0            !66.xxx.xx.xxx
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain icmpIn (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 12
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Chain icmpOut (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 12
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PreroutingBypassIPSEC  all  --  0.0.0.0/0   0.0.0.0/0
TransProxy tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
PortForwarding  all  --  0.0.0.0/0       0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain PortForwarding (1 references)
target     prot opt source               destination
PortForwarding_18960  all  --  0.0.0.0/0   66.xxx.xx.xxx

Chain PortForwarding_18960 (1 references)
target     prot opt source               destination

Chain PreroutingBypassIPSEC (1 references)
target     prot opt source               destination

Chain TransProxy (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            127.0.0.1
ACCEPT     all  --  0.0.0.0/0            192.168.0.10
ACCEPT     all  --  0.0.0.0/0            66.xxx.xx.xxx
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          to:192.168.0.10:3128

Table: mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25 TOS set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80 TOS set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:110 TOS set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination


#!/bin/sh
# chkconfig: 345 82 35
# description: Configures IP masquerading.

INTERNALIF=eth0
OUTERIF=eth1
OUTERNET=66.xxx.xx.xxx

if [ -z "$OUTERNET" ]
then
    # Make sure that the OUTERNET value is set to a syntactically valid value
    # to ensure that the iptables syntax is at least correct
    OUTERNET=1.2.3.4
fi

adjust_tcp_in() {
    local dport=$1
    local target=$2
    local chain=$3

    # Add the rule requested.
    /sbin/iptables --append $chain --protocol tcp --dport $dport \
        --in-interface $OUTERIF --jump $target

    # Catch any matching return, just in case.
    #/sbin/iptables --append $3 --protocol tcp --dport $1 \
    #    --in-interface $OUTERIF --jump denylog
}

adjust_udp_in() {
    local dport=$1
    local target=$2
    local chain=$3

    # Add the rule requested.
    /sbin/iptables --append $chain --protocol udp --dport $dport \
        --in-interface $OUTERIF --jump $target

    # Catch any matching return, just in case.
    #/sbin/iptables --append $3 --protocol udp --dport $1 \
    #    --in-interface $OUTERIF --jump denylog
}

get_safe_id() {
    # Expect arguments of chain_name, table, mode, where mode can be either
    # find or new
    local chain_name=$1
    local table=$2
    local mode=$3

    # Find the existing numbered chain (first rule of the parent chain, which
    # is a jump to CHAIN_<pid>).
    current=$(/sbin/iptables --table $table --list $chain_name --numeric | sed -n '3s/ .*//p')
    if [ "x$current" = "x" ]; then
        # We didn't find it.
        echo "ERROR: Cannot find chain $chain_name in table $table" 1>&2
        exit 1
    fi

    # If we're in find mode, return this chain.
    case "$mode" in
        find)
            echo $current
            ;;
        new)
            # Make sure the number on this chain doesn't conflict with our
            # process ID.
            current_id=$(echo $current | sed 's/^[a-zA-Z][a-zA-Z]*_\([0-9][0-9]*\)/\1/')
            if [ "x$current_id" = "x" ]; then
                echo "ERROR: Cannot find process ID on chain name" 1>&2
                exit 1
            fi
            # If it conflicts with our process ID, add one to ours.
            if [ $current_id -eq $$ ]; then
                echo ${chain_name}_$(expr $$ + 1)
            else
                echo ${chain_name}_$$
            fi
            ;;
    esac
}

case "$1" in
    start)
        echo -n "Enabling IP masquerading: "
        /sbin/iptables -F -t filter
        /sbin/iptables -F -t nat
        /sbin/iptables -F -t mangle
        /sbin/iptables -X -t filter
        /sbin/iptables -X -t nat
        /sbin/iptables -X -t mangle
        /sbin/iptables --flush FORWARD
        /sbin/iptables --flush INPUT
        /sbin/iptables --flush OUTPUT

        /sbin/modprobe ip_nat_ftp
        /sbin/modprobe ip_conntrack_ftp

        # Five placeholder rules; "adjust" below swaps the first four for the
        # real ones with --replace, so the chain always ends in DROP.
        /sbin/iptables --new-chain denylog
        /sbin/iptables --append denylog --jump DROP
        /sbin/iptables --append denylog --jump DROP
        /sbin/iptables --append denylog --jump DROP
        /sbin/iptables --append denylog --jump DROP
        /sbin/iptables --append denylog --jump DROP

        # Set telnet, www, smtp, pop3 and FTP for minimum delay
        for port in 21 22 23 25 80 110
        do
            /sbin/iptables --table mangle --append OUTPUT \
                --protocol tcp --dport $port \
                -j TOS --set-tos Minimize-Delay
        done

        # Set ftp-data for maximum throughput
        /sbin/iptables --table mangle --append OUTPUT \
            --protocol tcp --dport 20 \
            -j TOS --set-tos Maximize-Throughput

        # TODO - this hasn't yet been converted for iptables - does it
        # need to be?
        # set timeouts for tcp tcpfin udp
        #/sbin/iptables --masquerading --set 14400 60 600

        # Source Address Verification (reverse-path filtering). Note that this
        # writes 0, which switches it OFF on every interface; 1 would turn it on.
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 0 > $f
        done

        /sbin/iptables --append INPUT -i lo -j ACCEPT
        /sbin/iptables --append OUTPUT -o lo -j ACCEPT

        # Permit multicast traffic to and from the internal interface.
        /sbin/iptables --append INPUT -s 224.0.0.0/4 \
            --in-interface $INTERNALIF --jump ACCEPT
        /sbin/iptables --append INPUT -d 224.0.0.0/4 \
            --in-interface $INTERNALIF --jump ACCEPT
        /sbin/iptables --append OUTPUT -s 224.0.0.0/4 \
            --out-interface $INTERNALIF --jump ACCEPT
        /sbin/iptables --append OUTPUT -d 224.0.0.0/4 \
            --out-interface $INTERNALIF --jump ACCEPT

        # Drop all other multicast traffic.
        /sbin/iptables --append INPUT -s 224.0.0.0/4 -j DROP
        /sbin/iptables --append INPUT -d 224.0.0.0/4 -j DROP
        /sbin/iptables --append OUTPUT -s 224.0.0.0/4 -j DROP
        /sbin/iptables --append OUTPUT -d 224.0.0.0/4 -j DROP

        # Set up chains which allow us to bypass prerouting for IPSEC networks
        /sbin/iptables --table nat --new-chain PreroutingBypassIPSEC
        /sbin/iptables --table nat --append PREROUTING --jump PreroutingBypassIPSEC

        # Transparent proxy: redirect outbound HTTP to the squid box, except
        # for traffic aimed at the proxy host or the firewall itself.
        /sbin/iptables --table nat --new-chain TransProxy
        /sbin/iptables --table nat --append PREROUTING \
            -p tcp --dport 80 -j TransProxy
        /sbin/iptables --table nat --append TransProxy \
            --destination 127.0.0.1 --jump ACCEPT
        /sbin/iptables --table nat --append TransProxy \
            --destination 192.168.0.10 --jump ACCEPT
        /sbin/iptables --table nat --append TransProxy \
            --destination $OUTERNET --jump ACCEPT
        /sbin/iptables --table nat --append TransProxy \
            -p TCP -j DNAT --to 192.168.0.10:3128

        # Allow any already established or related connection
        /sbin/iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        /sbin/iptables --new-chain icmpIn
        /sbin/iptables --append INPUT --protocol icmp --jump icmpIn
        /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --jump ACCEPT
        /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-reply --jump ACCEPT
        /sbin/iptables --append icmpIn --proto icmp --icmp-type destination-unreachable --jump ACCEPT
        /sbin/iptables --append icmpIn --proto icmp --icmp-type source-quench --jump ACCEPT
        /sbin/iptables --append icmpIn --proto icmp --icmp-type time-exceeded --jump ACCEPT
        /sbin/iptables --append icmpIn --proto icmp --icmp-type parameter-problem --jump ACCEPT

        /sbin/iptables --new-chain icmpOut
        /sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
        /sbin/iptables --append icmpOut --proto icmp --icmp-type echo-request --jump ACCEPT
        /sbin/iptables --append icmpOut --proto icmp --icmp-type echo-reply --jump ACCEPT
        /sbin/iptables --append icmpOut --proto icmp --icmp-type destination-unreachable --jump ACCEPT
        /sbin/iptables --append icmpOut --proto icmp --icmp-type source-quench --jump ACCEPT
        /sbin/iptables --append icmpOut --proto icmp --icmp-type time-exceeded --jump ACCEPT
        /sbin/iptables --append icmpOut --proto icmp --icmp-type parameter-problem --jump ACCEPT

        # Set up chains which allow us to capture IPSEC connections
        /sbin/iptables --new-chain InputAllowIPSEC
        /sbin/iptables --append InputAllowIPSEC -i ipsec+ -j ACCEPT
        /sbin/iptables --append INPUT --jump InputAllowIPSEC
        /sbin/iptables --new-chain ForwardAllowIPSEC
        /sbin/iptables --append FORWARD --jump ForwardAllowIPSEC

        # Set up chains which allow us to capture local networks
        /sbin/iptables --new-chain InputAllowLocals
        /sbin/iptables --new-chain InputAllowLocals_1
        /sbin/iptables --append InputAllowLocals --jump InputAllowLocals_1
        /sbin/iptables --append INPUT --jump InputAllowLocals
        /sbin/iptables --new-chain ForwardAllowLocals
        /sbin/iptables --new-chain ForwardAllowLocals_1
        /sbin/iptables --append ForwardAllowLocals --jump ForwardAllowLocals_1
        /sbin/iptables --append FORWARD --jump ForwardAllowLocals

        /sbin/iptables --append POSTROUTING -t nat -o $OUTERIF -j MASQUERADE

        /sbin/iptables --new-chain InboundTCP
        /sbin/iptables --new-chain InboundTCP_1
        /sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
        /sbin/iptables --append InboundTCP --protocol tcp --syn --jump InboundTCP_1
        # Catch any returns, just in case
        /sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
        /sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog

        /sbin/iptables --new-chain InboundUDP
        /sbin/iptables --new-chain InboundUDP_1
        /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
            --jump InboundUDP
        /sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1
        # Catch any returns, just in case
        /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
            --jump denylog
        /sbin/iptables --append InboundUDP --protocol udp --jump denylog

        /sbin/iptables -t nat --new-chain PortForwarding
        /sbin/iptables -t nat --new-chain PortForwarding_1
        /sbin/iptables -t nat --append PREROUTING --jump PortForwarding
        /sbin/iptables -t nat --append PortForwarding --destination $OUTERNET \
            --jump PortForwarding_1

        # ESP (protocol 50) and GRE (protocol 47) get their own chains; the
        # second rule for each is a catch-all, "adjust" fills in the real ones.
        /sbin/iptables --new-chain esp-in
        /sbin/iptables --append INPUT -p 50 -j esp-in
        /sbin/iptables --append INPUT -p 50 -j denylog
        /sbin/iptables --append esp-in -d \! $OUTERNET -j denylog
        /sbin/iptables --append esp-in -j denylog

        /sbin/iptables --new-chain gre-in
        /sbin/iptables --append INPUT -p 47 -j gre-in
        /sbin/iptables --append INPUT -p 47 -j denylog
        /sbin/iptables --append gre-in -d \! $OUTERNET -j denylog
        /sbin/iptables --append gre-in -j denylog

        /sbin/iptables --append icmpIn --jump denylog
        /sbin/iptables --append icmpOut --jump denylog

        /sbin/iptables --policy FORWARD DROP
        /sbin/iptables --append FORWARD --jump denylog
        /sbin/iptables --policy INPUT DROP
        /sbin/iptables --append INPUT --jump denylog
        /sbin/iptables --policy OUTPUT ACCEPT
        /sbin/iptables --append OUTPUT --jump ACCEPT

        $0 adjust
        echo "done"
        ;;

    adjust)
        FAL=$(get_safe_id ForwardAllowLocals filter find)
        IAL=$(get_safe_id InputAllowLocals filter find)
        new_fal=$(get_safe_id ForwardAllowLocals filter new)
        new_ial=$(get_safe_id InputAllowLocals filter new)

        /sbin/iptables --new-chain $new_fal
        /sbin/iptables --new-chain $new_ial
        /sbin/iptables --append $new_fal \
            -s 192.168.0.0/255.255.255.0 -j ACCEPT
        /sbin/iptables --append $new_fal \
            -d 192.168.0.0/255.255.255.0 -j ACCEPT
        /sbin/iptables --append $new_ial \
            -s 192.168.0.0/255.255.255.0 -j ACCEPT
        /sbin/iptables --replace InputAllowLocals 1 \
            --jump $new_ial
        /sbin/iptables --flush $IAL
        /sbin/iptables --delete-chain $IAL
        /sbin/iptables --replace ForwardAllowLocals 1 \
            --jump $new_fal
        /sbin/iptables --flush $FAL
        /sbin/iptables --delete-chain $FAL

        /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
        /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
        /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
        /sbin/iptables --replace denylog 4 --jump LOG

        /sbin/iptables --replace esp-in 1 -d \! $OUTERNET -j denylog
        /sbin/iptables --replace esp-in 2 -j denylog
        /sbin/iptables --replace gre-in 1 -d \! $OUTERNET -j denylog
        /sbin/iptables --replace gre-in 2 -j ACCEPT

        IBT=$(get_safe_id InboundTCP filter find)
        new_ibt=$(get_safe_id InboundTCP filter new)
        /sbin/iptables --new-chain $new_ibt
        /sbin/iptables --append $new_ibt \! --destination $OUTERNET --jump denylog
        adjust_tcp_in 113 ACCEPT $new_ibt
        adjust_tcp_in 21 denylog $new_ibt
        adjust_tcp_in 80 ACCEPT $new_ibt
        adjust_tcp_in 443 ACCEPT $new_ibt
        adjust_tcp_in 143 denylog $new_ibt
        adjust_tcp_in 389 denylog $new_ibt
        adjust_tcp_in 110 denylog $new_ibt
        adjust_tcp_in 1723 denylog $new_ibt
        adjust_tcp_in 25 ACCEPT $new_ibt
        adjust_tcp_in 22 ACCEPT $new_ibt
        adjust_tcp_in 23 denylog $new_ibt
        /sbin/iptables --replace InboundTCP 1 \
            --jump $new_ibt
        /sbin/iptables --flush $IBT
        /sbin/iptables --delete-chain $IBT

        /sbin/iptables --table nat \
            --replace TransProxy 3 \
            --destination $OUTERNET --jump ACCEPT
        /sbin/iptables --table nat --replace TransProxy 4 \
            -p TCP -j DNAT --to 192.168.0.10:3128

        IBU=$(get_safe_id InboundUDP filter find)
        new_ibu=$(get_safe_id InboundUDP filter new)
        /sbin/iptables --new-chain $new_ibu
        /sbin/iptables --append $new_ibu \! --destination $OUTERNET --jump denylog
        adjust_udp_in 500 denylog $new_ibu
        /sbin/iptables --replace InboundUDP 1 \
            --jump $new_ibu
        /sbin/iptables --flush $IBU
        /sbin/iptables --delete-chain $IBU

        # Create a new PortForwarding chain
        PFC=$(/sbin/iptables --table nat --numeric --list PortForwarding | \
            sed -n '3s/ .*//p')
        /sbin/iptables --table nat --new-chain PortForwarding_$$
        /sbin/iptables --table nat --replace PortForwarding 1 --destination $OUTERNET --jump PortForwarding_$$
        /sbin/iptables --table nat --flush $PFC
        /sbin/iptables --table nat --delete-chain $PFC
        ;;

    masqstop)
        echo ""
        echo -n "Shutting down IP Masquerading:"
        /sbin/iptables -F FORWARD
        /sbin/iptables -P FORWARD DROP
        echo " Done!"
        echo ""
        ;;

    restart)
        $0 stop
        $0 start
        ;;

    status)
        echo $"Table: filter"
        /sbin/iptables --list -n
        echo $"Table: nat"
        /sbin/iptables -t nat --list -n
        echo $"Table: mangle"
        /sbin/iptables -t mangle --list -n
        ;;

    stop)
        echo ""
        echo -n "Shutting down IP masquerade and firewall rules:"
        /sbin/iptables -P FORWARD DROP
        /sbin/iptables -P OUTPUT ACCEPT
        /sbin/iptables -P INPUT DROP
        /sbin/iptables -F INPUT
        /sbin/iptables -F OUTPUT
        /sbin/iptables -F FORWARD
        /sbin/iptables -F
        /sbin/iptables --append FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
        /sbin/iptables -X
        echo " Done!"
        echo ""
        ;;

    *)
        echo "Usage: masq {start|stop|restart|...}"
        exit 1
esac

exit 0


Modules:

[root@bcpe root]# lsmod
Module                  Size  Used by    Tainted: P
ipt_LOG                 4640   1  (autoclean)
ppp_mppe               12864   0  (autoclean)
ppp_async               8256   0  (autoclean)
ppp_generic            24332   0  (autoclean) [ppp_mppe ppp_async]
appletalk              24172  12  (autoclean)
slhc                    6508   0  (autoclean) [ppp_generic]
printer                 8160   0  (unused)
8139too                16448   1
mii                     2408   0  [8139too]
3c59x                  28680   1
ipt_MASQUERADE          2464   1  (autoclean)
ipt_state               1536   1  (autoclean)
ipt_TOS                 1952   7  (autoclean)
ip_conntrack_ftp        5056   0  (unused)
ip_nat_ftp              4320   0  (unused)
iptable_mangle          3136   1  (autoclean)
iptable_nat            21460   2  (autoclean) [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack           21836   3  (autoclean) [ipt_MASQUERADE ipt_state ip_conntrack_ftp ip_nat_ftp iptable_nat]
iptable_filter          2752   1  (autoclean)
ip_tables              13792   9  [ipt_LOG ipt_MASQUERADE ipt_state ipt_TOS iptable_mangle iptable_nat iptable_filter]
ide-cd                 30272   0
cdrom                  32032   0  [ide-cd]
ide-scsi                9664   0
hid                    20832   0  (unused)
input                   5792   0  [hid]
usb-uhci               24484   0  (unused)
usbcore                71904   0  [printer hid usb-uhci]
ext3                   67328   2
jbd                    49496   2  [ext3]
3w-xxxx                32160   3
sd_mod                 12960   6
scsi_mod              109392   3  [ide-scsi 3w-xxxx sd_mod]
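As an added diagnostic for the dump above (not part of the original post or of the martybugs.net script), the following shell function reads an `iptables --list -n` dump and reports whether the two things PPTP needs, TCP/1723 and GRE (IP protocol 47), are allowed; the chain names and the sample excerpt are taken from the post, where `adjust_tcp_in 1723 denylog` sends the control port to denylog, while the function and variable names are my own.

```shell
#!/bin/sh
# Added diagnostic for the thread above; not part of the posted masq script. It reads
# an `iptables --list -n` dump on stdin and reports whether the two things PPTP needs,
# TCP/1723 and GRE (IP protocol 47), can get through.
# Constructed excerpt of the dump in the post, cut down to the chains that matter.
SAMPLE_DUMP='Chain INPUT (policy DROP)
target     prot opt source      destination
gre-in     47   --  0.0.0.0/0   0.0.0.0/0
Chain FORWARD (policy DROP)
target     prot opt source      destination
denylog    all  --  0.0.0.0/0   0.0.0.0/0
Chain InboundTCP_18960 (1 references)
target     prot opt source      destination
denylog    tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:1723
Chain gre-in (1 references)
target     prot opt source      destination
denylog    all  --  0.0.0.0/0   !66.xxx.xx.xxx
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0'
# Flatten the dump to "CHAIN TARGET PROT [match...]" lines, plus one
# "POLICY CHAIN DROP|ACCEPT" line per built-in chain, so awk can query it.
flatten_rules() {
    awk '/^Chain / { chain = $2
                     if ($3 == "(policy") print "POLICY", chain, substr($4, 1, length($4) - 1)
                     next }
         /^target/ || NF < 5 { next }
         { line = chain " " $1 " " $2; for (i = 6; i <= NF; i++) line = line " " $i; print line }'
}
# Print one finding per line; return 1 if anything PPTP needs is blocked.
pptp_check() {
    rules=$(flatten_rules); rc=0
    # Control channel: a dpt:1723 rule whose target is a drop chain blocks it.
    blocked=$(printf '%s\n' "$rules" | awk '/dpt:1723/ && $2 ~ /^(denylog|DROP|REJECT)$/ { print $1 }')
    if [ -n "$blocked" ]; then
        echo "FAIL tcp/1723 is dropped in chain $blocked"; rc=1
    elif printf '%s\n' "$rules" | grep -q 'dpt:1723'; then
        echo "OK   tcp/1723 has an explicit rule"
    else
        echo "WARN tcp/1723 has no rule and falls through to the chain policy"
    fi
    # Data channel: GRE must pass INPUT if this host is the PPTP endpoint, or
    # FORWARD if the endpoint sits behind the firewall; report both.
    for chain in INPUT FORWARD; do
        target=$(printf '%s\n' "$rules" | awk -v c="$chain" '$1 == c && ($3 == "47" || $3 == "gre") { print $2; exit }')
        policy=$(printf '%s\n' "$rules" | awk -v c="$chain" '$1 == "POLICY" && $2 == c { print $3 }')
        if [ -z "$target" ] && [ "$policy" = "ACCEPT" ]; then
            echo "OK   $chain has no GRE rule but its policy is ACCEPT"
        elif [ -z "$target" ]; then
            echo "FAIL $chain has no GRE rule and its policy is $policy"; rc=1
        elif [ "$target" = "ACCEPT" ]; then
            echo "OK   $chain accepts GRE directly"
        elif printf '%s\n' "$rules" | awk -v c="$target" '$1 == c && $2 == "ACCEPT" { f = 1 } END { exit !f }'; then
            echo "OK   $chain sends GRE to $target, which ACCEPTs it"
        else
            echo "FAIL $chain sends GRE to $target, which never ACCEPTs"; rc=1
        fi
    done
    return $rc
}
printf '%s\n' "$SAMPLE_DUMP" | pptp_check || echo "PPTP pass-through is blocked by the rules above"
```

On a live box, pipe `iptables --list -n` into `pptp_check` instead of the constructed sample; which of the INPUT and FORWARD findings matters depends on whether the PPTP endpoint is the firewall itself or a host behind it.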