
5. Common problems.

5.1 Masquerading/forwarding doesn't work!

Make sure that packet forwarding is enabled (in recent kernels it is disabled by default, meaning that packets never even try to traverse the `forward' chain). You can override this (as root) by typing

# echo 1 > /proc/sys/net/ipv4/ip_forward
#

If this works for you, you can put this somewhere in your bootup scripts so it is enabled every time.

5.2 Wildcard interfaces don't work!

There was a bug in versions 2.1.102 and 2.1.103 of the kernel (and some old patches I produced) which made ipchains commands which specified a wildcard interface (such as -i ppp+) fail.

This is fixed in recent kernels, and in the 2.0.34 patch on the web site. You can also fix it by hand in the kernel source by changing line 63 or so in include/linux/ip_fw.h:

#define IP_FW_F_MASK    0x002F  /* All possible flag bits mask   */

This should read ``0x003F''. Fix this and recompile the kernel.
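The following is an added illustration, not code from the kernel or from ipchains, of why that single hex digit matters. It assumes the kernel refuses any rule whose flag word has a bit set outside IP_FW_F_MASK, and that wildcard-interface rules set the one bit (0x0010) that differs between the two masks; both assumptions are inferred from the fix described above. The function names and sample flag words are constructed.

```c
#include <stdio.h>

/* Both mask values are the ones quoted in the text above. */
#define MASK_BUGGY 0x002F /* 2.1.102 and 2.1.103 */
#define MASK_FIXED 0x003F /* corrected */

/* Flag bits the corrected mask permits but the buggy one does not. */
static unsigned bits_lost(void)
{
    return MASK_FIXED & ~MASK_BUGGY;
}

/* Assumed validation: a rule is refused if it sets any bit outside the mask. */
static int flags_accepted(unsigned flags, unsigned mask)
{
    return (flags & ~mask) == 0;
}

/* Number of rules in a set that the given mask would refuse. */
static int count_rejected(const unsigned *rules, int n, unsigned mask)
{
    int i, rejected = 0;
    for (i = 0; i < n; i++)
        if (!flags_accepted(rules[i], mask))
            rejected++;
    return rejected;
}

/* Constructed flag words; 0x0010 stands in for a wildcard-interface rule. */
static const unsigned sample_rules[] = { 0x0000, 0x0001, 0x0010, 0x0012, 0x0040 };
#define N_RULES ((int)(sizeof sample_rules / sizeof sample_rules[0]))

int main(void)
{
    int i;
    printf("bit missing from buggy mask: 0x%04X\n", bits_lost());
    printf("flags   0x002F  0x003F\n");
    for (i = 0; i < N_RULES; i++)
        printf("0x%04X  %-6s  %s\n", sample_rules[i],
               flags_accepted(sample_rules[i], MASK_BUGGY) ? "ok" : "reject",
               flags_accepted(sample_rules[i], MASK_FIXED) ? "ok" : "reject");
    return 0;
}
```

With the buggy mask every flag word containing 0x0010 is refused even though it is a legitimate flag; with the corrected mask only the genuinely undefined bit 0x0040 is refused.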

5.3 TOS doesn't work!

This was my mistake: setting the Type of Service field did not actually set the Type of Service in kernel versions 2.1.102 through 2.1.111. This problem was fixed in 2.1.112.

5.4 ipautofw and ipportfw don't work!

For 2.0.x, this is true; I haven't time to create and maintain a jumbo patch for ipchains and ipautofw/ipportfw.

For 2.1.x, download ipmasqadm from http://juanjox.home.ml.org/ and use it exactly as you would have used ipautofw or ipportfw, except instead of ipportfw you type ipmasqadm portfw, and instead of ipautofw you type ipmasqadm autofw.

5.5 xosview is broken!

Upgrade to version 1.6.0 or above, which doesn't require any firewall rules at all for 2.1.x kernels.

5.6 Segmentation fault with -j REDIRECT!

This was a bug in ipchains version 1.3.3. Please upgrade.

5.7 I can't set masquerading timeouts!

True (for 2.1.x kernels) up to and including 2.1.112. This is being pursued vigorously at the moment, and by the time you read this it might have been fixed. My web page will contain a patch when available.

5.8 I want to firewall IPX!

So do a number of others, it seems. My code only covers IP, unfortunately. On the good side, all the hooks are there to firewall IPX! You just need to write the code; I will happily help where possible.

