2.2.11/ipchains/ip_forward - heavy cpu load

Ph. Marek (marek@bmlv.gv.at)
Thu, 26 Aug 1999 16:33:49 +0200


hi everybody,

I've come across a problem.

I've got a machine with two network cards. It shall be a firewall, doing
some proxying and passing through pop3 and smtp to the clients via masquerading.
Routes to the networks are set: 255.255.255.224 to the Internet (Olicom 3137),
10.*.*.*/255.255.254.0 to the internal net.

Problem is:

On startup the input, output and forward chains have policy ACCEPT.
Running ipchains tells me to echo 1 > /proc/sys...ip_forward. BUT:
As soon as I do this, the sys time rises to 40-90% and the machine
hardly responds. Ping times go from 0.2 ms to 180 ms, 500 ms, pings get lost ...

This was in nearly single-user mode (init, kernel daemons, mingettys and
inetd), without any load from outside.

Looking further (by logging every packet), I found that the problem is that the
machine tries to forward EVERY packet, even if the packet matches neither the
internal network, nor the IP address of the outgoing card, nor anything else
on this machine ...

I got around this by setting the policy and the last rule in the forward
chain to DENY. (Which is the Right Thing to do, I know, ok ...)

Is this behaviour correct? Did I misunderstand something? I thought only
packets matching the IP address should get copied, not every one; or do I
have to set some ipchains rules to filter them out?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
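A worked forward-chain setup for the scenario described in the post, added here as an example (it is not code from the original message): the forward policy is set to DENY before anything else, only SMTP and POP3 from the internal net are masqueraded, the chain ends in a logging DENY, and ip_forward is turned on only once the chain is closed, so there is no window in which the box forwards everything. The 10.0.0.0/23 internal net, the two TCP ports, the absence of interface matches and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux 2.2 host with
# ipchains, an internal net of 10.0.0.0/23 (assumption, override via INT_NET)
# and a default route to the Internet. Without APPLY=1 the script only prints
# the commands it would run, so it can be read through on any machine.
INT_NET=${INT_NET:-10.0.0.0/23}
IPCHAINS=${IPCHAINS:-ipchains}

# Print the forward-chain ruleset, one command per line. The policy is set to
# DENY and the chain flushed first, so nothing is forwarded before the explicit
# rules exist. ipchains puts the port after the address ("-d 0.0.0.0/0 25").
forward_rules() {
    cat <<EOF
$IPCHAINS -P forward DENY
$IPCHAINS -F forward
$IPCHAINS -A forward -p tcp -s $INT_NET -d 0.0.0.0/0 25 -j MASQ
$IPCHAINS -A forward -p tcp -s $INT_NET -d 0.0.0.0/0 110 -j MASQ
$IPCHAINS -A forward -l -j DENY
EOF
}

# Return 0 if the ruleset closes the chain (policy DENY first, logging DENY
# last), 1 otherwise. Used as a sanity check before forwarding is enabled.
rules_close_chain() {
    forward_rules | head -n 1 | grep -q -- '-P forward DENY' || return 1
    forward_rules | tail -n 1 | grep -q -- '-l -j DENY' || return 1
    return 0
}

# Apply the rules and only then write ip_forward=1. Order matters: enabling
# forwarding with the forward chain still at policy ACCEPT is exactly what
# made the box in the post route every packet it saw.
apply() {
    if ! rules_close_chain; then
        echo "refusing to enable forwarding: forward chain is not closed" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        forward_rules | sh -e
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        forward_rules
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

apply
```

Run it as-is to see the commands, or with `APPLY=1` as root on a 2.2 box to execute them. Adding `-i` interface matches to the MASQ rules would tighten this further; they are left out because the post does not name the interfaces.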