[StAndrews and Fife LUG] Linux - Mandrake
David Tillotson
standrews at mailman.lug.org.uk
Sun Mar 9 15:50:01 2003
In message <YpWN9eBDq0a+EwRZ@acmelabs.demon.co.uk>, David Tillotson
<linux@acmelabs.demon.co.uk> writes
>In message <200303091346.23103.brian.duncan@fife.co.uk>, brian duncan
><brian.duncan@fife.co.uk> writes
>>I accidentally discovered that I could use MSN messenger but no Browser or FTP.
>>therefore it's down to Linux. I can't see where IP forwarding should
>>be set in MDK control panel.
>
>OK, looks like MDK have screwed up again!
>What's in /proc/sys/net/ipv4/ip_forward ? This should be non-zero
>(usually "1") if IP forwarding is enabled (also requires kernel
>support, but it is in all stock kernels I have seen.) The fact that MSN
>messenger works would indicate that you're forwarding OK. This leaves
>the fireball rules (blocking TCP < 1024 ?), or Windoze looking for a proxy.
Been doing a little research on this one (an ex-coworker has similar
woes with MDK9.0!), and found this (all praise to Google's cache)
--- From http://24.43.219.215/~mark/ ---
Packets just weren't getting forwarded. I checked my rules again and
again, but they seemed ok. It turned out that IP Forwarding was turned
off in the kernel. Now, maybe this makes sense for a high security box,
however, I DID turn on Internet connection sharing, so it seemed silly
to leave IP Forwarding off. I turned it on with the echo 1 >
/proc/sys/net/ipv4/ip_forward command, and my firewall seemed ok.
Until I rebooted, that is. Once I rebooted I found that IP Forwarding
was turned off again. I checked the /etc/sysconfig/network file and it
indicated that IP Forwarding was turned on. I was at a loss as to why it
would be turned off. I eventually grepped the /etc dir for ip_forward
and found in the /etc/sysctl.conf file a line that said
"net.ipv4.ip_forward = 0". I changed this to "1" and it worked! Needless
to say, I found that a little un-intuitive. Perhaps Mandrake needs to
refine the security level concept a little? I like the idea of a set of
default configurations that specify a certain security level, and even a
set of tools to help you stay secure, but when the user says "share my
internet connection", the computer should just DO IT.
--- End snippet ---
So it would appear that in an attempt to make MDK secure, the ICS stuff
gets well'n'truly shafted! Boy, am I glad I switched to Debian last week
(after "upgrading" my Alcatel SpeedTouch Home router :)
--
David Tillotson
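
The check below is an added example, not part of the message above or of any Mandrake tool. It compares the running value in /proc/sys/net/ipv4/ip_forward with the boot-time files mentioned in the quoted snippet. The function names, the FORWARD_IPV4 key name for the sysconfig file, and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the running kernel's IP-forwarding flag with the
# boot-time files named in the message, which can silently reset it.

# Last value assigned to net.ipv4.ip_forward in a sysctl.conf-style file;
# commented-out lines do not match. Prints nothing if the key is not set.
sysctl_conf_value() {
    sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*$/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Assumption: the sysconfig file uses a Red Hat-style FORWARD_IPV4=yes|no key.
# Prints 1 or 0, or nothing if the key is absent.
sysconfig_value() {
    v=$(sed -n 's/^[[:space:]]*FORWARD_IPV4[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z]*\).*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    case "$v" in
        yes|true|YES|TRUE) echo 1 ;;
        "") ;;
        *) echo 0 ;;
    esac
}

# check_forwarding RUNTIME_FILE SYSCTL_CONF SYSCONFIG_NETWORK
# Prints findings; returns 0 if the sources agree, 1 on any disagreement.
check_forwarding() {
    runtime=$(cat "$1" 2>/dev/null)
    persistent=$(sysctl_conf_value "$2")
    sysconfig=$(sysconfig_value "$3")
    rc=0
    echo "runtime=${runtime:-unset} sysctl.conf=${persistent:-unset} sysconfig=${sysconfig:-unset}"
    if [ -n "$persistent" ] && [ "$runtime" != "$persistent" ]; then
        echo "MISMATCH: runtime is $runtime, but $2 sets $persistent at boot"; rc=1
    fi
    if [ -n "$persistent" ] && [ -n "$sysconfig" ] && [ "$persistent" != "$sysconfig" ]; then
        echo "CONFLICT: $3 implies $sysconfig, but $2 sets $persistent"; rc=1
    fi
    return $rc
}

# Constructed sample of the situation in the message: forwarding switched on by
# hand and in sysconfig, while sysctl.conf still turns it off at boot.
demo() {
    d=$(mktemp -d) || return 2
    echo 1 > "$d/ip_forward"
    printf 'net.ipv4.ip_forward = 0\n' > "$d/sysctl.conf"
    printf 'NETWORKING=yes\nFORWARD_IPV4=yes\n' > "$d/network"
    check_forwarding "$d/ip_forward" "$d/sysctl.conf" "$d/network"; st=$?
    rm -rf "$d"; return $st
}
if [ "$#" -eq 3 ]; then check_forwarding "$@"; else demo || true; fi
```

On a real system, pass /proc/sys/net/ipv4/ip_forward, /etc/sysctl.conf and /etc/sysconfig/network as the three arguments; with no arguments the script runs against the constructed sample.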