# Port forwarding woes, can some guru solve this fubar prob?

## 1U

Port forwarding on my gentoo iptables nat box stopped working. So far I have tried the following without any success:

1. All normal iptables options are compiled into the kernel, and normal masquerading works for other computers to access the internet.

2. Tried echo "1" > /proc/sys/net/ipv4/conf/all/forwarding , also checked file just incase and 1 is there.

3. Another variation of #2, I tried echo "1" > /proc/sys/net/ipv4/ip_forward also has zero effect. At time of writing both are on.

4. Recompiled linux-headers and libc, incase they were related to this in any way.

5. Recompiled and tried stable/oldest/unstable iptables in portage without any difference.

6. Sysctl support is compiled into the kernel. My /etc/sysctl.conf file is:

```
# /etc/sysctl.conf

#[/list]

# For more information on how this file works, please see

# the manpages sysctl(8) and sysctl.conf(5).

#

# In order for this file to work properly, you must first

# enable 'Sysctl support' in the kernel.

#

# Look in /proc/sys/ for all the things you can setup.

#

# Disables packet forwarding

net.ipv4.ip_forward = 1

# Disables IP dynaddr

#net.ipv4.ip_dynaddr = 0

# Disable ECN

#net.ipv4.tcp_ecn = 0

# Enables source route verification

net.ipv4.conf.default.rp_filter = 1

# Enable reverse path

net.ipv4.conf.all.rp_filter = 1

# Disable source route

#net.ipv4.conf.all.accept_source_route = 0

#net.ipv4.conf.default.accept_source_route = 0

# Disable redirects

#net.ipv4.conf.all.accept_redirects = 0

#net.ipv4.conf.default.accept_redirects = 0

# Disable secure redirects

#net.ipv4.conf.all.secure_redirects = 0

#net.ipv4.conf.default.secure_redirects = 0

# Ignore ICMP broadcasts

#net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disables the magic-sysrq key

#kernel.sysrq = 0

# When the kernel panics, automatically reboot in 3 seconds

#kernel.panic = 3

# Allow for more PIDs (cool factor!); may break some programs

#kernel.pid_max = 999999

# TCP Port for lock manager

#fs.nfs.nlm_tcpport = 0

# UDP Port for lock manager

#fs.nfs.nlm_udpport = 0
```

7. The actual iptable rules have the specific port enabled, tried different ports & ips without any difference in operation. But just incase my iptable rules are:

```
iptables -F

iptables -t nat -F

iptables -F INPUT

iptables -I INPUT 1 -i br0 -j ACCEPT

iptables -I INPUT 1 -i lo -j ACCEPT

iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p icmp

iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p tcp

iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p udp

iptables -A INPUT -p TCP --dport 216 -s something.somewhere.com -i eth0 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport --dports 65534,65535 -j DNAT --to 192.168.1.x

iptables -t nat -A PREROUTING -p udp -i eth0 -m multiport --dports 65534,65535 -j DNAT --to 192.168.1.x

iptables -I FORWARD -i br0 -d 192.168.0.0/255.255.0.0 -j DROP

iptables -A FORWARD -i br0 -s 192.168.1.0/255.255.0.0 -j ACCEPT

iptables -A FORWARD -i eth0 -d 192.168.1.0/255.255.0.0 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG

iptables -A INPUT -i ! lo -j DROP

/etc/init.d/iptables save
```

I borrowed most of those from the gentoo home router guide. Those rules used to work before and as far as I know I haven't altered them in any ways that should alter port forwarding behaviour.

I've spent hours trying to figure out what's wrong, there's probably at least 10 things I've done I can't think of at the moment that should be on the list. This problem is really getting annoying, I hope it won't get to the point where I'll have to do a fresh gentoo install just to fix it. And as I've said before the regular ip masquerading works and computers are able to use the nat box to access the outside world.

I would really appreciate any help on this matter. I'll gladly post any other code and setup information if needed.Last edited by 1U on Fri Aug 19, 2005 3:19 am; edited 2 times in total

----------

## theDOC_23

make sure to add a rule that accepts the ports you are trying to forward, like:

iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.x --dport 65534,65535 -j ACCEPT

to forward a port doesn't imply that it "open".

----------

## 1U

Thank you for your reply. Odd that it worked before without having to do that, and it doesn't seem to work now either though. I tried the following rules according to your recommendation:

```
iptables -F

iptables -t nat -F

iptables -F INPUT

iptables -I INPUT 1 -i br0 -j ACCEPT

iptables -I INPUT 1 -i lo -j ACCEPT

iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p icmp

iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p tcp

iptables -A INPUT -j ACCEPT -m state --state established -i eth0 -p udp

iptables -A INPUT -p tcp -i eth0 --dport 216 -s something.somewhere.com -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.x -m multiport --dports 65534,65535 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport --dports 65534,65535 -j DNAT --to 192.168.1.x

iptables -t nat -A PREROUTING -p udp -i eth0 -m multiport --dports 65534,65535 -j DNAT --to 192.168.1.x

iptables -I FORWARD -i br0 -d 192.168.0.0/255.255.0.0 -j DROP

iptables -A FORWARD -i br0 -s 192.168.1.0/255.255.0.0 -j ACCEPT

iptables -A FORWARD -i eth0 -d 192.168.1.0/255.255.0.0 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG

iptables -A INPUT -i ! lo -j DROP

/etc/init.d/iptables save
```

I'm still getting the same results. Any other ideas? Is there a way I can see what's making this problem like some kind of advanced diagnostics that can be performed to see why exactly it's not even being forwarded?

----------

## theDOC_23

...just to make sure, the 'x' in '192.168.1.x' is a number in your real config, right?

by the way, how do you test if the forwarding works or not? maybe the problem lies somewhere else.

----------

## 1U

I test it on a windows virtual machine bridged to the bridge that acts like it's a regular computer hooked up to the nat box. I've already tested real computers too with different os without a difference. This isn't like I"m trying to implement this setup, it used to work and stopped. I don't know what made it stop. I know it's the actual port forwarding that's broken.

----------

## 1U

I appreciate your help theDOC_23, however do you or does anyone know of a way I can troubleshoot this to see what's going on under the hood and why it's not going through? I didn't see anything exciting in dmesg or other typical logs.

----------

## 1U

Anyone?

----------

## or4n

You firewall script doesn't flush any other table than INPUT, so there might be a lot of old rules which might cause this.

So what does 'iptables-save' tell you.

----------

## 1U

Here is what I get from doing that command.

```
# Generated by iptables-save v1.2.11 on Wed Aug 17 15:49:40 2005

*raw

:PREROUTING ACCEPT [41697263:20397395815]

:OUTPUT ACCEPT [58086229:72533361309]

COMMIT

# Completed on Wed Aug 17 15:49:40 2005

# Generated by iptables-save v1.2.11 on Wed Aug 17 15:49:40 2005

*nat

:PREROUTING ACCEPT [886710:248999072]

:POSTROUTING ACCEPT [208441:8621232]

:OUTPUT ACCEPT [926555:41768950]

-A PREROUTING -i eth0 -p tcp -m multiport --dports 65534,65535 -j DNAT --to-destination 192.168.1.x

-A PREROUTING -i eth0 -p udp -m multiport --dports 65534,65535 -j DNAT --to-destination 192.168.1.x

-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

# Completed on Wed Aug 17 15:49:40 2005

# Generated by iptables-save v1.2.11 on Wed Aug 17 15:49:40 2005

*mangle

:PREROUTING ACCEPT [43882510:21836604512]

:INPUT ACCEPT [22807592:9329805206]

:FORWARD ACCEPT [25718296:15193667143]

:OUTPUT ACCEPT [58851371:72871053648]

:POSTROUTING ACCEPT [88661958:93118888783]

COMMIT

# Completed on Wed Aug 17 15:49:40 2005

# Generated by iptables-save v1.2.11 on Wed Aug 17 15:49:40 2005

*filter

:INPUT ACCEPT [2216:1232618]

:FORWARD ACCEPT [23085:3736819]

:OUTPUT ACCEPT [63827881:78700516261]

-A INPUT -i lo -j ACCEPT

-A INPUT -i br0 -j ACCEPT

-A INPUT -i eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT

-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT

-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -j ACCEPT

-A INPUT -s 555.555.555.555 -i eth0 -p tcp -m tcp --dport 216 -j ACCEPT

-A INPUT -i ! lo -m limit --limit 3/sec -j LOG

-A INPUT -i ! lo -j DROP

-A FORWARD -d 192.168.0.0/255.255.0.0 -i br0 -j DROP

-A FORWARD -s 192.168.0.0/255.255.0.0 -i br0 -j ACCEPT

-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT

COMMIT

# Completed on Wed Aug 17 15:49:40 2005
```

Is this normal? It looks like there's more things than there should be in there. Also could you please tell me how to flush all parts of iptables? I really appreciate it, thanks.

----------

## 1U

I tried stopping iptables, unmerging them, removing all files related to iptables such as the rule saves, reinstalling them, running that script again, and starting them again. Same results.

Incase it helps, here is the output of sysctl -a (minus the cdrom parts because it has nothing to do with this)

```
dev.rtc.max-user-freq = 64

dev.scsi.logging_level = 0

net.bridge.bridge-nf-filter-vlan-tagged = 1

net.bridge.bridge-nf-call-ip6tables = 1

net.bridge.bridge-nf-call-iptables = 1

net.bridge.bridge-nf-call-arptables = 1

net.unix.max_dgram_qlen = 10

net.ipv4.ip_queue_maxlen = 1024

net.ipv4.ip_conntrack_max = 65528

net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3

net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0

net.ipv4.netfilter.ip_conntrack_tcp_loose = 3

net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300

net.ipv4.netfilter.ip_conntrack_log_invalid = 0

net.ipv4.netfilter.ip_conntrack_generic_timeout = 600

net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30

net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180

net.ipv4.netfilter.ip_conntrack_udp_timeout = 30

net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10

net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120

net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30

net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60

net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000

net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60

net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120

net.ipv4.netfilter.ip_conntrack_buckets = 8191

net.ipv4.netfilter.ip_conntrack_count = 134

net.ipv4.netfilter.ip_conntrack_max = 65528

net.ipv4.conf.eth0.promote_secondaries = 0

net.ipv4.conf.eth0.force_igmp_version = 0

net.ipv4.conf.eth0.disable_policy = 0

net.ipv4.conf.eth0.disable_xfrm = 0

net.ipv4.conf.eth0.arp_ignore = 0

net.ipv4.conf.eth0.arp_announce = 0

net.ipv4.conf.eth0.arp_filter = 0

net.ipv4.conf.eth0.tag = 0

net.ipv4.conf.eth0.log_martians = 0

net.ipv4.conf.eth0.bootp_relay = 0

net.ipv4.conf.eth0.medium_id = 0

net.ipv4.conf.eth0.proxy_arp = 0

net.ipv4.conf.eth0.accept_source_route = 1

net.ipv4.conf.eth0.send_redirects = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.eth0.shared_media = 1

net.ipv4.conf.eth0.secure_redirects = 1

net.ipv4.conf.eth0.accept_redirects = 1

net.ipv4.conf.eth0.mc_forwarding = 0

net.ipv4.conf.eth0.forwarding = 1

net.ipv4.conf.br0.promote_secondaries = 0

net.ipv4.conf.br0.force_igmp_version = 0

net.ipv4.conf.br0.disable_policy = 0

net.ipv4.conf.br0.disable_xfrm = 0

net.ipv4.conf.br0.arp_ignore = 0

net.ipv4.conf.br0.arp_announce = 0

net.ipv4.conf.br0.arp_filter = 0

net.ipv4.conf.br0.tag = 0

net.ipv4.conf.br0.log_martians = 0

net.ipv4.conf.br0.bootp_relay = 0

net.ipv4.conf.br0.medium_id = 0

net.ipv4.conf.br0.proxy_arp = 0

net.ipv4.conf.br0.accept_source_route = 1

net.ipv4.conf.br0.send_redirects = 1

net.ipv4.conf.br0.rp_filter = 1

net.ipv4.conf.br0.shared_media = 1

net.ipv4.conf.br0.secure_redirects = 1

net.ipv4.conf.br0.accept_redirects = 1

net.ipv4.conf.br0.mc_forwarding = 0

net.ipv4.conf.br0.forwarding = 1

net.ipv4.conf.default.promote_secondaries = 0

net.ipv4.conf.default.force_igmp_version = 0

net.ipv4.conf.default.disable_policy = 0

net.ipv4.conf.default.disable_xfrm = 0

net.ipv4.conf.default.arp_ignore = 0

net.ipv4.conf.default.arp_announce = 0

net.ipv4.conf.default.arp_filter = 0

net.ipv4.conf.default.tag = 0

net.ipv4.conf.default.log_martians = 0

net.ipv4.conf.default.bootp_relay = 0

net.ipv4.conf.default.medium_id = 0

net.ipv4.conf.default.proxy_arp = 0

net.ipv4.conf.default.accept_source_route = 1

net.ipv4.conf.default.send_redirects = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.shared_media = 1

net.ipv4.conf.default.secure_redirects = 1

net.ipv4.conf.default.accept_redirects = 1

net.ipv4.conf.default.mc_forwarding = 0

net.ipv4.conf.default.forwarding = 1

net.ipv4.conf.all.promote_secondaries = 0

net.ipv4.conf.all.force_igmp_version = 0

net.ipv4.conf.all.disable_policy = 0

net.ipv4.conf.all.disable_xfrm = 0

net.ipv4.conf.all.arp_ignore = 0

net.ipv4.conf.all.arp_announce = 0

net.ipv4.conf.all.arp_filter = 0

net.ipv4.conf.all.tag = 0

net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.all.bootp_relay = 0

net.ipv4.conf.all.medium_id = 0

net.ipv4.conf.all.proxy_arp = 0

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.all.send_redirects = 1

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.all.shared_media = 1

net.ipv4.conf.all.secure_redirects = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.mc_forwarding = 0

net.ipv4.conf.all.forwarding = 1

net.ipv4.conf.lo.promote_secondaries = 0

net.ipv4.conf.lo.force_igmp_version = 0

net.ipv4.conf.lo.disable_policy = 1

net.ipv4.conf.lo.disable_xfrm = 1

net.ipv4.conf.lo.arp_ignore = 0

net.ipv4.conf.lo.arp_announce = 0

net.ipv4.conf.lo.arp_filter = 0

net.ipv4.conf.lo.tag = 0

net.ipv4.conf.lo.log_martians = 0

net.ipv4.conf.lo.bootp_relay = 0

net.ipv4.conf.lo.medium_id = 0

net.ipv4.conf.lo.proxy_arp = 0

net.ipv4.conf.lo.accept_source_route = 1

net.ipv4.conf.lo.send_redirects = 1

net.ipv4.conf.lo.rp_filter = 0

net.ipv4.conf.lo.shared_media = 1

net.ipv4.conf.lo.secure_redirects = 1

net.ipv4.conf.lo.accept_redirects = 1

net.ipv4.conf.lo.mc_forwarding = 0

net.ipv4.conf.lo.forwarding = 1

net.ipv4.neigh.eth0.base_reachable_time_ms = 30000

net.ipv4.neigh.eth0.retrans_time_ms = 1000

net.ipv4.neigh.eth0.locktime = 99

net.ipv4.neigh.eth0.proxy_delay = 79

net.ipv4.neigh.eth0.anycast_delay = 99

net.ipv4.neigh.eth0.proxy_qlen = 64

net.ipv4.neigh.eth0.unres_qlen = 3

net.ipv4.neigh.eth0.gc_stale_time = 60

net.ipv4.neigh.eth0.delay_first_probe_time = 5

net.ipv4.neigh.eth0.base_reachable_time = 30

net.ipv4.neigh.eth0.retrans_time = 99

net.ipv4.neigh.eth0.app_solicit = 0

net.ipv4.neigh.eth0.ucast_solicit = 3

net.ipv4.neigh.eth0.mcast_solicit = 3

net.ipv4.neigh.br0.base_reachable_time_ms = 30000

net.ipv4.neigh.br0.retrans_time_ms = 1000

net.ipv4.neigh.br0.locktime = 99

net.ipv4.neigh.br0.proxy_delay = 79

net.ipv4.neigh.br0.anycast_delay = 99

net.ipv4.neigh.br0.proxy_qlen = 64

net.ipv4.neigh.br0.unres_qlen = 3

net.ipv4.neigh.br0.gc_stale_time = 60

net.ipv4.neigh.br0.delay_first_probe_time = 5

net.ipv4.neigh.br0.base_reachable_time = 30

net.ipv4.neigh.br0.retrans_time = 99

net.ipv4.neigh.br0.app_solicit = 0

net.ipv4.neigh.br0.ucast_solicit = 3

net.ipv4.neigh.br0.mcast_solicit = 3

net.ipv4.neigh.lo.base_reachable_time_ms = 30000

net.ipv4.neigh.lo.retrans_time_ms = 1000

net.ipv4.neigh.lo.locktime = 99

net.ipv4.neigh.lo.proxy_delay = 79

net.ipv4.neigh.lo.anycast_delay = 99

net.ipv4.neigh.lo.proxy_qlen = 64

net.ipv4.neigh.lo.unres_qlen = 3

net.ipv4.neigh.lo.gc_stale_time = 60

net.ipv4.neigh.lo.delay_first_probe_time = 5

net.ipv4.neigh.lo.base_reachable_time = 30

net.ipv4.neigh.lo.retrans_time = 99

net.ipv4.neigh.lo.app_solicit = 0

net.ipv4.neigh.lo.ucast_solicit = 3

net.ipv4.neigh.lo.mcast_solicit = 3

net.ipv4.neigh.default.base_reachable_time_ms = 30000

net.ipv4.neigh.default.retrans_time_ms = 1000

net.ipv4.neigh.default.gc_thresh3 = 1024

net.ipv4.neigh.default.gc_thresh2 = 512

net.ipv4.neigh.default.gc_thresh1 = 128

net.ipv4.neigh.default.gc_interval = 30

net.ipv4.neigh.default.locktime = 99

net.ipv4.neigh.default.proxy_delay = 79

net.ipv4.neigh.default.anycast_delay = 99

net.ipv4.neigh.default.proxy_qlen = 64

net.ipv4.neigh.default.unres_qlen = 3

net.ipv4.neigh.default.gc_stale_time = 60

net.ipv4.neigh.default.delay_first_probe_time = 5

net.ipv4.neigh.default.base_reachable_time = 30

net.ipv4.neigh.default.retrans_time = 99

net.ipv4.neigh.default.app_solicit = 0

net.ipv4.neigh.default.ucast_solicit = 3

net.ipv4.neigh.default.mcast_solicit = 3

net.ipv4.tcp_bic_beta = 819

net.ipv4.tcp_tso_win_divisor = 8

net.ipv4.tcp_moderate_rcvbuf = 1

net.ipv4.tcp_bic_low_window = 14

net.ipv4.tcp_bic_fast_convergence = 1

net.ipv4.tcp_bic = 1

net.ipv4.tcp_vegas_gamma = 2

net.ipv4.tcp_vegas_beta = 6

net.ipv4.tcp_vegas_alpha = 2

net.ipv4.tcp_vegas_cong_avoid = 0

net.ipv4.tcp_westwood = 0

net.ipv4.tcp_no_metrics_save = 0

net.ipv4.ipfrag_secret_interval = 600

net.ipv4.tcp_low_latency = 0

net.ipv4.tcp_frto = 0

net.ipv4.tcp_tw_reuse = 0

net.ipv4.icmp_ratemask = 6168

net.ipv4.icmp_ratelimit = 1000

net.ipv4.tcp_adv_win_scale = 2

net.ipv4.tcp_app_win = 31

net.ipv4.tcp_rmem = 4096        87380   174760

net.ipv4.tcp_wmem = 4096        16384   131072

net.ipv4.tcp_mem = 49152        65536   98304

net.ipv4.tcp_dsack = 1

net.ipv4.tcp_ecn = 0

net.ipv4.tcp_reordering = 3

net.ipv4.tcp_fack = 1

net.ipv4.tcp_orphan_retries = 0

net.ipv4.inet_peer_gc_maxtime = 120

net.ipv4.inet_peer_gc_mintime = 10

net.ipv4.inet_peer_maxttl = 600

net.ipv4.inet_peer_minttl = 120

net.ipv4.inet_peer_threshold = 65664

net.ipv4.igmp_max_msf = 10

net.ipv4.igmp_max_memberships = 20

net.ipv4.route.secret_interval = 600

net.ipv4.route.min_adv_mss = 256

net.ipv4.route.min_pmtu = 552

net.ipv4.route.mtu_expires = 600

net.ipv4.route.gc_elasticity = 8

net.ipv4.route.error_burst = 5000

net.ipv4.route.error_cost = 1000

net.ipv4.route.redirect_silence = 20480

net.ipv4.route.redirect_number = 9

net.ipv4.route.redirect_load = 20

net.ipv4.route.gc_interval = 60

net.ipv4.route.gc_timeout = 300

net.ipv4.route.gc_min_interval_ms = 500

net.ipv4.route.gc_min_interval = 0

net.ipv4.route.max_size = 131072

net.ipv4.route.gc_thresh = 8192

net.ipv4.route.max_delay = 10

net.ipv4.route.min_delay = 2

error: "Operation not permitted" reading key "net.ipv4.route.flush"

net.ipv4.icmp_errors_use_inbound_ifaddr = 0

net.ipv4.icmp_ignore_bogus_error_responses = 0

net.ipv4.icmp_echo_ignore_broadcasts = 0

net.ipv4.icmp_echo_ignore_all = 0

net.ipv4.ip_local_port_range = 32768    61000

net.ipv4.tcp_max_syn_backlog = 1024

net.ipv4.tcp_rfc1337 = 0

net.ipv4.tcp_stdurg = 0

net.ipv4.tcp_abort_on_overflow = 0

net.ipv4.tcp_tw_recycle = 0

net.ipv4.tcp_fin_timeout = 60

net.ipv4.tcp_retries2 = 15

net.ipv4.tcp_retries1 = 3

net.ipv4.tcp_keepalive_intvl = 75

net.ipv4.tcp_keepalive_probes = 9

net.ipv4.tcp_keepalive_time = 7200

net.ipv4.ipfrag_time = 30

net.ipv4.ip_dynaddr = 0

net.ipv4.ipfrag_low_thresh = 196608

net.ipv4.ipfrag_high_thresh = 262144

net.ipv4.tcp_max_tw_buckets = 180000

net.ipv4.tcp_max_orphans = 16384

net.ipv4.tcp_synack_retries = 5

net.ipv4.tcp_syn_retries = 5

net.ipv4.ip_nonlocal_bind = 0

net.ipv4.ip_no_pmtu_disc = 0

net.ipv4.ip_autoconfig = 0

net.ipv4.ip_default_ttl = 64

net.ipv4.ip_forward = 1

net.ipv4.tcp_retrans_collapse = 1

net.ipv4.tcp_sack = 1

net.ipv4.tcp_window_scaling = 1

net.ipv4.tcp_timestamps = 1

net.core.somaxconn = 128

net.core.optmem_max = 10240

net.core.message_burst = 10

net.core.message_cost = 5

net.core.mod_cong = 290

net.core.lo_cong = 100

net.core.no_cong = 20

net.core.no_cong_thresh = 10

net.core.netdev_max_backlog = 300

net.core.dev_weight = 64

net.core.rmem_default = 110592

net.core.wmem_default = 110592

net.core.rmem_max = 131071

net.core.wmem_max = 131071

vm.swap_token_timeout = 0

vm.legacy_va_layout = 0

vm.vfs_cache_pressure = 100

vm.block_dump = 0

vm.laptop_mode = 0

vm.max_map_count = 65536

vm.min_free_kbytes = 3831

vm.lowmem_reserve_ratio = 256   32

vm.hardmaplimit = 1

vm.mapped = 66

vm.nr_pdflush_threads = 2

vm.dirty_expire_centisecs = 1500

vm.dirty_writeback_centisecs = 300

vm.dirty_ratio = 33

vm.dirty_background_ratio = 10

vm.page-cluster = 3

vm.overcommit_ratio = 50

vm.overcommit_memory = 0

kernel.randomize_va_space = 1

kernel.bootloader_type = 113

kernel.burst_factor = 1

kernel.timeslice_factor = 15

kernel.timeslice = 6

kernel.compute = 0

kernel.interactive = 1

kernel.ngroups_max = 65536

kernel.printk_ratelimit_burst = 10

kernel.printk_ratelimit = 5

kernel.panic_on_oops = 0

kernel.pid_max = 32768

kernel.overflowgid = 65534

kernel.overflowuid = 65534

kernel.pty.nr = 2

kernel.pty.max = 4096

kernel.random.uuid = 29743590-9791-4b28-932a-fdf0db4f9219

kernel.random.boot_id = 8969d7b5-1014-4d48-93ef-b9a4e25ee54d

kernel.random.write_wakeup_threshold = 128

kernel.random.read_wakeup_threshold = 64

kernel.random.entropy_avail = 3137

kernel.random.poolsize = 4096

kernel.threads-max = 16383

kernel.cad_pid = 1

kernel.sem = 250        32000   32      128

kernel.msgmnb = 16384

kernel.msgmni = 16

kernel.msgmax = 8192

kernel.shmmni = 4096

kernel.shmall = 2097152

kernel.shmmax = 33554432

kernel.sg-big-buff = 32768

kernel.hotplug = /sbin/udevsend

kernel.modprobe = /sbin/modprobe

kernel.printk = 1       4       1       7

kernel.ctrl-alt-del = 0

kernel.real-root-dev = 0

kernel.cap-bound = -257

kernel.tainted = 1

kernel.core_pattern = core

kernel.core_uses_pid = 0

kernel.panic = 0

kernel.domainname = (none)

kernel.hostname = B1-32

kernel.version = #5 Sat Aug 13 00:00:53 EST 2005

kernel.osrelease = 2.6.12-nitro5

kernel.ostype = Linux

fs.mqueue.msgsize_max = 8192

fs.mqueue.msg_max = 10

fs.mqueue.queues_max = 256

fs.aio-max-nr = 65536

fs.aio-nr = 0

fs.lease-break-time = 45

fs.dir-notify-enable = 1

fs.leases-enable = 1

fs.overflowgid = 65534

fs.overflowuid = 65534

fs.dentry-state = 24566 11288   45      0       0       0

fs.file-max = 102689

fs.file-nr = 1250       0       102689

fs.inode-state = 34838  10358   0       0       0       0       0

fs.inode-nr = 34838     10358
```

And the ifconfig -a output:

```
br0       Link encap:Ethernet  HWaddr 00:80:C8:B9:D2:C9

          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:874421 errors:0 dropped:0 overruns:0 frame:0

          TX packets:979586 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:151348927 (144.3 Mb)  TX bytes:995798803 (949.6 Mb)

eth0      Link encap:Ethernet  HWaddr 00:0D:61:71:D0:0A

          inet addr:68.56.65.163  Bcast:255.255.255.255  Mask:255.255.255.128

          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:2389612 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1110379 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:1307597709 (1247.0 Mb)  TX bytes:126969895 (121.0 Mb)

          Interrupt:11 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 00:80:C8:B9:D2:C9

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:1 dropped:0 overruns:0 frame:0

          TX packets:111937 errors:5 dropped:0 overruns:3 carrier:2

          collisions:0 txqueuelen:1000

          RX bytes:0 (0.0 b)  TX bytes:113783066 (108.5 Mb)

          Interrupt:11 Base address:0x8000

eth2      Link encap:Ethernet  HWaddr 00:80:C8:B9:D2:CA

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:445333 errors:1 dropped:0 overruns:0 frame:0

          TX packets:634384 errors:2 dropped:0 overruns:2 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:43076673 (41.0 Mb)  TX bytes:861411819 (821.5 Mb)

          Interrupt:5 Base address:0xa000

eth3      Link encap:Ethernet  HWaddr 00:80:C8:B9:D2:CB

          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:429092 errors:1 dropped:0 overruns:0 frame:0

          TX packets:358968 errors:4 dropped:0 overruns:3 carrier:2

          collisions:0 txqueuelen:1000

          RX bytes:122911639 (117.2 Mb)  TX bytes:141275686 (134.7 Mb)

          Interrupt:15 Base address:0xc000

eth4      Link encap:Ethernet  HWaddr 00:80:C8:B9:D2:CC

          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:2 dropped:0 overruns:0 carrier:2

          collisions:0 txqueuelen:1000

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

          Interrupt:10 Base address:0xe000

eth5      Link encap:Ethernet  HWaddr 00:80:C8:C9:B3:1D

          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:4 dropped:0 overruns:0 carrier:4

          collisions:0 txqueuelen:1000

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

          Interrupt:5

eth6      Link encap:Ethernet  HWaddr 00:80:C8:C9:B3:1E

          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:4 dropped:0 overruns:0 carrier:4

          collisions:0 txqueuelen:1000

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

          Interrupt:15 Base address:0x2000

eth7      Link encap:Ethernet  HWaddr 00:80:C8:C9:B3:1F

          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:4 dropped:0 overruns:0 carrier:4

          collisions:0 txqueuelen:1000

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

          Interrupt:10 Base address:0x4000

eth8      Link encap:Ethernet  HWaddr 00:80:C8:C9:B3:20

          UP BROADCAST MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

          Interrupt:11 Base address:0x6000

lo        Link encap:Local Loopback

          inet addr:127.0.0.1  Mask:255.0.0.0

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:1084 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1084 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:70320 (68.6 Kb)  TX bytes:70320 (68.6 Kb)
```

And my kernel config:

```
#

# Automatically generated make config: don't edit

# Linux kernel version: 2.6.12-nitro5 "Make my day"

# Thu Aug 18 11:52:44 2005

#

CONFIG_X86=y

CONFIG_MMU=y

CONFIG_UID16=y

CONFIG_GENERIC_ISA_DMA=y

CONFIG_GENERIC_IOMAP=y

#

#   NiTR0 Menu

#

CONFIG_LOGO_NITRO_CLUT224=y

#

# Staircase scheduler tunables

#

CONFIG_BASE_TIMESLICE_CTL=6

CONFIG_BASE_TIMESLICE_FACTOR_CTL=15

CONFIG_BURST_FACTOR_CTL=1

# CONFIG_GENETIC_IOSCHED_AS is not set

CONFIG_REISER4_FS=y

# CONFIG_REISER4_DEBUG is not set

CONFIG_INOTIFY=y

# CONFIG_SVGALIB_HELPER is not set

# CONFIG_SQUASHFS is not set

# CONFIG_LUFS_FS is not set

#

# Linux InfraRed Controller

#

# CONFIG_LIRC_SUPPORT is not set

# CONFIG_BLK_DEV_IT821X is not set

# CONFIG_IPW2100 is not set

# CONFIG_IPW2200 is not set

# CONFIG_IP_NF_MATCH_LAYER7 is not set

CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN=2048

#

# Code maturity level options

#

CONFIG_EXPERIMENTAL=y

CONFIG_CLEAN_COMPILE=y

CONFIG_BROKEN_ON_SMP=y

CONFIG_LOCK_KERNEL=y

CONFIG_INIT_ENV_ARG_LIMIT=32

#

# General setup

#

CONFIG_LOCALVERSION=""

CONFIG_SWAP=y

CONFIG_SYSVIPC=y

CONFIG_POSIX_MQUEUE=y

# CONFIG_BSD_PROCESS_ACCT is not set

CONFIG_SYSCTL=y

CONFIG_AUDIT=y

CONFIG_AUDITSYSCALL=y

CONFIG_HOTPLUG=y

CONFIG_KOBJECT_UEVENT=y

# CONFIG_IKCONFIG is not set

# CONFIG_EMBEDDED is not set

CONFIG_KALLSYMS=y

# CONFIG_KALLSYMS_EXTRA_PASS is not set

CONFIG_PRINTK=y

CONFIG_BUG=y

CONFIG_BASE_FULL=y

CONFIG_FUTEX=y

CONFIG_EPOLL=y

CONFIG_SHMEM=y

CONFIG_CC_ALIGN_FUNCTIONS=0

CONFIG_CC_ALIGN_LABELS=0

CONFIG_CC_ALIGN_LOOPS=0

CONFIG_CC_ALIGN_JUMPS=0

# CONFIG_TINY_SHMEM is not set

CONFIG_BASE_SMALL=0

#

# Loadable module support

#

CONFIG_MODULES=y

CONFIG_MODULE_UNLOAD=y

# CONFIG_MODULE_FORCE_UNLOAD is not set

CONFIG_OBSOLETE_MODPARM=y

# CONFIG_MODVERSIONS is not set

# CONFIG_MODULE_SRCVERSION_ALL is not set

CONFIG_KMOD=y

#

# Processor type and features

#

CONFIG_X86_PC=y

# CONFIG_X86_ELAN is not set

# CONFIG_X86_VOYAGER is not set

# CONFIG_X86_NUMAQ is not set

# CONFIG_X86_SUMMIT is not set

# CONFIG_X86_BIGSMP is not set

# CONFIG_X86_VISWS is not set

# CONFIG_X86_GENERICARCH is not set

# CONFIG_X86_ES7000 is not set

# CONFIG_M386 is not set

# CONFIG_M486 is not set

# CONFIG_M586 is not set

# CONFIG_M586TSC is not set

# CONFIG_M586MMX is not set

# CONFIG_M686 is not set

# CONFIG_MPENTIUMII is not set

# CONFIG_MPENTIUMIII is not set

# CONFIG_MPENTIUMM is not set

# CONFIG_MPENTIUM4 is not set

# CONFIG_MK6 is not set

CONFIG_MK7=y

# CONFIG_MK8 is not set

# CONFIG_MCRUSOE is not set

# CONFIG_MEFFICEON is not set

# CONFIG_MWINCHIPC6 is not set

# CONFIG_MWINCHIP2 is not set

# CONFIG_MWINCHIP3D is not set

# CONFIG_MGEODEGX1 is not set

# CONFIG_MCYRIXIII is not set

# CONFIG_MVIAC3_2 is not set

# CONFIG_X86_GENERIC is not set

CONFIG_X86_CMPXCHG=y

CONFIG_X86_XADD=y

CONFIG_X86_L1_CACHE_SHIFT=6

CONFIG_RWSEM_XCHGADD_ALGORITHM=y

CONFIG_GENERIC_CALIBRATE_DELAY=y

CONFIG_X86_WP_WORKS_OK=y

CONFIG_X86_INVLPG=y

CONFIG_X86_BSWAP=y

CONFIG_X86_POPAD_OK=y

CONFIG_X86_GOOD_APIC=y

CONFIG_X86_INTEL_USERCOPY=y

CONFIG_X86_USE_PPRO_CHECKSUM=y

CONFIG_X86_USE_3DNOW=y

CONFIG_HPET_TIMER=y

# CONFIG_HPET_EMULATE_RTC is not set

# CONFIG_SMP is not set

CONFIG_PREEMPT=y

CONFIG_PREEMPT_BKL=y

# CONFIG_X86_UP_APIC is not set

CONFIG_X86_TSC=y

# CONFIG_X86_MCE is not set

# CONFIG_TOSHIBA is not set

# CONFIG_I8K is not set

# CONFIG_X86_REBOOTFIXUPS is not set

# CONFIG_MICROCODE is not set

# CONFIG_X86_MSR is not set

# CONFIG_X86_CPUID is not set

#

# Firmware Drivers

#

# CONFIG_EDD is not set

# CONFIG_NOHIGHMEM is not set

CONFIG_HIGHMEM4G=y

# CONFIG_HIGHMEM64G is not set

CONFIG_HIGHMEM=y

# CONFIG_HIGHPTE is not set

# CONFIG_MATH_EMULATION is not set

CONFIG_MTRR=y

CONFIG_HAVE_DEC_LOCK=y

# CONFIG_REGPARM is not set

CONFIG_SECCOMP=y

#

# Win4Lin 9x Support

#

# CONFIG_MKI is not set

#

# Power management options (ACPI, APM)

#

# CONFIG_PM is not set

#

# ACPI (Advanced Configuration and Power Interface) Support

#

# CONFIG_ACPI is not set

#

# CPU Frequency scaling

#

# CONFIG_CPU_FREQ is not set

CONFIG_HZ_1000=y

# CONFIG_HZ_512 is not set

# CONFIG_HZ_100 is not set

CONFIG_HZ=1000

#

# Bus options (PCI, PCMCIA, EISA, MCA, ISA)

#

CONFIG_PCI=y

# CONFIG_PCI_GOBIOS is not set

# CONFIG_PCI_GOMMCONFIG is not set

# CONFIG_PCI_GODIRECT is not set

CONFIG_PCI_GOANY=y

CONFIG_PCI_BIOS=y

CONFIG_PCI_DIRECT=y

# CONFIG_PCIEPORTBUS is not set

CONFIG_PCI_LEGACY_PROC=y

CONFIG_PCI_NAMES=y

CONFIG_ISA_DMA_API=y

# CONFIG_ISA is not set

# CONFIG_MCA is not set

# CONFIG_SCx200 is not set

#

# PCCARD (PCMCIA/CardBus) support

#

# CONFIG_PCCARD is not set

#

# PCI Hotplug Support

#

# CONFIG_HOTPLUG_PCI is not set

#

# Executable file formats

#

CONFIG_BINFMT_ELF=y

CONFIG_BINFMT_AOUT=y

CONFIG_BINFMT_MISC=y

#

# Device Drivers

#

#

# Generic Driver Options

#

CONFIG_STANDALONE=y

CONFIG_PREVENT_FIRMWARE_BUILD=y

CONFIG_FW_LOADER=y

#

# Memory Technology Devices (MTD)

#

# CONFIG_MTD is not set

#

# Parallel port support

#

# CONFIG_PARPORT is not set

#

# Plug and Play support

#

#

# Block devices

#

# CONFIG_BLK_DEV_FD is not set

# CONFIG_BLK_CPQ_DA is not set

# CONFIG_BLK_CPQ_CISS_DA is not set

# CONFIG_BLK_DEV_DAC960 is not set

# CONFIG_BLK_DEV_UMEM is not set

# CONFIG_BLK_DEV_COW_COMMON is not set

CONFIG_BLK_DEV_LOOP=y

# CONFIG_BLK_DEV_CRYPTOLOOP is not set

# CONFIG_BLK_DEV_NBD is not set

# CONFIG_BLK_DEV_SX8 is not set

# CONFIG_BLK_DEV_UB is not set

CONFIG_BLK_DEV_RAM=y

CONFIG_BLK_DEV_RAM_COUNT=16

CONFIG_BLK_DEV_RAM_SIZE=4096

CONFIG_BLK_DEV_INITRD=y

CONFIG_INITRAMFS_SOURCE=""

# CONFIG_LBD is not set

# CONFIG_CDROM_PKTCDVD is not set

#

# IO Schedulers

#

CONFIG_IOSCHED_NOOP=y

CONFIG_IOSCHED_AS=y

CONFIG_IOSCHED_DEADLINE=y

CONFIG_IOSCHED_CFQ=y

# CONFIG_ATA_OVER_ETH is not set

#

# ATA/ATAPI/MFM/RLL support

#

CONFIG_IDE=y

CONFIG_BLK_DEV_IDE=y

#

# Please see Documentation/ide.txt for help/info on IDE drives

#

# CONFIG_BLK_DEV_IDE_SATA is not set

# CONFIG_BLK_DEV_HD_IDE is not set

CONFIG_BLK_DEV_IDEDISK=y

CONFIG_IDEDISK_MULTI_MODE=y

CONFIG_BLK_DEV_IDECD=y

# CONFIG_BLK_DEV_IDETAPE is not set

# CONFIG_BLK_DEV_IDEFLOPPY is not set

# CONFIG_BLK_DEV_IDESCSI is not set

# CONFIG_IDE_TASK_IOCTL is not set

#

# IDE chipset support/bugfixes

#

# CONFIG_IDE_GENERIC is not set

# CONFIG_BLK_DEV_CMD640 is not set

CONFIG_BLK_DEV_IDEPCI=y

CONFIG_IDEPCI_SHARE_IRQ=y

# CONFIG_BLK_DEV_OFFBOARD is not set

# CONFIG_BLK_DEV_GENERIC is not set

# CONFIG_BLK_DEV_OPTI621 is not set

# CONFIG_BLK_DEV_RZ1000 is not set

CONFIG_BLK_DEV_IDEDMA_PCI=y

# CONFIG_BLK_DEV_IDEDMA_FORCED is not set

CONFIG_IDEDMA_PCI_AUTO=y

# CONFIG_IDEDMA_ONLYDISK is not set

# CONFIG_BLK_DEV_AEC62XX is not set

# CONFIG_BLK_DEV_ALI15X3 is not set

CONFIG_BLK_DEV_AMD74XX=y

# CONFIG_BLK_DEV_ATIIXP is not set

# CONFIG_BLK_DEV_CMD64X is not set

# CONFIG_BLK_DEV_TRIFLEX is not set

# CONFIG_BLK_DEV_CY82C693 is not set

# CONFIG_BLK_DEV_CS5520 is not set

# CONFIG_BLK_DEV_CS5530 is not set

# CONFIG_BLK_DEV_HPT34X is not set

# CONFIG_BLK_DEV_HPT366 is not set

# CONFIG_BLK_DEV_SC1200 is not set

# CONFIG_BLK_DEV_PIIX is not set

# CONFIG_BLK_DEV_NS87415 is not set

# CONFIG_BLK_DEV_PDC202XX_OLD is not set

# CONFIG_BLK_DEV_PDC202XX_NEW is not set

# CONFIG_BLK_DEV_SVWKS is not set

# CONFIG_BLK_DEV_SIIMAGE is not set

# CONFIG_BLK_DEV_SIS5513 is not set

# CONFIG_BLK_DEV_SLC90E66 is not set

# CONFIG_BLK_DEV_TRM290 is not set

# CONFIG_BLK_DEV_VIA82CXXX is not set

# CONFIG_IDE_ARM is not set

CONFIG_BLK_DEV_IDEDMA=y

# CONFIG_IDEDMA_IVB is not set

CONFIG_IDEDMA_AUTO=y

# CONFIG_BLK_DEV_HD is not set

#

# SCSI device support

#

CONFIG_SCSI=y

CONFIG_SCSI_PROC_FS=y

#

# SCSI support type (disk, tape, CD-ROM)

#

CONFIG_BLK_DEV_SD=y

# CONFIG_CHR_DEV_ST is not set

# CONFIG_CHR_DEV_OSST is not set

# CONFIG_BLK_DEV_SR is not set

CONFIG_CHR_DEV_SG=y

#

# Some SCSI devices (e.g. CD jukebox) support multiple LUNs

#

# CONFIG_SCSI_MULTI_LUN is not set

# CONFIG_SCSI_CONSTANTS is not set

# CONFIG_SCSI_LOGGING is not set

#

# SCSI Transport Attributes

#

# CONFIG_SCSI_SPI_ATTRS is not set

# CONFIG_SCSI_FC_ATTRS is not set

# CONFIG_SCSI_ISCSI_ATTRS is not set

#

# SCSI low-level drivers

#

# CONFIG_BLK_DEV_3W_XXXX_RAID is not set

# CONFIG_SCSI_3W_9XXX is not set

# CONFIG_SCSI_ACARD is not set

# CONFIG_SCSI_AACRAID is not set

# CONFIG_SCSI_AIC7XXX is not set

# CONFIG_SCSI_AIC7XXX_OLD is not set

# CONFIG_SCSI_AIC79XX is not set

# CONFIG_SCSI_DPT_I2O is not set

# CONFIG_MEGARAID_NEWGEN is not set

# CONFIG_MEGARAID_LEGACY is not set

CONFIG_SCSI_SATA=y

# CONFIG_SCSI_ATA_ADMA is not set

# CONFIG_SCSI_SATA_AHCI is not set

# CONFIG_SCSI_SATA_SVW is not set

# CONFIG_SCSI_ATA_PIIX is not set

# CONFIG_SCSI_SATA_NV is not set

# CONFIG_SCSI_SATA_PROMISE is not set

# CONFIG_SCSI_SATA_QSTOR is not set

# CONFIG_SCSI_SATA_SX4 is not set

CONFIG_SCSI_SATA_SIL=y

# CONFIG_SCSI_SATA_SIS is not set

# CONFIG_SCSI_SATA_ULI is not set

# CONFIG_SCSI_SATA_VIA is not set

# CONFIG_SCSI_SATA_VITESSE is not set

# CONFIG_SCSI_BUSLOGIC is not set

# CONFIG_SCSI_DMX3191D is not set

# CONFIG_SCSI_EATA is not set

# CONFIG_SCSI_FUTURE_DOMAIN is not set

# CONFIG_SCSI_GDTH is not set

# CONFIG_SCSI_IPS is not set

# CONFIG_SCSI_INITIO is not set

# CONFIG_SCSI_INIA100 is not set

# CONFIG_SCSI_SYM53C8XX_2 is not set

# CONFIG_SCSI_IPR is not set

# CONFIG_SCSI_QLOGIC_FC is not set

# CONFIG_SCSI_QLOGIC_1280 is not set

CONFIG_SCSI_QLA2XXX=y

# CONFIG_SCSI_QLA21XX is not set

# CONFIG_SCSI_QLA22XX is not set

# CONFIG_SCSI_QLA2300 is not set

# CONFIG_SCSI_QLA2322 is not set

# CONFIG_SCSI_QLA6312 is not set

# CONFIG_SCSI_LPFC is not set

# CONFIG_SCSI_DC395x is not set

# CONFIG_SCSI_DC390T is not set

# CONFIG_SCSI_NSP32 is not set

# CONFIG_SCSI_DEBUG is not set

#

# Multi-device support (RAID and LVM)

#

# CONFIG_MD is not set

#

# Fusion MPT device support

#

# CONFIG_FUSION is not set

#

# IEEE 1394 (FireWire) support

#

# CONFIG_IEEE1394 is not set

#

# I2O device support

#

# CONFIG_I2O is not set

#

# Networking support

#

CONFIG_NET=y

#

# Networking options

#

CONFIG_PACKET=y

# CONFIG_PACKET_MMAP is not set

CONFIG_UNIX=y

# CONFIG_NET_KEY is not set

CONFIG_INET=y

CONFIG_IP_MULTICAST=y

CONFIG_IP_ADVANCED_ROUTER=y

CONFIG_IP_MULTIPLE_TABLES=y

# CONFIG_IP_ROUTE_FWMARK is not set

CONFIG_IP_ROUTE_MULTIPATH=y

# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set

CONFIG_IP_ROUTE_VERBOSE=y

# CONFIG_IP_PNP is not set

# CONFIG_NET_IPIP is not set

# CONFIG_NET_IPGRE is not set

# CONFIG_IP_MROUTE is not set

# CONFIG_ARPD is not set

# CONFIG_SYN_COOKIES is not set

# CONFIG_INET_AH is not set

# CONFIG_INET_ESP is not set

# CONFIG_INET_IPCOMP is not set

# CONFIG_INET_TUNNEL is not set

CONFIG_IP_TCPDIAG=y

# CONFIG_IP_TCPDIAG_IPV6 is not set

#

# IP: Virtual Server Configuration

#

# CONFIG_IP_VS is not set

# CONFIG_IPV6 is not set

CONFIG_NETFILTER=y

# CONFIG_NETFILTER_DEBUG is not set

CONFIG_BRIDGE_NETFILTER=y

#

# IP: Netfilter Configuration

#

CONFIG_IP_NF_CONNTRACK=y

CONFIG_IP_NF_CT_ACCT=y

# CONFIG_IP_NF_CONNTRACK_MARK is not set

# CONFIG_IP_NF_CT_PROTO_SCTP is not set

# CONFIG_IP_NF_FTP is not set

# CONFIG_IP_NF_IRC is not set

# CONFIG_IP_NF_TFTP is not set

# CONFIG_IP_NF_AMANDA is not set

CONFIG_IP_NF_QUEUE=y

CONFIG_IP_NF_IPTABLES=y

CONFIG_IP_NF_MATCH_LIMIT=y

CONFIG_IP_NF_MATCH_IPRANGE=y

CONFIG_IP_NF_MATCH_MAC=y

CONFIG_IP_NF_MATCH_PKTTYPE=y

CONFIG_IP_NF_MATCH_MARK=y

CONFIG_IP_NF_MATCH_MULTIPORT=y

CONFIG_IP_NF_MATCH_TOS=y

CONFIG_IP_NF_MATCH_RECENT=y

CONFIG_IP_NF_MATCH_ECN=y

CONFIG_IP_NF_MATCH_DSCP=y

CONFIG_IP_NF_MATCH_AH_ESP=y

CONFIG_IP_NF_MATCH_LENGTH=y

CONFIG_IP_NF_MATCH_TTL=y

CONFIG_IP_NF_MATCH_TCPMSS=y

CONFIG_IP_NF_MATCH_HELPER=y

CONFIG_IP_NF_MATCH_STATE=y

CONFIG_IP_NF_MATCH_CONNTRACK=y

CONFIG_IP_NF_MATCH_OWNER=y

# CONFIG_IP_NF_MATCH_PHYSDEV is not set

# CONFIG_IP_NF_MATCH_ADDRTYPE is not set

# CONFIG_IP_NF_MATCH_REALM is not set

# CONFIG_IP_NF_MATCH_SCTP is not set

# CONFIG_IP_NF_MATCH_COMMENT is not set

# CONFIG_IP_NF_MATCH_HASHLIMIT is not set

CONFIG_IP_NF_FILTER=y

CONFIG_IP_NF_TARGET_REJECT=y

CONFIG_IP_NF_TARGET_LOG=y

CONFIG_IP_NF_TARGET_ULOG=y

CONFIG_IP_NF_TARGET_TCPMSS=y

CONFIG_IP_NF_NAT=y

CONFIG_IP_NF_NAT_NEEDED=y

CONFIG_IP_NF_TARGET_MASQUERADE=y

CONFIG_IP_NF_TARGET_REDIRECT=y

CONFIG_IP_NF_TARGET_NETMAP=y

CONFIG_IP_NF_TARGET_SAME=y

# CONFIG_IP_NF_NAT_SNMP_BASIC is not set

CONFIG_IP_NF_MANGLE=y

CONFIG_IP_NF_TARGET_TOS=y

CONFIG_IP_NF_TARGET_ECN=y

CONFIG_IP_NF_TARGET_DSCP=y

CONFIG_IP_NF_TARGET_MARK=y

CONFIG_IP_NF_TARGET_CLASSIFY=y

CONFIG_IP_NF_RAW=y

CONFIG_IP_NF_TARGET_NOTRACK=y

CONFIG_IP_NF_ARPTABLES=y

CONFIG_IP_NF_ARPFILTER=y

CONFIG_IP_NF_ARP_MANGLE=y

#

# Bridge: Netfilter Configuration

#

# CONFIG_BRIDGE_NF_EBTABLES is not set

#

# SCTP Configuration (EXPERIMENTAL)

#

# CONFIG_IP_SCTP is not set

# CONFIG_ATM is not set

CONFIG_BRIDGE=y

# CONFIG_VLAN_8021Q is not set

# CONFIG_DECNET is not set

# CONFIG_LLC2 is not set

# CONFIG_IPX is not set

# CONFIG_ATALK is not set

# CONFIG_X25 is not set

# CONFIG_LAPB is not set

# CONFIG_NET_DIVERT is not set

# CONFIG_ECONET is not set

# CONFIG_WAN_ROUTER is not set

#

# QoS and/or fair queueing

#

CONFIG_NET_SCHED=y

CONFIG_NET_SCH_CLK_JIFFIES=y

# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set

# CONFIG_NET_SCH_CLK_CPU is not set

# CONFIG_NET_SCH_CBQ is not set

CONFIG_NET_SCH_HTB=y

# CONFIG_NET_SCH_HFSC is not set

# CONFIG_NET_SCH_PRIO is not set

# CONFIG_NET_SCH_RED is not set

CONFIG_NET_SCH_SFQ=y

# CONFIG_NET_SCH_TEQL is not set

# CONFIG_NET_SCH_TBF is not set

# CONFIG_NET_SCH_GRED is not set

# CONFIG_NET_SCH_DSMARK is not set

# CONFIG_NET_SCH_NETEM is not set

# CONFIG_NET_SCH_INGRESS is not set

CONFIG_NET_QOS=y

CONFIG_NET_ESTIMATOR=y

CONFIG_NET_CLS=y

# CONFIG_NET_CLS_BASIC is not set

# CONFIG_NET_CLS_TCINDEX is not set

# CONFIG_NET_CLS_ROUTE4 is not set

# CONFIG_NET_CLS_ROUTE is not set

CONFIG_NET_CLS_FW=y

# CONFIG_NET_CLS_U32 is not set

# CONFIG_NET_CLS_IND is not set

# CONFIG_NET_CLS_RSVP is not set

# CONFIG_NET_CLS_RSVP6 is not set

# CONFIG_NET_EMATCH is not set

# CONFIG_NET_CLS_ACT is not set

CONFIG_NET_CLS_POLICE=y

#

# Network testing

#

# CONFIG_NET_PKTGEN is not set

# CONFIG_NETPOLL is not set

# CONFIG_NET_POLL_CONTROLLER is not set

# CONFIG_HAMRADIO is not set

# CONFIG_IRDA is not set

# CONFIG_BT is not set

# CONFIG_IEEE80211 is not set

CONFIG_NETDEVICES=y

# CONFIG_DUMMY is not set

# CONFIG_BONDING is not set

# CONFIG_EQUALIZER is not set

# CONFIG_TUN is not set

#

# ARCnet devices

#

# CONFIG_ARCNET is not set

#

# Ethernet (10 or 100Mbit)

#

CONFIG_NET_ETHERNET=y

CONFIG_MII=y

# CONFIG_HAPPYMEAL is not set

# CONFIG_SUNGEM is not set

# CONFIG_NET_VENDOR_3COM is not set

#

# Tulip family network device support

#

CONFIG_NET_TULIP=y

# CONFIG_DE2104X is not set

CONFIG_TULIP=y

CONFIG_TULIP_MWI=y

CONFIG_TULIP_MMIO=y

CONFIG_TULIP_NAPI=y

CONFIG_TULIP_NAPI_HW_MITIGATION=y

# CONFIG_DE4X5 is not set

# CONFIG_WINBOND_840 is not set

# CONFIG_DM9102 is not set

# CONFIG_HP100 is not set

# CONFIG_NET_PCI is not set

#

# Ethernet (1000 Mbit)

#

# CONFIG_ACENIC is not set

# CONFIG_DL2K is not set

# CONFIG_E1000 is not set

# CONFIG_NS83820 is not set

# CONFIG_HAMACHI is not set

# CONFIG_YELLOWFIN is not set

CONFIG_R8169=y

CONFIG_R8169_NAPI=y

# CONFIG_SK98LIN is not set

# CONFIG_TIGON3 is not set

# CONFIG_BNX2 is not set

#

# Ethernet (10000 Mbit)

#

# CONFIG_IXGB is not set

# CONFIG_S2IO is not set

#

# Token Ring devices

#

# CONFIG_TR is not set

#

# Wireless LAN (non-hamradio)

#

# CONFIG_NET_RADIO is not set

#

# Wan interfaces

#

# CONFIG_WAN is not set

# CONFIG_FDDI is not set

# CONFIG_HIPPI is not set

# CONFIG_PPP is not set

# CONFIG_SLIP is not set

# CONFIG_NET_FC is not set

# CONFIG_SHAPER is not set

# CONFIG_NETCONSOLE is not set

#

# ISDN subsystem

#

# CONFIG_ISDN is not set

#

# Telephony Support

#

# CONFIG_PHONE is not set

#

# Input device support

#

CONFIG_INPUT=y

#

# Userland interfaces

#

CONFIG_INPUT_MOUSEDEV=y

CONFIG_INPUT_MOUSEDEV_PSAUX=y

CONFIG_INPUT_MOUSEDEV_SCREEN_X=1280

CONFIG_INPUT_MOUSEDEV_SCREEN_Y=1024

# CONFIG_INPUT_JOYDEV is not set

# CONFIG_INPUT_TSDEV is not set

CONFIG_INPUT_EVDEV=y

# CONFIG_INPUT_EVBUG is not set

#

# Input Device Drivers

#

CONFIG_INPUT_KEYBOARD=y

CONFIG_KEYBOARD_ATKBD=y

# CONFIG_KEYBOARD_SUNKBD is not set

# CONFIG_KEYBOARD_LKKBD is not set

# CONFIG_KEYBOARD_XTKBD is not set

# CONFIG_KEYBOARD_NEWTON is not set

# CONFIG_INPUT_MOUSE is not set

# CONFIG_INPUT_JOYSTICK is not set

# CONFIG_INPUT_TOUCHSCREEN is not set

# CONFIG_INPUT_MISC is not set

#

# Hardware I/O ports

#

CONFIG_SERIO=y

CONFIG_SERIO_I8042=y

# CONFIG_SERIO_SERPORT is not set

# CONFIG_SERIO_CT82C710 is not set

# CONFIG_SERIO_PCIPS2 is not set

CONFIG_SERIO_LIBPS2=y

# CONFIG_SERIO_RAW is not set

# CONFIG_GAMEPORT is not set

#

# Character devices

#

CONFIG_VT=y

CONFIG_VT_CONSOLE=y

CONFIG_NR_TTY_DEVICES=63

CONFIG_HW_CONSOLE=y

# CONFIG_SERIAL_NONSTANDARD is not set

#

# Serial drivers

#

# CONFIG_SERIAL_8250 is not set

#

# Non-8250 serial port support

#

# CONFIG_SERIAL_JSM is not set

CONFIG_UNIX98_PTYS=y

CONFIG_LEGACY_PTYS=y

CONFIG_LEGACY_PTY_COUNT=256

#

# IPMI

#

# CONFIG_IPMI_HANDLER is not set

#

# Watchdog Cards

#

# CONFIG_WATCHDOG is not set

# CONFIG_HW_RANDOM is not set

# CONFIG_NVRAM is not set

CONFIG_RTC=y

# CONFIG_DTLK is not set

# CONFIG_R3964 is not set

# CONFIG_APPLICOM is not set

# CONFIG_SONYPI is not set

#

# Ftape, the floppy tape device driver

#

# CONFIG_FTAPE is not set

CONFIG_AGP=y

# CONFIG_AGP_ALI is not set

# CONFIG_AGP_ATI is not set

# CONFIG_AGP_AMD is not set

# CONFIG_AGP_AMD64 is not set

# CONFIG_AGP_INTEL is not set

CONFIG_AGP_NVIDIA=y

# CONFIG_AGP_SIS is not set

# CONFIG_AGP_SWORKS is not set

# CONFIG_AGP_VIA is not set

# CONFIG_AGP_EFFICEON is not set

# CONFIG_DRM is not set

# CONFIG_MWAVE is not set

# CONFIG_RAW_DRIVER is not set

# CONFIG_HANGCHECK_TIMER is not set

#

# TPM devices

#

# CONFIG_TCG_TPM is not set

#

# I2C support

#

# CONFIG_I2C is not set

#

# Dallas's 1-wire bus

#

# CONFIG_W1 is not set

#

# Misc devices

#

# CONFIG_IBM_ASM is not set

#

# Multimedia devices

#

# CONFIG_VIDEO_DEV is not set

#

# Digital Video Broadcasting Devices

#

# CONFIG_DVB is not set

#

# Graphics support

#

CONFIG_FB=y

CONFIG_FB_CFB_FILLRECT=y

CONFIG_FB_CFB_COPYAREA=y

CONFIG_FB_CFB_IMAGEBLIT=y

CONFIG_FB_SOFT_CURSOR=y

# CONFIG_FB_MACMODES is not set

CONFIG_FB_MODE_HELPERS=y

# CONFIG_FB_TILEBLITTING is not set

# CONFIG_FB_CIRRUS is not set

# CONFIG_FB_PM2 is not set

# CONFIG_FB_CYBER2000 is not set

# CONFIG_FB_ASILIANT is not set

# CONFIG_FB_IMSTT is not set

# CONFIG_FB_VGA16 is not set

CONFIG_FB_VESA=y

# CONFIG_FB_VESA_STD is not set

CONFIG_FB_VESA_TNG=y

CONFIG_FB_VESA_DEFAULT_MODE="1280x1024@70"

# CONFIG_VIDEO_SELECT is not set

# CONFIG_FB_HGA is not set

# CONFIG_FB_NVIDIA is not set

# CONFIG_FB_RIVA is not set

# CONFIG_FB_I810 is not set

# CONFIG_FB_INTEL is not set

# CONFIG_FB_MATROX is not set

# CONFIG_FB_RADEON_OLD is not set

# CONFIG_FB_RADEON is not set

# CONFIG_FB_ATY128 is not set

# CONFIG_FB_ATY is not set

# CONFIG_FB_SAVAGE is not set

# CONFIG_FB_SIS is not set

# CONFIG_FB_NEOMAGIC is not set

# CONFIG_FB_KYRO is not set

# CONFIG_FB_3DFX is not set

# CONFIG_FB_VOODOO1 is not set

# CONFIG_FB_TRIDENT is not set

# CONFIG_FB_GEODE is not set

# CONFIG_FB_S1D13XXX is not set

# CONFIG_FB_VIRTUAL is not set

#

# Console display driver support

#

CONFIG_VGA_CONSOLE=y

CONFIG_DUMMY_CONSOLE=y

CONFIG_FRAMEBUFFER_CONSOLE=y

CONFIG_FONTS=y

# CONFIG_FONT_8x8 is not set

CONFIG_FONT_8x16=y

# CONFIG_FONT_6x11 is not set

# CONFIG_FONT_PEARL_8x8 is not set

# CONFIG_FONT_ACORN_8x8 is not set

# CONFIG_FONT_MINI_4x6 is not set

# CONFIG_FONT_SUN8x16 is not set

# CONFIG_FONT_SUN12x22 is not set

#

# Logo configuration

#

CONFIG_LOGO=y

# CONFIG_BACKLIGHT_LCD_SUPPORT is not set

# CONFIG_FB_SPLASH is not set

#

# Sound

#

CONFIG_SOUND=y

#

# Advanced Linux Sound Architecture

#

CONFIG_SND=y

CONFIG_SND_TIMER=y

CONFIG_SND_PCM=y

CONFIG_SND_SEQUENCER=y

# CONFIG_SND_SEQ_DUMMY is not set

CONFIG_SND_OSSEMUL=y

CONFIG_SND_MIXER_OSS=y

CONFIG_SND_PCM_OSS=y

CONFIG_SND_SEQUENCER_OSS=y

# CONFIG_SND_RTCTIMER is not set

# CONFIG_SND_VERBOSE_PRINTK is not set

# CONFIG_SND_DEBUG is not set

#

# Generic devices

#

# CONFIG_SND_DUMMY is not set

# CONFIG_SND_VIRMIDI is not set

# CONFIG_SND_MTPAV is not set

# CONFIG_SND_SERIAL_U16550 is not set

# CONFIG_SND_MPU401 is not set

#

# PCI devices

#

CONFIG_SND_AC97_CODEC=y

# CONFIG_SND_ALI5451 is not set

# CONFIG_SND_ATIIXP is not set

# CONFIG_SND_ATIIXP_MODEM is not set

# CONFIG_SND_AU8810 is not set

# CONFIG_SND_AU8820 is not set

# CONFIG_SND_AU8830 is not set

# CONFIG_SND_AZT3328 is not set

# CONFIG_SND_BT87X is not set

# CONFIG_SND_CS46XX is not set

# CONFIG_SND_CS4281 is not set

# CONFIG_SND_EMU10K1 is not set

# CONFIG_SND_EMU10K1X is not set

# CONFIG_SND_CA0106 is not set

# CONFIG_SND_KORG1212 is not set

# CONFIG_SND_MIXART is not set

# CONFIG_SND_NM256 is not set

# CONFIG_SND_RME32 is not set

# CONFIG_SND_RME96 is not set

# CONFIG_SND_RME9652 is not set

# CONFIG_SND_HDSP is not set

# CONFIG_SND_HDSPM is not set

# CONFIG_SND_TRIDENT is not set

# CONFIG_SND_YMFPCI is not set

# CONFIG_SND_ALS4000 is not set

# CONFIG_SND_CMIPCI is not set

# CONFIG_SND_ENS1370 is not set

# CONFIG_SND_ENS1371 is not set

# CONFIG_SND_ES1938 is not set

# CONFIG_SND_ES1968 is not set

# CONFIG_SND_MAESTRO3 is not set

# CONFIG_SND_FM801 is not set

# CONFIG_SND_ICE1712 is not set

# CONFIG_SND_ICE1724 is not set

CONFIG_SND_INTEL8X0=y

# CONFIG_SND_INTEL8X0M is not set

# CONFIG_SND_SONICVIBES is not set

# CONFIG_SND_VIA82XX is not set

# CONFIG_SND_VIA82XX_MODEM is not set

# CONFIG_SND_VX222 is not set

# CONFIG_SND_HDA_INTEL is not set

#

# USB devices

#

# CONFIG_SND_USB_AUDIO is not set

# CONFIG_SND_USB_USX2Y is not set

#

# Open Sound System

#

# CONFIG_SOUND_PRIME is not set

#

# USB support

#

CONFIG_USB_ARCH_HAS_HCD=y

CONFIG_USB_ARCH_HAS_OHCI=y

CONFIG_USB=y

# CONFIG_USB_DEBUG is not set

#

# Miscellaneous USB options

#

CONFIG_USB_DEVICEFS=y

# CONFIG_USB_BANDWIDTH is not set

# CONFIG_USB_DYNAMIC_MINORS is not set

# CONFIG_USB_OTG is not set

#

# USB Host Controller Drivers

#

CONFIG_USB_EHCI_HCD=y

# CONFIG_USB_EHCI_SPLIT_ISO is not set

# CONFIG_USB_EHCI_ROOT_HUB_TT is not set

CONFIG_USB_OHCI_HCD=y

# CONFIG_USB_OHCI_BIG_ENDIAN is not set

CONFIG_USB_OHCI_LITTLE_ENDIAN=y

# CONFIG_USB_UHCI_HCD is not set

# CONFIG_USB_SL811_HCD is not set

#

# USB Device Class drivers

#

# CONFIG_USB_AUDIO is not set

# CONFIG_USB_BLUETOOTH_TTY is not set

# CONFIG_USB_MIDI is not set

# CONFIG_USB_ACM is not set

# CONFIG_USB_PRINTER is not set

#

# NOTE: USB_STORAGE enables SCSI, and 'SCSI disk support' may also be needed; see USB_STORAGE Help for more information

#

CONFIG_USB_STORAGE=y

# CONFIG_USB_STORAGE_DEBUG is not set

# CONFIG_USB_STORAGE_DATAFAB is not set

# CONFIG_USB_STORAGE_FREECOM is not set

# CONFIG_USB_STORAGE_ISD200 is not set

# CONFIG_USB_STORAGE_DPCM is not set

# CONFIG_USB_STORAGE_USBAT is not set

# CONFIG_USB_STORAGE_SDDR09 is not set

# CONFIG_USB_STORAGE_SDDR55 is not set

# CONFIG_USB_STORAGE_JUMPSHOT is not set

#

# USB Input Devices

#

CONFIG_USB_HID=y

CONFIG_USB_HID_MOUSE_POLLING_INTERVAL=2

CONFIG_USB_HIDINPUT=y

# CONFIG_HID_FF is not set

# CONFIG_USB_HIDDEV is not set

# CONFIG_USB_AIPTEK is not set

# CONFIG_USB_WACOM is not set

# CONFIG_USB_KBTAB is not set

# CONFIG_USB_POWERMATE is not set

# CONFIG_USB_MTOUCH is not set

# CONFIG_USB_EGALAX is not set

# CONFIG_USB_XPAD is not set

# CONFIG_USB_ATI_REMOTE is not set

#

# USB Imaging devices

#

# CONFIG_USB_MDC800 is not set

# CONFIG_USB_MICROTEK is not set

#

# USB Multimedia devices

#

# CONFIG_USB_DABUSB is not set

#

# Video4Linux support is needed for USB Multimedia device support

#

#

# USB Network Adapters

#

# CONFIG_USB_CATC is not set

# CONFIG_USB_KAWETH is not set

# CONFIG_USB_PEGASUS is not set

# CONFIG_USB_RTL8150 is not set

# CONFIG_USB_USBNET is not set

# CONFIG_USB_MON is not set

#

# USB port drivers

#

#

# USB Serial Converter support

#

# CONFIG_USB_SERIAL is not set

#

# USB Miscellaneous drivers

#

# CONFIG_USB_EMI62 is not set

# CONFIG_USB_EMI26 is not set

# CONFIG_USB_AUERSWALD is not set

# CONFIG_USB_RIO500 is not set

# CONFIG_USB_LEGOTOWER is not set

# CONFIG_USB_LCD is not set

# CONFIG_USB_LED is not set

# CONFIG_USB_CYTHERM is not set

# CONFIG_USB_PHIDGETKIT is not set

# CONFIG_USB_PHIDGETSERVO is not set

# CONFIG_USB_IDMOUSE is not set

# CONFIG_USB_SISUSBVGA is not set

# CONFIG_USB_TEST is not set

#

# USB ATM/DSL drivers

#

#

# USB Gadget Support

#

# CONFIG_USB_GADGET is not set

#

# MMC/SD Card support

#

# CONFIG_MMC is not set

#

# InfiniBand support

#

# CONFIG_INFINIBAND is not set

#

# File systems

#

CONFIG_EXT2_FS=y

# CONFIG_EXT2_FS_XATTR is not set

# CONFIG_EXT3_FS is not set

# CONFIG_JBD is not set

CONFIG_REISERFS_FS=y

# CONFIG_REISERFS_CHECK is not set

# CONFIG_REISERFS_PROC_INFO is not set

# CONFIG_REISERFS_FS_XATTR is not set

# CONFIG_JFS_FS is not set

#

# XFS support

#

# CONFIG_XFS_FS is not set

# CONFIG_MINIX_FS is not set

# CONFIG_ROMFS_FS is not set

# CONFIG_QUOTA is not set

CONFIG_DNOTIFY=y

# CONFIG_AUTOFS_FS is not set

CONFIG_AUTOFS4_FS=y

#

# CD-ROM/DVD Filesystems

#

CONFIG_ISO9660_FS=y

CONFIG_JOLIET=y

# CONFIG_ZISOFS is not set

CONFIG_UDF_FS=y

CONFIG_UDF_NLS=y

#

# DOS/FAT/NT Filesystems

#

CONFIG_FAT_FS=y

CONFIG_MSDOS_FS=y

CONFIG_VFAT_FS=y

CONFIG_FAT_DEFAULT_CODEPAGE=437

CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"

# CONFIG_NTFS_FS is not set

#

# Pseudo filesystems

#

CONFIG_PROC_FS=y

CONFIG_PROC_KCORE=y

CONFIG_SYSFS=y

# CONFIG_DEVFS_FS is not set

# CONFIG_DEVPTS_FS_XATTR is not set

CONFIG_TMPFS=y

# CONFIG_TMPFS_XATTR is not set

# CONFIG_HUGETLBFS is not set

# CONFIG_HUGETLB_PAGE is not set

CONFIG_RAMFS=y

#

# Miscellaneous filesystems

#

# CONFIG_ADFS_FS is not set

# CONFIG_AFFS_FS is not set

# CONFIG_HFS_FS is not set

# CONFIG_HFSPLUS_FS is not set

# CONFIG_BEFS_FS is not set

# CONFIG_BFS_FS is not set

# CONFIG_EFS_FS is not set

# CONFIG_CRAMFS is not set

# CONFIG_VXFS_FS is not set

# CONFIG_HPFS_FS is not set

# CONFIG_QNX4FS_FS is not set

# CONFIG_SYSV_FS is not set

# CONFIG_UFS_FS is not set

#

# Network File Systems

#

# CONFIG_NFS_FS is not set

# CONFIG_NFSD is not set

# CONFIG_SMB_FS is not set

# CONFIG_CIFS is not set

# CONFIG_NCP_FS is not set

# CONFIG_CODA_FS is not set

# CONFIG_AFS_FS is not set

#

# Partition Types

#

# CONFIG_PARTITION_ADVANCED is not set

CONFIG_MSDOS_PARTITION=y

#

# Native Language Support

#

CONFIG_NLS=y

CONFIG_NLS_DEFAULT="iso8859-1"

CONFIG_NLS_CODEPAGE_437=y

# CONFIG_NLS_CODEPAGE_737 is not set

# CONFIG_NLS_CODEPAGE_775 is not set

# CONFIG_NLS_CODEPAGE_850 is not set

# CONFIG_NLS_CODEPAGE_852 is not set

# CONFIG_NLS_CODEPAGE_855 is not set

# CONFIG_NLS_CODEPAGE_857 is not set

# CONFIG_NLS_CODEPAGE_860 is not set

# CONFIG_NLS_CODEPAGE_861 is not set

# CONFIG_NLS_CODEPAGE_862 is not set

# CONFIG_NLS_CODEPAGE_863 is not set

# CONFIG_NLS_CODEPAGE_864 is not set

# CONFIG_NLS_CODEPAGE_865 is not set

# CONFIG_NLS_CODEPAGE_866 is not set

# CONFIG_NLS_CODEPAGE_869 is not set

# CONFIG_NLS_CODEPAGE_936 is not set

# CONFIG_NLS_CODEPAGE_950 is not set

# CONFIG_NLS_CODEPAGE_932 is not set

# CONFIG_NLS_CODEPAGE_949 is not set

# CONFIG_NLS_CODEPAGE_874 is not set

# CONFIG_NLS_ISO8859_8 is not set

# CONFIG_NLS_CODEPAGE_1250 is not set

# CONFIG_NLS_CODEPAGE_1251 is not set

# CONFIG_NLS_ASCII is not set

CONFIG_NLS_ISO8859_1=y

# CONFIG_NLS_ISO8859_2 is not set

# CONFIG_NLS_ISO8859_3 is not set

# CONFIG_NLS_ISO8859_4 is not set

# CONFIG_NLS_ISO8859_5 is not set

# CONFIG_NLS_ISO8859_6 is not set

# CONFIG_NLS_ISO8859_7 is not set

# CONFIG_NLS_ISO8859_9 is not set

# CONFIG_NLS_ISO8859_13 is not set

# CONFIG_NLS_ISO8859_14 is not set

# CONFIG_NLS_ISO8859_15 is not set

# CONFIG_NLS_KOI8_R is not set

# CONFIG_NLS_KOI8_U is not set

# CONFIG_NLS_UTF8 is not set

#

# Profiling support

#

CONFIG_PROFILING=y

CONFIG_OPROFILE=y

#

# Kernel hacking

#

# CONFIG_PRINTK_TIME is not set

# CONFIG_DEBUG_KERNEL is not set

CONFIG_LOG_BUF_SHIFT=14

CONFIG_DEBUG_BUGVERBOSE=y

CONFIG_EARLY_PRINTK=y

#

# Security options

#

# CONFIG_KEYS is not set

# CONFIG_SECURITY is not set

#

# Cryptographic options

#

# CONFIG_CRYPTO is not set

#

# Hardware crypto devices

#

#

# Library routines

#

# CONFIG_CRC_CCITT is not set

CONFIG_CRC32=y

# CONFIG_LIBCRC32C is not set

# CONFIG_GENETIC_LIB is not set

CONFIG_ZLIB_INFLATE=y

CONFIG_ZLIB_DEFLATE=y

CONFIG_GENERIC_HARDIRQS=y

CONFIG_GENERIC_IRQ_PROBE=y

CONFIG_X86_BIOS_REBOOT=y

CONFIG_PC=y
```

----------

## 1U

Am I going to have to keep bumping my thread until I'm a veteran or reinstall gentoo? Doesn't anyone have an idea on what's wrong?  :Sad: 

----------

## joaander

I cant say what your problem might be, but I have found shorewall to be a much easier way to setup iptables rules. And it makes it easy to change firewall settings and add port forwarding options. There is a thread on this forum IIRc on how to set shorewall up.

----------

## 1U

Thank you for your recommendation but I think it would be as easy for me to reinstall gentoo as it would be to learn shorewall, and what if I spend time learning shorewall only to find out that the problem wasn't iptables related and that I still can't get port forwarding to work? It's just funny how this worked before and now it doesn't. That and the curiosity of wtf is causing this is getting the best of me, I must get to the root of the problem and fix this.

----------

## tutaepaki

Could you give us a simple diagram, (ascii art will do) describing your setup, and where you are wanting to

get from/to? Might help us understand what you are trying to do a bit better.

----------

## 1U

```
  eth0 --iptables--> br0 ===bridge=== vmnet0

   |                  |                 |

outside net      consists of     virtual machine

dhcp from        eth1-8          running win

cable modem           |          where the port

                 local comps     is being forwarded
```

I know this looks a bit unusual, but I've had this setup working for a long time without any problems. Ethernet devices 1-8 are 2x 4 port network cards which enable my computer to also be the switch while already being the gateway, eliminating the need for switches/routers. Some people might think this is stupid, but I have my reasons for having this setup, and I wouldn't use something like a linksys router/switch even if you gave me a free one.

The problem is not between br0 and vmnet0, because I've tested port forwarding to the local machines plugged into the 8 port bridge/switch I made. The OS or type of hardware (virtual/real) of the machine the port is being forwarded to does not make a difference.

Internet works for all nodes (virtual/real) thanks to iptables, but no port forwarding. I haven't made any serious configuration changes that I can think of which could have resulted in the mysterious loss of the port forwarding function.

Thank you for your time and interest in this problem, I hope this is fixable.

----------

## plut0

This line might cause some problems:

```
iptables -I FORWARD -i br0 -d 192.168.0.0/255.255.0.0 -j DROP 
```

Depending on how your computers are connected to br0.  If you have a decent hub or switch connected between them then thats probably not the issue.  Otherwise it would be.

If it worked before and then stopped, you have to ask yourself what you changed to break it.  My suggestion is to do some debugging of your own.  Your firewall script is small, fortunately.  Comment out everything for now and just use the masquerade line.  If it works, great.  Then start uncommenting lines till you find the trouble one.  Theres many ways to go about this, it might not even be your firewall script.  Can the computers talk over the lan?  Have you tried running tcpdump?  Have you run iptables in verbose list mode to see where the packets are hitting and not hitting?  Did you mess with the routing tables?  Do you have other client computers behind the firewall you can try?  Start debugging...

----------

## Chris W

```
*filter

:INPUT ACCEPT [2216:1232618]

:FORWARD ACCEPT [23085:3736819]

:OUTPUT ACCEPT [63827881:78700516261]
```

 and 

```
-A FORWARD -d 192.168.0.0/255.255.0.0 -i br0 -j DROP

-A FORWARD -s 192.168.0.0/255.255.0.0 -i br0 -j ACCEPT

-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
```

From the iptables-save output you posted the FORWARD chain policy is to ACCEPT.  Therefore, if forwarding is not working then there must be a specific rule blocking it.  There's only one DROP rule in your FORWARD chain---that'd be where I look first.   There doesn't seem to be much point to this rule---anything arriving in through br0 is in the 192.168/24 space already (I assume) and would have no need to FORWARD because:The bridge will already have intercepted and bridged the packets to the other 192.168/16 machines.   Any routing decision would decide the destination was local, and the FORWARD chain would not be involved  Remove that rule and see where that gets you.  The other two FORWARD chain rules have no real effect---this traffic would be ACCEPTed by the default policy anyway.

From you original post you appear to be trying to differentiate between machines in the 192.168.0.x and 192.168.1.x ranges.  Unfortunately, your netmask of 255.255.0.0 will not allow this differentiation i.e. machines in both ranges are on net 192.168.0.0.  In the later iptables-save output this distinction appears to have been removed.  Perhaps you could clarify.

----------

## 1U

I think I just made a mistake that one time when editing the rules. I changed my rules now to:

```
iptables -F

iptables -t nat -F

iptables -F INPUT

export LAN=br0

export WAN=eth0

iptables -I INPUT 1 -i ${LAN} -j ACCEPT

iptables -I INPUT 1 -i lo -j ACCEPT

iptables -A INPUT -p tcp -i ${WAN} --dport 216 -s neta.neodi.net -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i ${WAN} -m multiport --dports 65534,65535 -j DNAT --to 192.168.1.2

iptables -t nat -A PREROUTING -p udp -i ${WAN} -m multiport --dports 65534,65535 -j DNAT --to 192.168.1.2

iptables -A INPUT -j ACCEPT -m state --state established -i ${WAN} -p icmp

iptables -A INPUT -j ACCEPT -m state --state established -i ${WAN} -p tcp

iptables -A INPUT -j ACCEPT -m state --state established -i ${WAN} -p udp

iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG

iptables -A INPUT -i ! lo -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

/etc/init.d/iptables save
```

As you recommended. And I also updated them to be a bit easier to modify. I still can't get forwarding to work though. 

The only machines I have on my network are all 192.168.1.0, I don't go outside of that block.

Thank you both for your replies, I'll try some of the debugging thigns as soon as I get a chance.

----------

## 1U

I just did some further debugging as recommended  by plut0 and here are my results:

1. The computers can talk to each other, pings go through normally with 0 loss.

2. I tried many variations of this script, and also commented out everything I could except the bare things required to share the internet. No effect.

3. I tried this same software on another standard winblows machine, works as it does on my virtual machine without any difference.

4. What are the routing tables and how do I check/edit them? Should I post them here incase someone recognizes an obvious problem?

5. How would I go about running iptables in verbose?

6. Instead of doing tcpdump I used ethereal to listen to all packets related to port 65534, the port I'm trying to forward. Then I did a port test from the edonkey website. Here are the results I got:

```
No.     Time        Source                Destination           Protocol Info

      1 0.000000    209.67.220.58         68.65.56.163          TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971266903 TSER=0 WS=0

      2 0.000049    209.67.220.58         192.168.1.2           TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971266903 TSER=0 WS=0

      3 0.000056    209.67.220.58         192.168.1.2           TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971266903 TSER=0 WS=0

      4 0.000063    209.67.220.58         192.168.1.2           TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971266903 TSER=0 WS=0

      5 0.000070    209.67.220.58         192.168.1.2           TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971266903 TSER=0 WS=0

      6 0.000231    192.168.1.2           209.67.220.58         TCP      65534 > 44632 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

      7 0.000240    192.168.1.2           209.67.220.58         TCP      65534 > 44632 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

      8 2.920642    192.168.1.2           209.67.220.58         TCP      65534 > 44632 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

      9 2.920669    192.168.1.2           209.67.220.58         TCP      65534 > 44632 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

     10 2.998273    209.67.220.58         68.65.56.163          TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971267203 TSER=0 WS=0

     11 2.998306    209.67.220.58         192.168.1.2           TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971267203 TSER=0 WS=0

     12 2.998320    209.67.220.58         192.168.1.2           TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971267203 TSER=0 WS=0

     13 2.998324    209.67.220.58         192.168.1.2           TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971267203 TSER=0 WS=0

     14 2.998329    209.67.220.58         192.168.1.2           TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971267203 TSER=0 WS=0

     15 2.998655    192.168.1.2           209.67.220.58         TCP      65534 > 44632 [ACK] Seq=194385447 Ack=1 Win=64240 Len=0 TSV=47231 TSER=971267203

     16 2.998670    68.56.65.163          209.67.220.58         TCP      65534 > 44632 [ACK] Seq=0 Ack=0 Win=64240 Len=0 TSV=47231 TSER=971267203

     17 8.882704    192.168.1.2           209.67.220.58         TCP      65534 > 44632 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

     18 8.882725    192.168.1.2           209.67.220.58         TCP      65534 > 44632 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

     19 8.998987    209.67.220.58         68.65.56.163          TCP      44632 > 65534 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=971267803 TSER=0 WS=0
```

That's all I can think of doing. I don't know enough about the guts of networking to be able to see a problem in that output. Can anyone help me? Those are all the things I can think of doing for now.

Thanks in advance.

----------

## Chris W

 *1U wrote:*   

> 4. What are the routing tables and how do I check/edit them? Should I post them here incase someone recognizes an obvious problem?

  They are the tables the networking code uses to work out where to send IP packets.  By comparing the destination address with the entries in the table the machine can work out the interface to send the packet out on, or the next router to forward the packet to.  Your firewall/router's table should probably look a bit like mine:

```
ptolemy ~ # netstat -rn

Kernel IP routing table

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

xx.yy.zz.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 br0

127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo

0.0.0.0         xx.yy.zz.nn   0.0.0.0         UG        0 0          0 eth0
```

The address in the first and last line belong to your ISP.  The last line is the default route (dest is 0.0.0.0) and is where it will send any packet destined for somewhere not explicitly listed.  You modify the tables with the route command (route add/route del) but this would not be necessary in the vast majority of home setups.

 *1U wrote:*   

> 5. How would I go about running iptables in verbose?

 

You would make use of the LOG target in additional rules in your chains.  For example: 

```
# iptables -A FORWARD -i eth0 -j LOG --log-prefix "Forward from eth0:" --log-level 6
```

with the output going into the system log.  If you scatter these through the chain(s) you'll see what gets where.

 *Quote:*   

> 6. Instead of doing tcpdump I used ethereal to listen to all packets related to port 65534, the port I'm trying to forward. Then I did a port test from the edonkey website. Here are the results I got:
> 
> ```
> No.     Time        Source                Destination           Protocol Info
> 
> ...

  This looks for all the world like the communication is working.  Line 1 is an inbound connection, 2 is the same connection after DNAT (not sure why it repeats at 3,4,5 but perhaps related to DNAT), 6 is the reply (repeated?), and 10 is the start of the next exchange.

----------

## 1U

Thank you for your reply.

My routing table is:

```
Kernel IP routing table

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

68.65.56.128    0.0.0.0         255.255.255.128 U         0 0          0 eth0

192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br0

127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo

0.0.0.0         68.65.56.129    0.0.0.0         UG        0 0          0 eth0
```

You are correct, those are just repeats. I believe the port test attempts to try getting through 3 times, and then just gives up. I've also tried nmap which also shows the port as being filtered. I've tried different things to test the port with also (edonkey, dc++, ventrilo, and etc.). If I use nmap inside the network though the ports are clearly open, outside they are filtered.

----------

## plut0

Lets go over the obvious.  Your workstations behind the firewall, do they have the correct IP settings?  Is the gateway IP set to 192.168.1.1 on the workstations?  Is the routing tables correct on the workstations?  Do the workstations have DNS settings?  Where is the problem again, the local workstations, the virtual machine or both?

This will help you debug your rules:

```
iptables -t nat -v -L;iptables -t filter -v -L FORWARD
```

On the left it will show the packages and bytes.  If the packet numbers isn't going up for a particular rule that should be getting data, say the MASQUERADE rule for instance, then you have found the problem.

----------

## Chris W

 *1U wrote:*   

> You are correct, those are just repeats. I believe the port test attempts to try getting through 3 times, and then just gives up. 

   Your Ethereal trace clearly shows inbound connection (SYN) followed by an outbound reply (SYN, ACK).  Are you sure there's not something else afoot, like an ISP or the modem device filtering P2P, or another layer of NAT?

----------

## BlinkEye

 *1U wrote:*   

> I think I just made a mistake that one time when editing the rules. I changed my rules now to:
> 
> ```
> iptables -F
> 
> ...

 

please try the following script. i adjusted it to fit your setup - all you have to do is filling/changing the ports you want to forward. this works for me:

```
#!/bin/bash

# eth0 -> WAN

# br0 -> LAN

iptables=/sbin/iptables

$iptables -F

$iptables -X

$iptables -P INPUT DROP

$iptables -A INPUT -i ! eth0 -j ACCEPT

$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### allow ssh, apache connection ###

$iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

$iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

### uncomment the following to permit traceroute/tracepath to reach your host ###

$iptables -A INPUT -i eth0 -p udp -j ACCEPT

### forward mysql port to another host ###

$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3306 -j DNAT --to 192.168.1.2:3306

$iptables -I FORWARD -i eth0 -p tcp -d 192.168.1.2 --dport 3306 -j ACCEPT

### forward edonkey port to another host ###

$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4662 -j DNAT --to 192.168.1.2:4662

$iptables -I FORWARD -i eth0 -p tcp -d 192.168.1.2 --dport 4662 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

$iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

you might want to test it with port 22 to see if it's a ISP problem or not. so, redirect port 22 to your localhost and try to ssh to your router from the outside (well, you must login to a WAN box (you may do that from your home - but you must login to a WAN box to test this) and then ssh back to your router which will redirect you to your local box).

----------

## 1U

Thank you BlinkEye for your reply and code, I appreciate your effort to help. I used the script you suggested and modified it to the below:

```
iptables -F

iptables -X

iptables -P INPUT DROP

iptables -A INPUT -i ! eth0 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 216 -j ACCEPT

iptables -A INPUT -i eth0 -p udp -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 65535 -j DNAT --to 192.168.1.2:65535

iptables -I FORWARD -i eth0 -p tcp -d 192.168.1.2 --dport 65535 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

Unfortunately I still get the same results  :Sad: . I don't believe this is anything iptables related. This must be some kind of a kernel port forwarding problem or something of the sort, any ideas? Or maybe some kind of software package interfering? I once tried to setup bandwidth managing with QoS and a few software packages so that I could limit upload bandwidth but never got around to finishing it, do you think that could be causing this?

I can open any port I want on the gateway and it will work just fine for the outside world. I just can't forward the damn traffic. I'm not quite sure why the traffic actually hits the machine it's supposed to be forwarded to but doesn't come back. Because those machines can still use the internet and send any traffic out they want through masquerading. This happens no matter what I try on the machines being forwarded to, p2p or not it still doesn't forward any traffic properly.

I'm cluess as to what I should do next (other than reinstalling) I really want to find out wtf is causing this.

----------

## m_sqrd

maybe this is the problem.

 *Quote:*   

> 
> 
> br0       Link encap:Ethernet  HWaddr 00:80:C8:B9:D2:C9
> 
>           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
> ...

 

----------

## 1U

Thanks for the reply m_sqrd, but can you please explain further on what is wrong with it and how I go about fixing it? Btw I'm using my previous script again now, I just posted his because that's what I used to test it but there wasn't any difference.

----------

## m_sqrd

well it to me it looks like you are tring to forward to ip address 192.168.1.2 and your ifconfig shows

192.168.1.1

----------

## 1U

Well that's the ifconfig of the gateway which is supposed to forward the ports. I only have one other machine so I decided to just give it .2 instead of using other ip ranges.

----------

## BlinkEye

could you post your output from

```
ipconfig-save
```

again after running this script? i just had to learn the hard way what happens if you forget to flush all your rules. the script provided does not flush all added rules:

you need to add this line

```
iptables -F -t nat
```

you may verify this misbehaviour by running the script several time and verifying the rules with ipconfig-save (double added rules or worse: rules you removed but which don't get flushed).

----------

## Chris W

What is the policy on the FORWARD chain?  If it is DROP then you will need a rule to allow forwarding outward.

----------

## 1U

BlinkEye:

I went back to my script since it's basically the same thing and it didn't change the results, and I already had the -t nat -F in it  :Wink: . Sorry to hear about your server lockout. My updated version is:

```
iptables -F

iptables -t nat -F

iptables -F INPUT

export LAN=br0

export WAN=eth0

iptables -I INPUT 1 -i ${LAN} -j ACCEPT

iptables -I INPUT 1 -i lo -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i ${WAN} -m multiport --dports 65534,65535 -j DNAT --to 192.168.1.2

iptables -t nat -A PREROUTING -p udp -i ${WAN} -m multiport --dports 65534,65535 -j DNAT --to 192.168.1.2

iptables -A INPUT -j ACCEPT -m state --state established -i ${WAN}

iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG

iptables -A INPUT -i ! lo -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

/etc/init.d/iptables save
```

Chris W:

How do I go about checking the forward chain? I know a bit about checking tables, but not sure how to specify a chain. Also I'm just curious, how would it allow regular outgoing traffic but block things that are supposed to be replying back?

----------

## Chris W

The chains to which I refer are INPUT, OUTPUT, and FORWARD.  They each have a default policy that shows in the output of "iptables -L", e.g.: 

```
ptolemy ~ # iptables  -L  FORWARD

Chain FORWARD (policy DROP)              <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

target     prot opt source               destination

TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

br0_fwd    all  --  anywhere             anywhere

eth0_fwd   all  --  anywhere             anywhere

ath0_fwd   all  --  anywhere             anywhere

Reject     all  --  anywhere             anywhere

LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'

reject     all  --  anywhere             anywhere
```

Policy is set with "iptables -P".  Chances are that yours are ACCEPT, but if they were like mine (DROP) then if traffic did not match any rule in the chain it would be dropped rather than passed.  Since you only had (when I asked) a rule allowing forwarding inward to 192.168.1.2 this may have been a problem.

----------

## 1U

Here is what I get when I do iptables -L

```
Chain INPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere

ACCEPT     all  --  anywhere             anywhere

ACCEPT     tcp  --  pcp05050825pcs.nport01.fl.comcast.net  anywhere            tcp dpt:216

ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED

LOG        all  --  anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning

DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination
```

It almost looks as if I don't have a default policy for those? Also, what would you recommend I change in the above script to make mine default drop also? Sorry for all these troubles and I appreciate your help.

----------

## BlinkEye

the policy to drop for input, output, and forward is set as following:

```
iptables -P INPUT DROP

iptables -P OUTPUT DROP 

iptables -P FORWARD DROP
```

----------

## BlinkEye

 *1U wrote:*   

> Here is what I get when I do iptables -L
> 
> ```
> Chain INPUT (policy ACCEPT)
> 
> ...

 

well, you should have some FORWARD chains like:

```
Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

ACCEPT     tcp  --  anywhere             192.168.101.2   tcp dpt:4672 

ACCEPT     tcp  --  anywhere             192.168.101.2   tcp dpt:4662 
```

if you don't have such entries you didn't add some port forwarding rules. you forgot in your script to add 

```
iptables -I FORWARD -i eth0 -p tcp -d 192.168.101.2 --dport XXXX -j ACCEPT 
```

----------

## 1U

When I add

```
iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -P FORWARD DROP
```

To any part of my iptables I can't use my network at all for anything. I had to make them ACCEPT again. And once again adding

```
iptables -I FORWARD -i ${WAN} -p tcp -d 192.168.1.2 -m multiport --dports 65534,65535 -j ACCEPT

iptables -I FORWARD -i ${WAN} -p udp -d 192.168.1.2 -m multiport --dports 65534,65535 -j ACCEPT
```

Did not make any difference.

My original script with accepts on default is secure as far as locking down ports, and it always had port forwarding working. I don't see why it shouldn't now. I think this is being caused by something else. Though I'd still like to implement a default drop policy, how would I go about making that work without killing the normal traffic?

----------

## splooge

Start from scratch and go minimalist:

#clear everything

iptables -F

iptables -F INPUT

iptables -t nat -F 

#accept everything

iptables INPUT -P ACCEPT

iptables OUTPUT -P ACCEPT

iptables FORWARD -P ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.0.2

***TEST THIS FROM AN EXTERNAL SOURCE***

----------

## jamapii

You can use the "-j LOG" target to get packets logged in syslog. This way you can watch what packets match your rule, as they enter. Duplicate each rule with "-j LOG" instead of "-j whatever".

FORWARD-ACCEPT rules were in place from the beginning without mentioning the port, this is sufficient.

But there was a "-I FORWARD" ... "-j DROP" rule, this would have blocked the connection by blocking the reply packets, if you tested from a 192.168.x.x box.

(I mostly try to avoid inserting rules with -I, it means the rules have a different order in the script than in the chain, making the script harder to read)

192.168.1.0/255.255.0.0 is really the same as 192.168.0.0/255.255.0.0

----------

