Well, the firewall script works fine, and dnsmasq works almost fine, but...
As I said before, I was able to ping 216.109.118.70 but not
www.yahoo.com.
It seems dnsmasq doesn't properly forward DNS requests,
so I looked into dnsmasq.conf.
Here is a part of dnsmasq.conf,
and I'll explain what I modified:
# Never forward plain names (without a dot or domain part)
##########domain-needed
# Reply to reverse queries for addresses in the non-routed address
# space with the dotted.quad address
bogus-priv
# Filter useless Windows-originated DNS requests
##############filterwin2k <----- modified here: I had to comment out this line
# Change this line if you want DNS to get its upstream servers from
# somewhere other than /etc/resolv.conf
#resolv-file=
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers that are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
strict-order <----- modified here: I had to uncomment this line
........................................
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale data, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
alias=81.196.25.xx,192.168.0.2 <----- modified here
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
So any DNS request to 192.168.0.2 will be translated into a direct request to 81.196.25.xx (my ISP's primary DNS).
Without those modifications I was unable to use 192.168.0.2 as PRIMARY DNS on my local machines...
...And now, can you help me create rules to block access to some services like IRC or Yahoo Messenger?
...and how to permit access based on IP address and MAC?
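As an added example (not from the original post, and not the poster's firewall script): one way to answer the two questions above with iptables on the Linux router. It assumes names that the post does not give: the LAN interface is eth1 with the 192.168.0.0/24 network, the WAN side is eth0, and the allowed "ip mac" pairs are made-up sample data. The port lists are the well-known ones (IRC servers on TCP 6660-6669 and 7000; Yahoo Messenger chat on TCP 5050 and webcam on 5100). Setting IPT to the included print_rule helper prints the rules instead of applying them, so the script can be checked without root.

```shell
#!/bin/sh
# Added example, not the original post's firewall script.
# Assumptions (not stated in the post): LAN is eth1 / 192.168.0.0/24,
# the allowed hosts below are constructed sample data, and the port lists
# are the well-known IRC / Yahoo Messenger ports.
# IPT="print_rule" shows the rules that would be applied instead of running iptables.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

IRC_TCP_PORTS="6660:6669 7000"   # IRC servers commonly listen on 6660-6669 and 7000
YMSG_TCP_PORTS="5050 5100"       # Yahoo Messenger chat (5050) and webcam (5100)

# Allowed LAN hosts as "ip mac" pairs (constructed sample data).
ALLOWED_HOSTS="
192.168.0.10 00:11:22:33:44:55
192.168.0.11 00:11:22:33:44:66
"

# Dry-run helper: prints the iptables invocation instead of executing it.
print_rule() {
    printf 'iptables %s\n' "$*"
}

# Reject (rather than silently drop) new connections from the LAN to the
# IRC and Yahoo Messenger ports, so clients fail fast instead of hanging.
block_services() {
    for p in $IRC_TCP_PORTS; do
        $IPT -A FORWARD -i "$LAN_IF" -p tcp --dport "$p" -j REJECT --reject-with tcp-reset
    done
    for p in $YMSG_TCP_PORTS; do
        $IPT -A FORWARD -i "$LAN_IF" -p tcp --dport "$p" -j REJECT --reject-with tcp-reset
    done
}

# One ACCEPT rule per (ip, mac) pair; both the source IP and the source MAC
# must match. Everything else from the LAN is dropped by the final rule, so a
# host that changes either its IP or its MAC loses forwarding access.
allow_by_ip_and_mac() {
    echo "$ALLOWED_HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        $IPT -A FORWARD -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j DROP
}

# Order matters: iptables takes the first matching rule, so the service
# blocks must be appended before the per-host ACCEPT rules.
apply_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    block_services
    allow_by_ip_and_mac
}

# Apply only when explicitly asked (APPLY=1 as root); otherwise the
# functions can be sourced or dry-run with IPT=print_rule.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
fi
```

Two caveats a practitioner would add: the `-m mac --mac-source` match only sees the MAC of the last hop, so it only identifies hosts on the directly attached LAN segment, and a MAC is trivial to spoof, so this is access control against mistakes, not against a determined user. Likewise, blocking by destination port stops the default configuration of these clients but not a client that falls back to port 80/443 or a proxy; since dnsmasq is already running with `log-queries`, the query log is a good place to see which names the clients actually resolve.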