I'm on dial-up with two boxes connected through a cross-over cable. Box 1 is multi-boot, primarily NT4 Workstation and Slackware 10.1. Box 2 is Slackware 10.2

To date I have used a firewall script that seems to be working well on my two boxes. I can ping in either direction to either box and out to the net. The script tests well with both boxes at those various testing sites. So far so good.

Yesterday I decided to try configuring one box as a router and connect to the net with the remaining box. No go. I could surf the net through Box 2 from Box 1 using NT4, but I could not surf the net through Box 2 from Box 1 in Slack. Troubleshooting traced the problem to the firewall script.

The script defaults to an internet interface variable (INET_IFACE) of ppp0. Makes sense for how I have done things previously. However, when I now occasionally want to access the net through the other box, I need to temporarily modify this variable manually to eth0. Without actually connecting to the net using ppp, this variable as used in the firewall script rules then clashes with the routing table, which is why yesterday I initially could not punch through until I modified to eth0.

My challenge is that this is a simple two-box network and I am not going to dedicate one box as a router/gateway. I plan lots of experimenting over the coming months and that means one box could be down or even not connected. Nor do I desire buying a dedicated router.

Thus, I must assume a default of ppp0 and temporarily modify to eth0 on the fly. I need to conjure a reasonable way to toggle the firewall script on one box from ppp0 to eth0 if I decide to surf through the other box. Everything otherwise works well.

I can manually edit this variable, restart the script, and everything clicks just great. But I never know ahead of time how I might connect to the web. Thus, the firewall script defaults to ppp0. The only method I can derive is to write another script that I run manually that will toggle that variable and restart the firewall script. Or is there a more elegant solution that covers both interface options?

As always, thanks for your help.

Woodsman,

I guess one way to do it would be to have a shell script which monitors for a change in the interface that is up, then loads the appropriate script file.

This does however mean that you will need to maintain two copies of rc.firewall (One for ppp0 and the other from eth0). You could get fancy with the shell script and populate the value of the INET_IFACE variable depending on which interface is up.

Run this script in a cron job and I think that will do the trick.

I'm at work at the moment, so I don't have the time to put a script together. I can however give you a hand when I get home.

Let me know how you go.

Regards,
Kristijan

I've been tinkering with this since posting my query. Yes, I decided to use multiple firewall scripts. I have fine-tuned things sufficiently of late that I probably could use some variables to then merge the individual scripts into one and then set the iptable rules according to how I called the script with the variables. But for now, I think things are working.

Also confusing the issue greatly (for a while) is that the ppp daemon fails to reset the default gateway in the routing table. Thus, in my scripts I am manually taking care of that, but that issue temporarily masked my observations in what I was trying to accomplish otherwise. I posted a query of that problem in another thread. Nonetheless, I could trim a few lines of script if I could resolve that problem.

A dialup script I wrote is where I decided to toggle the INET_IFACE variable and run the appropriate firewall script. Upon hanging up I reverse the process. FWIW, I had to add my mortal user account to the sudo list to run the firewall script. In all I think I have succeeded, but this was a lot of work! Whenever I get my web site online I'll have a lot of this kind of info posted for people to browse---and either learn or laugh at my efforts.