방화벽설정 때문인지..외부에서 접속이 잘 안되요??

안녕하세여. 리눅스를 공부하는 학생입니다.

다름이아니라, 한컴리눅스2.2 를 설치하여 iptables를 사용한

masq을 설정하였습니다.

일단은 내부는 물론, 외부에서도 웹접속 및 telnet,ftp접속등이

정상적으로 되는것같습니다.

그런데..머스커레이딩설정시 방화벽문제 인지는 잘모르겠으나,,

외부에서 정상적으로 접속이 잘되다가도.접속이 안되는경우가

종종 있습니다.

방화벽문제 일것 같아서..ntsysv 에서 ipchains및 iptables를

모두 해제하였으나..증상은 마찬가지입니다.

ip_masq땜에 이런증상이 발생하는것 같은데...어디를 수정해야할지 잘 모
르겠습니다.

고수님들의 답변을 부탁드립니다.

rc.firewall-2.4 소스내용.

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.63
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this
simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to
DROP
# all forwarded packets but it didn't have a rule to
ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by
default
# 0.50 - Initial draft
#

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

# The location of the 'iptables' program
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/local/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
# NOTE If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example
#
# EXTIF="ppp0"
#
# if you are a modem user.
#
EXTIF="eth0"
INTIF="eth1"
echo " External Interface $EXTIF"
echo " Internal Interface $INTIF"

#====================================================================
==
#== No editing beyond this line is required for initial MASQ testing
==

echo -en " loading modules "

# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a

# With the new IPTABLES code, the core MASQ functionality is now
either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE The following items are listed ONLY for informational
reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally
disabled
# the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded
#
# NOTE Only load the IP MASQ modules you need. All current IP
MASQ
# modules are shown below but are commented out from loading.
# ===============================================================

#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
/sbin/insmod ip_tables

#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other
specific
# conntrack modules being loaded afterwards such as
the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
/sbin/insmod iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp

# Just to be complete, here is a list of the remaining kernel
modules
# and their function. Please note that several modules should be
only
# loaded by the correct master kernel module for proper operation.
# -------------------------------------------------------------------
-
#
# ipt_mark - this target marks a given packet for future
action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port
individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have
invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module
automatically
# loads the following modules
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and
returns
# a configurable ICMP packet back
to the
# sender.
#
# iptable_mangle - this target allows for packets to be
manipulated
# for things like the TCPMSS option, etc.

echo ". Done loading modules."

#CRITICAL Enable IP forwarding since it is disabled by default
since
#
# Redhat Users you may try changing the options in
# /etc/sysconfig/network from
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address
hacking
# which makes the life with Diald and similar programs much easier.
#
echo " enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
# NOTE In IPTABLES speak, IP Masquerading is a form of SourceNAT
or SNAT.
#
# NOTE #2 The following is an example for an internal LAN address
in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit
subnet mask
# connecting to the Internet on external
interface "eth0". This
# example will MASQ internal traffic out to the Internet
but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask,
and your
# *** Internet connection interface name to match your setup
#

#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP
#
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD Allow all connections OUT and only existing and
related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nDone.\n"