Hi Mett,

> Just a final update on this thread.
>
> I ended up with the script below working perfectly, except if I use both
> of the following rules at the beginning of the script.
> ---------------------------
> iptables -t nat -F
> iptables -t mangle -F
> ---------------------------
>
> I don't fully understand why but I'll investigate that later.

Do an

    iptables -t nat -L -v
    iptables -t mangle -L -v

to see what is in those tables that you cannot delete.
You probably need those because....

> script:
> ------------------------------------------------------
> #!/bin/sh
>
> PATH=/usr/sbin:/sbin:/bin:/usr/bin
>
> #
> # delete all existing rules.
> #
> iptables -F
>
> iptables -X

This does NOT delete ALL existing rules. Those lines just delete the rules
in the default INPUT, FORWARD and OUTPUT chains in the table "filter".
I have the following at the beginning of my firewall scripts to delete ALL
rules in all chains in all tables.

    # Flush all rules in all chains and then delete all chains
    chains=`cat /proc/net/ip_tables_names 2>/dev/null`
    for i in $chains; do $IPTABLES -t $i -F; done
    for i in $chains; do $IPTABLES -t $i -X; done

    # Reset all counters for default chains
    $IPTABLES -Z

I do not set the PATH variable, I use the $IPTABLES variable which I set at
the beginning of my script:

    IPTABLES=/sbin/iptables
    # For testing
    #IPTABLES="echo iptables"

The testing option allows me to easily see what the result of my script
lines is, as I use A LOT of variables. Spotting a typo can be hard
sometimes. ;-)

> ## nat/POSTROUTING
> # Masquerade <=> Changed to SNAT (seemed wiser in my situation after
> # reading doc...).
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source
> EXT.FIX.IP.ADD
>

The "nat" table is not the default table, which is why with this command you
need to add the -t nat option. The same goes for the "mangle" table if you
use it.

> ## filter/FORWARD
>
> # Allow New outgoing connections from the LAN side.
> iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT

Although it is not wrong, you do not need the -t filter option here. The
"filter" table is the default table.

> [....]
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward

I have a

    # Disable routing.
    echo 0 > /proc/sys/net/ipv4/ip_forward

at the beginning of my script too; that way, when I run the script for a
second time, forwarding is turned off before removing all firewall rules.
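The points made in this reply (flush every table rather than only "filter", turn forwarding off before the flush and back on only after the rules are loaded, keep SNAT under -t nat, and use the "echo iptables" trick to dry-run the script) fit together in one small gateway script. The following is an added example written for this page, not the script posted in the thread nor the replier's own; the interface names, the LAN network and the external address 203.0.113.5 are assumptions that can be overridden through environment variables, and nothing is applied unless APPLY=1 is set, so running the file as-is only prints the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the original thread): a NAT gateway firewall
# script that flushes every table, toggles ip_forward around the reload,
# and defaults to a dry run that prints commands instead of running them.

IPTABLES=${IPTABLES:-/sbin/iptables}
# Safety default: without APPLY=1 every iptables call is only echoed.
[ "${APPLY:-0}" = "1" ] || IPTABLES="echo iptables"

LAN_IF=${LAN_IF:-eth0}                 # assumed LAN interface
WAN_IF=${WAN_IF:-ppp0}                 # assumed WAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}     # assumed LAN network
EXT_IP=${EXT_IP:-203.0.113.5}          # placeholder external address

# Tables to flush: $TABLES if set, else what the kernel reports in
# /proc/net/ip_tables_names, else the four tables iptables normally has.
tables_to_flush() {
    if [ -n "$TABLES" ]; then
        echo "$TABLES"
    elif [ -s /proc/net/ip_tables_names ]; then
        cat /proc/net/ip_tables_names
    else
        echo "filter nat mangle raw"
    fi
}

# Flush all rules, delete all user-defined chains and zero the counters
# in EVERY table. "iptables -F" / "-X" without -t only touch "filter".
flush_all() {
    for t in $(tables_to_flush); do
        $IPTABLES -t "$t" -F
        $IPTABLES -t "$t" -X
        $IPTABLES -t "$t" -Z
    done
}

# Write 0 or 1 to ip_forward; in dry-run mode print what would be written.
set_forwarding() {
    if [ "${APPLY:-0}" = "1" ]; then
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo $1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

# Default policies: nothing is forwarded or accepted unless a rule says so.
set_policies() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
}

# nat/POSTROUTING: SNAT the LAN behind the fixed external address.
# "-t nat" is required because "nat" is not the default table.
add_nat_rules() {
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$EXT_IP"
}

# filter/FORWARD: new connections only from LAN to WAN, replies both ways.
# "-t filter" is the default table and is therefore omitted.
add_forward_rules() {
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

set_forwarding 0      # stop routing before the rules disappear
flush_all
set_policies
add_nat_rules
add_forward_rules
set_forwarding 1      # enable routing only once the rules are in place
```

Run it once without APPLY=1 and read the echoed commands; the order of the output (forwarding off, every table flushed, policies, NAT, FORWARD, forwarding on) is exactly the sequence the reply recommends, and a typo in a variable shows up as a malformed echoed command before it can ever reach the kernel.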