On Sat, Sep 27, 2003 at 07:28:23AM -0500, Mojo B. Nichols wrote: > I'm not sure I know what your problem is, but this may help. > > # basic nat on extrenal device. > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I've already got this rule in my firewall > This should get your nating working. I highly recommend using LOG to > determine and trouble shoot what is going on in your firewall. If you > have a rule that you don't know what it is doing copy the rule and > replace the -J ACCEPT (whatever) with -j LOG --prefix "TESTING RULE > 3" in the first copy of the rule, or even comment out the old one > until LOG is LOGING the rule you want. Logging info regarding the NAT line doesn't show anything in the system logs? Cheers Adam
#!/sbin/runscript IPTABLES=/sbin/iptables IPTABLESSAVE=/sbin/iptables-save IPTABLESRESTORE=/sbin/iptables-restore FIREWALL=/etc/firewall.rules opts="${opts} showstatus panic save restore showoptions" depend() { need net } rules() { stop # insert connection tracking modules modprobe ip_tables modprobe iptable_filter modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ipt_state modprobe ipt_LOG modprobe iptable_nat # allow local-only connections ${IPTABLES} -A INPUT -i lo -j ACCEPT # free output on any interface to any ip for any service ${IPTABLES} -A OUTPUT -j ACCEPT # permit answers on already established connections # and permit new connections related to established ones ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # allow incomg ssh connections ${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT # NAT ${IPTABLES} -t nat -A POSTROUTING -o eth0 -j LOG --log-prefix "Nat rule" # log everything else #${IPTABLES} -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " # everything not accepted > /dev/null ${IPTABLES} -P INPUT DROP ${IPTABLES} -P FORWARD DROP ${IPTABLES} -P OUTPUT DROP # be verbose on dynamic ip-addresses echo 2 > /proc/sys/net/ipv4/ip_dynaddr # disable ExplicitCongestionNotification echo 0 > /proc/sys/net/ipv4/tcp_ecn # turn on IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward eend $? } start() { ebegin "Starting firewall" if [ -e "${FIREWALL}" ]; then restore else einfo "${FIREWALL} does not exists. Using default rules." rules fi eend $? } stop() { ebegin "Stopping firewall" ${IPTABLES} -F ${IPTABLES} -t nat -F ${IPTABLES} -X ${IPTABLES} -P FORWARD ACCEPT ${IPTABLES} -P INPUT ACCEPT ${IPTABLES} -P OUTPUT ACCEPT eend $? } showstatus() { ebegin "Status" ${IPTABLES} -L -n -v --line-numbers einfo "NAT status" ${IPTABLES} -L -n -v --line-numbers -t nat eend $? } panic() { ebegin "Setting panic rules" ${IPTABLES} -F ${IPTABLES} -X ${IPTABLES} -t nat -F ${IPTABLES} -P FORWARD DROP ${IPTABLES} -P INPUT DROP ${IPTABLES} -P OUTPUT DROP ${IPTABLES} -A INPUT -i lo -j ACCEPT ${IPTABLES} -A OUTPUT -o lo -j ACCEPT eend $? } save() { ebegin "Saving Firewall rules" ${IPTABLESSAVE} > ${FIREWALL} eend $? } restore() { ebegin "Restoring Firewall rules" ${IPTABLESRESTORE} < ${FIREWALL} eend $? } restart() { svc_stop; svc_start } showoptions() { echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}" echo "start) will restore setting if exists else force rule settings" echo "stop) delete all rules and set all to accept" echo "rules) force settings of new rules" echo "save) will store settings in ${FIREWALL}" echo "restore) will restore settings from ${FIREWALL}" echo "showstatus) Shows the status" }
-- [EMAIL PROTECTED] mailing list