On Mon, Apr 25, 2005 at 10:34:15AM -0400, Dave Nebinger wrote:
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > DROP       all  --  anywhere             192.168.0.0/16
> > DROP       all  --  anywhere             192.168.0.0/16
> > DROP       all  --  anywhere             192.168.0.0/16
> > DROP       all  --  anywhere             192.168.0.0/16
> > ACCEPT     all  --  192.168.0.0/16       anywhere
> > ACCEPT     all  --  anywhere             192.168.0.0/16
> > ACCEPT     all  --  192.168.0.0/16       anywhere
> > ACCEPT     all  --  anywhere             192.168.0.0/16
> > LOG        all  --  anywhere             anywhere            LOG level
> > warning prefix `Dropped outgoing: '
> > LOG        all  --  anywhere             anywhere            LOG level
> > warning prefix `Dropped incoming: '
> > ACCEPT     all  --  192.168.0.0/16       anywhere
> > ACCEPT     all  --  anywhere             192.168.0.0/16
> > ACCEPT     all  --  192.168.0.0/16       anywhere
> > ACCEPT     all  --  anywhere             192.168.0.0/16
> 
> Well this would seem to indicate your problem.  The first couple of rules
> (which look like dups) will drop any incoming packets headed to the intranet
> (192.168.0.0 network).

That's weird, I didn't see what you quoted in my mailbox. Anyway,
according to his iptables -L -v output, there should only be one of
those DROP rules in the FORWARD chain. And that is to prevent
intranet packets from going to the internet. 

> 
> I think you need to readjust the rules similar to the following:
> 
> # Flush the forward table
> iptables -F FORWARD
> # Define the default forward policy as drop.
> iptables -P FORWARD DROP
> 
> # Allow established traffic from the internet to the intranet
> iptables -A FORWARD -I eth0 -O eth1 -m state --state ESTABLISHED,RELATED -j
> ACCEPT

I think you mean -i eth0 -o eth1? And he might need to compile
additional kernel modules for the options you specified. (Which I see
you have specified below)

> # Allow the intranet to create and maintain connections to the internet.
> iptables -A FORWARD -I eth1 -O eth0 -m state --state NEW,ESTABLISHED,RELATED
> -j ACCEPT
> 
> # Log packets that are being dropped
> iptables -A FORWARD -j LOG --log-prefix "Dropped forwarded packets: "
> 
> These rules will allow new outgoing connections and established incoming
> connections.  You really shouldn't need to filter on IP address as the
> invalid destination addresses would be dropped by the intranet and only
> valid established connections will allow the incoming internet packets to be
> delivered anyway.
> 
> These rules rely on the state module being available and loaded.
> 
> 
> 
> -- 
> gentoo-user@gentoo.org mailing list

-- 
----------------------------------------------------------------
*   Address:  45 Spelman Hall, Princeton University  08544     *
*     Phone:  x68958                  AIM:  AngularJerk        *
*    E-mail:  [EMAIL PROTECTED]    From:  sep.dynalias.net   *
----------------------------------------------------------------
"If I had a little robot walking around with me and I could feed him the 
Lagrangian and he'd spit out the answer I would love this class."
~DeathMech, Some Student. P-town PHY 205
Sortir en Pantoufles: up 14 days,  2:24
-- 
gentoo-user@gentoo.org mailing list
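The corrected ruleset from the thread, with the `-i`/`-o` fix the reply points out, written as a script that can be rendered and linted before it is loaded. This is an added example, not code from either poster: it assumes eth0 faces the internet, eth1 faces the 192.168.0.0/16 intranet, and that the kernel has the state/conntrack support the rules need.

```shell
#!/bin/sh
# Stateful FORWARD chain for a two-NIC router (added example, not from the thread).
# Assumed layout: WAN=eth0 (internet side), LAN=eth1 (intranet side).
# Set IPT=print_rule (or IPT=echo) to preview the rules instead of applying them.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

apply_forward_rules() {
    # Empty the chain and make dropping the default so only listed traffic passes.
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP
    # Internet -> intranet: only packets that belong to a connection the intranet
    # already opened. No NEW here, so nothing outside can initiate a connection;
    # this is why per-address DROP rules for 192.168.0.0/16 are not needed.
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Intranet -> internet: hosts may open new connections and keep them going.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Anything reaching this point is about to hit the DROP policy; log it first.
    "$IPT" -A FORWARD -j LOG --log-prefix "Dropped forwarded packets: "
}

# Stand-in for iptables that prints the rule it was handed.
print_rule() { printf '%s\n' "$*"; }

# Render the rules as text (no root, no kernel) so they can be inspected.
render_forward_rules() {
    ( IPT=print_rule; apply_forward_rules )
}

# Lint the rendered rules for the mistakes discussed in the thread.
# Returns 0 when every check passes, 1 otherwise.
check_forward_rules() {
    rules=$(render_forward_rules)
    status=0
    # 1. The chain must be deny-by-default.
    printf '%s\n' "$rules" | grep -q '^-P FORWARD DROP$' \
        || { echo "missing DROP policy"; status=1; }
    # 2. Interface matches must be -i/-o: -I means "insert rule" and -O does not exist.
    printf '%s\n' "$rules" | grep -Eq -- ' -[IO] [a-z]' \
        && { echo "uppercase -I/-O used for interfaces"; status=1; }
    # 3. The internet->intranet rule must never admit NEW connections.
    printf '%s\n' "$rules" | grep -- "-i $WAN -o $LAN " | grep -q 'NEW' \
        && { echo "WAN->LAN rule accepts NEW"; status=1; }
    # 4. Dropped packets should be logged before the policy discards them.
    printf '%s\n' "$rules" | grep -q -- '-j LOG' \
        || { echo "no LOG rule"; status=1; }
    return $status
}

# Usage: source the script, then `check_forward_rules && apply_forward_rules`.
# `iptables -L -v` (not plain -L) is needed afterwards to see the in/out interfaces
# on each rule, which is how the eth0/eth1 direction of each rule is confirmed.
```

Running `check_forward_rules` first catches the `-I`/`-O` typo and a missing DROP policy before anything is loaded; the script mirrors Dave's sequence (flush, policy, two state rules, log), with the uppercase interface flags corrected as the reply suggests.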