On Mon, Apr 25, 2005 at 10:34:15AM -0400, Dave Nebinger wrote:
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > DROP       all  --  anywhere             192.168.0.0/16
> > DROP       all  --  anywhere             192.168.0.0/16
> > DROP       all  --  anywhere             192.168.0.0/16
> > DROP       all  --  anywhere             192.168.0.0/16
> > ACCEPT     all  --  192.168.0.0/16       anywhere
> > ACCEPT     all  --  anywhere             192.168.0.0/16
> > ACCEPT     all  --  192.168.0.0/16       anywhere
> > ACCEPT     all  --  anywhere             192.168.0.0/16
> > LOG        all  --  anywhere             anywhere            LOG level warning prefix `Dropped outgoing: '
> > LOG        all  --  anywhere             anywhere            LOG level warning prefix `Dropped incoming: '
> > ACCEPT     all  --  192.168.0.0/16       anywhere
> > ACCEPT     all  --  anywhere             192.168.0.0/16
> > ACCEPT     all  --  192.168.0.0/16       anywhere
> > ACCEPT     all  --  anywhere             192.168.0.0/16
>
> Well, this would seem to indicate your problem.  The first couple of rules
> (which look like dups) will drop any incoming packets headed to the intranet
> (192.168.0.0 network).
That's weird, I didn't see what you quoted in my mailbox.  Anyway,
according to his iptables -L -v output, there should only be one of
those DROP rules in the FORWARD chain.  And that is to prevent intranet
packets from going to the internet.

> I think you need to readjust the rules similar to the following:
>
> # Flush the forward table
> iptables -F FORWARD
> # Define the default forward policy as drop.
> iptables -P FORWARD DROP
>
> # Allow established traffic from the internet to the intranet
> iptables -A FORWARD -I eth0 -O eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

I think you mean -i eth0 -o eth1?  And he might need to compile
additional kernel modules for the options you specified.  (Which I see
you have specified below.)

> # Allow the intranet to create and maintain connections to the internet.
> iptables -A FORWARD -I eth1 -O eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> # Log packets that are being dropped
> iptables -A FORWARD -j LOG --log-prefix "Dropped forwarded packets: "
>
> These rules will allow new outgoing connections and established incoming
> connections.  You really shouldn't need to filter on IP address, as the
> invalid destination addresses would be dropped by the intranet and only
> valid established connections will allow the incoming internet packets to be
> delivered anyway.
>
> These rules rely on the state module being available and loaded.
>
> --
> gentoo-user@gentoo.org mailing list

--
----------------------------------------------------------------
* Address: 45 Spelman Hall, Princeton University 08544         *
* Phone: x68958                 AIM: AngularJerk               *
* E-mail: [EMAIL PROTECTED]     From: sep.dynalias.net         *
----------------------------------------------------------------
"If I had a little robot walking around with me and I could feed him
the Lagrangian and he'd spit out the answer I would love this class."
~DeathMech, Some Student.
P-town PHY 205
Sortir en Pantoufles: up 14 days, 2:24
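The stateful FORWARD ruleset Dave proposes, with the -i/-o fix pointed out in the reply, as an added example that is not from either message in the thread. It is written in iptables-restore format so the whole filter table is replaced atomically, which also avoids the duplicated rules visible in the quoted iptables -L output: re-running a script of plain "iptables -A ..." lines without a flush appends a second copy of every rule. Beyond the thread's rules it uses the conntrack match that later kernels provide in place of "-m state", drops INVALID packets, adds an anti-spoofing rule (nothing arriving from the internet may claim a LAN source address) and rate-limits the LOG rule so a flood cannot fill the syslog. Interface names (eth0 internet, eth1 LAN) and the 192.168.0.0/16 prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.  Emits a stateful FORWARD
# policy for a two-interface router in iptables-restore format so it can
# be loaded atomically (no duplicated rules from re-running "iptables -A").
# eth0/eth1 and 192.168.0.0/16 are assumptions; pass your own values.

set -eu

# forward_rules WAN_IF LAN_IF LAN_NET -> prints a filter table for iptables-restore
forward_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: a packet from the internet must not carry a LAN source
-A FORWARD -i $wan -s $net -j DROP
# Drop packets conntrack cannot attach to any known flow
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Replies to LAN-initiated connections, internet -> LAN
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may open new connections to the internet and keep them going
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Log (rate-limited) whatever falls through; the DROP policy discards it
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "Dropped forwarded: "
COMMIT
EOF
}

# rule_count RULESET -> number of "-A FORWARD" lines in the generated text;
# a sanity check that the chain holds exactly what was intended.
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A FORWARD'
}

# apply_rules WAN_IF LAN_IF LAN_NET -> parse with --test first, then load
# the table atomically.  Needs root and a kernel with conntrack/limit/LOG.
apply_rules() {
    forward_rules "$@" | iptables-restore --test
    forward_rules "$@" | iptables-restore
}

# Usage as root: ./fw.sh --apply eth0 eth1 192.168.0.0/16
if [ "${1-}" = "--apply" ]; then
    shift
    apply_rules "$@"
fi
```

After loading, `iptables -L FORWARD -v -n --line-numbers` should show a DROP policy and exactly five rules; a larger count means an older script is still appending to the chain on every run, which is how the four identical DROP lines in the quoted output come about. The anti-spoofing rule is the one place where filtering on address still earns its keep: conntrack alone will not stop a crafted packet with a 192.168.x.y source arriving on the internet side.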