> On Mon, Apr 25, 2005 at 10:34:15AM -0400, Dave Nebinger wrote:
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > > DROP       all  --  anywhere             192.168.0.0/16
> > > DROP       all  --  anywhere             192.168.0.0/16
> > > DROP       all  --  anywhere             192.168.0.0/16
> > > DROP       all  --  anywhere             192.168.0.0/16
> > > ACCEPT     all  --  192.168.0.0/16       anywhere
> > > ACCEPT     all  --  anywhere             192.168.0.0/16
> > > ACCEPT     all  --  192.168.0.0/16       anywhere
> > > ACCEPT     all  --  anywhere             192.168.0.0/16
> > > LOG        all  --  anywhere             anywhere            LOG level warning prefix `Dropped outgoing: '
> > > LOG        all  --  anywhere             anywhere            LOG level warning prefix `Dropped incoming: '
> > > ACCEPT     all  --  192.168.0.0/16       anywhere
> > > ACCEPT     all  --  anywhere             192.168.0.0/16
> > > ACCEPT     all  --  192.168.0.0/16       anywhere
> > > ACCEPT     all  --  anywhere             192.168.0.0/16
> >
> > Well this would seem to indicate your problem.  The first couple of rules
> > (which look like dups) will drop any incoming packets headed to the intranet
> > (192.168.0.0 network).
> 
> That's weird, I didn't see what you quoted in my mailbox. Anyway,
> according to his iptables -L -v output, there should only be one of
> those DROP rules in the FORWARD chain. And that is to prevent
> intranet packets from going to the internet.

I've been working offline with him, and somehow the response got back online
again... Sorry for the confusion.

> >
> > I think you need to readjust the rules similar to the following:
> >
> > # Flush the forward table
> > iptables -F FORWARD
> > # Define the default forward policy as drop.
> > iptables -P FORWARD DROP
> >
> > # Allow established traffic from the internet to the intranet
> > iptables -A FORWARD -I eth0 -O eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> I think you mean -i eth0 -o eth1? And he might need to compile
> additional kernel modules for the options you specified. (Which I see
> you have specified below)

Yes, Outlook likes to capitalize things I don't want capitalized; sometimes
I catch them and sometimes I don't.

> > # Allow the intranet to create and maintain connections to the internet.
> > iptables -A FORWARD -I eth1 -O eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> >
> > # Log packets that are being dropped
> > iptables -A FORWARD -j LOG --log-prefix "Dropped forwarded packets: "
> >
> > These rules will allow new outgoing connections and established incoming
> > connections.  You really shouldn't need to filter on IP address as the
> > invalid destination addresses would be dropped by the intranet and only
> > valid established connections will allow the incoming internet packets to be
> > delivered anyway.
> >
> > These rules rely on the state module being available and loaded.


-- 
gentoo-user@gentoo.org mailing list
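A dry-run script for the corrected FORWARD ruleset discussed above, with `-i`/`-o` in lower case, plus a lint that catches the `-I`/`-O` capitalisation a mail client can introduce (`-O` is not an iptables option, and `-I` is the insert command, so a rule carrying both `-A` and `-I` names two commands and is rejected). This is an added example, not code from the thread; it assumes eth0 faces the internet and eth1 the intranet, as in the thread, and only executes iptables when RUN=1.

```shell
#!/bin/sh
# Added example: build and lint the corrected FORWARD chain rules.
# Interface roles are an assumption matching the thread (eth0 = internet,
# eth1 = intranet); override with WAN=... LAN=... in the environment.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

# Emit the ruleset, one iptables invocation per line, in the order given
# in the reply: flush, default-drop, established in, new+established out, log.
forward_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "Dropped forwarded packets: "
EOF
}

# Return 1 if a rule line carries the capitalised flags from the quoted mail:
# -O does not exist in iptables, and -I (insert) clashes with -A (append).
lint_rule() {
    case " $1 " in
        *" -O "*)
            echo "lint: -O is not an iptables option (meant -o?): $1" >&2
            return 1 ;;
        *" -A "*" -I "*|*" -I "*" -A "*)
            echo "lint: -I and -A both given (meant -i?): $1" >&2
            return 1 ;;
    esac
    return 0
}

# Lint every rule first; print them (dry run) unless RUN=1, in which case
# each line is executed. Stops at the first rule that fails the lint.
apply_rules() {
    while IFS= read -r rule; do
        lint_rule "$rule" || return 1
        if [ "${RUN:-0}" = 1 ]; then sh -c "$rule"; else echo "$rule"; fi
    done <<EOF
$(forward_rules)
EOF
}
```

Run it with no arguments to see the commands that would be issued; `RUN=1 sh script.sh` as root applies them.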