> On Mon, Apr 25, 2005 at 10:34:15AM -0400, Dave Nebinger wrote:
> > > Chain FORWARD (policy ACCEPT)
> > > target prot opt source destination
> > > DROP all -- anywhere 192.168.0.0/16
> > > DROP all -- anywhere 192.168.0.0/16
> > > DROP all -- anywhere 192.168.0.0/16
> > > DROP all -- anywhere 192.168.0.0/16
> > > ACCEPT all -- 192.168.0.0/16 anywhere
> > > ACCEPT all -- anywhere 192.168.0.0/16
> > > ACCEPT all -- 192.168.0.0/16 anywhere
> > > ACCEPT all -- anywhere 192.168.0.0/16
> > > LOG all -- anywhere anywhere LOG level warning prefix `Dropped outgoing: '
> > > LOG all -- anywhere anywhere LOG level warning prefix `Dropped incoming: '
> > > ACCEPT all -- 192.168.0.0/16 anywhere
> > > ACCEPT all -- anywhere 192.168.0.0/16
> > > ACCEPT all -- 192.168.0.0/16 anywhere
> > > ACCEPT all -- anywhere 192.168.0.0/16
> >
> > Well this would seem to indicate your problem. The first couple of rules
> > (which look like dups) will drop any incoming packets headed to the intranet
> > (192.168.0.0 network).
>
> That's weird, I didn't see what you quoted in my mailbox. Anyway,
> according to his iptables -L -v output, there should only be one of
> those DROP rules in the FORWARD chain. And that is to prevent
> intranet packets from going to the internet.

I've been working offline with him, and somehow the response got back online again... Sorry for the confusion.

> > I think you need to readjust the rules similar to the following:
> >
> > # Flush the forward table
> > iptables -F FORWARD
> > # Define the default forward policy as drop.
> > iptables -P FORWARD DROP
> >
> > # Allow established traffic from the internet to the intranet
> > iptables -A FORWARD -I eth0 -O eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I think you mean -i eth0 -o eth1? And he might need to compile
> additional kernel modules for the options you specified. (Which I see
> you have specified below)

Yes, Outlook likes to capitalize things I don't want capitalized; sometimes I catch them and sometimes I don't.

> > # Allow the intranet to create and maintain connections to the internet.
> > iptables -A FORWARD -I eth1 -O eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> >
> > # Log packets that are being dropped
> > iptables -A FORWARD -j LOG --log-prefix "Dropped forwarded packets: "
> >
> > These rules will allow new outgoing connections and established incoming
> > connections. You really shouldn't need to filter on IP address as the
> > invalid destination addresses would be dropped by the intranet and only
> > valid established connections will allow the incoming internet packets to be
> > delivered anyway.
> >
> > These rules rely on the state module being available and loaded.

--
gentoo-user@gentoo.org mailing list
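The checks the thread does by eye (duplicated DROP rules, and an ACCEPT for intranet-bound traffic that a DROP earlier in the chain already matches) can be scripted against `iptables -L` output. This is an added example, not code from the thread or from anyone on it; it assumes the plain `iptables -L` column layout shown above (no `-v`, so no pkts/bytes columns), and the sample listing is constructed from the one quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in `iptables -L` format, modelled on the FORWARD chain
# quoted in the thread (two identical DROP rules, then ACCEPTs they shadow).
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.0.0/16
DROP       all  --  anywhere             192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     all  --  anywhere             192.168.0.0/16
LOG        all  --  anywhere             anywhere            LOG level warning prefix `Dropped incoming: '
ACCEPT     all  --  anywhere             192.168.0.0/16
"""

# target, prot, opt, source, destination, then optional match/target extras
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_listing(text):
    """Return {chain: [(target, proto, src, dst, extra), ...]} in rule order."""
    chains, current = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]          # "Chain FORWARD (policy ACCEPT)"
        elif current is None or not line.strip() or line.startswith("target"):
            continue                           # header row or leading junk
        else:
            m = RULE_RE.match(line)
            if m:
                target, proto, _opt, src, dst, extra = m.groups()
                chains[current].append((target, proto, src, dst, extra or ""))
    return chains


def audit_chain(rules):
    """Flag exact duplicates and ACCEPTs that an earlier DROP with the same match makes dead."""
    findings = []
    for rule, n in Counter(rules).items():
        if n > 1:
            findings.append(f"duplicate x{n}: {' '.join(rule[:4])}")
    dropped = set()                            # (proto, src, dst) already matched by DROP
    for target, proto, src, dst, _extra in rules:
        key = (proto, src, dst)
        if target == "DROP":
            dropped.add(key)
        elif target == "ACCEPT" and key in dropped:
            findings.append(f"ACCEPT shadowed by earlier DROP: {proto} {src} -> {dst}")
    return findings


def audit_listing(text):
    """Audit every chain in an `iptables -L` dump; returns {chain: [finding, ...]}."""
    return {chain: audit_chain(rules) for chain, rules in parse_listing(text).items()}
```

Feed it `iptables -L FORWARD` output directly to see whether a listing still carries the duplicated or shadowing rules the thread describes; a clean chain returns an empty list.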