> > I have two PCs.
> > The 1st one is used as a router.
> 
> Well, I think then you've already set up forwarding, like Kurt G.
> mentioned.
Yes I did.

> A few ideas:
> - the FORWARD queue must also allow new connections from the outside (-
> i ppp0) to 192.168.0.2 (because PREROUTING modifies the packet before
> FORWARD sees it, it's not 192.168.0.1 here)
> - 192.168.0.2 must have proper routes configured to answer back via the
> Router,
> - the router must allow that packets are leaving the 192.168.0/24 net
> to any address.
> - your configuration probably won't work when you're using conntrack
> for the forwarding rules at the moment. You may want to issue (see my
> first point, too):
> $IPTABLES -A FORWARD -i ppp0 -d 192.168.0.2 -p tcp --dport 80 -m state \
>     --state NEW,RELATED,ESTABLISHED -j ACCEPT
> 
> if you didn't already.
> 
> otherwise insert a few LOG rules and see what's going on. Are the
> packets hitting the web server?
It didn't work. I think so because when I type www.mydomain.com it
gives me the error "The requested URL could not be retrieved".

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,ESTABLISHED
DROP       all  --  anywhere             anywhere            state INVALID,NEW
LOG        all  --  anywhere             anywhere            LOG level warning prefix `Dropped outgoing: '
LOG        all  --  anywhere             anywhere            LOG level warning prefix `Dropped incoming: '
ACCEPT     tcp  --  anywhere             192.168.0.2         tcp dpt:www state NEW,RELATED,ESTABLISHED
-----

I have the following lines in the script for logging:
$IPTABLES -A FORWARD -i eth0 -o ppp0 -j LOG --log-prefix "Dropped outgoing: "
$IPTABLES -A FORWARD -i ppp0 -o eth0 -j LOG --log-prefix "Dropped incoming: "

But after I tried to access a web page, I found no info in
/var/log/messages on the router side.

I also have SQUID running.

The iptables script is as follows:
---------------------------------------------
#!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'
INTIF1='eth0'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

$IPTABLES -A FORWARD -i eth0 -o ppp0 -j LOG --log-prefix "Dropped outgoing: "
$IPTABLES -A FORWARD -i ppp0 -o eth0 -j LOG --log-prefix "Dropped incoming: "

$IPTABLES -A FORWARD -i ppp0 -d 192.168.0.2 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
---------------------------------------------------

askar

-- 
gentoo-user@gentoo.org mailing list
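The quoted advice (allow NEW connections from ppp0 to 192.168.0.2 in FORWARD) and the posted script both come down to one property of iptables: a chain is walked top to bottom and the first terminating target (ACCEPT or DROP) wins, while LOG is non-terminating and only records packets that actually reach it. The following is an added example, not part of the thread and not the poster's script: a small first-match simulator that replays the FORWARD chain in the order the posted script appends its rules, then the same five rules with the port-80 ACCEPT placed in front of the catch-all DROP. It models only the matches used in the thread (-i, -o, -d, -p, --dport, -m state --state), assumes a PREROUTING DNAT has already rewritten the destination to 192.168.0.2 before FORWARD sees the packet, and the incoming SYN is a constructed sample packet.

```python
"""First-match walk of an iptables FORWARD chain (illustration only).

Constructed example: models just the match options used in the thread
and ignores everything else iptables can do.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    in_if: str
    out_if: str
    dst: str
    proto: str
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    target: str  # ACCEPT, DROP or LOG
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None
    name: str = ""

    def matches(self, p: Packet) -> bool:
        # A field left at None is a wildcard, like omitting the option in iptables.
        return all([
            self.in_if is None or self.in_if == p.in_if,
            self.out_if is None or self.out_if == p.out_if,
            self.dst is None or self.dst == p.dst,
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
            self.states is None or p.state in self.states,
        ])


def walk_chain(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Return (verdict, names of LOG rules the packet reached).

    LOG does not end the walk; ACCEPT/DROP do; the chain policy applies
    when no terminating rule matches.
    """
    logged: List[str] = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged.append(rule.name)
            continue
        return rule.target, logged
    return policy, logged


# FORWARD chain in the order the posted script appends it.
POSTED_ORDER = [
    Rule("ACCEPT", in_if="eth0", out_if="ppp0", states={"NEW", "ESTABLISHED"}, name="lan-out"),
    Rule("DROP", in_if="ppp0", states={"NEW", "INVALID"}, name="drop-new-from-ext"),
    Rule("LOG", in_if="eth0", out_if="ppp0", name="Dropped outgoing: "),
    Rule("LOG", in_if="ppp0", out_if="eth0", name="Dropped incoming: "),
    Rule("ACCEPT", in_if="ppp0", dst="192.168.0.2", proto="tcp", dport=80,
         states={"NEW", "RELATED", "ESTABLISHED"}, name="dnat-web"),
]


def reordered(chain: List[Rule]) -> List[Rule]:
    """Same rules, but the port-80 ACCEPT is moved directly in front of the first DROP."""
    web = [r for r in chain if r.name == "dnat-web"]
    rest = [r for r in chain if r.name != "dnat-web"]
    idx = next(i for i, r in enumerate(rest) if r.target == "DROP")
    return rest[:idx] + web + rest[idx:]


# Constructed sample: the first SYN of a web request arriving on ppp0,
# already DNATed to the internal web server.
SYN_FROM_INTERNET = Packet("ppp0", "eth0", "192.168.0.2", "tcp", 80, "NEW")


def verdict_posted() -> Tuple[str, List[str]]:
    return walk_chain(POSTED_ORDER, SYN_FROM_INTERNET)


def verdict_fixed() -> Tuple[str, List[str]]:
    return walk_chain(reordered(POSTED_ORDER), SYN_FROM_INTERNET)


if __name__ == "__main__":
    print("posted order:", verdict_posted())  # ('DROP', [])
    print("fixed order: ", verdict_fixed())   # ('ACCEPT', [])
```

In the posted order the SYN is stopped by the `-i ppp0 --state NEW,INVALID -j DROP` rule, which sits above both LOG rules and above the port-80 ACCEPT, so nothing is logged and the connection never reaches the web server; that matches the empty /var/log/messages in the thread. With the ACCEPT inserted before the DROP the same packet is accepted, and the `--state ESTABLISHED` match on the first rule still lets the server's replies back out through ppp0. On a real router the equivalent change is to append the port-80 ACCEPT before the DROP line in the script (or use `-I FORWARD` with a position) and to check with `iptables -L FORWARD -v -n` that the rule counters for the ACCEPT, not the DROP, increase when a request arrives.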
