Hi, On Tue, 11 Sep 2007 17:30:51 +0200 Florian Philipp <[EMAIL PROTECTED]> wrote:
> > Hm, OK. This:
> >
> > ----snip----
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  10.8.0.1             anywhere
> > ACCEPT     all  --  anywhere             10.8.0.1
> > DROP       all  --  !10.8.0.1            anywhere
> > ----snip----
> >
> > is on what computer? On the "server" (I guess it's the router) the
> > last line would effectively prevent routing for the client (but I
> > don't know why ICMP works...). I would suggest starting without it
> > and then setting up proper rules -- and then setting the chain's
> > policy to DROP (plus some REJECT rules for proper answers).
>
> I followed the howto's nomenclature of "server" and "client".
> I'm a bit puzzled right now. Is there anything essentially wrong with
> the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed
> it word by word.
> The drop rule is explained as "#prevent others ip from conecting to
> my eth0"

Hm, judging from the fact that the article on Routing uses a "Client" and "Server" nomenclature, I consider the article to be at least partly crap ;-)

And yes, that guide really seems to be a bunch of BS (sorry, but that's the way it seems to be). It is outright horrible. Personally I hate discussing on Wikis' Discussion Pages, so, no, I won't correct it (but looking at its discussion page, others considered it bad, too, and are planning to correct/delete it).

That iptables setup is absolutely stupid. It accepts packets from and to the machine itself (note that 10.8.0.1 is the router's IP), but will drop any packet not originating from 10.8.0.1. The latter is true for all packets originating from the client (since it has the address 10.8.0.2). So all the client's communication is dropped, and that's it, end of story.

Better have a look at netfilter's set of HOWTOs, especially the NAT howto. Better learn what you're doing... Otherwise, just take the hints from my previous posting.
My suggestion for a proper setup would be

$ iptables -F FORWARD
$ iptables -P FORWARD DROP
$ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

...plus rules allowing for forwarding designated ports, if any.

You'll certainly want to keep this:

$ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

in place, too. Note that this trusts any box connecting via eth0, not just a single client.

-hwh
-- 
[EMAIL PROTECTED] mailing list
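To make the difference between the two rulesets concrete, here is an added example (not part of this thread, and not iptables itself): a small Python model of first-match evaluation in a FORWARD chain. It runs the howto's three rules with policy ACCEPT, and the stateful ruleset from the reply with policy DROP, over three constructed packets: the client's outbound connection, the legitimate reply, and an unsolicited inbound connection. Interface names (eth0 as LAN, ppp0 as uplink), the remote address 198.51.100.10 and the conntrack states on the packets are assumptions chosen for the illustration. The model evaluates FORWARD before POSTROUTING, so the client's packets still carry source 10.8.0.2 when the chain sees them, which is exactly why the howto's "!10.8.0.1 DROP" rule catches them.

```python
"""Toy first-match model of an iptables FORWARD chain (illustration only)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str
    src: Optional[str] = None          # "!10.8.0.1" means "not 10.8.0.1"
    dst: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, p: Packet) -> bool:
        return (_addr_match(self.src, p.src)
                and _addr_match(self.dst, p.dst)
                and (self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.states is None or p.state in self.states))


def _addr_match(spec: Optional[str], addr: str) -> bool:
    """None matches anything; a leading '!' negates the comparison."""
    if spec is None:
        return True
    if spec.startswith("!"):
        return addr != spec[1:]
    return addr == spec


def evaluate(rules: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule decides; the chain policy applies if none match."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


# The howto's chain, as quoted in the thread (policy ACCEPT).
HOWTO_RULES = [
    Rule("ACCEPT", src="10.8.0.1"),
    Rule("ACCEPT", dst="10.8.0.1"),
    Rule("DROP", src="!10.8.0.1"),
]
HOWTO_POLICY = "ACCEPT"

# The stateful chain suggested in the reply (policy DROP).
ANY_STATE = frozenset({"NEW", "ESTABLISHED", "RELATED"})
REPLY_ONLY = frozenset({"ESTABLISHED", "RELATED"})
STATEFUL_RULES = [
    Rule("ACCEPT", in_if="eth0", out_if="ppp0", states=ANY_STATE),
    Rule("ACCEPT", in_if="ppp0", out_if="eth0", states=REPLY_ONLY),
]
STATEFUL_POLICY = "DROP"

# Constructed sample traffic. 198.51.100.10 is a documentation address
# standing in for some host on the Internet (assumption).
PACKETS: Dict[str, Packet] = {
    "client_out": Packet("10.8.0.2", "198.51.100.10", "eth0", "ppp0", "NEW"),
    "reply_in": Packet("198.51.100.10", "10.8.0.2", "ppp0", "eth0", "ESTABLISHED"),
    "unsolicited_in": Packet("198.51.100.10", "10.8.0.2", "ppp0", "eth0", "NEW"),
}


def howto_verdicts() -> Dict[str, str]:
    """Every client packet hits the '!10.8.0.1' rule: all dropped."""
    return {n: evaluate(HOWTO_RULES, HOWTO_POLICY, p) for n, p in PACKETS.items()}


def stateful_verdicts() -> Dict[str, str]:
    """LAN may initiate, replies come back, unsolicited inbound hits the DROP policy."""
    return {n: evaluate(STATEFUL_RULES, STATEFUL_POLICY, p) for n, p in PACKETS.items()}


if __name__ == "__main__":
    for label, fn in (("howto", howto_verdicts), ("stateful", stateful_verdicts)):
        print(label, fn())
```

Running it shows the howto ruleset dropping all three packets, including the client's own outbound traffic, while the stateful ruleset accepts the client's connection and its reply but still drops the unsolicited inbound attempt. The model deliberately ignores the nat table; MASQUERADE rewrites the source only after FORWARD has already made its decision.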