Hans-Werner Hilse wrote:
> Hi,
> 
> On Tue, 11 Sep 2007 18:50:52 +0200 Florian Philipp
> <[EMAIL PROTECTED]> wrote:
> 
>>> My suggestion for a proper setup would be
>>>
>>> $ iptables -F FORWARD
>>> $ iptables -P FORWARD DROP
> >>> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
> >>>   NEW,ESTABLISHED,RELATED -j ACCEPT
> >>> $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state \
> >>>   ESTABLISHED,RELATED -j ACCEPT
> >>> ...plus rules allowing for forwarding designated ports, if any
>>>
>>> You'll certainly want to keep this:
>>> $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
>>> in place, too.
>>>
>>> Note that this trusts any box connecting via eth0, not just a single
>>> client.
>> [...]
>> When I try to apply the rules you've posted I get:
>>
>> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
>> NEW,ESTABLISHED,RELATED -j ACCEPT
>>
>> iptables: No chain/target/match by that name
> 
> Hm, you do not seem to have your kernel configured for connection state
> matching.
> 
> Just start with basic rules:
> $ iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
> $ iptables -A FORWARD -o eth0 -i ppp0 -j ACCEPT
> 
> (instead of the "iptables -A" settings mentioned before)
> 
> But note that those would potentially allow inbound connections to get
> routed to any desired machine (desired by the party outside your
> network, that is). So make sure that either such requests aren't
> getting forwarded to your router (and this is most probably already the
> case for your setup -- DSL or cable, I guess?) or your LAN doesn't care
> (i.e. is secured). Most PPP endpoints, however, would drop such traffic
> anyway, so you should be secure if you trust your provider.
> 
> Basically I think this is what the Gentoo wiki guide *intended* to do.
> 
> -hwh

Now the kernel can handle connection state matching :)

I can apply your rules with one exception:
iptables -A POSTROUTING -o ppp0 -j MASQUERADE

The same error message as before.

I've enabled basically everything in the kernel's netfilter submenu that
can be compiled as a module, and since these modules were automatically
inserted when necessary, I don't know what the problem is right now.

I'll attach lsmod and the kernel config, just in case...

Oh, and I've still got 100% packet loss when trying to ping Google's IP
from anywhere but the router.


Module                  Size  Used by
xt_state                3136  0 
ipt_MASQUERADE          4096  3 
iptable_nat             8452  1 
nf_nat                 19884  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4      18640  2 iptable_nat
nf_conntrack           61980  5 xt_state,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter          3712  1 
ip_tables              19632  2 iptable_nat,iptable_filter
x_tables               20296  4 xt_state,ipt_MASQUERADE,iptable_nat,ip_tables
option                 11648  1 
usbserial              33968  3 option
b44                    28236  0 
sr_mod                 18020  0 
cdrom                  35944  1 sr_mod
sg                     26016  0 
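An added example, not code from anyone in this thread, that puts the stateful forwarding rules and the MASQUERADE rule together in one small script, assuming the interface names used above (LAN on eth0, uplink on ppp0) and that iptables and sysctl are in PATH. The MASQUERADE rule is written with `-t nat`, which the command that fails above lacks: POSTROUTING exists only in the nat and mangle tables, so without `-t nat` iptables looks for it in the default filter table and reports "No chain/target/match by that name" even though ipt_MASQUERADE and iptable_nat are loaded.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: LAN on eth0, uplink on
# ppp0 (names taken from the thread); iptables and sysctl are in PATH.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
IPT="${IPT:-iptables}"       # set IPT="echo iptables" for a dry run
SYSCTL="${SYSCTL:-sysctl}"   # likewise SYSCTL="echo sysctl"

# Emit the rule set, one command per line, in the order it must be applied.
# Forwarding is off by default in the kernel, so it is switched on first;
# then FORWARD is flushed and set to default-deny, LAN->uplink may open new
# connections, uplink->LAN only gets replies, and the nat table rewrites the
# source address of everything leaving via the uplink.
rules() {
    cat <<EOF
$SYSCTL -w net.ipv4.ip_forward=1
$IPT -F FORWARD
$IPT -P FORWARD DROP
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Count the rules that address the nat table. Exactly one is expected: the
# MASQUERADE rule, because POSTROUTING is not a chain of the filter table
# and omitting "-t nat" there is what produces the "No chain/target/match
# by that name" error.
nat_rule_count() {
    rules | grep -c -- ' -t nat '
}

# Run the rule set, stopping at the first command that fails, so a later
# rule never ends up applied on top of an earlier one that was rejected.
apply_rules() {
    rules | sh -e
}

# Only touch the live firewall when explicitly asked (APPLY=1 ./script.sh).
if [ "${APPLY:-}" = 1 ]; then
    apply_rules
fi
```

Run it with `IPT="echo iptables" SYSCTL="echo sysctl" APPLY=1` first to review the exact commands before letting it touch the router.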
