** Reply to message from James Austin <[EMAIL PROTECTED]> on Tue, 02 Apr 2002 23:31:40 +1000
> > My lan n/w is 192.168.1.0/24 (eth0 192.168.1.24) and
> > internet iface has ip address 172.16.1.111 which is connected to
> > router.
> > A windows m/c which is behind the firewall has ip address
> > 192.168.1.135 & windows m/c
> > outside the firewall has ip address 172.16.1.100. I've set
> > the below rules in the firewall m/c.
> >
> > /sbin/iptables -A FORWARD -o eth0 -p all -s 192.168.1.135/255.255.255.255 -j ACCEPT
> > /sbin/iptables -t nat -A POSTROUTING -o eth0 -p all -d 0/0 -j SNAT --to 172.16.1.111
> >
> > I'm getting an error in MSN Messenger from the m/c outside the firewall
> > as
>
> If you play it safe and DROP all packets you will need the following
> rules
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> Firstly you need to set up masquerading on the internal LAN
>
> iptables -t nat -A POSTROUTING -o $OUT_IF -j SNAT --to-source $OUT_IP
>
> You will need to allow specific packets on the INPUT / OUTPUT and
> FORWARD chains
>
> iptables -A OUTPUT -p ALL -s $LAN -j ACCEPT
> iptables -A OUTPUT -p ALL -s $LO -j ACCEPT
> iptables -A OUTPUT -p ALL -s $EX_IP -j ACCEPT
>
> iptables -A FORWARD -i $IN_IF -j ACCEPT
>
> iptables -A INPUT -p ALL -i lo -j ACCEPT
> iptables -A INPUT -p ALL -i $IN_IF -j ACCEPT
> iptables -A INPUT -p ALL -i $EX_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> This should get you a usable packet filter. I use a similar setup here
> with great success with IM.

Note that netfilter defaults to -p ALL if the protocol switch is left off, so you can pare this down even more.

jb

-- 
Jack Bowling
mailto: [EMAIL PROTECTED]
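The DROP-by-default NAT ruleset James describes, written out as a script, as an added example that is not part of the thread and not either poster's own configuration. Interface names (eth0 for the LAN, eth1 toward the router) and the addresses are assumptions taken from the original poster's description; the `-m state` match is assumed to be available. Jack's point is applied throughout: `-p ALL` is the default and is omitted. Two things a practitioner wants that the quoted rules do not show are added: the POSTROUTING SNAT hangs off the interface that faces the router, and, because FORWARD is set to DROP, replies arriving on that interface for LAN hosts get an explicit ESTABLISHED,RELATED accept (without it, return traffic for forwarded connections is dropped). The script prints the ruleset by default and only applies it after a sanity check, so it can be reviewed before a live box is touched.

```shell
#!/bin/sh
# Added example: DROP-by-default packet filter with SNAT for a small LAN,
# in the shape described in the thread. Interface names and addresses are
# assumptions; adjust them for your own box.

IN_IF=${IN_IF:-eth0}              # LAN side (192.168.1.0/24 in the thread)
EX_IF=${EX_IF:-eth1}              # side facing the router (assumed name)
LAN=${LAN:-192.168.1.0/24}
EX_IP=${EX_IP:-172.16.1.111}
IPT=${IPT:-/sbin/iptables}

# Emit the ruleset as text rather than applying it straight away, so it can
# be read, diffed against `iptables-save`, or fed to a dry run.
# "-p ALL" is the default and is left off everywhere.
build_rules() {
cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -A POSTROUTING -o $EX_IF -s $LAN -j SNAT --to-source $EX_IP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $IN_IF -s $LAN -j ACCEPT
$IPT -A INPUT -i $EX_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -s $LAN -j ACCEPT
$IPT -A OUTPUT -s $EX_IP -j ACCEPT
$IPT -A FORWARD -i $IN_IF -o $EX_IF -s $LAN -j ACCEPT
$IPT -A FORWARD -i $EX_IF -o $IN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity checks on the generated ruleset, run before anything is applied.
check_rules() {
    rules=$(build_rules)
    # SNAT must be attached to the interface facing the router, not the LAN.
    echo "$rules" | grep -q -- "POSTROUTING -o $EX_IF .* -j SNAT" || return 1
    # With FORWARD at DROP, replies coming back in on the external interface
    # need an explicit ESTABLISHED,RELATED accept or the connection stalls.
    echo "$rules" | grep -q -- "FORWARD -i $EX_IF .*ESTABLISHED,RELATED" || return 1
    # Never forward unsolicited traffic from the external side into the LAN.
    if echo "$rules" | grep -q -- "FORWARD -i $EX_IF -o $IN_IF -j ACCEPT"; then
        return 1
    fi
    return 0
}

# Apply the ruleset (needs root), enabling forwarding first.
apply_rules() {
    check_rules || { echo "ruleset failed sanity checks, not applied" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | sh -e
}

# Usage: sh fw.sh show    (print the rules)
#        sh fw.sh apply   (check, then load them)
case "${1:-show}" in
    show)  build_rules ;;
    apply) apply_rules ;;
esac
```

Run it with `show` first and compare the output against what `iptables-save` reports after `apply`; the generated text is the thing to keep under version control, not the live tables.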
