> $iptables -P INPUT ACCEPT
> $iptables -P OUTPUT ACCEPT
> $iptables -P FORWARD ACCEPT
>
> $iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.1.0/24 -j MASQUERADE
> $iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
>
> $iptables -A INPUT -d 0/0 -p tcp -j DROP
> $iptables -A INPUT -d 0/0 -p udp -j DROP
> $iptables -A INPUT -d 0/0 -p icmp -j DROP
>
>
> Thanks!
> Kevin

How about:

ipt -P INPUT DROP
ipt -P OUTPUT ACCEPT
ipt -P FORWARD DROP
ipt -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to ex.ip
ipt -A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -o eth1 -j ACCEPT
ipt -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Also, for this to work you need the conntrack module; for ftp and irc dcc you need the proper conntrack helper modules loaded, as such:

modprobe ip_conntrack
modprobe iptable_nat

The above two will probably load on their own when you issue the iptables commands.

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

I advise you to use those as modules, not compiled into the kernel, to let yourself supply additional parameters to the modules.

This way you are using iptables technology; otherwise, writing a script like you did makes no difference between iptables and ipchains. This allows you to work on your router, initiate new connections and let them back in, and the same goes for NAT'ed connections from your LAN.

Of course, if you feel more confident using the MASQUERADE target, do so. But please read up on SNAT/DNAT - it is really powerful.

Best of luck,
Maciej Soltysiak
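The stateful SNAT ruleset from the reply above, assembled into one script as an added example; this is not Kevin's or Maciej's code. It emits the rules in iptables-restore format (so the whole set is loaded atomically rather than rule by rule), loads the conntrack and FTP helper modules named in the reply, and turns on IP forwarding, which neither post mentions but which the router needs for any FORWARD traffic at all. Two additions beyond the reply are labelled in the comments: an ACCEPT for loopback on INPUT (a DROP policy would otherwise cut off local services) and the ip_forward sysctl. The interface names eth0/eth1, the LAN 192.168.1.0/24 and the address 203.0.113.1 standing in for "ex.ip" are assumptions, as is the `--to-source` spelling of the SNAT option (the reply's `--to` is the abbreviated form of the same option).

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumptions: eth0 = external interface, eth1 = LAN interface,
# 192.168.1.0/24 = LAN, 203.0.113.1 = the router's external address ("ex.ip").

# Print the ruleset in iptables-restore format.
# Policies are DROP on INPUT and FORWARD; only state-tracked traffic gets back in.
gen_ruleset() {
    ext_if=$1; lan_if=$2; lan_net=$3; ext_ip=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext_if -s $lan_net -j SNAT --to-source $ext_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -i $ext_if -o $lan_if -j ACCEPT
-A FORWARD -m state --state NEW -i $lan_if -j ACCEPT
COMMIT
EOF
}

# Load conntrack, NAT and the FTP helper modules (names as given in the reply).
load_modules() {
    for m in ip_conntrack iptable_nat ip_conntrack_ftp ip_nat_ftp; do
        modprobe "$m" || return 1
    done
}

# Apply the ruleset atomically and enable forwarding (added step, not in the reply).
apply_ruleset() {
    load_modules
    gen_ruleset "$@" | iptables-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only touch the kernel when run as root with "apply"; otherwise print for review.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    apply_ruleset eth0 eth1 192.168.1.0/24 203.0.113.1
else
    gen_ruleset eth0 eth1 192.168.1.0/24 203.0.113.1
fi
```

Run it without arguments first and read the output; then `sh script.sh apply` as root. Because the INPUT policy is DROP and only ESTABLISHED,RELATED replies are accepted, any service the router itself must offer (SSH from the LAN, for instance) needs its own `-A INPUT ... --state NEW` rule before the script is useful on a remote box.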
