On Wednesday 15 May 2002 12:56 am, PAUL WILLIAMSON wrote:
> Ok, here are my rules...
>
> #First, flush all
> iptables -F
>
> iptables -A INPUT -i lo -p all -j ACCEPT
> iptables -A OUTPUT -o lo -p all -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
> iptables -A INPUT -p tcp -i eth0 --dport 23 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 --dport 23 -j ACCEPT
> iptables -A INPUT -p tcp -i eth1 --dport 23 -j ACCEPT
> iptables -A INPUT -p udp -i eth1 --dport 23 -j ACCEPT
> iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT
> iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT
> iptables -P INPUT DROP
> iptables -A OUTPUT -p icmp -d 0/0 -j DROP
>
> # NAT section
> modprobe iptable_nat
>
> # In the NAT table (-t nat), append a rule (-A) after routing
> # (POSTROUTING) for all packets going out eth0 (-o eth0) which
> # says to MASQUERADE the connection (-j MASQUERADE)
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> # Turn on IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # end of iptables config
Why don't I see anything here referring to the FORWARD chain?

I know you're using the firewall as a DNS proxy, so that only needs INPUT and OUTPUT rules, but one of your requirements was: "I'd like anything sourced from inside to be able to get outside."

Which tells me you should have some rules for FORWARDing packets between inside and outside?

You're not getting confused by the difference between IPchains and IPtables, are you, where packets going through an IPchains machine traverse all three INPUT, FORWARD and OUTPUT chains, whereas with IPtables they only go through the FORWARD chain?

Just a thought.....

Antony.
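Added example, not from either poster: the FORWARD-chain rules that would cover the "inside to outside" requirement for the quoted layout, plus a small check for the gap Antony describes (ip_forward switched on while the script never touches FORWARD). It assumes eth1 is the inside interface and eth0 the outside one (as the MASQUERADE rule on -o eth0 implies), and it prints the iptables commands instead of applying them unless IPT=iptables is set in the environment.

```shell
#!/bin/sh
# Added example; not part of the original thread.
# IPT defaults to "echo iptables" (dry run). Run with IPT=iptables as root to apply.
# Interface names are assumptions taken from the quoted script.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"   # inside
WAN_IF="${WAN_IF:-eth0}"   # outside (the interface MASQUERADE is applied on)

# Forwarded packets traverse only the FORWARD chain under iptables, so the
# inside-to-outside requirement has to be expressed here, not in INPUT/OUTPUT.
forward_rules() {
    # Default policy: forward nothing unless a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Inside -> outside: the LAN may open new connections and keep using them.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Outside -> inside: only replies to connections the LAN opened.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# check_forwarding: read a firewall script on stdin and fail (return 1) when it
# enables ip_forward but contains no FORWARD-chain rule or policy at all.
check_forwarding() {
    script=$(cat)
    if printf '%s\n' "$script" | grep -q 'ip_forward' &&
       ! printf '%s\n' "$script" | grep -E -q -- '-(A|I|P) FORWARD'; then
        echo "WARNING: ip_forward is enabled but the script has no FORWARD rules" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: print the rules, then check the quoted script's shape
# (constructed two-line stand-in for it) and the corrected one.
forward_rules
printf 'iptables -P INPUT DROP\necho 1 > /proc/sys/net/ipv4/ip_forward\n' \
    | check_forwarding || echo "quoted script: forwarding gap found"
{ forward_rules; printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'; } \
    | check_forwarding && echo "corrected script: FORWARD rules present"
```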
