On Wed, 23 Jul 2003 13:31, L.V.Gandhi wrote:
> On Wednesday 23 Jul 2003 4:24 am, Sharrea wrote:
> > Disclaimer: I'm NO expert on iptables but I've been playing around with
> > these scripts lately too. If my advice here is incorrect, someone
> > please correct me.
>
> I was using the IP-masquerading HOWTO scripts. I have installed iptables on
> the gateway but disabled its daemon service. Then I installed the
> scripts given in the above HOWTO. It had a default policy of DROP for
> FORWARD, but below it had
>
>     ACCEPT all -- anywhere anywhere
>
> Still, when I pinged the ISP DNS, I was not successful. But after making the
> default policy ACCEPT for FORWARD, I could get connected and
> browse. Here I only need clarification on why the above line, almost equal
> to a default policy of ACCEPT, didn't allow me to ping the ISP DNS.
I think it depends on what rules follow after that one. If the packet is
accepted with the first rule, it is then checked against the next rule, then
the next, etc. until all rules have been traversed - unless one of the rules
applies that tells iptables to drop/reject the packet or jumps to another
rule/chain. Lastly (I think) it is checked against the default policy. I'm
not very good at explaining this, I know.

If you have a default policy of DROP on your INPUT chain, then you need to
specifically allow packets from wherever to whatever ip/port. There are
*many* ways of doing this. Examples:

------------------------------
IPTABLES="/sbin/iptables"
INET_IFACE="ppp0"
LAN_IFACE="eth0"

FOR DNS:

    $IPTABLES -A INPUT -p UDP -s 0/0 --sport 53 -j ACCEPT

will accept all UDP packets from anywhere with a source port of 53.

    $IPTABLES -A INPUT -p UDP -i $INET_IFACE --dport 53 -j ACCEPT

will accept all UDP packets that are input via your internet interface
(e.g. ppp0) and are destined for port 53.

    $IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 53 -j ACCEPT

will accept all UDP packets that are input via your LAN interface
(e.g. eth0) and are destined for port 53.

FOR PING:

    $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

will accept all ICMP packets of type 8 from anywhere.

    $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

will accept all ICMP packets of type 11 from anywhere.
---------------------------

***NOTE*** As I don't know how your script is written, the above rules may
not work for you with reference to the variables as shown.

Sharrea
-- 
Help Microsoft stamp out piracy - give Linux to a friend today
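The rules in the reply above are for the gateway's own INPUT chain, whereas a ping from a LAN host to the ISP DNS crosses the gateway's FORWARD chain (and needs NAT). The script below is an added example, not code from the thread or from the HOWTO, showing a FORWARD rule set that keeps the DROP policy and still lets LAN hosts resolve names and ping. The interface names, the LAN range and the log prefix are assumptions; the commands are only printed unless the script is run with --apply.

```shell
#!/bin/sh
# Added example (not from the original thread): FORWARD-chain rules for a
# masquerading gateway whose FORWARD policy is DROP. Interface names and the
# LAN range below are assumptions, not values taken from the thread.
IPTABLES="/sbin/iptables"
INET_IFACE="ppp0"          # assumed internet-facing interface
LAN_IFACE="eth0"           # assumed LAN interface
LAN_NET="192.168.1.0/24"   # constructed LAN range for the example

# Commands are printed (dry run) unless --apply is given, so the rule set
# can be reviewed first and the script can be read without root.
DRY_RUN=1
[ "${1:-}" = "--apply" ] && DRY_RUN=

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

forward_rules() {
    run $IPTABLES -P FORWARD DROP
    run $IPTABLES -F FORWARD
    # Replies to connections the LAN opened come back through FORWARD too;
    # without this rule the DNS answer and the ping reply are dropped.
    run $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS queries from the LAN to any resolver (the ISP DNS in the thread).
    run $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" \
        -p udp --dport 53 -j ACCEPT
    # Echo requests from the LAN; the echo reply matches the state rule.
    run $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" \
        -p icmp --icmp-type 8 -j ACCEPT
    # Log what the DROP policy is about to discard, rate-limited, so a
    # failing ping shows up in the kernel log instead of silently timing out.
    run $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG \
        --log-prefix "FORWARD-DROP: "
}

nat_rules() {
    # Masquerade LAN traffic leaving on the internet interface.
    run $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" \
        -j MASQUERADE
}

forward_rules
nat_rules
```

To see which interface and state matches a rule really carries (plain `iptables -L` hides them and shows only `ACCEPT all -- anywhere anywhere`), list the chain with `iptables -L FORWARD -v -n`.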