First (and I learned this the hard way), don't muck about with your 
/etc/sysconfig/iptables file.

You should have an actual script, in which you can add/remove rules to 
test, and then save them if they work.

The numbers in brackets are thresholds for accepting/dropping connections.  
Why those numbers are so high, I couldn't tell you.  Mine are all 0:0.

In the script that you'll use to actually generate the firewall (and then 
save it later via "service iptables save"), you should make sure you have:

Now, on to the first question...you want to set up masquerading, in order 
to get your internal systems to properly get out to the net, but not be 
seen, on their own, like so:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

On Tue, 13 Aug 2002 [EMAIL PROTECTED] wrote:

> Hi guys:
> 
> Could someone please help me out troubleshooting my iptables rules ?
> 
> Believe me, I'd love to know much more of iptables to do it myself.  :(
> 
> Apart of the current rules, I want to allow any internal machine to open any
> tcp ports or service in the internet.
> 
> Our internal interface is eth1
> Our public interface is eth0
> 
> By the way, who knows what these numbers in [] brackets are for ?
> 
> 
> All I have is the following basics:
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> # Generated by iptables-save v1.2.5 on Wed Jul 31 13:56:40 2002
> *mangle
> :PREROUTING ACCEPT [25730:10309361]
> :INPUT ACCEPT [319427:167805465]
> :FORWARD ACCEPT [51299:15977485]
> :OUTPUT ACCEPT [28110:10309728]
> :POSTROUTING ACCEPT [383968:180518409]
> COMMIT
> # Completed on Wed Jul 31 13:56:40 2002
> # Generated by iptables-save v1.2.5 on Wed Jul 31 13:56:40 2002
> *nat
> :PREROUTING ACCEPT [791:51072]
> :POSTROUTING ACCEPT [278:16981]
> :OUTPUT ACCEPT [245:15293]
> [1:60] -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination x.x.x.x
> [0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x
> COMMIT
> # Completed on Wed Jul 31 13:56:40 2002
> # Generated by iptables-save v1.2.5 on Wed Jul 31 13:56:40 2002
> *filter
> :INPUT DROP [455:36384]
> :FORWARD ACCEPT [93:4714]
> :OUTPUT ACCEPT [22539:7732428]
> [102:7920] -A INPUT -i lo -j ACCEPT 
> [22800:10072493] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
> [279:24256] -A INPUT -i eth1 -m state --state NEW -j ACCEPT 
> COMMIT
> # Completed on Wed Jul 31 13:56:40 2002
-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
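An added example, not from either message in the thread, of the approach the reply recommends: one script that builds the whole ruleset (the MASQUERADE rule for outbound traffic, plus forwarding for the two DNAT'd services) and can be re-run until it works. Interface names follow the question; the internal server address is a placeholder for the x.x.x.x in the original, and the script only prints the iptables commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): build the firewall from a script,
# as the reply suggests, instead of editing /etc/sysconfig/iptables.
# Interface names follow the question; the DNAT target is a placeholder.
# Dry run by default: prints the commands. APPLY=1 really runs iptables.
WAN=eth0                 # public interface
LAN=eth1                 # internal interface
SERVER=192.168.1.10      # placeholder for the x.x.x.x DNAT target

run() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

build_rules() {
    # Clean slate so re-running the script is repeatable.
    run -F; run -t nat -F; run -X
    # Default deny for traffic to and through the box; the box itself may go out.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Traffic addressed to the firewall itself.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$LAN" -m state --state NEW -j ACCEPT

    # Internal machines may open any TCP (or other) connection outward;
    # from the Internet side only replies to those connections get through.
    run -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Published services: DNAT in nat/PREROUTING; the packet is then
    # forwarded, not delivered locally, so it is FORWARD (not INPUT) that
    # must admit it once FORWARD defaults to DROP.
    for port in 80 110; do
        run -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" -j DNAT --to-destination "$SERVER"
        run -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$SERVER" --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Hide the internal addresses behind the public interface's address.
    run -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

if [ "${APPLY:-0}" = 1 ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
build_rules
# Once the rules behave, persist them with "service iptables save" (Red Hat).
```

Run it plainly to review the generated commands; run it as root with APPLY=1 to load them, and only then save.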