- To: tlug@example.com
- Subject: Re: [tlug] IP masquerading problem
- From: Ray Mancy <0721265801@example.com>
- Date: Thu, 04 Apr 2002 22:41:54 -0800
- Content-transfer-encoding: 7bit
- Content-type: text/plain; charset=us-ascii; format=flowed
- References: <000901c1dbbb$46594f70$1500a8c0@example.com> <000001c1dd11$3c055710$1500a8c0@example.com> <3CAD3350.5040608@example.com> <20020405150619.25027f8b.gstewart@example.com>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
Cheers, I did actually try taking the $IPTABLES -P FORWARD DROP out of it, but it didn't make a difference; I guess I had to add the other lines.

Thanks again,
Ray

Godwin Stewart wrote:
> On Thu, 04 Apr 2002 21:17:04 -0800, Ray Mancy <0721265801@example.com>
> wrote to tlug@example.com:
>
>> #!/bin/sh
>> IPTABLES=/usr/local/sbin/iptables
>> EXTIF="eth1"
>> INTIF="eth0"
>> $IPTABLES -P FORWARD DROP
>> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.1.3 -j MASQUERADE
>> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
>> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
>
> You're dropping everything going through the FORWARD chain of the filter
> table. Your default destination is "DROP" and on top of that you're DROPping
> stuff coming from the outside which is new. You should explicitly allow
> everything else you want FORWARDed, like:
>
> $IPTABLES -A FORWARD -i $EXTIF -p tcp --sport 80 -j ACCEPT
> $IPTABLES -A FORWARD -o $EXTIF -p tcp --dport 80 -j ACCEPT
>
> ...if you want to allow http traffic through the box, or
>
> $IPTABLES -A FORWARD -i $EXTIF -p udp --sport 53 -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -p tcp --sport 53 -j ACCEPT
> $IPTABLES -A FORWARD -o $EXTIF -p udp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -o $EXTIF -p tcp --dport 53 -j ACCEPT
>
> ...if you want to allow other boxes to do DNS.
>
> Same rules apply to ports 25 for smtp, 110 for pop3, 443 for https, 22 for
> ssh etc...
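The script below is an added example, not part of Ray's or Godwin's messages. It keeps the FORWARD policy at DROP as in Ray's script, but adds the two ACCEPT rules the quoted script was missing: LAN hosts may open NEW connections outbound through the external interface, and only ESTABLISHED or RELATED replies may come back in. It uses connection-tracking state for that instead of per-port `--sport` rules, because a rule that accepts on source port alone also accepts any unsolicited packet an outside host chooses to send from that port. The interface names, the LAN prefix `192.168.1.0/24` (Ray masqueraded the single host 192.168.1.3), and the `IPTABLES=echo` dry-run convention are assumptions of this example. The rule generator is a function so the ruleset can be reviewed before it is applied; applying it needs root and an iptables with the `state` match.

```shell
#!/bin/sh
# Added example (not the original poster's script): a masquerading ruleset
# that keeps "-P FORWARD DROP" but explicitly accepts the two directions of
# traffic the LAN needs. Set IPTABLES=echo to dry-run without root.

IPTABLES="${IPTABLES:-/usr/local/sbin/iptables}"
EXTIF="${EXTIF:-eth1}"                 # assumed: outside interface
INTIF="${INTIF:-eth0}"                 # assumed: LAN interface
LAN="${LAN:-192.168.1.0/24}"           # assumed LAN prefix

# Emit the rule arguments one per line, without executing anything,
# so the set can be read or diffed before it is loaded.
masq_rules() {
    cat <<EOF
-P FORWARD DROP
-t nat -A POSTROUTING -o $EXTIF -s $LAN -j MASQUERADE
-A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
-A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
-A FORWARD -i $INTIF -o $EXTIF -s $LAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF -d $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of FORWARD rules that ACCEPT something. The quoted script had
# zero, which with a DROP policy means nothing is ever forwarded.
forward_accept_count() {
    masq_rules | grep -c -- '-A FORWARD .* -j ACCEPT'
}

# Feed each rule to the iptables binary (or to "echo" for a dry run).
# Word splitting of $rule is intentional here.
apply_rules() {
    masq_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPTABLES $rule || return 1
    done
}

# Usage: "IPTABLES=echo sh masq.sh apply" prints the rules;
#        "sh masq.sh apply" as root loads them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

The order matters: the NEW,INVALID drop on the external interface comes before the ESTABLISHED,RELATED accept, so an inbound packet has to belong to a connection the LAN initiated before it can reach a host behind the box.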