Re: iptables problem (two network interfaces)

From: Nuno Paquete (nmp_at_ispgaya.pt)
Date: 07/04/04

Next message: James Knott: "Re: Reserving IP when DHCP is used"
Previous message: Klaus Kreil: "Re: weird name resolution problem w/ bind"
In reply to: crowl: "iptables problem (two network interfaces)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Sun, 04 Jul 2004 12:22:29 +0100

> iptables -t nat -F

You don't need this. "iptables -F" do what you want.

> # *** INPUT ***
> # no internet connection with a local ip!
> iptables -A INPUT -i $IFACE_EXT -s 10.0.0.0/8 -j DROP
> iptables -A INPUT -i $IFACE_EXT -s 172.16.0.0/16 -j DROP

You forgot "iptables -A INPUT -i $IFACE_EXT -s 192.168.0.0/24 -j DROP"

> # *** FORWARD ***
>
> # intranet -> internet allow all
> iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -j ACCEPT

You don't need to do that. Just do:
"iptables -A FORWARD -i $IFACE_INT -j ACCEPT"
The firewall knows that if it have to forward a packet from $IFACE_INT, it
knows that it have to be to $IFACE_EXT

> # internet -> intranet only if for established connection
> iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state \
> --state ESTABLISHED,RELATED -j ACCEPT

You don't need that. Just need this:
iptables -A FORWARD -m state \
--state ESTABLISHED,RELATED -j ACCEPT

To give your internal hosts permission to ping external hosts, append this
rules:

iptables -A OUTPUT -m state --state NEW -p icmp --icmp-type echo-request -j
ACCEPT
iptables -A FORWARD -m state --state NEW -i $IFACE_INT -p icmp --icmp-type
echo-request -j ACCEPT

I hope this could help.

Nuno Paquete.

Next message: James Knott: "Re: Reserving IP when DHCP is used"
Previous message: Klaus Kreil: "Re: weird name resolution problem w/ bind"
In reply to: crowl: "iptables problem (two network interfaces)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages

Re: Newbie... with questions
... > The win2k box is connected via a wireless access point. ... So are you trying to share the internet connection on the linux box with ... "man iptables" is somewhere to start. ... > I'm looking forward to becoming a linux convert. ...
(linux.redhat)
Re: Linux Forums unreachable.
... iptables -P INPUT ACCEPT ... If those 4 commands broke your internet connection, ... Later, Ray Parrish ...
(Ubuntu)
Re: How do i Re-direct specific http request to another gateway
... > 2nd Machine linux with internet connection and dynamic ip is configured ... > Is there any configuration available with squid or iptables, ... the squid traffic from 2nd one is correctly routed ...
(comp.os.linux.networking)
Re: decrypting iptables?
... I used to set mine using a script, with a pile of iptables commands. ...
(Fedora)