LinuxQuestions.org

Linux - Networking: Routing via Iptables won't work (https://www.linuxquestions.org/questions/linux-networking-3/routing-via-iptables-won%B4t-work-790980/)

tiuz 02-23-2010 05:49 AM

Routing via Iptables won't work
 
Hello,

I have set up a Linux box running a DHCP and DNS server for the internal LAN, to work as router/gateway for the LAN.

The box has two network interfaces (eth0, connected to the LAN, and eth1, directly connected to the ADSL modem). The internet connection is initiated with pptp and, once the connection is established, it's reachable via ppp0.

I have then set up these iptables rules, but for some reason forwarding to the internal LAN won't work. I get the correct IPs and so on, but nothing comes back from the router and I have no idea why.

# EXTERNAL=eth1 directly connected to ADSL-Modem
# INTERNAL=eth0
# Internet=ppp0 after initiating the connection with pptp
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -p all -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p all -s localhost -i ppp0 -j DROP
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT

So everything from the internet should be blocked except the connections initiated by one of the boxes on the LAN (and of course the router), and everything from the internal net to the router should be accepted.

Thanks for any hints / help.

tiuz

smoker 02-23-2010 06:08 AM

iptables -A INPUT -p all -s localhost -i ppp0 -j DROP

What are you trying to do with that line ?
It looks like any input that comes from localhost via the interface ppp0 is dropped.
How can that be ? How can a packet be sourced from localhost but come in through ppp0 ? Surely in the best case that drops all packets coming in from the world.

http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

http://www.netfilter.org/documentati...T-HOWTO-8.html

http://www.netfilter.org/documentati...O-4.html#ss4.1

tiuz 02-23-2010 08:21 AM

> iptables -A INPUT -p all -s localhost -i ppp0 -j DROP

Taken from

http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

Section:

Adding more security rules to your gateway:

I can't remember everything on that since it's been ages since I last set up a FW via iptables, but I guess it's something to do with "spoofing".

> What are you trying to do with that line ?
> It looks like any input that comes from localhost via the interface ppp0 is dropped.
> How can that be ? How can a packet be sourced from localhost but come in through ppp0 ? Surely in the best case that drops all packets coming in from the world.
>
> http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html
>
> http://www.netfilter.org/documentati...T-HOWTO-8.html
>
> http://www.netfilter.org/documentati...O-4.html#ss4.1

Thanks !!

smoker 02-23-2010 09:15 AM

Ok, I see now.

How about your last line :

iptables -A FORWARD -i eth0 -j ACCEPT

shouldn't there be a -o option too ?

iptables -A FORWARD -o eth0 -j ACCEPT

and perhaps put both those lines before the :

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

?

http://www.redhat.com/docs/manuals/e...l-ipt-fwd.html
and the page that follows it.

regards

Alan
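A small model of the filter FORWARD chain, added here as an illustration (not code from the thread, from iptables or from the tutorials linked above): a toy parser reads the rules quoted in this thread, and three constructed packets are run through the original ruleset, through the "-o eth0 -j ACCEPT" rule suggested above, and through a stateful variant I have added that only admits replies to connections a LAN host opened.

```python
import shlex

def parse_rule(line):
    """Parse the subset of iptables syntax used in this thread into a match dict."""
    args = shlex.split(line)
    rule = {"in": None, "out": None, "states": None, "target": None}
    i = 0
    while i < len(args):
        if args[i] == "-i":
            rule["in"] = args[i + 1]
        elif args[i] == "-o":
            rule["out"] = args[i + 1]
        elif args[i] == "--state":
            rule["states"] = set(args[i + 1].split(","))
        elif args[i] == "-j":
            rule["target"] = args[i + 1]
        i += 1  # tokens like -A, FORWARD, -m, state, -p, all carry no match here
    return rule

def forward_verdict(rules, pkt, policy="DROP"):
    """First matching rule in the chain wins; with no match the chain policy applies."""
    for r in rules:
        if r["in"] and r["in"] != pkt["in"]:
            continue
        if r["out"] and r["out"] != pkt["out"]:
            continue
        if r["states"] and pkt["state"] not in r["states"]:
            continue
        return r["target"]
    return policy

# FORWARD rule from the original post, the unconditional return rule suggested
# in the thread, and a stateful alternative (my addition, not from the thread).
ORIGINAL = [parse_rule("iptables -A FORWARD -i eth0 -j ACCEPT")]
OPEN_RETURN = ORIGINAL + [parse_rule("iptables -A FORWARD -o eth0 -j ACCEPT")]
STATEFUL = ORIGINAL + [parse_rule(
    "iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT")]

# Constructed packets, classified the way conntrack would see them on the gateway.
LAN_SYN = {"in": "eth0", "out": "ppp0", "state": "NEW"}        # LAN host -> internet
REPLY = {"in": "ppp0", "out": "eth0", "state": "ESTABLISHED"}  # the answer coming back
UNSOLICITED = {"in": "ppp0", "out": "eth0", "state": "NEW"}    # nobody on the LAN asked

def compare():
    """Verdicts (LAN_SYN, REPLY, UNSOLICITED) per ruleset; the original drops the reply."""
    sets = (("original", ORIGINAL), ("open_return", OPEN_RETURN), ("stateful", STATEFUL))
    return {name: tuple(forward_verdict(rules, p) for p in (LAN_SYN, REPLY, UNSOLICITED))
            for name, rules in sets}

if __name__ == "__main__":
    for name, v in compare().items():
        print(f"{name:12s} LAN->net {v[0]:7s} reply {v[1]:7s} unsolicited {v[2]}")
```

The model ignores the nat table on purpose: MASQUERADE in POSTROUTING runs separately from the filter FORWARD chain, and net.ipv4.ip_forward must be enabled before either rule forwards anything.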

tiuz 02-23-2010 02:21 PM

Ahh YES ! That was the trick :-)

Thanks very much !!

Perhaps I should save the config file this time :-)

smoker 02-23-2010 05:27 PM

No worries,

please understand I am learning just as much as you are here.
I am no guru, but I like a nice problem.
Luckily I have the time to find these things out at the moment.

I'm as pleased as you are.

Glad I could help.

regards

Alan

ps. did you put those lines before the masquerade line in the end ?
