LinuxQuestions.org

Linux - Security: Another iptables nat configuration question (https://www.linuxquestions.org/questions/linux-security-4/another-iptables-nat-configuration-question-864348/)

3a2roub 02-22-2011 01:28 PM

Another iptables nat configuration question
 
Hello, I have this script for my CentOS NAT gateway. net.ipv4.ip_forward is set to 1 in sysctl.conf. I need to grant internet access through my gateway to the IPs I choose, and only mail access (ports 25, 110) for other IPs. It goes like this:

Code:

#!/bin/sh
ipt=/sbin/iptables
debug=               # set to "echo" to print the flush commands instead of running them
extip=192.168.1.70   # your internet-facing (external) address - eth1
lan=192.168.100.0/24 # your LAN - eth0
# Flush, delete and zero every chain in every loaded table
tables=`cat /proc/net/ip_tables_names`
for i in $tables; do
 $debug $ipt -t $i -F
 $debug $ipt -t $i -X
 $debug $ipt -t $i -Z
done
# Default-deny for traffic to the gateway and through it; OUTPUT stays ACCEPT
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
# Masquerade everything leaving on eth1 as the external address
$ipt -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $extip
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i eth0 -s $lan -j ACCEPT
$ipt -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -p tcp --destination-port 22 -j ACCEPT
# Hosts with full internet access
$ipt -A FORWARD -i eth0 -s 192.168.100.144 -j ACCEPT
$ipt -A FORWARD -i eth0 -s 192.168.100.125 -j ACCEPT
# Host restricted to mail (SMTP and POP3)
$ipt -A FORWARD -i eth0 -p tcp -m tcp -s 192.168.100.126 --dport 25 -j ACCEPT
$ipt -A FORWARD -i eth0 -p tcp -m tcp -s 192.168.100.126 --dport 110 -j ACCEPT
# Return traffic for connections already allowed out
$ipt -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else from the LAN is refused
$ipt -A FORWARD -i eth0 -s $lan -j REJECT
service iptables save
service iptables restart

The IPs of my local LAN {192.168.100.144-145} have internet access, but the IP 192.168.100.126 still can't connect to Outlook. What am I doing wrong?

win32sux 02-22-2011 04:10 PM

Add a LOG rule before the REJECT rule and DROP policy to see what is being filtered. Like:
Code:

$ipt -A FORWARD -i eth0 -s 192.168.100.144 -j ACCEPT
$ipt -A FORWARD -i eth0 -s 192.168.100.125 -j ACCEPT
$ipt -A FORWARD -i eth0 -p tcp -m tcp -s 192.168.100.126 --dport 25 -j ACCEPT
$ipt -A FORWARD -i eth0 -p tcp -m tcp -s 192.168.100.126 --dport 110 -j ACCEPT
$ipt -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i eth0 -s $lan -j LOG --log-prefix "FORWARD REJECT: "
$ipt -A FORWARD -i eth0 -s $lan -j REJECT
$ipt -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

...then show us what the relevant log entries look like.

3a2roub 02-22-2011 04:18 PM

log:

FORWARD REJECT: IN=eth0 OUT=eth1 SRC=192.168.100.126 DST=192.168.1.254 LEN=67 TOS=0x00 PREC=0x00 TTL=127 ID=6740 PROTO=UDP SPT=51432 DPT=53 LEN=47

win32sux 02-22-2011 04:25 PM

Looks like you need to make a rule for DNS lookups (UDP port 53).
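
As an added example (not code from the thread or from either poster), the FORWARD section of the gateway script with the DNS rule the log line points at, plus a small parser for the kernel LOG lines so repeated rejects can be summarised per source, protocol and port instead of read one by one. It goes a little beyond the thread: DNS is allowed over both UDP and TCP (large answers fall back to TCP), and the rule is pinned to a resolver address. That resolver address (192.168.1.254, the DST in the logged packet), the IPT variable and the function names are assumptions; the interface names and hosts are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Set IPT=echo to preview the commands
# instead of applying them (applying needs root on the gateway).

IPT="${IPT:-/sbin/iptables}"
lan=192.168.100.0/24
mailhost=192.168.100.126
dns=192.168.1.254   # assumed upstream resolver; the DST in the logged packet

forward_rules() {
    # Hosts with full internet access
    for h in 192.168.100.144 192.168.100.125; do
        $IPT -A FORWARD -i eth0 -s "$h" -j ACCEPT
    done
    # Restricted host: mail only, plus the DNS lookups the mail client needs
    $IPT -A FORWARD -i eth0 -p tcp -s "$mailhost" --dport 25  -j ACCEPT
    $IPT -A FORWARD -i eth0 -p tcp -s "$mailhost" --dport 110 -j ACCEPT
    $IPT -A FORWARD -i eth0 -p udp -s "$mailhost" -d "$dns" --dport 53 -j ACCEPT
    $IPT -A FORWARD -i eth0 -p tcp -s "$mailhost" -d "$dns" --dport 53 -j ACCEPT
    # Return traffic for connections already allowed out
    $IPT -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log, then refuse, everything else from the LAN
    $IPT -A FORWARD -i eth0 -s "$lan" -j LOG --log-prefix "FORWARD REJECT: "
    $IPT -A FORWARD -i eth0 -s "$lan" -j REJECT
}

# Reduce one kernel LOG line to "SRC DST PROTO DPT". Fields without "="
# (the prefix) are skipped; DPT is empty for protocols without ports.
# Pipe many lines through this and sort | uniq -c to see what is being hit.
parse_log_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC" || kv[1] == "DST" || kv[1] == "PROTO" || kv[1] == "DPT")
                f[kv[1]] = kv[2]
        }
        print f["SRC"], f["DST"], f["PROTO"], f["DPT"]
    }'
}

# Demo on the line from the thread (constructed copy of the logged entry).
parse_log_line "FORWARD REJECT: IN=eth0 OUT=eth1 SRC=192.168.100.126 DST=192.168.1.254 LEN=67 TOS=0x00 PREC=0x00 TTL=127 ID=6740 PROTO=UDP SPT=51432 DPT=53 LEN=47"
```

Nothing in the block calls forward_rules on its own; source the file and call it as root once the preview with IPT=echo looks right. The parser is what turns a page of "FORWARD REJECT:" lines into the one fact that matters here, that the restricted host is being refused UDP/53 to its resolver.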

3a2roub 02-22-2011 04:35 PM

Quote:

Originally Posted by win32sux (Post 4267761)
Looks like you need to make a rule for DNS lookups (UDP port 53).

Yup, you were right, mr dude. Thanks :o
