LinuxQuestions.org
Old 03-28-2004, 09:20 AM   #1
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 459

Rep: Reputation: 30
ip tables with MASQUERADE


This should work... what am I doing wrong?

Code:
iptables -t nat -L:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Looks good, right?

Now my rc.firewall:
Code:
#!/bin/sh

IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

#Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#This allows all data that has been sent out for the computer running the
#firewall to come back (for all of ICMP/TCP/UDP). For example, if a ping
#request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p udp

#Accept everything from eth1
$IPTABLES -A INPUT -i eth1 -j ACCEPT
#Forward packets from eth1 through eth0
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow incoming FTP requests
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

#Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow incoming HTTP requests (to Web server)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

#Drop and log all other data
#Logging is rate-limited: after an initial burst of 5 log entries, at most
#3 dropped packets per second are logged. This helps keep a DoS flood from
#overwhelming the firewall machine with log writes. Every packet is still dropped.
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 ! -i lo -j LOG
$IPTABLES -A INPUT ! -i lo -j DROP

I can ping both ways, I can connect to the internet from the Linux box, ssh works from my XP box... but I cannot ping anything on the internet from XP...

I'm sure my XP box is set up correctly, as it was working before I bought this new box...

The only thing strange is:
Code:
service network restart
Shutting down interface eth0:                                   [  OK  ]
Shutting down interface eth1:                                   [  OK  ]
Shutting down loopback interface:                               [  OK  ]
Setting network parameters:                                     [  OK  ]
Bringing up loopback interface:                                 [  OK  ]
Bringing up interface eth0:                                     [FAILED]
Bringing up interface eth1:                                     [  OK  ]

Any suggestions?

Last edited by ryedunn; 03-28-2004 at 09:42 AM.
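
An added example, not part of the original thread: a simplified token-bucket model of the `-m limit --limit 3/second --limit-burst 5` match used on the LOG rule in the script above, showing how many dropped packets would actually reach the log. The function names and the packet arrival times are constructed for illustration; the kernel keeps its own credit units, so this models the behaviour rather than reproducing the implementation.

```shell
#!/bin/sh
# Token-bucket model of iptables "-m limit" (illustrative, not kernel code).
# Time is in integer milliseconds and credit in milli-tokens, so the refill
# can be computed without floating point.

# arrivals COUNT GAP_MS: constructed traffic, one packet every GAP_MS ms.
arrivals() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s ' $((i * $2))
        i=$((i + 1))
    done
}

# count_logged RATE_PER_SEC BURST T1 T2 ...
# Prints how many packets (ascending arrival times in ms) match the limit
# rule and are therefore handed to -j LOG. Packets that do not match fall
# through to the next rule, which in the script above is the DROP.
count_logged() {
    rate=$1; burst=$2; shift 2
    cap=$((burst * 1000))   # bucket capacity in milli-tokens
    credit=$cap             # the bucket starts full (--limit-burst)
    last=0; logged=0
    for t in "$@"; do
        # RATE tokens per second equals RATE milli-tokens per millisecond
        credit=$((credit + (t - last) * rate))
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        last=$t
        if [ "$credit" -ge 1000 ]; then
            credit=$((credit - 1000))
            logged=$((logged + 1))
        fi
    done
    echo "$logged"
}

# Constructed scenarios: a flood at 100 packets/s, then slow background noise.
echo "1 s flood, 100 pkts:  $(count_logged 3 5 $(arrivals 100 10)) logged"
echo "3 s flood, 300 pkts:  $(count_logged 3 5 $(arrivals 300 10)) logged"
echo "slow, 10 pkts @ 2/s:  $(count_logged 3 5 $(arrivals 10 500)) logged"
```

Under a sustained flood the log rate settles at about 3 lines per second after the first 5, while traffic slower than the limit is logged in full.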
 
Old 03-28-2004, 04:13 PM   #2
ryedunn
OK, it seems like it works when it wants to...
Twice I have been looking at the rc.firewall and it just started working?
Very confusing.
 
Old 03-28-2004, 07:40 PM   #3
ryedunn
OK, this is strange.

I'm an idiot.

Last edited by ryedunn; 03-28-2004 at 07:58 PM.
 
  

