Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
My friend and I are planning to build a Linux box as our router for our home LAN. Basically the router will have two network interface cards: eth0 connected to our internal LAN hub, and the other interface (eth1) connected to our modem and straight to the internet.
So, we have installed Slackware on the box, enabled /proc/sys/net/ipv4/ip_forward=1, then added iptables rules like this:
So, right now our PCs in the internal LAN can access the internet.
But the problem comes when I try to play with the iptables rules. I wanted to allow only selected PCs to access the internet, so first of all I blocked all PCs from accessing the internet like this:
iptables -A FORWARD -p all -j DROP
And all the users cannot access the internet, so it means that the rule is working. Then I put the rules below to allow certain PCs to access the internet:
iptables -A FORWARD -s 192.168.0.10 -j ACCEPT
iptables -A FORWARD -s 192.168.0.11 -j ACCEPT
But, unfortunately, the selected PCs still cannot access the internet. What happened? Can you guys help me...
will match all packets pending forwarding... thus, all packets being forwarded will be dropped before the other two rules are ever reached:
Code:
iptables -A FORWARD -s 192.168.0.10 -j ACCEPT
iptables -A FORWARD -s 192.168.0.11 -j ACCEPT
Simply place that first rule last. Or, even better, just do:
Code:
iptables -P FORWARD DROP
This sets the policy for the FORWARD chain to DROP. When all rules within the FORWARD chain fail to match, iptables will drop the packet by default.
Last edited by zhangmaike; 08-07-2006 at 11:29 PM.
Because, from what I know, in pf the last rule will overwrite the first rule. For example, we have to drop all packets first, then accept/allow packets based on our rules....
Your post is the first I have heard of pf, but based on your description, yes, iptables is different.
iptables rules are evaluated in order. The first rule that matches causes iptables to jump to its target (specified with -j) and, depending on the target, iptables will either stop evaluating (this happens with terminating targets such as DROP) or continue with the next rule (this happens with non-terminating targets). It is also possible to jump to a user-defined chain (where, of course, evaluation of those rules will continue). If all the rules within a chain are evaluated and the end is reached without any rule matching, then iptables defaults to the specified policy for that chain.
Behavior similar to that which you have experienced in pf could be accomplished simply through omitting your first rule, and instead setting the policy of the FORWARD chain to DROP.
See man iptables for more information.
Last edited by zhangmaike; 08-08-2006 at 12:21 AM.
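As an added illustration (not part of the thread), here is a small Python model of the FORWARD chain evaluation described above. It runs the three rule orderings discussed in the thread (the blanket DROP first, the blanket DROP last, and no blanket rule with a DROP policy) under iptables' first-match semantics, and also under the pf-style "last matching rule wins" semantics the poster expected, to show why the original ordering fails. The host 192.168.0.50 is a constructed example of a LAN PC that was not granted access.

```python
import ipaddress

# Targets that end evaluation of the chain when they match (iptables behaviour).
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def evaluate_chain(rules, policy, src, semantics="first-match"):
    """Return the verdict for a packet from `src` under a list of (src_spec, target) rules.

    src_spec None stands for a rule with no source match (like `-p all` above).
    first-match: iptables - the first matching terminating target decides.
    last-match:  pf-style - the last matching rule decides (no 'quick' keyword).
    The chain policy applies when no rule decides.
    """
    verdict = policy
    addr = ipaddress.ip_address(src)
    for spec, target in rules:
        matched = spec is None or addr in ipaddress.ip_network(spec, strict=False)
        if not matched:
            continue
        if semantics == "first-match":
            if target in TERMINATING:
                return target
            # Non-terminating target (e.g. LOG): keep walking the chain.
        else:
            verdict = target  # pf-style: later matches override earlier ones
    return verdict


# The poster's original ordering: the blanket DROP was appended first.
BROKEN = [(None, "DROP"), ("192.168.0.10", "ACCEPT"), ("192.168.0.11", "ACCEPT")]
# First suggested fix: same rules, blanket DROP moved last.
REORDERED = [("192.168.0.10", "ACCEPT"), ("192.168.0.11", "ACCEPT"), (None, "DROP")]
# Preferred fix: no blanket rule at all, chain policy set to DROP.
POLICY_ONLY = [("192.168.0.10", "ACCEPT"), ("192.168.0.11", "ACCEPT")]

# 192.168.0.50 is a constructed example of a LAN host that should stay blocked.
HOSTS = ["192.168.0.10", "192.168.0.11", "192.168.0.50"]


def forward_verdicts(rules, policy="ACCEPT", semantics="first-match"):
    """Verdict per LAN host for the given FORWARD chain configuration."""
    return {h: evaluate_chain(rules, policy, h, semantics) for h in HOSTS}


if __name__ == "__main__":
    print("iptables, DROP first :", forward_verdicts(BROKEN))
    print("iptables, DROP last  :", forward_verdicts(REORDERED))
    print("iptables, policy DROP:", forward_verdicts(POLICY_ONLY, policy="DROP"))
    print("pf-style, DROP first :", forward_verdicts(BROKEN, semantics="last-match"))
```

Under iptables the first configuration drops every host, while the other two (and the pf-style reading of the first one) let only .10 and .11 through.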