Share your knowledge at the LQ Wiki.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 10-29-2003, 02:03 PM   #1
LQ Newbie
Registered: Oct 2003
Posts: 2

Rep: Reputation: 0
Linux gateway/firewall problem


I have a Linux box working as a gateway/firewall and a windows box connected to the internet through it. I'm trying give the Windows box access to the internet, but only with ports 80 (http) and 22 (ssh).

My iptables setup:
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

How can I give the Windows box access to the net?
A command such as: iptables -A FORWARD -p tcp --dport 80 -j ACCEPT doesn't do the job. Of course, it works with iptables -P FORWARD ACCEPT but I don't like to keep all the ports open.
Old 10-29-2003, 05:01 PM   #2
LQ Newbie
Registered: Oct 2003
Posts: 28

Rep: Reputation: 15
OK, from greenhorn to greenhorn (but it is working in my case):

You have to implement the NAT (Network Address Translation) rules as well.

iptables -t nat -A POSTROUTING --out-interface ppp0 -j MASQUERADE

If it is connected via DSL you need the following:
iptables -t filter -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Further the IP_FORWARDING must be activated:

echo 1 > /proc/sys/net/ipv4/ip_forward

Hope that is everything, otherwise I would have to post the whole script!
Old 10-30-2003, 01:22 AM   #3
LQ Newbie
Registered: Oct 2003
Posts: 2

Original Poster
Rep: Reputation: 0
NAT is already implemented and as I said in my previous post, everything works fine with just iptables -P FORWARD ACCEPT, but if I set it to DROP it doesn't work.
The line iptables -t filter -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu didn't help at all

The thing that I'm still looking for is an iptables command to open a specific port for the Windows client with iptables -P FORWARD DROP being set at the same time.
Old 10-31-2003, 03:53 AM   #4
LQ Newbie
Registered: Oct 2003
Posts: 28

Rep: Reputation: 15
OK now an attempt without having neither my script nor the documentation around (the iptables documentation is actually very good from my point of view).

First of all, the MASQUARADE commandis very important, because otherwise the router will try to forward the orignal ip of the other PC.

When you just add the DROP line it's clear that it is not working anymore. You have to add afterwards a rule for forwarding with expicit mentioning the port you want to allow!
I can later on post my complete scirpt (which is not perfect as I am also having a small problem but in principle it is working)!


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Using Linux as a firewall/gateway Dovid Linux - Networking 4 04-21-2005 09:13 PM
Firewall Gateway Setup Problem danfiggolfer Linux - Newbie 1 01-02-2005 09:05 PM
Linux as firewall / gateway + using ADSL Gianni Linux - Security 3 07-22-2003 11:05 AM
DirectPlay, Linux Gateway, Firewall, oh my Hegemon Linux - General 2 03-03-2003 01:06 PM
linux gateway/firewall with MASQUERADE willix Linux - Networking 2 08-06-2002 05:37 PM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 04:41 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration