I have a Linux box working as a gateway/firewall and a Windows box connected to the internet through it. I'm trying to give the Windows box access to the internet, but only with ports 80 (http) and 22 (ssh).
My iptables setup:
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
How can I give the Windows box access to the net?
A command such as: iptables -A FORWARD -p tcp --dport 80 -j ACCEPT doesn't do the job. Of course, it works with iptables -P FORWARD ACCEPT but I don't like to keep all the ports open.
NAT is already implemented and as I said in my previous post, everything works fine with just iptables -P FORWARD ACCEPT, but if I set it to DROP it doesn't work.
The line iptables -t filter -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu didn't help at all.
The thing that I'm still looking for is an iptables command to open a specific port for the Windows client with iptables -P FORWARD DROP being set at the same time.
OK, now an attempt without having either my script or the documentation around (the iptables documentation is actually very good from my point of view).
First of all, the MASQUERADE command is very important, because otherwise the router will try to forward the original IP of the other PC.
When you just add the DROP line it's clear that it is not working anymore. You have to add afterwards a rule for forwarding, explicitly mentioning the port you want to allow!
I can later on post my complete script (which is not perfect as I am also having a small problem but in principle it is working)!
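A complete rule set along the lines the reply describes, as an added example that is not part of this thread or of anyone's posted script. It assumes constructed values (WAN on eth0, LAN on eth1, the Windows client at 192.168.1.10) and generalizes the question to any list of proto:port pairs; the rules are printed first so they can be reviewed without root, then applied.

```sh
#!/bin/sh
# Added example (not from the thread): a NAT gateway that forwards only
# explicitly listed ports for one LAN client, with FORWARD policy DROP.
# Assumed values, constructed for this example: WAN on eth0, LAN on eth1,
# the Windows client at 192.168.1.10. Override via environment if needed.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
CLIENT="${CLIENT:-192.168.1.10}"

# Print the iptables commands, one per line, for the given "proto:port"
# specs (e.g. tcp:80 tcp:22). Printing first lets the rule set be reviewed
# or tested without root; apply_rules below executes it.
build_rules() {
    # Default deny on every chain, as in the original setup.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -F"
    echo "iptables -t nat -F"
    # Return traffic for connections that were already accepted.
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # The piece the thread was missing: with FORWARD set to DROP, each
    # allowed service needs its own rule for NEW connections, LAN -> WAN,
    # restricted to the client and the destination port.
    for spec in "$@"; do
        proto="${spec%%:*}"
        port="${spec#*:}"
        echo "iptables -A FORWARD -i $LAN -o $WAN -s $CLIENT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # MASQUERADE rewrites the client's private source address to the
    # gateway's, so replies come back here instead of being dropped upstream.
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $CLIENT -j MASQUERADE"
    # Forwarding must be enabled in the kernel as well.
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Execute the generated rules (requires root on the gateway).
apply_rules() {
    build_rules "$@" | sh -e
}

# Usage: sudo sh gateway-fw.sh tcp:80 tcp:22
# Web browsing normally also needs name resolution, e.g. udp:53, unless the
# client resolves names through a DNS server on the gateway itself.
if [ "$#" -gt 0 ]; then
    apply_rules "$@"
fi
```

Run `sh gateway-fw.sh tcp:80 tcp:22` without root to see the FORWARD rules, or call `build_rules tcp:80 tcp:22` after sourcing the file to inspect them.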