LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-09-2005, 05:40 PM   #1
axr0284
Am I setting up iptables right???


Hi,
I have just started learning about iptables. I have read "Iptables Tutorial 1.2.0" by Oskar Andreasson. Very in-depth look at iptables. Maybe too in depth for me.

I have decided to build a script for my computer network. It contains 1 linux box connected to the ethernet continuously and one ipaq connected to the linux box and accessing the internet using ppp. The ipaq has a static address.

I would like all outgoing data from my lan (ipaq) to go out without restrictions.
iptables -A INPUT -s ipaq -j ACCEPT
iptables -A FORWARD -s ipaq -j ACCEPT

I was wondering if I need to add the FORWARD line if I already send all data from my ipaq to the INPUT chain. Does the input chain only end up at the local processes on my main linux box, or will the packets addressed to the outside world be sent to the output chain? Or maybe I could send it to the PREROUTING chain of the nat table and then just let it go through as usual.

Question number two would be how do I set it up so that only packets for requested connection pass through to the ipaq from the ethernet for internet related stuff.

I hope this is not too much. Thanks a bunch
Amish
 
Old 12-09-2005, 07:37 PM   #2
Capt_Caveman
Quote:
I have just started learning about iptables. I have read "Iptables Tutorial 1.2.0" by Oskar Andreasson. Very in-depth look at iptables. Maybe too in depth for me.
Probably one of the best tutorials available. Tinker around with iptables for awhile and you'll start to get the hang of it. Then try re-reading Oskar's guide.

Quote:
The ipaq has a static address.
Is this a private (non-routeable) LAN address like 10.0.0.0 or 192.168.0.0 or is this a static public IP address?

Quote:
I was wondering if I need to add the FORWARD line if I already send all data from my ipaq to the INPUT chain. Does the input chain only end up at the local processes on my main linux box, or will the packets addressed to the outside world be sent to the output chain?
The INPUT chain will only handle packets addressed to that box, so packets from the Ipaq to the internet will not be processed by INPUT or OUTPUT, but will be handled by FORWARD instead. For clarity, pinging or trying to connect directly to the firewall/gateway would be handled by INPUT.

Quote:
Or maybe I could send it to the PREROUTING chain of the nat table and then just let it go through as usual.
All incoming packets (including INPUT and FORWARD) will initially be handled by PREROUTING. However you should never do filtering in PREROUTING. It's really meant for modifying packets (doing NAT for example).

Quote:
Question number two would be how do I set it up so that only packets for requested connection pass through to the ipaq from the ethernet for internet related stuff.
Best way is to allow outgoing traffic, but limit incoming packets to be only of the ESTABLISHED or RELATED state. That way your Ipaq would need to initiate outgoing traffic to any host on the internet before any incoming packets would be accepted. So you'd want to do something like this:
Code:
# new connections from the ipaq, arriving on the internal link, may be forwarded
iptables -A FORWARD -s Ipaq -i Internal_interface -j ACCEPT
# from the external link, forward only replies to connections the ipaq already opened
iptables -A FORWARD -i External_interface -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 12-10-2005, 01:41 AM   #3
axr0284
Thanks for the answer it was really helpful. To answer your question, the ipaq has a static private ip. This is my setup:

NOTE: ipaq, desktoplinux and desktopwin are aliases in my /etc/hosts file. Will iptables understand them?

#I want to filter all input and only allow the ones that match my rule:
iptables -P INPUT DROP
iptables -P FORWARD DROP

#Anything can go out.
iptables -P OUTPUT ACCEPT

#Accept any data from my ipaq to my main machine
iptables --append INPUT --source ipaq --in-interface ppp0 -j ACCEPT

#Accept any data from my ipaq to the outside
iptables --append FORWARD --source ipaq --in-interface ppp0 -j ACCEPT

#Accept only data from my windows machine to my main linux machine
iptables --append INPUT --source desktopwin --in-interface eth0 -j ACCEPT

#Accept only data from my windows machine to my ipaq???? Can I ssh directly into my ipaq from the outside with this
iptables --append FORWARD --source desktopwin --in-interface eth0 -j ACCEPT

#Accept packets from the outside if they are part of the established #connection
iptables --append INPUT --in-interface eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append FORWARD --in-interface eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

**Does this work with tcp, ssh and ftp???***

I am guessing I need to set up some NAT rules for packets coming out and in since my ipaq is on a private ip which cannot be seen from the outside.
#Change the source ip of packets from ipaq to outside
# MASQUERADE takes no --to-source (that option belongs to SNAT); it always uses
# the address of the interface the packet leaves on. The ipaq's packets to the
# outside leave on eth0, so that is the interface to match, not ppp0.
iptables -t nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

#Change the destination ip of packets from outside to ipaq???????
This is something I do not understand. If the packet has an ip with destination address my main linux box (although it is for the ipaq), how does iptables know that the packet is destined for my ipaq and therefore change it's destination address to my ipaq's address
# Replies to connections the ipaq opened need no rule here: connection tracking
# remembers the MASQUERADE translation and reverses it on the way back. A
# PREROUTING rule is only needed so the outside can open a connection to the
# ipaq, and MASQUERADE is not valid in PREROUTING; DNAT on a specific port is
# used instead (tcp/22 for ssh as the example; every ssh connection arriving
# on eth0 then goes to the ipaq, not to this box).
iptables -t nat --append PREROUTING --in-interface eth0 -p tcp --dport 22 -j DNAT --to-destination ipaq

Thanks a lot for any help,
Amish
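The policy that Capt_Caveman's reply sketches (stateful FORWARD, replies only from the external side) and that the script in the last post tries to build (default DROP, MASQUERADE for the ipaq, a DNAT for unsolicited inbound traffic), written out as one complete ruleset. This is an added example, not code from the thread or from either poster. It emits iptables-restore(8) format so the whole policy loads atomically instead of rule by rule. The numeric addresses and the forwarded port are assumptions; the thread only gives interface and host names. Numeric addresses are used because iptables resolves a hostname once, when the rule is loaded, and a name with several addresses silently becomes several rules.

```shell
#!/bin/sh
# Added example (not from the thread): generate the gateway ruleset described
# above in iptables-restore(8) format. Interface names come from the thread;
# the addresses and the forwarded port below are assumptions.

EXT_IF="eth0"           # link to the Windows desktop and the Internet
INT_IF="ppp0"           # point-to-point link to the ipaq
IPAQ="192.168.0.2"      # assumed address of the ipaq
DESKTOPWIN="10.0.0.5"   # assumed address of the Windows desktop
SSH_FWD_PORT="2222"     # assumed external port forwarded to the ipaq's sshd

# gen_ruleset writes the complete filter and nat tables to stdout.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must be accepted or local services break under a DROP policy
-A INPUT -i lo -j ACCEPT
# replies to connections this box opened itself, on any interface
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the ipaq may reach the gateway; matching interface and source together
# means a packet on eth0 that spoofs the ipaq's address is still dropped
-A INPUT -i $INT_IF -s $IPAQ -j ACCEPT
# only the Windows desktop may open new connections to the gateway from eth0
-A INPUT -i $EXT_IF -s $DESKTOPWIN -m state --state NEW -j ACCEPT
# packets that belong to no tracked connection are never forwarded
-A FORWARD -m state --state INVALID -j DROP
# ipaq -> outside: the ipaq may open anything
-A FORWARD -i $INT_IF -o $EXT_IF -s $IPAQ -j ACCEPT
# outside -> ipaq: only replies to connections the ipaq opened ...
-A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# ... plus the one port that the DNAT rule below redirects to the ipaq
-A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $IPAQ --dport 22 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# outgoing ipaq traffic takes eth0's address; connection tracking records the
# translation and reverses it on the replies, so no rule is needed for them
-A POSTROUTING -o $EXT_IF -s $IPAQ -j MASQUERADE
# the only unsolicited inbound traffic allowed to reach the ipaq
-A PREROUTING -i $EXT_IF -p tcp --dport $SSH_FWD_PORT -j DNAT --to-destination $IPAQ:22
COMMIT
EOF
}

# rule_count prints the number of -A rules in the generated ruleset.
rule_count() {
    gen_ruleset | grep -c '^-A'
}

# Load (as root):            gen_ruleset | iptables-restore
# Parse without applying:    gen_ruleset | iptables-restore --test
# Forwarding is off by default: echo 1 > /proc/sys/net/ipv4/ip_forward
```

The question in the last post about how the gateway knows a reply is for the ipaq is answered by the MASQUERADE rule alone: when the ipaq's first packet is masqueraded, connection tracking stores both the original tuple (ipaq's address as source) and the reply tuple (eth0's address as destination). A reply arriving on eth0 matches the reply tuple and has its destination rewritten back to the ipaq before the filter FORWARD chain sees it, which is why the ESTABLISHED,RELATED rule above can match on -o ppp0. Only traffic the outside initiates, such as the ssh forward, needs an explicit DNAT, and then a matching FORWARD rule for the post-DNAT destination.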
 