Re: [tlug] IP masquerading problem



On Thu, 04 Apr 2002 21:17:04 -0800, Ray Mancy <0721265801@example.com>
wrote to tlug@example.com:

> #!/bin/sh
> IPTABLES=/usr/local/sbin/iptables
> EXTIF="eth1"
> INTIF="eth0"
> $IPTABLES -P FORWARD DROP
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.1.3 -j MASQUERADE
> $IPTABLES -A INPUT -i $EXTIF -m state  --state NEW,INVALID -j DROP
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

You're dropping everything going through the FORWARD chain of the filter
table. Your default destination is "DROP" and on top of that you're DROPping
stuff coming from the outside which is new. You should explicitly allow
everything else you want FORWARDed, like:

$IPTABLES -A FORWARD -i $EXTIF -p tcp --sport 80 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -p tcp --dport 80 -j ACCEPT

...if you want to allow http traffic through the box, or

$IPTABLES -A FORWARD -i $EXTIF -p udp --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -p tcp --dport 53 -j ACCEPT

...if you want to allow other boxes to do DNS.

Same rules apply to ports 25 for smtp, 110 for pop3, 443 for https, 22 for
ssh etc...


-- 
 ____________________________________________
| G. Stewart   --   gstewart@example.com |
| Port de Pontille, FR-37500 CHINON, FRANCE. |
 ____________________________________________

