Re: IPTable Rules... again


 




On 09.03.2012 04:22, nullv@xxxxxxx wrote:
>> what you are doing wrong is change working things
>> the following works perfectly (eth1: WAN, eth0: LAN)
>
>> iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT
>> iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth1 -j MASQUERADE
> 
> the thing is I don't want to allow all my local machines to access the net. 
> Only selected services (POP3S, DNS, and SMTPS) are allowed. Although there 
> are exceptions like 10.0.0.3. Additionally my ISP limits the amount of traffic 
> from 1 IP. I have 5 public addresses I want to roundrobin them so that traffic 
> gets distributed across the IPs.

hm - OK that's a different story
but after reading your original post
why did you not mention what you like to do?

usually nobody will read your rules and start imagining your
intention especially if your rules do not work

to disallow completely on a machine i would remove the gateway on the client

>> what is this????????????????????????
>> -A INPUT -i eth1 -j ACCEPT
> 
> that's allow local packets from the lan (eth1) into the server

this is a very very bad idea, what happens if an unwanted
service is started by accident?

as long as you do not care about your servers security
in the internal network in my opinion the policy above
is not a topic - network security starts generally at
the most vulnerable machines

Attachment: signature.asc
Description: OpenPGP digital signature
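
The policy discussed in this thread (forward only POP3S, DNS and SMTPS, one exception host, traffic spread over five public addresses, and no blanket ACCEPT from the LAN on INPUT), written as an added example that is not from either poster. The interface roles, the LAN subnet, the admin port and the 203.0.113.x addresses are assumptions or placeholders; the function only prints an `iptables-restore` ruleset and applies nothing.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; it does not apply anything.
# All values below are assumptions, not the real setup from the thread.
WAN_IF=eth1                          # WAN side (the reply's convention)
LAN_IF=eth0                          # LAN side
LAN_NET=10.0.0.0/24                  # assumed LAN subnet
FULL_ACCESS_HOST=10.0.0.3            # the exception host named in the thread
SNAT_RANGE=203.0.113.1-203.0.113.5   # placeholder for the 5 public addresses
ADMIN_PORT=22                        # assumed: only service the LAN may reach on the gateway

build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Gateway itself: loopback, replies, and one named service instead of "-i <lan> -j ACCEPT"
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $ADMIN_PORT -j ACCEPT
# Forwarding: replies first, then the exception host, then the allowed services
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $FULL_ACCESS_HOST -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 465,995 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The kernel picks a source address from the range for each new connection
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $SNAT_RANGE
COMMIT
EOF
}

# Print only when called with "print"; the output can be piped into
# "iptables-restore --test" to parse it without committing.
if [ "${1:-}" = "print" ]; then build_ruleset; fi
```

SNAT over an address range distributes connections across the range, but the kernel chooses the address, so it is not a strict round-robin.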
