Re: NAT and packets from localhost

Hi!

(your linewrap did make reading this a bit of a challenge ;-) )

All traffic that is neither destined for nor coming from your firewall machine 
only goes through PREROUTING, FORWARDING and POSTROUTING, which all have the 
appropriate rules/policies to allow access from your LAN. Outbound traffic from 
your firewall goes through OUTPUT and POSTROUTING, while inbound traffic comes 
through PREROUTING and INPUT. So, to make it work you only need a rule to accept 
the responses from the internet in your INPUT chain:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This single line magically allows almost all applications to access the internet 
from the firewall while shutting out all connection attempts from the outside. 
ESTABLISHED matches all packets directly belonging to an established connection 
while RELATED takes care of e.g. ICMP error messages (like destination 
unreachable et al).

On Thu, 23 Jan 2003, Rindolf wrote:

> Hi. This is probably a configuration problem, but I'm not sure. It 
> seems strange. I have a home lan using the 192.168.0.0/24 addresses 
> behind a firewall machine using NAT. The NAT works just fine, it seems 
> to be able to keep track of connections, even replies to udp packets 
> are handled correctly. However, replies to packets sent from the 
> machine itself, not using NAT, are blocked by the packet filter. This 
> is of course very inconvenient, as I can't do anything from this 
> computer that talks to the internet. I can't figure out what's wrong. 
> I'm using kernel 2.4.10. Perhaps this is a bug that has since been 
> fixed? I hope this is an appropriate place to ask this.
> 
> $outaddr is the outside address.
> 
> #iptables -t filter -L -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
> ACCEPT     all  --  0.0.0.0              0.0.0.0/0          # I put this in to allow dhcp requests.
> LD         all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain LD (1 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> #iptables -t nat -L -n
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy DROP)
> target     prot opt source               destination
> SNAT       all  --  192.168.0.0/24       0.0.0.0/0          to:$outaddr
> ACCEPT     all  --  $outaddr             0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

Ciao,
					Roland

+---------------------------+-------------------------+
|    TU Muenchen            |                         |
|    Physik-Department E18  |  Raum    3558           |
|    James-Franck-Str.      |  Telefon 089/289-12592  |
|    85747 Garching         |                         |
+---------------------------+-------------------------+

"If you think NT is the answer, you didn't understand the question."
						- Paul Stephens

-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
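A complete ruleset that applies the fix from the reply to the setup the original poster describes, as an added example that is not the script of either correspondent. The interface names, the LAN range and the outside address are assumptions (override them in the environment); `$outaddr` is stood in for by a TEST-NET-3 placeholder. Every call goes through `$IPT` and `$SYSCTL` so the whole thing can be dry-run with `IPT=echo SYSCTL=echo` before it touches a live box.

```shell
#!/bin/sh
# Added example, not the poster's or the reply author's configuration.
# Minimal NAT firewall for a 192.168.0.0/24 LAN on a 2.4 kernel that also
# lets the firewall itself talk to the internet (the missing piece in the
# original post: replies to locally generated packets go PREROUTING -> INPUT,
# never through FORWARD, so they must be accepted in INPUT).
set -e

IPT=${IPT:-iptables}              # set IPT=echo for a dry run
SYSCTL=${SYSCTL:-sysctl}          # set SYSCTL=echo for a dry run
LAN_IF=${LAN_IF:-eth1}            # assumed internal interface
WAN_IF=${WAN_IF:-eth0}            # assumed external interface
LAN_NET=${LAN_NET:-192.168.0.0/24}
OUTADDR=${OUTADDR:-203.0.113.10}  # placeholder for $outaddr (TEST-NET-3)

apply_rules() {
    # Start from a clean slate in both tables.
    $IPT -t filter -F
    $IPT -t nat -F

    # Default-deny for packets addressed to the firewall itself and for
    # forwarded packets; locally generated traffic (OUTPUT) is allowed out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback stays open, or local resolvers and daemons break.
    $IPT -A INPUT -i lo -j ACCEPT

    # The one line from the reply: packets belonging to a connection the
    # firewall opened itself (ESTABLISHED) and ICMP errors about such a
    # connection (RELATED) are let back in. Unsolicited packets from the
    # outside never match this and fall through to the log-and-drop below.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The LAN may talk to services on the firewall.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # DHCP requests arrive from source 0.0.0.0; match them by port instead
    # of the poster's "accept everything from 0.0.0.0" rule.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT

    # Log-then-drop chain, as the poster's LD chain does.
    $IPT -N LD 2>/dev/null || $IPT -F LD
    $IPT -A LD -j LOG --log-level 4
    $IPT -A LD -j DROP
    $IPT -A INPUT -j LD

    # Forwarded traffic: LAN hosts out to the internet, only replies back in.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: rewrite LAN sources to the outside address. Packets the firewall
    # generates itself already carry $OUTADDR and need no SNAT rule.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$OUTADDR"

    $SYSCTL -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPT=echo SYSCTL=echo apply_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run `sh firewall.sh dry-run` to see the exact commands, then `apply` as root. The ordering in INPUT matters: the state match sits before the LAN accept and the LD chain so that replies to the firewall's own connections are accepted before anything can log or drop them.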
