On Mon, 2002-11-11 at 01:58, Bob wrote:
> *mangle
> :PREROUTING ACCEPT [4:256]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed on Mon Nov 11 00:29:53 2002
> # Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
> *nat
> :PREROUTING ACCEPT [370:28696]
> :POSTROUTING ACCEPT [396:23845]
> :OUTPUT ACCEPT [406:24455]
> -A POSTROUTING -o eth0 -j SNAT --to-source 208.141.xxx.xxx #(my public IP)

### On Red Hat 8, the iptables System V init script reads
### /etc/sysconfig/iptables
### This file has the same content as the output of iptables-save,
### so if you make changes to that file you can then do a
### service iptables restart

### Get rid of the line above and replace it with:

-A POSTROUTING -s 192.168.108.0/255.255.255.0 -o eth0 -j MASQUERADE

### Replace 192.168.108.0/255.255.255.0 with your internal subnet,
### replace eth0 with whatever your internet-facing interface is.

> COMMIT
> # Completed on Mon Nov 11 00:29:53 2002
> # Generated by iptables-save v1.2.6a on Mon Nov 11 00:29:53 2002
> *filter
> :INPUT ACCEPT [140:118403]

If I were you I would set my INPUT policy to DROP, and then add specific allow rules for what I want to come into my box. Assume that eth0 faces the internet, and eth1 is internal.
If your ISP uses DHCP you probably want at least these rules:

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 14 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 16 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 18 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 31 -j ACCEPT

If your internal subnet can be considered "trusted" and its subnet was 192.168.108.0/255.255.255.0 you could add:

-A INPUT -i eth1 -s 192.168.108.0/255.255.255.0 -j ACCEPT

Also, use "chkconfig --list" to make sure that your iptables is "on" for the runlevel you are using. Then do a

/sbin/service iptables restart

Also check that your /etc/sysconfig/network file has the following line:

GATEWAYDEV=eth0

You don't have to worry about manually loading all the iptables modules for this. In Red Hat 8 they will get loaded auto-magically if you are using the standard kernel and the standard iptables startup script.

-Ben.
RHCE
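The pieces of advice in Ben's reply (MASQUERADE instead of a hard-coded SNAT, INPUT policy DROP, the loopback, state, DHCP, ICMP and trusted-LAN allow rules) assembled into one generator for /etc/sysconfig/iptables in iptables-save format. This is an added example, not code from the original thread. The script name gen-iptables.sh, the variable names, and the defaults eth0 / eth1 / 192.168.108.0/255.255.255.0 are assumptions taken from the reply's "assume eth0 faces the internet" scenario; the script generalizes the reply by letting you override them, and by generating the eight ICMP rules from a list instead of spelling each one out.

```shell
#!/bin/sh
# gen-iptables.sh: emit an /etc/sysconfig/iptables file (iptables-save format)
# following the reply above: MASQUERADE the LAN out of the internet-facing
# interface, set the INPUT policy to DROP, and only let in loopback traffic,
# replies to connections the box started, DHCP, a few ICMP types and the
# trusted LAN.
#
# Added example, not part of the original post. Interface names, the LAN
# subnet and the script name are assumptions; override them with env vars:
#   WAN=ppp0 LAN=eth1 LAN_NET=10.0.0.0/255.255.255.0 ./gen-iptables.sh
WAN=${WAN:-eth0}                                  # internet-facing interface
LAN=${LAN:-eth1}                                  # internal interface
LAN_NET=${LAN_NET:-192.168.108.0/255.255.255.0}   # trusted internal subnet

# ICMP types the reply allows in from the internet side: echo-reply,
# destination-unreachable, time-exceeded, parameter-problem, timestamp-reply,
# information-reply, address-mask-reply, traceroute.
ICMP_TYPES="0 3 11 12 14 16 18 31"

gen_rules() {
    # The mangle table is omitted: Bob's had only ACCEPT policies and no
    # rules, so nothing is lost. Counters are written as [0:0]; the init
    # script does not restore them anyway.
    cat <<EOF
# Generated by gen-iptables.sh for $WAN (internet) and $LAN ($LAN_NET, trusted)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
EOF
    # One ACCEPT rule per ICMP type, same shape as the rules in the reply.
    for t in $ICMP_TYPES; do
        echo "-A INPUT -i $WAN -p icmp -m icmp --icmp-type $t -j ACCEPT"
    done
    cat <<EOF
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; redirect it into /etc/sysconfig/iptables to install it.
gen_rules
```

Install it from the console, not over a remote session, since the DROP policy takes effect as soon as the init script reloads: `./gen-iptables.sh > /etc/sysconfig/iptables && service iptables restart`, then confirm with `iptables -L -n -v` and `chkconfig --list iptables` as the reply suggests. Note that with this ruleset no new inbound connection on the internet-facing interface is accepted at all; if the box must be reachable from outside (for example SSH), add an explicit rule such as `-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT` before the filter table's COMMIT. FORWARD is left at ACCEPT as in Bob's original; the MASQUERADE rule only rewrites traffic going out, it does not by itself filter what is forwarded.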