On Thursday 12 December 2002 09:13 am, Damon Brinkley wrote:
> Thanks Stu but I'm still doing something wrong.
>
> Here's the rules I have now.
>
> ###############################
>
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
>
> /sbin/iptables -F
> /sbin/iptables -t nat -F
> /sbin/iptables -X
> /sbin/iptables -t nat -X
>
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
>
> # INPUT CHAIN
> # NONUSERS = 172.17.0.0/20
> /sbin/iptables -A INPUT -s $NONUSERS -j ACCEPT
>
> # FORWARD CHAIN
> /sbin/iptables -A FORWARD -s $NONUSERS -j ACCEPT
>
> # POSTROUTING
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ######################################
>
> This should give my laptop, IP 172.17.0.244, complete access but I get
> Request timed out when pinging www.yahoo.com
>
> Here's what I get when running iptables -nL

You can also run "iptables -t nat -nL" to show the nat table chains. As with
most iptables calls, if you don't specify it assumes the filter table.

Anyway, make sure you are also doing:

echo 1 > /proc/sys/net/ipv4/ip_dynaddr

so that it will actually have (and maintain) the current IP address for
masquerading.

Finally, you are not allowing any return connection back to the laptop
through the FORWARD chain. Try adding:

/sbin/iptables -A FORWARD -d $NONUSERS -m state \
    --state ESTABLISHED -j ACCEPT

and it should work for browsing. If you use "ESTABLISHED,RELATED" instead
then it should be more reliable, since it will allow icmp traffic related to
the browsing.

Also, you are allowing the laptop to communicate with the firewall box's
local processes (INPUT) but not allowing anything back from it to the laptop
(OUTPUT). If you need them to communicate with each other, apart from the
firewall forwarding (separate issues), then you need to allow communications
in OUTPUT that go to the laptop as well, either simply ACCEPTing appropriate
traffic, or using a state rule as above in OUTPUT to allow local processes on
the firewall box to reply, but not initiate connections to the laptop.

I've never worked with ipchains, just iptables, but I gather that with
ipchains it was necessary to allow traffic through INPUT in order to forward.
(I've seen this a lot this past week :^) With iptables the packets hit
PREROUTING, then netfilter decides whether the packet is destined for the
local box or for forwarding, and it goes to EITHER one or the other, but not
both. INPUT and OUTPUT are for the local box itself, and don't have any
effect at all on forwarding, SNAT/DNAT, etc.

j
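As an added illustration (not code from either poster), here is the quoted rule set rewritten with the changes the reply describes: NONUSERS actually set, a stateful return rule in FORWARD and in OUTPUT, and ip_dynaddr enabled. It assumes eth0 is the uplink and 172.17.0.0/20 is the LAN; setting DRYRUN=1 prints the commands instead of running them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumptions: eth0 is the
# external interface, 172.17.0.0/20 is the internal network.
# DRYRUN=1 prints every command instead of executing it.
NONUSERS="172.17.0.0/20"
EXT_IF="eth0"

# Run a command, or just print it when DRYRUN is set.
run() {
    if [ -n "${DRYRUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Write a /proc sysctl through the same dry-run switch.
set_sysctl() {
    if [ -n "${DRYRUN:-}" ]; then echo "sysctl $1 = $2"; else echo "$2" > "$1"; fi
}

build_rules() {
    set_sysctl /proc/sys/net/ipv4/ip_forward 0
    run /sbin/modprobe iptable_nat
    run /sbin/modprobe ip_conntrack
    run /sbin/modprobe ip_conntrack_ftp

    run /sbin/iptables -F
    run /sbin/iptables -t nat -F
    run /sbin/iptables -X
    run /sbin/iptables -t nat -X
    run /sbin/iptables -P INPUT DROP
    run /sbin/iptables -P OUTPUT DROP
    run /sbin/iptables -P FORWARD DROP

    # INPUT/OUTPUT only govern the firewall box's own processes.
    run /sbin/iptables -A INPUT -s "$NONUSERS" -j ACCEPT
    # Let local processes answer the LAN, but never initiate connections to it.
    run /sbin/iptables -A OUTPUT -d "$NONUSERS" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # FORWARD governs traffic passing through: LAN outbound, plus the replies.
    run /sbin/iptables -A FORWARD -s "$NONUSERS" -j ACCEPT
    run /sbin/iptables -A FORWARD -d "$NONUSERS" -m state --state ESTABLISHED,RELATED -j ACCEPT

    run /sbin/iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # Keep the masquerade address current on a dynamic uplink, then forward.
    set_sysctl /proc/sys/net/ipv4/ip_dynaddr 1
    set_sysctl /proc/sys/net/ipv4/ip_forward 1
}
```

Call build_rules from the script (as root) to apply it, or run it with DRYRUN=1 first to check the generated rules.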