RE: Port Forwarding and opening ports.


On point 1, add the following rules.

 # The loopback interface is named "lo"; the OUTPUT chain matches the outgoing interface with -o, not -i
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

The second rule only applies if you have your OUTPUT policy set to default DROP.

On point 2, do the following.

I assume you want to ssh into the linux system itself. This would not need to be natted, and you say that if you disable nat it works, so why still pursue natting? Any connection destined for the linux system would be "guarded" by your input chain, as any natting is only used for connections not destined for the local system, i.e. packets going through the linux box.

On point 3.

Are you looking to ssh again? Look at your rule. Remember that when making a network TCP connection your packet contains a source and destination port. Your source port is assigned by your operating system. It will use whatever is not being used at that time. Your destination is the important thing to look at. Your rule in point three refers to a source port. So if I understand your question correctly, you can simply change your --sport to --dport; in other words, specify the destination port and not the source port.

I am by no means a guru but understand the main principles pretty well.

Hope this helps




-----Original Message-----
From: ImpulseFG@netscape.net [mailto:ImpulseFG@netscape.net]
Sent: 04 03 2003 22:56 PM
To: netfilter@lists.netfilter.org
Subject: Port Forwarding and opening ports.


I have iptables setup to port forward ftp, web, and a game server to another server on the local network. It works great. I have also set it up so it only accepts incoming and outgoing connections on port 22. I'm having 2 problems and a couple of questions.

1. I can ssh into the machine which is 192.168.1.1 from any computer on the local network. But I can't run X programs without allowing all incoming and outgoing connections on this machine. I've tried:

            $iptables -A INPUT -i eth1 -j ACCEPT
            $iptables -A OUTPUT -o eth1 -j ACCEPT

This wouldn't fix the problem. So I tried:

            $iptables -A INPUT -s 192.168.1.2-192.168.1.255 -j ACCEPT
            $iptables -A OUTPUT -d 192.168.1.2-192.68.1.255 -j ACCEPT

This didn't work either. Only accepting all incoming and outgoing connections would.

2. I'm having problems with the nat features.
    I want to be able to ssh into the routing machine from the local network but I can't. I have it set to accept local connections on port 22 for udp and tcp.

    But nat is natting the packets before it can accept them.
    The only way I am able to get it to accept them is to disable nat.
    I tried natting all the ports around 22. See the attached script, but for some reason that wouldn't work either.

Does anyone have any idea how to do this?


3. Does anyone know why iptables -A mytable -p all --sport 22 -j ACCEPT won't work? It seems that the all keyword doesn't work at all.

I am using iptables v.1.2.5 with RH7.3 most updated kernel.

Sorry for the length of this post; I'm just looking for some solutions. Thanks for any help. I changed my IP in the firewall script to 128.x.x.x, hope this doesn't confuse anyone.

                                    -Impulse



<< File: rc.firewall-2.4.mailing >>
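The three points in the reply (loopback rules, ssh to the router being an INPUT-chain decision rather than a NAT one, and matching on --dport instead of --sport) put together as one small ruleset. This is an added example, not the attached rc.firewall script or anything the posters wrote; it assumes eth0 faces the internet, eth1 faces the LAN, the router is 192.168.1.1 and the forwarded web server is 192.168.1.2, and it only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example for the thread above; interface names and addresses are assumptions.
# DRY_RUN=1 (default) echoes each iptables command instead of running it.
DRY_RUN="${DRY_RUN:-1}"
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

firewall_rules() {
    WAN=eth0; LAN=eth1; LAN_NET=192.168.1.0/24; WEB=192.168.1.2

    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Point 1: loopback is its own interface ("lo"); OUTPUT matches with -o.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections the router itself opened (ssh, X, dns...).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Points 2 and 3: ssh *to the router* is decided by INPUT, matched on the
    # destination port. No DNAT rule touches dport 22, so NAT never sees it.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Port forward only the web port: nat table rewrites the destination,
    # filter table (FORWARD) still has to allow the rewritten packet through.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN clients going out share the router's WAN address.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

firewall_rules
```

Run with DRY_RUN=1 first and read the printed rules; nothing in the list matches on --sport, which is the change the reply recommends for point 3.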
