Greetings everyone,

While building a complex set of rules for my firewall I have stumbled across a few problems and would like to know if there is anyone to help me clear a few things in my mind.

If I was to set the FORWARD chain default policy to DROP, what rules would I be required to enter in order to allow e.g. my internal network hosts to telnet anywhere on the internet?

For example take this setup:

    LAN -----------------FIREWALL------------------------ Internet
    192.168.1.0/24       public ip: 200.0.0.1

In this simple setup, my guess is that I'm required to create 3 rules for the telnet to work. One for the packets travelling from the LAN to the firewall, one for the opposite (internet to the firewall) and then one more for the POSTROUTING chain to masquerade the packets.

Here is what I've done:

1) iptables -P FORWARD DROP
2) iptables -A FORWARD -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j ACCEPT
3) iptables -A FORWARD -p tcp -s 0/0 --sport 23 -d 200.0.0.1 -j ACCEPT
4) iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j MASQUERADE

Would this be correct, and if not, can you please explain why? I'm not too sure if loading ip_conntrack would eliminate the need for rule no. 3.

Regards,
Chris Partsenidis
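The closing question of the post (whether connection tracking makes a hand-written reply rule unnecessary) can be explored with a small model. The following is an added example, not part of the original message and not real netfilter code: it replays the post's topology with FORWARD policy DROP, the LAN-to-tcp/23 ACCEPT rule, MASQUERADE in nat/POSTROUTING, and an optional ESTABLISHED,RELATED rule in place of a reply rule. It also models the fact that nat/PREROUTING reverses the masquerade before the FORWARD chain runs, so FORWARD sees the LAN host, not the firewall's public address, as the destination of reply traffic. The hosts 198.51.100.7 and 203.0.113.9 are constructed documentation-range addresses; `Router`, `Packet` and `telnet_session` are names chosen here.

```python
import ipaddress
from dataclasses import dataclass

# Topology from the post (constructed model, not the poster's rules or kernel code)
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "200.0.0.1"
TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Toy netfilter model: -P FORWARD DROP, one LAN->tcp/23 ACCEPT rule,
    optionally one ESTABLISHED,RELATED ACCEPT rule, and MASQUERADE in
    nat/POSTROUTING. stateful=False models leaving out the ESTABLISHED rule
    only; MASQUERADE itself always relies on connection tracking."""

    def __init__(self, stateful=True):
        self.stateful = stateful
        self.conntrack = set()   # original-direction 4-tuples seen leaving the LAN
        self.snat = {}           # LAN 4-tuple -> public source port
        self.dnat = {}           # (public port, remote ip, remote port) -> (LAN ip, LAN port)
        self._next_port = 1024

    @staticmethod
    def _in_lan(ip):
        return ipaddress.ip_address(ip) in LAN

    def _forward_chain(self, p):
        """Evaluate the FORWARD chain and return the verdict."""
        # -A FORWARD -s 192.168.1.0/24 -p tcp --dport 23 -j ACCEPT
        if self._in_lan(p.src) and p.dport == TELNET_PORT:
            return "ACCEPT"
        # -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        # A reply belongs to a tracked flow whose original direction is the mirror image.
        if self.stateful and (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ACCEPT"
        return "DROP"   # -P FORWARD DROP

    def send(self, p):
        """Push one packet through the router.
        Returns (verdict, packet as it leaves the router, or None)."""
        if self._in_lan(p.src):
            # LAN -> Internet: FORWARD first, then nat/POSTROUTING MASQUERADE.
            verdict = self._forward_chain(p)
            if verdict != "ACCEPT":
                return verdict, None
            key = (p.src, p.sport, p.dst, p.dport)
            self.conntrack.add(key)
            if key not in self.snat:
                self.snat[key] = self._next_port
                self.dnat[(self._next_port, p.dst, p.dport)] = (p.src, p.sport)
                self._next_port += 1
            return verdict, Packet(PUBLIC_IP, self.snat[key], p.dst, p.dport)

        # Internet -> LAN: nat/PREROUTING undoes the masquerade *before* FORWARD,
        # so FORWARD sees the LAN host, never 200.0.0.1, as a reply's destination.
        lan = self.dnat.get((p.dport, p.src, p.sport))
        if lan is not None:
            p = Packet(p.src, p.sport, lan[0], lan[1])
        elif p.dst == PUBLIC_IP:
            # Unsolicited traffic to the firewall's own address goes to the
            # INPUT chain, which this model does not cover.
            return "INPUT", None
        verdict = self._forward_chain(p)
        return verdict, (p if verdict == "ACCEPT" else None)


def telnet_session(stateful=True):
    """Replay the post's scenario: a LAN host telnets out, the server replies,
    an unsolicited probe arrives, and the LAN host tries a non-telnet port.
    Remote addresses are constructed RFC 5737 documentation hosts."""
    r = Router(stateful)
    v_out, out = r.send(Packet("192.168.1.10", 40000, "198.51.100.7", TELNET_PORT))
    v_reply, reply = r.send(Packet("198.51.100.7", TELNET_PORT, PUBLIC_IP, out.sport))
    v_probe, _ = r.send(Packet("203.0.113.9", 55555, "192.168.1.10", TELNET_PORT))
    v_http, _ = r.send(Packet("192.168.1.10", 40001, "198.51.100.7", 80))
    return {
        "outbound": (v_out, out),
        "reply": (v_reply, reply),
        "probe": v_probe,
        "other_port": v_http,
    }


if __name__ == "__main__":
    for mode in (True, False):
        res = telnet_session(stateful=mode)
        print(f"stateful={mode}:",
              {k: (v[0] if isinstance(v, tuple) else v) for k, v in res.items()})
```

Running it with `stateful=True` shows the outbound packet leaving with the public source address, the reply accepted after its destination has been rewritten back to 192.168.1.10:40000, and both the unsolicited probe and the non-telnet connection dropped by the default policy. With `stateful=False` the reply is dropped, because the only ACCEPT rule left requires a LAN source address.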