On Friday 16 May 2003 17:16, David T-G wrote:
> Florent, et al --
>
> ...and then Aide Florent said...
> %
> % On Friday 16 May 2003 00:45, David T-G wrote:
> % > Hi again, all --
> ...
> % > I've attached `iptables -L` so that you can see if anything looks
> wrong.
> %
> % you should try
> %
> % iptables -t nat -nvL
> %
> % if you want to see what is "NATed" by your machine.
>
> Ah. Oops! Now *that* is attached.
>
>
> %
> % Hope it helps.
>
> I don't really know what I'm reading, but I admit that it looks somewhat
> sparse. I hope someone can tell me what pieces I'm missing!
>
>
> %
> % Florent AIDE
>
>
> Thanks again & HAND
>
> :-D

At first I thought somebody would notice, but you have a huge hole in your firewall. So you do:

Chain INPUT (policy DROP)
target     prot opt source                     destination
ACCEPT     all  --  anywhere                   anywhere
ACCEPT     all  --  anywhere                   anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere                   255.255.255.255     udp spt:bootps dpt:bootpc
ACCEPT     icmp --  anywhere                   anywhere            icmp echo-request
ACCEPT     udp  --  dns1.rcsntx.sbcglobal.net  anywhere            state NEW udp spt:domain dpts:1024:65535
ACCEPT     udp  --  dns1.snfcca.sbcglobal.net  anywhere            state NEW udp spt:domain dpts:1024:65535
LOG        tcp  --  anywhere                   anywhere            tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-NEW-CONNECT '
ACCEPT     udp  --  anywhere                   anywhere            state ESTABLISHED udp dpts:61000:65095
input_ext  all  --  anywhere                   anywhere
ACCEPT     all  --  anywhere                   anywhere

Iptables behaviour is: the first match counts!! So if you set the first rule of the INPUT chain to

ACCEPT     all  --  anywhere                   anywhere

it means that all traffic both ways may pass. This behaviour is not acceptable. Actually ALL the other rules 2, 3, 4 etc. of the INPUT chain are not matched. You could filter more by interface.
Then the FORWARD chain:

Chain FORWARD (policy DROP)
target       prot opt source               destination
TCPMSS       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
reject_func  all  --  anywhere             anywhere
ACCEPT       all  --  anywhere             anywhere

It seems you have a ppp adapter, but only a clamp to PMTU is not enough to get it working; it only corrects the PMTU value. Your policy says DROP, but your reject_func rejects further traffic, so the

ACCEPT       all  --  anywhere             anywhere

is not matched; you would override your own POLICY if it did. So you have to make a rule with state NEW, before the reject_func, and let everything pass from the internal network to the WWW. Example:

iptables -A FORWARD -m state --state NEW -i $int_if -o $ext_if -j ACCEPT

Now the firewall knows how to forward between interfaces. This should do the job, let us know!!

Pascal
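Added example for this thread, not code posted by Pascal, David or the SuSE firewall package: a small gateway ruleset that applies the two points above (an unrestricted ACCEPT as the first rule shadows every later rule, and FORWARD needs an interface-scoped NEW rule ahead of any reject rule) plus an audit that flags ACCEPT rules carrying no match at all. The interface names eth0 (LAN) and ppp0 (ISP link), the LAN range 192.168.1.0/24 and the sample dump are assumptions chosen for illustration; set IPT=echo to preview the commands without root. Two checks worth keeping in mind: plain `iptables -L` hides the in/out interface columns, so use `iptables -nvL` before concluding a rule has no interface match, and forwarding between interfaces only happens once net.ipv4.ip_forward is 1.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a two-interface
# gateway: eth0 facing the LAN and ppp0 facing the ISP (both hypothetical;
# the thread only says "it seems you have a ppp adapter").
# Set IPT=echo to print the commands instead of loading them.
INT_IF="${INT_IF:-eth0}"
EXT_IF="${EXT_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed example LAN range
IPT="${IPT:-iptables}"

# INPUT: first match wins, so the only unrestricted ACCEPT is tied to the
# loopback interface; everything else must match state, interface or proto.
input_rules() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p tcp --syn -j LOG --log-prefix "FW-DROP-NEW-CONNECT "
}

# FORWARD: MSS clamp for the ppp link, replies by state, and NEW connections
# only from the LAN towards the ISP link. The NEW rule sits ahead of the
# final LOG (the place a reject rule would go), so it is actually reached.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o "$EXT_IF" -j TCPMSS --clamp-mss-to-pmtu
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP "
}

# NAT: masquerade LAN traffic leaving the ppp link. This is the table that
# `iptables -t nat -nvL` shows and that was empty in the thread.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# Audit: count ACCEPT rules (iptables-save / "-A CHAIN ..." format on stdin)
# that carry no interface, address, protocol or state match. Such a rule
# accepts everything, and every rule after it in the chain is dead.
blanket_accepts() {
    grep -- '-j ACCEPT' \
        | grep -v -c -e ' -i ' -e ' -o ' -e ' -s ' -e ' -d ' -e ' -p ' -e ' -m state' \
        || true
}

# Constructed excerpt shaped like the INPUT chain in the thread: the first
# rule matches nothing in particular, which is exactly the hole described.
SAMPLE_DUMP='-A INPUT -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'

audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | blanket_accepts
}

# `sh gateway.sh audit` prints 1 for the sample; `IPT=echo sh gateway.sh load`
# previews the ruleset; as root without IPT it loads it for real.
case "${1:-}" in
    audit) audit_sample ;;
    load)  echo 1 > /proc/sys/net/ipv4/ip_forward
           input_rules; forward_rules; nat_rules ;;
esac
```

To audit a live box instead of the sample, pipe `iptables-save | blanket_accepts`; a result above zero means some chain has an ACCEPT that no later rule can ever override.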