Dear David, > % > iptables -A FORWARD -i eth1 -o eth1 -j REJECT > % What are you trying to achieve? > % These rules do not allow any traffic through your firewall (Forward > % REJECT). > > As I said, I was lifting from the HOWTO :-) I thought that that rule > rejected anything coming in on eth1 (external interface) that was due to > go back out on eth1. Sorry my mistake. You are right. I apparently assumed you meant -i eth1 -o eth0. > I'm not sure why I want to do postrouting going out the LAN interface; I > thought that NAT was for internal machines trying to get out. I *think* > that what I want is SNAT == source translation, and the NAT HOWTO doesn't > talk about DNAT == destination translation so I don't know that it's > needed -- but, of course, also don't really know about what I'm speaking. > > [Oh, phooey -- I just realized that I had a typo, and you're obviously > going from what I wrote! eth0 is the LAN and eth1 is the WAN; sorry!] Ok. lets get this straight. You are protecting internal clients which want to access the internet. You need Source NAT and the NAT rules are applied in the Postrouting chain on the external interface: EXTIF=eth1 iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE > This is one test case that I didn't try since the firewall was otherwise > locked up. What do you mean be locked up? > > > % > Goal 2: Allow various connections and confirm that they work > % Now you are trying to filter. The filter table has three chains. Each > % chain with a specific task: > % INPUT only filters packets with the local machine as destination > > Oh, INPUT from any interface; OK. > > > % OUTPUT only filters packets originating on the local machine > % FORWARD only sees those packets not covered by INPUT and OUTPUT being > % forwarded by the firewall. > > OK. But this FORWARD is different from the NAT forward, right? There is no nat FORWARD chain. The nat table only has: PREROUTING and OUTPUT for Destination NAT and POSTROUTING for Source NAT. Defining a rule in POSTROUTING only defines the NAT not the filterrules > > I'm close, I think. I'd start with > > # flush everything > iptables -t filter -F ; iptables -t mangle -F ; iptables -t nat -F > # allow masquerading > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE > > to just forward packets from inside clients and then perhaps add > > # outbound connections through > iptables -t filter -A FORWARD -i eth0 -o eth1 -m match --match NEW -j ACCEPT > # returning connections through > iptables -t filter -A FORWARD -m match --match RELATED,ESTABLISHED -j ACCEPT Do not forget to turn routing on: echo 1 > ... > > to allow things like pings to go out and in. Then I'd need > > # incoming to > iptables -t filter -A INPUT ACCEPT > > to just let everything going to the box -- like my ssh -- get there. Not > yet secure, but a start, right? Yes. But if you just want to allow ssh and web do the following: # Allow ssh and web access to the firewall box iptables -t filter -A INPUT -i $EXTIF -m match NEW,RELATED,ESTABLISHED -j ACCEPT # Allow the firewallbox to answer iptables -t filter -A OUTPUT -o $EXTIF -m match RELATED,ESTABLISHED -j ACCEPT # Block everything else iptables -t filter -P INPUT DROP iptables -t filter -P OUTPUT DROP iptables -t filter -P FORWARD DROP Cheers, Ralf -- Ralf Spenneberg RHCE, RHCX Book: Intrusion Detection für Linux Server http://www.spenneberg.com IPsec-Howto http://www.ipsec-howto.org Honeynet Project Mirror: http://honeynet.spenneberg.org
