On Tue, 2003-08-26 at 10:35, Payal Rathod wrote:
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
>
> $IPTABLES -t nat -A POSTROUTING -j MASQUERADE
>
> $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
>
> When I make FORWARD POLICY as ACCEPT it works, but not when I make it
> to DROP? Is there any bad rule anywhere?

Yes, apply masquerading only to the external interface, like

$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

If 125.125.125.0 is your internal ip-range you should be able to browse to:
http://217.160.128.61

But since you do not allow any DNS traffic you can't resolve any hostnames.

Cheers,

Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto                                  http://www.ipsec-howto.org
Honeynet Project Mirror                      http://honeynet.spenneberg.org
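The two fixes in Ralf's reply (masquerade only on the external interface, and let DNS through the FORWARD chain) pulled together into one ruleset, as an added example that is not part of the thread. It emits the rules in iptables-restore format so they can be reviewed before loading; the interface names (eth0 = LAN, eth1 = external) are assumptions, as is the choice to restrict the new outbound rules to the LAN-to-external direction with -i/-o. The LAN range 125.125.125.0/24 is taken from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread: print a corrected ruleset in
# iptables-restore format. Apply with:  sh rules.sh | iptables-restore
# Assumed interfaces (not given in the thread): eth0 = LAN side, eth1 = external.

LAN_NET="${LAN_NET:-125.125.125.0/24}"
LAN_IF="${LAN_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"

build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only packets leaving through the external interface, never LAN-bound traffic.
-A POSTROUTING -o ${EXT_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Return traffic for connections the LAN opened (covers the echo replies too).
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet. DNS first: with FORWARD set to DROP and no port-53 rule,
# clients cannot resolve names, which is what the original poster hit.
-A FORWARD -i ${LAN_IF} -o ${EXT_IF} -s ${LAN_NET} -p udp --dport 53 -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${EXT_IF} -s ${LAN_NET} -p tcp --dport 53 -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${EXT_IF} -s ${LAN_NET} -p tcp --dport 21 -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${EXT_IF} -s ${LAN_NET} -p tcp --dport 80 -j ACCEPT
# Kept from the original post (already matched by ESTABLISHED above).
-A FORWARD -p icmp --icmp-type 0 -j ACCEPT
COMMIT
EOF
}

# Sanity check used before loading: how many FORWARD rules open port 53?
count_dns_rules() {
    build_rules | grep -c -- '--dport 53'
}

# Does the MASQUERADE rule carry the external-interface restriction?
masquerade_is_scoped() {
    build_rules | grep -q -- "-o ${EXT_IF} -j MASQUERADE"
}

build_rules
```

Loading through iptables-restore replaces the whole table atomically, so a half-applied ruleset cannot leave FORWARD open between commands. FTP in this shape works for the control channel; the data connection is only accepted as RELATED if the ip_conntrack_ftp / nf_conntrack_ftp helper module is loaded, which the original rules also rely on.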