> iptables -F FORWARD > iptables -P FORWARD DROP > iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d > 172.16.1.0/24 --syn -j DROP > iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 --sport > 80 -d 0/0 -j ACCEPT > iptables -A FORWARD -m tcp -p tcp -d 172.16.1.0/24 --dport > 80 -s 0/0 -j ACCEPT > > i dont kinda understand this... > firstly 2nd line whats the -P. i guess its the default > policy. but i could have given as > iptables -A FORWARD -j DROP Yes, it's default policy and indeed you could also do that to with -A, but then it should be your last rule ; you can easily forget to do that when setting up you rules. Normally you start with DROPing everything and after that create rules for packets you want to accept. See : man iptables and the iptables tutorial (http://iptables-tutorial.frozentux.net/). > 2nddly 3rd line why the -j DROP i thought it should be ACCEPT No. You _don't_ want new incomming connections (--syn) from port 80 to be forwarded because you didn't initiate them. I cannot imagine a webserver sending out packets to one of my workstations by all itself (so I didn't make a request to it) ;-).. Can you ? > 3rdly since it says access the WWW servers on the internet > why is it that on the 4th linethe --sport is 80 > the source doesnt necessarily have to be 80 it could be any > unprivileged port. the --dport should be infact 80 What they want to do is to let return packets pass, as they don't use the RELATED,ESTABLISHED states. But, as you say, a packet is coming FROM 172.16.1.0/24 TO port 80/tcp. Thus it should be -d. And in the next line a packet is going TO 172.16.1.0/24 FROM port 80/tcp thus should be -s as we most likely are not listening on port 80. I wouldn't do it this way. The state framework is easier to use. > and the last line also seems confusing to me. where the -d is > the network-ip > > please help me/ suggest. iptables -F FORWARD iptables -P FORWARD DROP iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD [-i if_in] -s 172.16.1.0/24 -p tcp --dport 80 -j ACCEPT iptables -A FORWARD [-i if_in] -s 172.16.1.0/24 -p tcp --dport 443 -j ACCEPT (The part I'm missing here :) iptables -t nat -A POSTROUTING [-o if_out] -s 172.16.1.0/24 -p tcp --dport 80 -j SNAT --to-source <ip_ext> iptables -t nat -A POSTROUTING [-o if_out] -s 172.16.1.0/24 -p tcp --dport 443 -j SNAT --to-source <ip_ext> Flush all rules. Set default policy to DROP. RELATED,ESTABLISHED will take care of any return packets. Accept packets to webservers (http and https) in the FORWARD chain. SNAT packets to webservers in the nat table POSTROUTING chain. Rob
