Re: Port forwarding doesn't work.

On Monday 13 October 2003 2:09 pm, Arnt Karlsen wrote:

   ..you don't need to specify interface nor protocol or ports other
   than possibly to make data for the nice graphs.  KISS:   ;-)

   # Accept everything connected
   /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED \
   -j ACCEPT
   /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
   -j ACCEPT

Wow, that is far more simple than anything I ever saw in any howto.  I like it 
and I'll sure try it.

I currently have this input rule:
# Allow any related traffic coming back to the MASQ server in
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

and these forward rules:
echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

My snat masquerade rule looks like this:
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

Your suggestions will simplify these rules nicely.


The problem is that I'm not quite sure how the Java applet thing works - 
whether the connection is established from the inside, or whether the gov 
server starts it up from the outside, after the initial http connection - 
they may be doing that for some security reason.  If it is the latter, then 
the established,related rules won't work and explicit port forwarding rules 
would be required.  To add to my woes, the gov server is down for maintenance 
at the moment, so I can't test it properly.

Thanks,
-- 
Herman Oosthuysen 
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@xxxxxxxxxxxxxxxxxxxxx, http://www.AerospaceSoftware.com
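An added example, not code from either poster: a dry-run script that emits the simplified stateful ruleset with a default-deny policy, a rate-limited LOG rule that shows in the kernel log whether the remote server ever opens a NEW inbound connection (which answers the "who initiates" question without guessing), and the single-port, single-source DNAT forward that is needed only if it does. Interface names, addresses and the port are placeholders, not values from the thread.

```shell
#!/bin/sh
# Dry run by default: prints the iptables commands instead of running them.
# Set DRY_RUN=0 and run as root to apply.
IPTABLES=/sbin/iptables
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Placeholder values (assumptions); replace with your own.
EXTIF=eth0            # interface facing the Internet
INTIF=eth1            # interface facing the LAN
EXTIP=203.0.113.10    # public address (documentation range)
INTHOST=192.168.1.20  # LAN host running the applet
REMOTE=198.51.100.5   # the only outside host allowed to initiate (assumed)
FWDPORT=5000          # port it would connect back to (assumed)

build_rules() {
    ipt -F
    ipt -t nat -F
    # Default deny: anything not matched below is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    # Return and related traffic, the whole "KISS" rule from the thread.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from the LAN outwards, masqueraded as EXTIP.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to "$EXTIP"
    # Only if the remote server really initiates: forward one port from one source.
    ipt -t nat -A PREROUTING -i "$EXTIF" -s "$REMOTE" -p tcp --dport "$FWDPORT" \
        -j DNAT --to-destination "$INTHOST:$FWDPORT"
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$REMOTE" -d "$INTHOST" \
        -p tcp --dport "$FWDPORT" -m state --state NEW -j ACCEPT
    # Log any other NEW inbound attempt (rate-limited) before the policy drops it;
    # if the remote server tries to call in, it shows up here with its port.
    ipt -A FORWARD -i "$EXTIF" -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "fwd-new-in: "
}

build_rules
```

While the applet runs, `grep fwd-new-in` in the kernel log tells you whether any inbound NEW packets arrived; if none do, the ESTABLISHED,RELATED rules alone are sufficient and the DNAT lines can be dropped.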

