I thought about that too.. but this output seems to indicate a default policy
of ACCEPT on the OUTPUT chain. I've not yet formulated a set of rules to handle
outbound traffic.

iptables -L .. partial output ...

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

or .. am I missing your point ?

On Sun, 2003-10-19 at 20:44, Mark E. Donaldson wrote:
> David - Where are your OUTPUT chain rules? If you want to ping (or anything
> else) your ISP gateway from the firewall itself, you need rules in your
> OUTPUT chain to permit this. If your OUTPUT default policy is set to DROP,
> then all packets generated by your firewall are being dropped.
>
> -----Original Message-----
> From: David H. Askew [mailto:daskew2@xxxxxxxxx]
> Sent: Sunday, October 19, 2003 2:44 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: firewall host problem
>
> ok .. so I'm trying to set up my first iptables firewall .. and I've got
> a semi-functional setup so far ... but I do have one small problem .. my
> firewall machine .. which is performing NAT for my home network .. cannot
> access the Internet with any standard tools ... tracepath .. ping ..
> etc. I know network connectivity is fine .. because my internal
> machines function properly.
>
> My router/firewall has 3 interfaces ....
> eth0: ISP
> eth1: Home Subnet 1
> eth2: Home Subnet 2
>
> eth2 can ping my ISP gateway
> eth1 can ping my ISP gateway
> eth0 cannot ping my ISP gateway
>
> my firewall script is below ...
>
> I've recently switched from an ACCEPT default policy to the DROP default
> policy below. I didn't have this problem previously, so I know I've
> just forgotten to allow something .. but I'm having trouble coming to a
> logical conclusion ....
>
> ...any help .. critique ... advice you could provide would be helpful
>
> -dave
>
> iptables --flush
> iptables --table nat --flush
> iptables --delete-chain
> iptables --table nat --delete-chain
>
> # Enable packet forwarding in the kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Setup IP FORWARDing and Masquerading
> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables --append FORWARD --in-interface eth1 -j ACCEPT
> iptables --append FORWARD --in-interface eth2 -j ACCEPT
>
> # enable connection tracking
> iptables -I FORWARD -m state --state INVALID -j DROP
> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
>
> iptables -A INPUT -p tcp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
>
> iptables -P INPUT DROP
>
> --
> How many Microsoft engineers does it take to change a light bulb ?
>
> Answer : None, they just declare darkness a new standard.

--
How many Microsoft engineers does it take to change a light bulb ?

Answer : None, they just declare darkness a new standard.
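An added example, not from the thread or from netfilter itself: a small Python model of how a chain is evaluated (first matching rule wins, otherwise the chain's default policy applies), loaded with the INPUT chain from the posted script. It shows that a ping sent by the firewall host leaves through OUTPUT (policy ACCEPT, as David's `iptables -L` output shows) but its reply is a locally terminated ESTABLISHED packet that must pass INPUT, where policy DROP catches it; the conntrack rule in `FIXED_INPUT` is an assumption of this example, not something the thread proposes.

```python
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

# Constructed packet and rule models; they mirror only the match fields the
# posted script uses (-p, -i, --dport, -m state --state).
@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    iface: str                 # interface the packet arrives on (INPUT) / leaves by (OUTPUT)
    state: str                 # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    dport: Optional[int] = None

@dataclass
class Rule:
    target: str                # ACCEPT or DROP
    proto: Optional[str] = None
    iface: Optional[str] = None
    states: Optional[Set[str]] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.states is None or pkt.state in self.states)
                and (self.dport is None or self.dport == pkt.dport))

def verdict(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """Walk the chain in order; the first match decides, else the policy does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# INPUT chain exactly as the posted script builds it (SSH only), policy DROP.
POSTED_INPUT = [
    Rule("ACCEPT", proto="tcp", iface="eth0", dport=22),
    Rule("ACCEPT", proto="udp", iface="eth0", dport=22),
    Rule("ACCEPT", proto="tcp", iface="eth2", dport=22),
    Rule("ACCEPT", proto="udp", iface="eth2", dport=22),
]
POSTED_OUTPUT: List[Rule] = []   # script never touches OUTPUT: kernel default, policy ACCEPT

# Assumed fix (not from the thread): accept reply traffic on INPUT, inserted at the top.
FIXED_INPUT = [Rule("ACCEPT", states={"ESTABLISHED", "RELATED"})] + POSTED_INPUT

def ping_from_firewall(input_rules: List[Rule]) -> Tuple[str, str]:
    """Echo request leaves via eth0 (OUTPUT); conntrack marks the echo reply
    that comes back on eth0 as ESTABLISHED and it is evaluated by INPUT."""
    request = Packet("icmp", "eth0", "NEW")
    reply = Packet("icmp", "eth0", "ESTABLISHED")
    out = verdict(POSTED_OUTPUT, "ACCEPT", request)
    inp = verdict(input_rules, "DROP", reply) if out == "ACCEPT" else "n/a"
    return out, inp
```

The `FORWARD` chain is unaffected because the script already inserts a RELATED,ESTABLISHED rule there, which is why the internal hosts behind NAT keep working while the firewall host itself does not.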