David - Where are your OUTPUT chain rules? If you want to ping (or anything else) your ISP gateway from the firewall itself, you need rules in your OUTPUT chain to permit this. If your OUTPUT default policy is set to DROP, then all packets generated by your firewall are being dropped.

-----Original Message-----
From: David H. Askew [mailto:daskew2@xxxxxxxxx]
Sent: Sunday, October 19, 2003 2:44 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: firewall host problem

ok .. so I'm trying to set up my first iptables firewall .. and I've got a semi-functional setup so far ... but I do have one small problem .. my firewall machine .. which is performing NAT for my home network .. cannot access the Internet with any standard tools ... tracepath .. ping .. etc.

I know network connectivity is fine .. because my internal machines function properly.

My router/firewall has 3 interfaces ....

eth0: ISP
eth1: Home Subnet 1
eth2: Home Subnet 2

eth2 can ping my ISP gateway
eth1 can ping my ISP gateway
eth0 can not ping my ISP gateway

my firewall script is below ... I've recently switched from an ACCEPT default policy to the DROP default policy below. I didn't have this problem previously, so I know I've just forgotten to allow something .. but I'm having trouble coming to a logical conclusion ....

...any help .. critique ... advice you could provide would be helpful

-dave

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setup IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --in-interface eth2 -j ACCEPT

#enable connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
iptables -P INPUT DROP

--
How many Microsoft engineers does it take to change a light bulb ?
Answer : None, they just declare darkness a new standard.
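The point raised in the reply (the firewall's own traffic must be permitted explicitly once default policies are DROP) is easiest to see in a complete ruleset. The script below is an added example and is not the script from the thread or anything the netfilter project ships. It keeps the three interfaces from the post (eth0 ISP, eth1 and eth2 home subnets) and the same connection-tracking style (`-m state`), but applies the stateful INVALID/ESTABLISHED,RELATED pair to INPUT and OUTPUT as well as FORWARD, so the box can originate ping, tracepath and DNS lookups and receive the replies. It goes one step further than the original by also defaulting FORWARD and OUTPUT to DROP. The `ADMIN_NET` subnet is an assumed placeholder, and `IPT=echo` is a hypothetical dry-run switch added here so the rules can be printed and inspected without root.

```shell
#!/bin/sh
# Added example (not from the original thread): stateful iptables ruleset for a
# three-interface NAT box. Run "sh firewall.sh apply" as root to load it, or
# "IPT=echo sh firewall.sh apply" to print the rules instead.
IPT=${IPT:-iptables}          # hypothetical dry-run switch: set IPT=echo to print only

WAN=eth0                      # ISP side, from the post
LAN1=eth1                     # Home Subnet 1
LAN2=eth2                     # Home Subnet 2
ADMIN_NET=192.168.2.0/24      # assumed: subnet behind eth2 allowed to SSH in

gen_rules() {
    # Start clean and deny by default on all three built-in chains.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -t nat -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback: local resolvers and daemons talk to 127.0.0.1.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Connection tracking on every chain. The original script only did this on
    # FORWARD, so forwarded LAN traffic worked while the firewall's own packets
    # (and the replies to them) fell through to the DROP policies.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m state --state INVALID -j DROP
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # Let the firewall itself open new connections (ping, tracepath, DNS, apt).
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT

    # Masquerade the home subnets out of the ISP interface and only forward
    # new connections that originate inside; replies come back via ESTABLISHED.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN1" -o "$WAN" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN2" -o "$WAN" -m state --state NEW -j ACCEPT

    # Management access to the firewall: sshd is TCP only, so the udp/22 rules
    # from the original script are left out.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN2" -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Only touch the kernel when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules
fi
```

Dry-run it first (`IPT=echo sh firewall.sh apply`) and check that every chain carries an ESTABLISHED,RELATED accept before loading it on the live box; once loaded, `iptables -L -v -n` shows the per-rule counters, and a ping from the firewall that now succeeds should increment the OUTPUT NEW rule and the INPUT ESTABLISHED rule rather than the policy drop counters.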