You are only allowing port 22 for input; you have to allow related traffic back. Something like:

iptables -A FORWARD -p tcp -i <input interface> -m state --state ESTABLISHED,RELATED -j ACCEPT

> I thought about that too.. but
>
> This output seems to indicate a default policy of ACCEPT on the output
> chain. I've not yet formulated a set of rules to handle outbound
> traffic.
>
> iptables -L .. partial output ...
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> or .. am I missing your point ?
>
> On Sun, 2003-10-19 at 20:44, Mark E. Donaldson wrote:
>> David - Where are your OUTPUT chain Rules? If you want to ping (or
>> anything else) your ISP gateway from the firewall itself, you need rules
>> in your OUTPUT chain to permit this. If your OUTPUT default policy is
>> set to DROP, then all packets generated by your firewall are being dropped.
>>
>> -----Original Message-----
>> From: David H. Askew [mailto:daskew2@xxxxxxxxx]
>> Sent: Sunday, October 19, 2003 2:44 PM
>> To: netfilter@xxxxxxxxxxxxxxxxxxx
>> Subject: firewall host problem
>>
>> ok .. so I'm trying to set up my first iptables firewall .. and I've got
>> a semi functional setup so far ... but I do have one small problem .. my
>> firewall machine .. which is performing NAT for my home network.. cannot
>> access the Internet with any standard tools ... tracepath .. ping ..
>> etc. I know network connectivity is fine .. because my internal
>> machines function properly.
>>
>> My router/firewall has 3 interfaces ....
>> eth0: ISP
>> eth1: Home Subnet 1
>> eth2: Home Subnet 2
>>
>> eth2 can ping my ISP gateway
>> eth1 can ping my ISP gateway
>> eth0 can not ping my ISP gateway
>>
>> my firewall script is below ...
>>
>> I've recently switched from an ACCEPT default policy to the DROP default
>> policy below. I didn't have this problem previously, so I know I've
>> just forgotten to allow something .. but I'm having trouble coming to a
>> logical conclusion ....
>> ...any help .. critique ... advice you could provide would be helpful
>>
>> -dave
>>
>> iptables --flush
>> iptables --table nat --flush
>> iptables --delete-chain
>> iptables --table nat --delete-chain
>>
>> # Enable packet forwarding in the kernel
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> # Setup IP FORWARDing and Masquerading
>> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
>> iptables --append FORWARD --in-interface eth1 -j ACCEPT
>> iptables --append FORWARD --in-interface eth2 -j ACCEPT
>>
>> #enable connection tracking
>> iptables -I FORWARD -m state --state INVALID -j DROP
>> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
>> iptables -A INPUT -p udp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
>>
>> iptables -A INPUT -p tcp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
>> iptables -A INPUT -p udp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
>>
>> iptables -P INPUT DROP
>>
>> --
>> How many Microsoft engineers does it take to change a light bulb ?
>>
>> Answer : None, they just declare darkness a new standard.
>>
> --
> How many Microsoft engineers does it take to change a light bulb ?
>
> Answer : None, they just declare darkness a new standard.
>

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry@xxxxxxxxxxxxxxxxxxxxx
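The rule the thread is circling, as an added example that is not from the original post or from any of the repliers: David's script with a connection-tracking rule on the INPUT chain. Replies to packets the firewall itself sends (ping, tracepath, DNS lookups) arrive on INPUT rather than FORWARD, so with "-P INPUT DROP" and no state rule there they were being discarded; the loopback rule, the INVALID drop on INPUT and restricting the SSH rules to TCP are also my additions, and the interface names are the ones from the post. DRY_RUN prints the rules instead of applying them so the order can be checked without root.

```shell
#!/bin/sh
# Hardened version of the script from the thread (example code, not the poster's).
# Run as root with "apply", or with "dry-run" to print the rules without root.

ipt() {  # wrapper so every rule can be printed instead of applied
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

firewall_rules() {
    ipt --flush
    ipt --table nat --flush
    ipt --delete-chain
    ipt --table nat --delete-chain

    # Enable packet forwarding in the kernel
    if [ -n "$DRY_RUN" ]; then echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else echo 1 > /proc/sys/net/ipv4/ip_forward; fi

    # NAT for both home subnets leaving via the ISP interface
    ipt --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

    # FORWARD chain: connection tracking first, then the two home subnets
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD --in-interface eth1 -j ACCEPT
    ipt -A FORWARD --in-interface eth2 -j ACCEPT

    # INPUT chain: the rules the original script lacks. Replies to packets the
    # firewall itself sends (ping, tracepath, DNS lookups) land here, so with
    # "-P INPUT DROP" and no state rule they were silently discarded.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # SSH management from the ISP side and Home Subnet 2 (SSH is TCP only,
    # so the udp/22 rules from the original are not needed)
    ipt -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp -i eth2 --dport 22 -m state --state NEW -j ACCEPT

    ipt -P INPUT DROP
}

case "${1:-}" in
    apply)   firewall_rules ;;
    dry-run) DRY_RUN=1 firewall_rules ;;
esac
```

Because the OUTPUT chain in the post already has policy ACCEPT, the outbound ping leaves fine; it is the echo reply on INPUT that needs the state rule, and it must be appended before the policy is switched to DROP.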