This is the line I added .. thank you for your suggestion anyway

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

On Sun, 2003-10-19 at 21:02, Josh Berry wrote:
> You are only allowing port 22 for input, you have to allow related traffic
> back. Something like:
>
> iptables -A FORWARD -p tcp -i <input interface> -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> > I thought about that too.. but
> >
> > This output seems to indicate a default policy of ACCEPT on the output
> > chain. I've not yet formulated a set of rules to handle outbound
> > traffic.
> >
> > iptables -L .. partial output ...
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > or .. am I missing your point ?
> >
> > On Sun, 2003-10-19 at 20:44, Mark E. Donaldson wrote:
> >> David - Where are your OUTPUT chain Rules? If you want to ping (or
> >> anything else) your ISP gateway from the firewall itself, you need rules
> >> in your OUTPUT chain to permit this. If your OUTPUT default policy is set
> >> to DROP, then all packets generated by your firewall are being dropped.
> >>
> >> -----Original Message-----
> >> From: David H. Askew [mailto:daskew2@xxxxxxxxx]
> >> Sent: Sunday, October 19, 2003 2:44 PM
> >> To: netfilter@xxxxxxxxxxxxxxxxxxx
> >> Subject: firewall host problem
> >>
> >> ok .. so I'm trying to set up my first iptables firewall .. and I've got
> >> a semi-functional setup so far ... but I do have one small problem .. my
> >> firewall machine .. which is performing NAT for my home network .. cannot
> >> access the Internet with any standard tools ... tracepath .. ping ..
> >> etc. I know network connectivity is fine .. because my internal
> >> machines function properly.
> >>
> >> My router/firewall has 3 interfaces ....
> >> eth0: ISP
> >> eth1: Home Subnet 1
> >> eth2: Home Subnet 2
> >>
> >> eth2 can ping my ISP gateway
> >> eth1 can ping my ISP gateway
> >> eth0 can not ping my ISP gateway
> >>
> >> my firewall script is below ...
> >>
> >> I've recently switched from an ACCEPT default policy to the DROP default
> >> policy below. I didn't have this problem previously, so I know I've
> >> just forgotten to allow something .. but I'm having trouble coming to a
> >> logical conclusion ....
> >>
> >> ...any help .. critique ... advice you could provide would be helpful
> >>
> >> -dave
> >>
> >> iptables --flush
> >> iptables --table nat --flush
> >> iptables --delete-chain
> >> iptables --table nat --delete-chain
> >>
> >> # Enable packet forwarding in the kernel
> >> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>
> >> # Setup IP FORWARDing and Masquerading
> >> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> >> iptables --append FORWARD --in-interface eth1 -j ACCEPT
> >> iptables --append FORWARD --in-interface eth2 -j ACCEPT
> >>
> >> #enable connection tracking
> >> iptables -I FORWARD -m state --state INVALID -j DROP
> >> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>
> >> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> >> iptables -A INPUT -p udp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> >>
> >> iptables -A INPUT -p tcp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> >> iptables -A INPUT -p udp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> >>
> >> iptables -P INPUT DROP
> >>
> >> --
> >> How many Microsoft engineers does it take to change a light bulb ?
> >>
> >> Answer : None, they just declare darkness a new standard.
> >>
> > --
> > How many Microsoft engineers does it take to change a light bulb ?
> >
> > Answer : None, they just declare darkness a new standard.
>
> Thanks,
> Josh Berry, CTO
> LinkNet-Solutions
> 469-831-8543
> josh.berry@xxxxxxxxxxxxxxxxxxxxx

--
How many Microsoft engineers does it take to change a light bulb ?

Answer : None, they just declare darkness a new standard.
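The fix the thread arrives at is worth spelling out, because the first two replies look at the wrong chain. With `iptables -P INPUT DROP` and only port-22 ACCEPT rules, a ping or tracepath started on the firewall host leaves fine through OUTPUT (policy ACCEPT), but the echo reply or the ICMP time-exceeded message comes back through INPUT, where nothing matches it and the DROP policy eats it. Conntrack classifies those replies as ESTABLISHED (echo reply) or RELATED (ICMP error for a tracked UDP probe), so one `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule on INPUT is what was missing; NATed hosts on eth1/eth2 were unaffected because their replies traverse FORWARD, which already had that rule. The script below is an added example, not part of the thread, that emits the corrected ruleset in `iptables-restore` format so that policies and rules are loaded atomically (the flush-then-append script in the original post runs with an ACCEPT policy and no rules until its last line). It assumes the interface roles from the thread (eth0 = ISP, eth1/eth2 = home subnets), accepts loopback, drops the udp/22 rules (sshd is TCP only), and, unlike the original, only forwards new connections from the LAN interfaces out to eth0 rather than anywhere; the function names are mine.

```shell
#!/bin/sh
# Added example (not the original poster's script): generate the corrected
# ruleset for iptables-restore. Interface roles follow the thread; the
# function names are hypothetical.

WAN=eth0
LAN_IFACES="eth1 eth2"

# Print the whole nat + filter configuration. iptables-restore ignores lines
# beginning with '#', so the comments can stay in the output.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the firewall host itself started (ping echo
# replies, ICMP errors for tracepath, ssh/apt outbound) arrive on INPUT,
# not OUTPUT. This is the rule the original script lacked.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -i $WAN --dport 22 -j ACCEPT
-A INPUT -p tcp -i eth2 --dport 22 -j ACCEPT
# Forwarded traffic: stateful rules first, then new LAN-to-WAN connections.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
EOF
    for i in $LAN_IFACES; do
        printf '%s\n' "-A FORWARD -i $i -o $WAN -j ACCEPT"
    done
    echo COMMIT
}

# Exit 0 when the ruleset on stdin contains the stateful INPUT rule.
has_input_stateful_rule() {
    grep -q '^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$'
}

# Print the number of rules appended to chain $1 in the ruleset on stdin.
count_rules() {
    grep -c "^-A $1 "
}

# Apply atomically (needs root): the whole table set is swapped in one step,
# so there is never a moment with a DROP policy and no stateful rule, or an
# ACCEPT policy and no rules at all.
load_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
}
```

Run `gen_ruleset` to review the output, then `load_ruleset` as root; `iptables-save` afterwards should show the same lines. If the firewall host must also accept pings from the LAN, add an explicit `-A INPUT -p icmp --icmp-type echo-request -j ACCEPT`; the stateful rule only covers traffic the host initiated.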