Re: Setting up default policy to 'DROP' problem

Following are my iptables rules.

xxx.xxx.xxx.xxx is the internet IP.
eth0 is the internet interface.
eth1 is the LAN interface.

*******************
*nat
:PREROUTING ACCEPT [678915:47234902]
:POSTROUTING ACCEPT [36934:2160799]
:OUTPUT ACCEPT [35607:2143032]
-A POSTROUTING -o tunnel0 -j MASQUERADE
COMMIT
# Completed on Wed Feb  4 08:15:38 2004
# Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
*mangle
:PREROUTING ACCEPT [15137995:7366304630]
:INPUT ACCEPT [5934119:3407840707]
:FORWARD ACCEPT [9046926:3942957156]
:OUTPUT ACCEPT [5005001:930279054]
:POSTROUTING ACCEPT [14042840:4872546468]
COMMIT
# Completed on Wed Feb  4 08:15:38 2004
# Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
*filter
:INPUT DROP [6317:1242856]
:FORWARD DROP [107:11548]
:OUTPUT ACCEPT [841:137965]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx -i lo -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -j ACCEPT
COMMIT


*********************


With these rules LAN users can access the internet, but from the server I cannot access the internet. I get the error "resolving host".

Help me to solve this problem.

Thanks for support.


From: "ads nat" <adsnat@xxxxxxxxxxx>
To: JALaramie@xxxxxxxxxxxxxxxxxxx, netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Setting up default policy to 'DROP' problem
Date: Tue, 03 Feb 2004 21:23:04 +0530

I really appreciate your support and your willingness to help others.

With your support I have succeeded in setting up a default policy of DROP for INPUT, OUTPUT and FORWARD. I will post the rules soon.

I know I have taken a long time to understand this technology, but I cannot rush until I get my fundamentals clear.
Once again, thanks for the support.



From: Jeffrey Laramie <JALaramie@xxxxxxxxxxxxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Setting up default policy to 'DROP' problem
Date: Tue, 03 Feb 2004 08:49:39 -0500

ads nat wrote:

I have set up a DMZ firewall as per Oskar Andreasson's tutorial on the netfilter.org site.

When I set the default policy to DROP for the INPUT, OUTPUT and FORWARD chains as mentioned in the tutorial, my connection drops.
I am attaching my iptables rules listing.
Is there anything wrong in the iptables rules?
When I set the default to ACCEPT, everything works fine.
Help appreciated.
Thanks



I've responded to your postings before, so I was hoping someone new might give this a shot. I know that you've been trying for months to get this configured, but you're having problems with the basics and you've still got a long way to go. Oskar's tutorial is a great place to start, but you may want to try reading some other documentation to see if it helps you. You may also want to look at using a tool like shorewall to help you create rules.


That said, I'll do what I can to help you. Try using: iptables -L -n -v -x > /var/log/iptables.report. Open up iptables.report in a text editor and turn off word wrap so you can see one rule on each line. When I review rules I make the font really small and print the ruleset out 'landscape' oriented so I can see a whole rule printed out on a line.

Look at the number of packets hitting each rule. I think you'll be surprised where the packets are going. Remember that the rules are traversed from top to bottom in each ruleset. As soon as a packet matches a rule it stops (except logging) and doesn't go to the next rule in the chain. Try starting out with a new script and only a couple of rules. Test the configuration and then use iptables -L -n -v -x again to see if the packets are going where you think they should. For more details you can also add logging rules, then check /var/log/messages to see the packet flow in more detail. Once you have the basic routing working you can add the filtering rules back in. If you have problems, post your new rules back to the list so we can see what you've done.

Good Luck

Jeff
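Jeff's procedure, dumping the counters with iptables -L -n -v -x and reading which rule each packet hit, is easier on a long report with a small script than with a tiny font. The following is an added example, not part of the thread: an sh/awk summary that prints, per chain, how many packets fell through to the policy and how many hit each rule, and marks rules that have never matched. The report embedded in sample_report is constructed for the example, in the layout of iptables -L -n -v -x, using rules shaped like the ones posted above with made-up rule counters; pass a real report file as the first argument to summarize that instead.

```shell
#!/bin/sh
# Summarize an "iptables -L -n -v -x" report: per-chain policy hits and per-rule
# packet counts, flagging rules that matched nothing. Added example, not from the thread.

# Constructed sample report in the iptables -L -n -v -x layout (rule counters invented).
sample_report() {
    cat <<'EOF'
Chain INPUT (policy DROP 6317 packets, 1242856 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     412    24720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
   90213 61778402 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1503   120240 ACCEPT     all  --  lo     *       0.0.0.0/0            127.0.0.1
       0        0 ACCEPT     all  --  lo     *       192.168.0.1          0.0.0.0/0

Chain FORWARD (policy DROP 107 packets, 11548 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  655021 417322985 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  602114 395100718 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 841 packets, 137965 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   51200  5433211 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0
EOF
}

# Read a report on stdin and print the summary.
summarize() {
    awk '
    /^Chain / {
        chain = $2; n = 0
        # "Chain INPUT (policy DROP 6317 packets, 1242856 bytes)"
        if ($3 == "(policy")
            printf "%s: policy %s hit by %s packets (%s bytes)\n", chain, $4, $5, $7
        else
            printf "%s: user-defined chain\n", chain
        next
    }
    $1 == "pkts" || NF == 0 { next }   # column header line or blank separator
    {
        # pkts bytes target prot opt in out source destination [match details...]
        n++
        extra = ""
        for (i = 10; i <= NF; i++) extra = extra " " $i
        flag = ($1 == 0) ? "   <- UNUSED" : ""
        printf "  %-7s #%d %9d pkts %-6s %-4s in=%-5s out=%-5s %s -> %s%s%s\n",
               chain, n, $1, $3, $4, $6, $7, $8, $9, extra, flag
    }'
}

# Usage: ./report.sh [/var/log/iptables.report]; without a readable file the sample is used.
if [ -r "${1:-}" ]; then
    summarize < "$1"
else
    sample_report | summarize
fi
```

In the sample, the three UNUSED marks fall on the loopback rule for 192.168.0.1, the eth1-to-eth2 forward rule and the duplicated OUTPUT rule; the INPUT line shows the 6317 packets that reached the DROP policy, which is where the logging rules Jeff suggests would tell you what those packets were.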






