Hi, glad it's working, you're making progress. :-) I made a couple of suggestions below.
It's working.
It was my fault.
I am getting Internet bandwidth through iptunnel. The IP address of the tunnel and that of my eth0 are different. I was giving INPUT access to the eth0 IP and not to the IP of the tunnel, which is my Internet IP.
Your suggestion of using a log at the end of the INPUT rules gave me this hit.
Thanks for the support.
Jeff
From: "ads nat" <adsnat@xxxxxxxxxxx>
To: adsnat@xxxxxxxxxxx, JALaramie@xxxxxxxxxxxxxxxxxxx, netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Setting up default policy to 'DROP' problem
Date: Wed, 04 Feb 2004 08:26:13 +0530
Following are my iptables rules.
xxx.xxx.xxx.xxx is the Internet IP; eth0 is the Internet interface, eth1 the LAN interface.
*******************
*nat
:PREROUTING ACCEPT [678915:47234902]
:POSTROUTING ACCEPT [36934:2160799]
:OUTPUT ACCEPT [35607:2143032]
-A POSTROUTING -o tunnel0 -j MASQUERADE
COMMIT
# Completed on Wed Feb 4 08:15:38 2004
# Generated by iptables-save v1.2.7a on Wed Feb 4 08:15:38 2004
*mangle
:PREROUTING ACCEPT [15137995:7366304630]
:INPUT ACCEPT [5934119:3407840707]
:FORWARD ACCEPT [9046926:3942957156]
:OUTPUT ACCEPT [5005001:930279054]
:POSTROUTING ACCEPT [14042840:4872546468]
COMMIT
# Completed on Wed Feb 4 08:15:38 2004
# Generated by iptables-save v1.2.7a on Wed Feb 4 08:15:38 2004
*filter
:INPUT DROP [6317:1242856]
:FORWARD DROP [107:11548]
:OUTPUT ACCEPT [841:137965]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 127.0.0.1 -i lo -j ACCEPT
I don't think this rule does anything.
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx -i lo -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j ACCEPT
Except for the loopback entries, the INPUT rules don't differentiate between interfaces. You may want to have different rules for eth0 and eth1. In particular, your first rule lets in a lot of stuff from the outside that you may not want.
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
You don't identify eth2 anywhere else. Is this to the DMZ?
-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -j ACCEPT
These are all ACCEPT rules and your default OUTPUT policy is accept. You should either delete these rules or change the default policy.
COMMIT
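As an added example (not code from the thread or from either poster), a small Python script that runs the reviewer's checks over an iptables-save filter table: it flags the INPUT rule that accepts new TCP connections from anywhere, ACCEPT rules in a chain whose policy is already ACCEPT, an interface named nowhere else (eth2), and DROP-policy chains with no trailing LOG rule, the diagnostic that surfaced the tunnel-IP mistake. The sample table is constructed from the rules quoted above, with the documentation address 203.0.113.5 standing in for the masked Internet IP.

```python
"""Lint an iptables-save filter table for the points raised in this thread.
Added example, not the thread's own code."""
from collections import Counter

# Constructed sample modelled on the poster's rules; 203.0.113.5 (documentation
# range) stands in for the masked Internet address.
SAMPLE = """\
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -d 203.0.113.5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
"""


def opt(toks, flag):
    """Value following a flag such as -i or -j, or None if the flag is absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None


def lint(dump):
    """Return (finding, detail) pairs for one filter table in iptables-save form."""
    lines = dump.splitlines()
    policies = {ln[1:].split()[0]: ln.split()[1] for ln in lines if ln.startswith(":")}
    rules = [ln.split() for ln in lines if ln.startswith("-A ")]
    seen = Counter(opt(t, f) for t in rules for f in ("-i", "-o") if f in t)
    out = []
    for t in rules:
        chain, target, rule = t[1], opt(t, "-j"), " ".join(t[1:])
        # No interface, source or state match: any host may open TCP to the
        # box, which defeats the DROP policy (the "lets a lot of stuff in" point).
        if chain == "INPUT" and target == "ACCEPT" and not any(
                f in t for f in ("-i", "-s", "--state")):
            out.append(("accepts-new-from-anywhere", rule))
        if policies.get(chain) == "ACCEPT" and target == "ACCEPT":
            out.append(("redundant-under-accept-policy", rule))
        for f in ("-i", "-o"):  # an interface (like eth2) that appears only here
            if f in t and opt(t, f) != "lo" and seen[opt(t, f)] == 1:
                out.append(("interface-named-nowhere-else", opt(t, f)))
    for chain, policy in policies.items():  # a trailing LOG shows what DROP eats
        if policy == "DROP" and not any(t[1] == chain and opt(t, "-j") == "LOG" for t in rules):
            out.append(("no-log-before-drop", chain))
    return out
```

Feed it the output of `iptables-save` restricted to the `*filter` table; once a `-A INPUT -j LOG` rule is appended, the INPUT `no-log-before-drop` finding disappears and the kernel log shows exactly which packets the DROP policy is eating.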