----- Original Message -----
From: Jason Opperisano <opie@xxxxxxxxxxx>
Date: Thursday, January 27, 2005 7:49 pm
Subject: Re: myfirewall help

> On Thu, 2005-01-27 at 05:13, varun_saa@xxxxxxxx wrote:
> > Hello,
> > My server is Mandrake 10.1
> > eth0 is WAN with static IP connected to 512k DSL
> > eth1 is LAN
> >
> > I am trying to write iptables rules and I am
> > stuck with some error.
> >
> > My iptables file is as follows:
> >
> > # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> > *nat
> > :OUTPUT ACCEPT [0:0]
> > :PREROUTING ACCEPT [0:0]
> > :POSTROUTING ACCEPT [0:0]
> > -A POSTROUTING -o eth0 -j MASQUERADE
> > COMMIT
> > # Completed on Thu Oct 21 05:32:36 2004
> > # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> > *mangle
> > :PREROUTING ACCEPT [32056:3889577]
> > :INPUT ACCEPT [32010:3885659]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [31637:4617585]
> > :POSTROUTING ACCEPT [31639:4618071]
> > COMMIT
> > # Completed on Thu Oct 21 05:32:36 2004
> > # Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> > *filter
> > :FORWARD ACCEPT [0:0]
> > :INPUT DROP [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -j ACCEPT
> > -A INPUT -s 127.0.0.1 -j ACCEPT
> > -A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> > -A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> > COMMIT
> > # Completed on Thu Oct 21 05:32:36 2004
> >
> > When I am trying to save I get the following error:
> >
> > iptables-restore v1.2.9: Can't use -o with INPUT
> >
> > Error occurred at line: 25
> > Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> >
> > Can anybody guide me?
>
> yeah--you can't use "-o" with INPUT.
>
> if you are under the impression that the traffic you're trying to filter
> has both an inbound and outbound interface and that the packet is
> FORWARD-ed from one to the other--you should be adding that rule to the
> FORWARD chain, not the INPUT chain.
>
> btw--what traffic do you believe has a source port of 80 and a
> destination port of 3128?
>
> -j
>
> --

First I have very little experience with iptables.
Basically I want clients to be able to:
1. send and receive mails
2. access the net
3. use MSN or Yahoo

I am using webmin -> networking -> linux firewall to set the rules.

Now coming to my rule:
-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT

What I want is that the firewall allow http traffic with sport as 80 and dport as 3128 coming from eth1. Same for udp.

So what do you think? Tell me if you think I should be doing it differently.

Thanks
Varun
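Added example, not from the thread or either poster: a constructed iptables-save fragment that reproduces the "Can't use -o with INPUT" error, a corrected fragment with the LAN-to-WAN rule moved to FORWARD as Jason suggests (interface names eth0/eth1 taken from the post; the state-match rules are my assumption of what the setup needs), and a small lint that flags chain/interface mismatches before iptables-restore is run, without root or the iptables binary.

```shell
# Constructed ruleset reproducing the post's mistake: -o (output interface)
# used in INPUT, plus -i (input interface) used in OUTPUT, which fails the same way.
BROKEN_RULES='*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
-A OUTPUT -i eth0 -j ACCEPT
COMMIT'

# Corrected (assumed) ruleset: traffic crossing from eth1 to eth0 is routed,
# so it belongs in FORWARD, where both -i and -o are meaningful. INPUT only
# admits loopback and replies, so the DROP policy actually takes effect
# (unlike the post's "-A INPUT -j ACCEPT", which matches every packet).
FIXED_RULES='*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# lint_ruleset: read iptables-save text on stdin, print one line per problem
# with its line number, and return 1 if anything was flagged. It mirrors the
# check iptables-restore performs itself ("Can't use -o with INPUT").
lint_ruleset() {
    awk '
        /^-A INPUT /  && / -o / { print "line " NR ": -o is not valid in INPUT";  bad = 1 }
        /^-A OUTPUT / && / -i / { print "line " NR ": -i is not valid in OUTPUT"; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run: the broken set is flagged, the fixed set passes.
printf '%s\n' "$BROKEN_RULES" | lint_ruleset || echo "BROKEN_RULES rejected"
printf '%s\n' "$FIXED_RULES"  | lint_ruleset && echo "FIXED_RULES ok"
```

The lint checks only the interface/chain mismatch the thread is about; a passing ruleset still has to be reviewed for what it allows, as the "-A INPUT -j ACCEPT" line in the post shows.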