Re: forward packets directly to net?

On Thu, May 05, 2005 at 11:53:52AM +0200, Chadley Wilson wrote:
> #Clear All Tables
> ${ipt} -t filter -F
> ${ipt} -t nat -F

After cleaning the tables, you should set the policies to DROP.
(iptables -P)

> ## allow all from local interfaces [localhost]
> ${ipt} -t filter -A INPUT -s 127.0.0.1 -j ACCEPT

That's weird. You try to accept all traffic on INPUT chain originating
at localhost. Wouldn't it be just simpler to accept INPUT traffic on
interface lo?

> ##Allow {chad} to etel internet direct
> ${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -d ${etel} -p tcp -m tcp 
> --dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -s ${chad} -d ${etel} -o ${ext} 
> --dport 80 -j MASQUERADE
> 
> 
> 
> Please could someone help me with a simpler rule?

1. You swapped the targets in those chains. You should ACCEPT in filter
and MASQUERADE in nat.
2. If you have static IP, why not use SNAT?
3. You need more rules, depending on what you want to achieve. If you
want a 1-1 mapping, you may look at modules like, IIRC, netmap, but
probably DNAT target would be sufficient.
4. Do you really need stateful filtering of forwarded packets?

-- 
[------------------------] 1*2*3*3*37  - the prime factorization of the
[  Kruk@xxxxxxxxxxxxxx   ] number of the beast
[ http://epsilon.eu.org/ ] 
[------------------------] 

