Hello friends,

I'm trying to set up a secure NAT firewall in my home, and for that I need help with some rules. I've got a total of four computers, including the server. These are the ones that should be NAT'ed:

#1 --- 192.168.51.20 --- Should be able to access all internet.
#2 --- 192.168.51.40 --- Should be able to access only websites (port 80,443).
#3 --- 192.168.51.80 --- Should be able to access only websites (port 80,443).

This is what my non-working iptables script looks like right now:

-------------------------------------------------------------------------------------
INT="eth0"
EXT="eth1"
IPTABLES=/sbin/iptables

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -i $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport bootps -i $INT -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport domain -i $INT -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -s 192.168.51.20 -o $EXT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -dport 80 -o $EXT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -dport 80 -o $EXT -j MASQUERADE

$IPTABLES -A INPUT -j DROP
-------------------------------------------------------------------------------------

Somehow, it doesn't work with -dport 80, and I believe that I have missed some allow-rules because the -j DROP denies the computer from 192.168.51.20 too.

Any help would be appreciated!

Thanks,
--Alexander.
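
An added example, not part of the original post: one way to express the policy described above, with the per-host restrictions in the filter table's FORWARD chain and a single MASQUERADE rule in nat. It assumes the server is trusted to originate its own traffic (OUTPUT ACCEPT) and that LAN clients resolve names through the server, as the post's DNS rule suggests; the `IPT` dry-run variable and the `build_rules` function are hypothetical names.

```shell
#!/bin/sh
# Added example: corrected ruleset for the layout described in the post.
# Dry run by default (rules are printed, nothing is applied).
# To apply: run as root with IPT=/sbin/iptables, and enable routing with
#   sysctl -w net.ipv4.ip_forward=1
INT="eth0"    # LAN side, as in the post
EXT="eth1"    # Internet side, as in the post
IPT="${IPT:-echo iptables}"

build_rules() {
    # Start clean; default-deny traffic to the server and through it.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT   # assumption: the server itself is trusted

    # Traffic addressed to the server itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT" -p icmp -j ACCEPT
    $IPT -A INPUT -i "$INT" -p udp --dport 67 -j ACCEPT   # bootps (DHCP)
    $IPT -A INPUT -i "$INT" -p udp --dport 53 -j ACCEPT   # domain (DNS)

    # Per-host policy belongs in FORWARD (filter table), not in nat.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s 192.168.51.20 -j ACCEPT
    for host in 192.168.51.40 192.168.51.80; do
        # A port match needs -p tcp, and the option is --dport/--dports
        # (double dash); multiport covers 80 and 443 in one rule.
        $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$host" -p tcp \
             -m multiport --dports 80,443 -j ACCEPT
    done

    # NAT only rewrites addresses; whatever FORWARD allowed gets masqueraded.
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
}

build_rules
```

The trailing `-A INPUT -j DROP` from the original script is not needed because the INPUT policy is already DROP.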