Hello,

Basically I am allowing internet on the firewall as well as NATing to 2 clients. I am not able to ssh from the firewall to a client, though the reverse is working.

I would also like to put:

-A OUTPUT -j DROP

But if I do that, clients are not able to connect to the net. I need to add a rule which I could not figure out. Please comment and correct. My rules are as follows.

# Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 192.168.15.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Jul 22 13:14:10 2006
# Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006
*mangle
:PREROUTING ACCEPT [80:13056]
:INPUT ACCEPT [80:13056]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:13056]
:POSTROUTING ACCEPT [80:13056]
COMMIT
# Completed on Sat Jul 22 13:14:10 2006
# Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006
*filter
:INPUT ACCEPT [80:13056]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:13056]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.15.5 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.15.9 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 110 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 119 -j ACCEPT
-A FORWARD -p udp --dport 53 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sat Jul 22 13:14:10 2006
---------- end rules --------------

Thanks
Varun
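
Added example, not part of the original post: a simplified first-match model of the posted INPUT chain, showing which rule decides the reply packets of an SSH session opened from the firewall to a client, compared with a new SSH connection coming from a client. It assumes the clients sit behind eth1 and uses a constructed ephemeral port (40000); FIXED_RULES, where the state match is not bound to eth0, is a hypothetical variant for comparison.

```python
# Simplified first-match model of the posted filter INPUT chain (added example).
# Only input interface, protocol, destination port and conntrack state are modelled.
EST = {"ESTABLISHED", "RELATED"}
INPUT_RULES = [
    ({"in": "eth0", "state": EST}, "ACCEPT"),
    ({"in": "lo"}, "ACCEPT"),
    ({"proto": "icmp"}, "ACCEPT"),
    ({"in": "eth0", "proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"in": "eth0", "proto": "tcp", "dport": 53}, "ACCEPT"),
    ({"in": "eth0", "proto": "udp", "dport": 53}, "ACCEPT"),
    ({"in": "eth1", "proto": "tcp", "dport": 22}, "ACCEPT"),
    ({"in": "eth1", "proto": "tcp", "dport": 21}, "ACCEPT"),
    ({}, "DROP"),
]

# Hypothetical variant: same chain, but the state rule applies on every interface.
FIXED_RULES = [({"state": EST}, "ACCEPT")] + INPUT_RULES[1:]

# Constructed packets, as seen by INPUT on the firewall (clients assumed on eth1).
# SSH_REPLY: a client's answer to an SSH session the firewall opened; it arrives
# with source port 22 and an ephemeral destination port (40000 is made up).
SSH_REPLY = {"in": "eth1", "proto": "tcp", "dport": 40000, "state": "ESTABLISHED"}
# SSH_NEW: a client opening SSH to the firewall (the direction that works).
SSH_NEW = {"in": "eth1", "proto": "tcp", "dport": 22, "state": "NEW"}

def matches(cond, pkt):
    """True if every match condition of a rule holds for the packet."""
    for key, want in cond.items():
        have = pkt.get(key)
        if key == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def verdict(rules, pkt):
    """Return (rule number, target) of the first matching rule."""
    for n, (cond, target) in enumerate(rules, 1):
        if matches(cond, pkt):
            return n, target
    return 0, "ACCEPT"  # nothing matched: chain policy is ACCEPT

if __name__ == "__main__":
    for name, pkt in (("ssh reply on eth1", SSH_REPLY), ("new ssh on eth1", SSH_NEW)):
        print(name, "posted:", verdict(INPUT_RULES, pkt),
              "variant:", verdict(FIXED_RULES, pkt))
```

In this model the reply packets on eth1 fall through to the final `-A INPUT -j DROP`, because the only ESTABLISHED,RELATED rule is restricted to `-i eth0`.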