> Hello,
>
> Basically I am allowing internet on the
> firewall as well as NATing to 2 clients.
>
> I am not able to ssh from the firewall
> to a client. Though the reverse is
> working.
>
> I would also like to put :
>
> -A OUTPUT -j DROP
>
> But if I do that clients are not able to connect
> to the net. I need to add a rule which I could
> not figure out.

You should allow SSH out when you want to be able to use it. SSH
listens on port 22, so this should do it:

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -j DROP

> Please comment and correct.
>
> My rules as follows.
>
>
> # Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth0 -s 192.168.15.0/24 -j MASQUERADE
> COMMIT
> # Completed on Sat Jul 22 13:14:10 2006
> # Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006
> *mangle
> :PREROUTING ACCEPT [80:13056]
> :INPUT ACCEPT [80:13056]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [80:13056]
> :POSTROUTING ACCEPT [80:13056]
> COMMIT
> # Completed on Sat Jul 22 13:14:10 2006
> # Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006
> *filter
> :INPUT ACCEPT [80:13056]
> -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

It looks like eth0 is connected to the internet and eth1 to your LAN.
Check if outgoing ssh works using:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
> -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
> -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
> -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT

So, you are accepting ftp for the firewall on eth1. See below (FORWARD).

> -A INPUT -j DROP
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [80:13056]
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

I would make that:

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

> -A FORWARD -i eth1 -o eth0 -s 192.168.15.5 -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -s 192.168.15.9 -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT

And you allow ftp forwarding on eth1 to eth0. Either one (see above) is
going to work, not both. Since you are masquerading everything from
192.168.15.0/24 via eth0, I'd say this rule has hits and the rule in the
INPUT chain doesn't. (Check with "iptables -nvL INPUT" and
"iptables -nvL FORWARD".)

> -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -p tcp --dport 110 -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -p tcp --dport 119 -j ACCEPT
> -A FORWARD -p udp --dport 53 -j ACCEPT
> -A FORWARD -j DROP
> -A OUTPUT -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT

This seems useless to me. There are no DROP rules in the OUTPUT chain and
the policy is set to ACCEPT. These packets would be accepted anyway.

> COMMIT
> # Completed on Sat Jul 22 13:14:10 2006
>
> ---------- end rules --------------

Instead of having a last rule with a DROP target, you can also just set
the chain policy to DROP.

Gr,
Rob
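The point of Rob's three OUTPUT rules is first-match order: the ESTABLISHED,RELATED rule has to come before the final DROP, or the firewall's own replies (including sshd's answers to the LAN clients) are dropped along with everything else. The script below is an added example, not code from the thread: it is a small first-match evaluator written in POSIX sh that walks a chain the way netfilter does, so the proposed OUTPUT chain can be checked without root or a live iptables. The rule syntax ("states proto dport target"), the `chain_verdict` and `render_chain` helpers and the packets fed to them are all constructed for the demonstration; the rendered iptables text is the only thing taken from the reply.

```shell
#!/bin/sh
# Added example, not part of the thread: a first-match evaluator for an
# iptables chain, used to check the proposed OUTPUT rules offline.
# Rule syntax (constructed for this script): "<states> <proto> <dport> <target>"
# where "*" means "no match on this field" and states may be a comma list
# as in --state ESTABLISHED,RELATED. Rules are walked top to bottom and the
# first match wins; if nothing matches, the chain policy applies.

# Rob's proposal: replies first, then new SSH, then drop the rest.
PROPOSED_OUTPUT='ESTABLISHED,RELATED * * ACCEPT
* tcp 22 ACCEPT
* * * DROP'

# What the original poster wanted to add on its own.
DROP_ONLY_OUTPUT='* * * DROP'

# field_matches <rule field> <packet field>
# True when the rule field is "*" or a comma list containing the packet value.
field_matches() {
    [ "$1" = "*" ] && return 0
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# chain_verdict <rules> <policy> <conntrack state> <proto> <dport>
# Prints the target of the first matching rule, or the policy if none match.
chain_verdict() {
    rules=$1 policy=$2 st=$3 pr=$4 dp=$5
    verdict=$(printf '%s\n' "$rules" | while read -r r_st r_pr r_dp r_target; do
        if field_matches "$r_st" "$st" && field_matches "$r_pr" "$pr" \
            && field_matches "$r_dp" "$dp"; then
            printf '%s\n' "$r_target"
            break
        fi
    done)
    printf '%s\n' "${verdict:-$policy}"
}

# render_chain <chain name> <rules>
# Prints the abstract rules in iptables-restore syntax so they can be
# compared with the real rule text from the reply.
render_chain() {
    name=$1
    printf '%s\n' "$2" | while read -r r_st r_pr r_dp r_target; do
        line="-A $name"
        [ "$r_st" != "*" ] && line="$line -m state --state $r_st"
        [ "$r_pr" != "*" ] && line="$line -p $r_pr"
        [ "$r_dp" != "*" ] && line="$line --dport $r_dp"
        printf '%s\n' "$line -j $r_target"
    done
}

# Walk-through (run as "sh example.sh demo"): a new ssh session opened from
# the firewall, sshd's replies to a LAN client, and an unrelated new
# outbound connection. Constructed packets; the chain policy is ACCEPT as
# in the posted ruleset.
if [ "${1:-}" = "demo" ]; then
    render_chain OUTPUT "$PROPOSED_OUTPUT"
    for pkt in "NEW tcp 22" "ESTABLISHED tcp 22" "NEW tcp 80"; do
        set -- $pkt
        printf 'proposed  %-20s -> %s\n' "$pkt" "$(chain_verdict "$PROPOSED_OUTPUT" ACCEPT "$@")"
        printf 'drop-only %-20s -> %s\n' "$pkt" "$(chain_verdict "$DROP_ONLY_OUTPUT" ACCEPT "$@")"
    done
fi
```

With the drop-only chain even the ESTABLISHED reply packets get DROP, which is why a bare `-A OUTPUT -j DROP` breaks the firewall's own sessions; with the state rule in front, replies and new SSH pass and other new outbound connections are dropped. The same evaluator can be pointed at the FORWARD rules to see which of two overlapping ACCEPT rules is reached first, which is the question `iptables -nvL` answers with real counters.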