On Wed, 22 Apr 2009 03:35:33 -0600, Thomas Jacob <jacob@xxxxxxxxxxxxx> wrote:
>>
>> I tightened up the policies and added rules to pass any packets, for new connections or otherwise, to or from eth0 (the LAN), and drop NEW connection packets except those from the local machine and from the LAN:
>>
>> iptables -t filter -P INPUT DROP
>> iptables -t filter -P OUTPUT ACCEPT
>> iptables -t filter -P FORWARD DROP
>>
>> iptables -t mangle -A INPUT -i eth0 -j ACCEPT
>> iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -t mangle -A FORWARD -i eth0 -j ACCEPT
>> iptables -t mangle -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Do you have the ESTABLISHED stuff also in Output? Otherwise you will
> block direct access to that box (see the packet traversal graph
> again)....

I have the OUTPUT policy set to ACCEPT (I want to accept any packets sent by my local box). According to my understanding, any packet that does not match an OUTPUT rule would therefore be accepted. It should not be necessary to have any OUTPUT rule, is that right?

My setup is working for LAN-connected machines' access only when I set the INPUT policy to ACCEPT, which is too loose for my taste, even though I am behind my ISP's NAT/firewall. Therefore, it seems that the problem must be in my INPUT chain rules.

I got load-balancing for LAN-connected machines (which are NATed through both ppp0 and ppp1) working. I fixed it to configure any single interface (no load-balancing), or both ppp0 and ppp1 for load-balancing if both interfaces are up. I put the script in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d, which allows it to auto-configure the interfaces whenever an interface comes up or goes down. It works very well. When only a single interface is up, all the load-balancing stuff (MARK, CONNTRACK, etc.) is skipped, and the iptables commands become very simple (just a simple firewall with NAT for the LAN).
Only the following commands are used when only one interface is up:

src0=`ip route show dev ppp0 2>/dev/null | head -n1 | cut --delimiter=" " --fields=10`
src1=`ip route show dev ppp1 2>/dev/null | head -n1 | cut --delimiter=" " --fields=10`
gw0=`ip route show dev ppp0 2>/dev/null | head -n1 | cut --delimiter=" " --fields=1`
gw1=`ip route show dev ppp1 2>/dev/null | head -n1 | cut --delimiter=" " --fields=1`

# flush all iptables entries
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

iptables -t mangle -A INPUT -i lo -j ACCEPT
iptables -t mangle -A INPUT -i eth0 -j ACCEPT
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -i eth0 -j ACCEPT
iptables -t mangle -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -o eth0 -j ACCEPT
iptables -t mangle -A OUTPUT -o lo -j ACCEPT

if [ "$src0" == "" -o "$src1" == "" ]; then
    # echo a device is not online, setting default gateway and quitting
    ip route del default dev ppp0 2>/dev/null
    ip route del default dev ppp1 2>/dev/null
    if [ "$src0" != "" ]; then
        ip route add default dev ppp0
        iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    fi
    if [ "$src1" != "" ]; then
        ip route add default dev ppp1
        iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
    fi
    exit
fi

I have studied the iptables flow diagram, and it seems to me that my INPUT rules above should allow all traffic to/from a LAN-connected (eth0) machine. However, I am missing something, since I have to set the INPUT policy to ACCEPT to get connectivity from the LAN. And I have to set the FORWARD policy to ACCEPT to allow my load-balancing stuff to work!

(When this is all fixed I'll post an article about it on my "Linux Notes" site at http://www.voluntary-simplicity.org/linux.)
-- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
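An added example, not from this thread, modelling why ACCEPT rules placed in the mangle table cannot satisfy the filter table's DROP policy: at each hook the packet walks mangle's chain first and then filter's chain, and an ACCEPT verdict only ends the chain of the table it is in. The `tables` layout and the `pkt` dictionaries are my own simplification of netfilter's traversal, using the three INPUT accept rules from the post.

```python
# Minimal model of netfilter traversal at one hook (INPUT or FORWARD): the
# mangle table's chain runs first, then the filter table's. ACCEPT only ends
# the current table's chain; the packet still has to pass the next table.
TABLE_ORDER = {"INPUT": ["mangle", "filter"], "FORWARD": ["mangle", "filter"]}

def matches(rule, pkt):
    """True when every match in the rule (all keys except 'target') holds.
    A tuple value means 'any of these', like --state ESTABLISHED,RELATED."""
    for key, want in rule.items():
        if key == "target":
            continue
        have = pkt.get(key)
        if not (have == want or (isinstance(want, tuple) and have in want)):
            return False
    return True

def chain_verdict(rules, policy, pkt):
    """First matching rule's target wins; otherwise the chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def hook_verdict(tables, chain, pkt):
    """Walk the chain through each table in hook order; DROP is final."""
    for table in TABLE_ORDER[chain]:
        policy, rules = tables.get(table, {}).get(chain, ("ACCEPT", []))
        if chain_verdict(rules, policy, pkt) == "DROP":
            return "DROP"
    return "ACCEPT"

# The three INPUT accept rules from the post (lo, eth0, ESTABLISHED/RELATED).
LAN_ACCEPTS = [{"in": "lo", "target": "ACCEPT"},
               {"in": "eth0", "target": "ACCEPT"},
               {"state": ("ESTABLISHED", "RELATED"), "target": "ACCEPT"}]

# As posted: accept rules in mangle, DROP policy (and no rules) in filter.
AS_POSTED = {"mangle": {"INPUT": ("ACCEPT", LAN_ACCEPTS)},
             "filter": {"INPUT": ("DROP", [])}}
# Corrected: the same rules in the filter table, where the DROP policy lives.
CORRECTED = {"mangle": {"INPUT": ("ACCEPT", [])},
             "filter": {"INPUT": ("DROP", LAN_ACCEPTS)}}

# Constructed packets: new LAN connection, unsolicited ppp0 packet, reply.
LAN_NEW = {"in": "eth0", "state": "NEW"}
PPP_NEW = {"in": "ppp0", "state": "NEW"}
PPP_REPLY = {"in": "ppp0", "state": "ESTABLISHED"}
```

With the posted layout every packet reaches filter INPUT with no matching rule and hits the DROP policy, which is exactly the symptom of needing `-P INPUT ACCEPT`; the same applies to the FORWARD rules.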