Re: Question about nat filtering with FORWARD

Hi Jorge,

Well, the scenario is that you want to allow outgoing traffic to TCP
port number 22 from your internal LAN.

The rules suggested


1) $ipt -P FORWARD DROP
2) $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
3) $ipt -A FORWARD -m state --state NEW -p tcp --dport 22 -j ACCEPT


are for:

1) Apply a POLICY to DROP any packet that does not match any rule in
the chain (in this case, the FORWARD chain)

2) Allow incoming traffic in response to traffic generated from your
internal network or from the GNU/Linux router itself. If you do not
use that rule (the second rule) you will not be able to "speak" with the
world.

3) Allow packets marked with the SYN flag to travel to the world, but
if the second rule does not exist, the traffic in response to the
initial request to initiate an SSH session will not receive an answer
from the world.

I suggest you try to understand the mechanics of establishing a TCP session.

Best regards,

Jorge Dávila.

On Wed, Jun 24, 2009 at 9:45 AM, Jorge Bastos <mysql.jorge@xxxxxxxxxx> wrote:
>> You are always advised to make the default rule (i.e. policy) drop with
>> any firewall and then only explicitly allow traffic you wish to allow:
>>
>> (I am assuming here you want to allow connections *to* port 22 on the
>> external network from your internal network, for my example the
>> internal network has an ip address of 192.168.0.0/24)
>> iptables -t filter -F FORWARD  # Clear out what exists already
>> iptables -t filter -P FORWARD -j drop # Set default to drop
>> iptables -t filter -A FORWARD -s 192.168.0.0/24 -d ! 192.168.0.0/24 -p
>> tcp --dport 22 -j ACCEPT
>
>
> cisne:/etc/rc.d# iptables -t filter -P FORWARD -j DROP
> iptables v1.4.4: -P requires a chain and a policy
> Try `iptables -h' or 'iptables --help' for more information.
>



-- 
Jorge Isaac Dávila López
+505 8430 5462
jorgedavilalopez@xxxxxxxxx
---
This land is Linux. On quiet nights you can hear the
Windows machines rebooting...
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
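The handshake walk-through in the reply above, as an added example that is not part of the original thread: a small Python model of the FORWARD chain plus a minimal conntrack table, so that pushing the SYN / SYN,ACK / ACK exchange through the three rules with and without rule 2 shows why the second rule is needed. iptables itself needs root and a live kernel, so the rules are modelled rather than executed. The LAN 192.168.0.0/24 is taken from the quoted example; 203.0.113.5 is a constructed external address, and the `-s` restriction on rule 3 is borrowed from the quoted rule, not from the reply's rule 3.

```python
"""Toy model of the three FORWARD-chain rules from the thread.

Added example, not code from the original message.  It stands in for
iptables + conntrack so the effect of rule 2 (RELATED,ESTABLISHED) can be
traced without root or a live kernel.  Addresses and ports are constructed:
192.168.0.0/24 as the LAN (from the quoted example), 203.0.113.5 as an
arbitrary external SSH server.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")  # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "SYN"   # simplified TCP flags, e.g. "SYN", "SYN,ACK", "ACK"
    proto: str = "tcp"


class Conntrack:
    """Minimal connection tracker keyed on the 5-tuple.

    Real conntrack also classifies ICMP errors as RELATED and runs a
    per-protocol state machine; here a flow is NEW until its first packet
    is accepted, after which any packet in either direction is ESTABLISHED.
    """

    def __init__(self):
        self.flows = set()

    def state(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def confirm(self, p: Packet) -> None:
        """The kernel confirms a new entry only if the packet is not dropped."""
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))


def forward_chain(p: Packet, ct: Conntrack, with_rule2: bool = True) -> str:
    """Evaluate the FORWARD chain and return the verdict ("ACCEPT" or "DROP").

    Mirrors:
      iptables -P FORWARD DROP                                           (rule 1)
      iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT (rule 2)
      iptables -A FORWARD -m state --state NEW -s 192.168.0.0/24 \
               -p tcp --dport 22 -j ACCEPT                               (rule 3)
    """
    st = ct.state(p)
    if with_rule2 and st in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"                                  # rule 2
    if (st == "NEW" and p.proto == "tcp" and p.dport == 22
            and ip_address(p.src) in LAN):
        return "ACCEPT"                                  # rule 3
    return "DROP"                                        # rule 1: chain policy


def ssh_handshake(with_rule2: bool = True) -> list:
    """Push a TCP three-way handshake through the chain, LAN client -> :22.

    Returns [(flags, verdict), ...] for SYN, SYN,ACK and ACK in that order.
    """
    ct = Conntrack()
    client, server = "192.168.0.10", "203.0.113.5"   # constructed endpoints
    exchange = [
        Packet(client, 40000, server, 22, "SYN"),       # LAN -> world
        Packet(server, 22, client, 40000, "SYN,ACK"),   # world -> LAN (reply)
        Packet(client, 40000, server, 22, "ACK"),       # LAN -> world
    ]
    verdicts = []
    for p in exchange:
        verdict = forward_chain(p, ct, with_rule2)
        if verdict == "ACCEPT":
            ct.confirm(p)
        verdicts.append((p.flags, verdict))
    return verdicts


if __name__ == "__main__":
    print("with rule 2:   ", ssh_handshake(True))
    print("without rule 2:", ssh_handshake(False))
```

Running the script shows the SYN leaving the LAN accepted in both cases, while the server's SYN,ACK reply falls through to the DROP policy when rule 2 is absent, which is the "no answer from the world" symptom the reply describes; an unsolicited inbound SYN to a LAN host on port 22, and a LAN connection to any port other than 22, are dropped by the policy either way. On a real router, verify the loaded chain with `iptables -t filter -L FORWARD -v -n`. The error shown in the quoted message comes from passing `-j` to `-P`: the policy name is a positional argument, as in the reply's rule 1 (`-P FORWARD DROP`), and `-P` does not take a jump target.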
