Hello Guido,

> The last three entries are not very secure. In particular, the first two
> leave all ports open, while in a real situation you'd better have an
> entry for each allowed service/port (by adding "-m state --state NEW -m
> tcp -p tcp --dport ALLOWED_SERVICE_PORT", substituting
> ALLOWED_SERVICE_PORT with the service you need and perhaps removing -d
> 0/0).

I know that my rules are not the best regarding security and I will take care of that when I have basic functionality. That is, in theory, when I apply the rules we are talking about I should have proper http traffic from inside to the internet. That's just not happening here.

> And remember to do "echo 1 > /proc/sys/net/ipv4/ip_forward" to enable
> forwarding.

I have ip forwarding enabled. (Remember, I have a working openvpn connection going from the tap0 interface to eth1.) The only thing I don't have is tcp traffic from inside to the internet.

>> iptables -t mangle -A FORWARD -i eth1 -o eth0 -p tcp --tcp-flags
>> SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> What do you want to achieve with the last rule?

I tried to set mss in my last rule because this type of problem (according to the iptables man page) can happen because of bigger mss values and fragmenting packets after that. When I say this type of problem I mean "established tcp session but no traffic after that".

> iptables -A POSTROUTING -t nat -s 192.168.60.0/24 -o eth0 -j MASQUERADE
>
> because amongst other things, if you use SNAT then you would also need
> DNAT !

I have used -j SNAT because it's the recommended way in the iptables man page when you have a static ip address on the outside interface. -j DNAT is used when you want to port forward inside.

Bojan
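The ruleset shape Guido describes (one FORWARD entry per allowed service instead of open ports, ip_forward enabled, MSS clamping on outbound SYNs, SNAT with a static outside address), written up as an added generator script that is not part of this thread; the interface names, the LAN subnet and the outside address 203.0.113.10 are assumed placeholders. The script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Placeholders, override via env:
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.60.0/24}
WAN_IP=${WAN_IP:-203.0.113.10}   # assumed static address on $WAN_IF

# One ACCEPT per allowed outbound TCP service (the per-port entries Guido
# suggests), plus the return path for sessions opened from the inside.
# Anything not listed is dropped by the chain policy.
gen_forward_rules() {
    for port in "$@"; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# Clamp MSS on outgoing SYNs so an oversized MSS does not leave a session
# established but silent once larger segments start flowing.
gen_mss_rule() {
    echo "iptables -t mangle -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Static outside address: SNAT to it. With a dynamic address MASQUERADE
# (as in Guido's line) is the usual choice instead.
gen_nat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
}

# Full ruleset for the given allowed destination ports, e.g. 80 443.
gen_ruleset() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    gen_mss_rule
    gen_forward_rules "$@"
    gen_nat_rule
}

# Usage: sh nat-rules.sh 80 443 > rules.sh ; review, then run rules.sh as root.
if [ -n "$*" ]; then
    gen_ruleset "$@"
fi
```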