Re: rules to allow LAN navigation

On Friday 2011-03-18 03:15, Pandu Poluan wrote:

>(sorry for top posting; Gmail mobile can only top-post)
>
>Can you post the output of iptables-save? iptables -L always give me
>the headache.

So does the ASCII graphic which is completely misaligned. Rule: use 
a monospace font and make sure it does not exceed 72 cols.
(Graphviz notation would be best.)

>On 2011-03-18, Esteban Cacavelos <estebancacavelos@xxxxxxxxx> wrote:
>> Hi all, I am new on the list and I have the following scenario.
>>
>>   +-------------------------+        +------------------------------+
>>   | router                  |        | linux server (ubuntu)        |
>>   |   LAN: 192.168.3.x      |--------| eth0: 192.168.3.12           |
>>   |   WAN: internet         |        | eth1: 192.168.2.1  (LAN)     |
>>   +-------------------------+        +------------------------------+
>>                                                     |
>>                                      +------------------------------+
>>                                      | LAN 192.168.2.x              |
>>                                      | (WINDOWS PCs, etc)           |
>>                                      +------------------------------+
>>
>> I want the computers in the LAN to navigate through the internet.
>>
>> When the policies for INPUT, OUTPUT and FORWARD are ACCEPT, everything
>> works well (PCs in the LAN can navigate), BUT when I change the
>> policy to DROP for the INPUT chain I don't know how to allow http
>> traffic for the LAN.
>>
>> My actual iptables configuration is:
>>
>> iptables -L
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
>> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
>> LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2223
>> ACCEPT     all  --  192.168.2.1          anywhere
>> ACCEPT     all  --  192.168.2.0          anywhere
>>
>>
>> Thanks for the help.
>>
>>
>>
>> --
>> Esteban L. Cacavelos de Amoriza
>> Cel: 0981 220 429
>>
>
>
>-- 
>Pandu E Poluan - IT Optimizer
>My website: http://pandu.poluan.info/
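Since Pandu asked for `iptables-save` output, here is what a ruleset for the quoted topology looks like in that format, as an added example that is not part of the thread. It keeps the INPUT policy at DROP while letting the 192.168.2.x LAN browse: forwarded LAN packets traverse FORWARD and the nat table, never INPUT, so INPUT only needs rules for services the server itself answers. Assumptions not in the original mail: eth1 is the LAN side and eth0 faces the router (taken from the diagram), the LAN is 192.168.2.0/24, and the server resolves DNS for the LAN; port 2223 comes from the quoted rules.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for
# the quoted topology. Assumed: eth1 = LAN side (192.168.2.1), eth0 = toward
# the router (192.168.3.12), LAN_NET = 192.168.2.0/24, server serves DNS.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Print the ruleset in iptables-save format; iptables-restore ignores '#' lines.
lan_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LAN hosts leave with the server's upstream address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: only traffic addressed to the server itself
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# assumed: the server answers DNS for the LAN
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 2223 -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "iptables denied: "
# FORWARD: the chain LAN web browsing actually passes through
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "fwd denied: "
COMMIT
EOF
}

# Load the whole ruleset atomically (needs root); forwarding must be on.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    lan_ruleset | iptables-restore
}
```

Run `lan_ruleset` first to review the rules, then `apply_ruleset` as root; `iptables-save` afterwards should show the same lines plus counters.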
