Re: rules to allow LAN navigation

2011/3/18 Jan Engelhardt <jengelh@xxxxxxxxxx>:
> On Friday 2011-03-18 03:15, Pandu Poluan wrote:
>
>>(sorry for top posting; Gmail mobile can only top-post)
>>
>>Can you post the output of iptables-save? iptables -L always give me
>>the headache.
>
> So does the ASCII graphic which is completely misaligned. Rule: use
> a monospace font and make sure it does not exceed 72 cols.
> (Graphviz notation would be best.)
>
>>On 2011-03-18, Esteban Cacavelos <estebancacavelos@xxxxxxxxx> wrote:
>>> Hi all, i am new on the list and i have the following scenario.
>>>
>>> ------------------------------------
>>> ---------------------------------------
>>> --------------------------------------------
>>> | router         | | linux server
>>> (ubuntu)|                                    |
>>>             |
>>> |   LAN: 192.168.3.x      | -------------- |      eth0:192.168.3.12
>>> |  -----------------------------  |    (WINDOWS PCs, etc)    |
>>> |   WAN: internet           |                |     eth1:192.168.2.1
>>>    |                                 |                  LAN
>>>     |
>>> -------------------------------------
>>> ---------------------------------------
>>> |        192.168.2.x                |
>>>
>>>
>>> -----------------------------------------------
>>>
>>>
>>> I want the computers in the LAN to navigate through the internet.
>>>
>>> When the policies for INPUT, OUTPUT and FORWARD are ACCEPT, everything
>>> works well (PCs in the LAN can navigate), BUT, when I change the
>>> policy to DROP for the INPUT chain I don't know how to allow http
>>> traffic for the LAN.
>>>
>>> My actual iptables configuration is:
>>>
>>> iptables -L
>>> Chain INPUT (policy DROP)
>>> target     prot opt source               destination
>>> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
>>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>> ACCEPT tcp -- anywhere anywhere tcp dpt:www
>>> LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
>>> ACCEPT tcp -- anywhere anywhere tcp dpt:www
>>> ACCEPT all -- anywhere anywhere
>>> ACCEPT all -- anywhere anywhere
>>> ACCEPT all -- anywhere anywhere
>>> ACCEPT tcp -- anywhere anywhere tcp dpt:2223
>>> ACCEPT all -- 192.168.2.1 anywhere
>>> ACCEPT all -- 192.168.2.0 anywhere
>>>
>>>
>>> Thanks for the help.
>>>
>>>
>>>
>>> --
>>> Esteban L. Cacavelos de Amoriza
>>> Cel: 0981 220 429
>>>
>>
>>
>>--
>>--
>>Pandu E Poluan - IT Optimizer
>>My website: http://pandu.poluan.info/
>
>

Thanks for the quick response.


The problem was the masquerade. I got confused with the interfaces
(masquerade eth0 instead of eth2).





regards,


-- 
Esteban L. Cacavelos de Amoriza
Cel: 0981 220 429
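For readers hitting the same wall, here is the ruleset the thread is converging on, written up as an added example (it is not something posted in the thread). It emits the rules in iptables-save format, which is the form Pandu asked for, keeps INPUT at policy DROP, and adds a check that the MASQUERADE rule is bound to the WAN-facing interface, the mix-up described in the reply above. Interface names and addresses are assumptions taken from the diagram (eth0 / 192.168.3.12 towards the router, eth1 / 192.168.2.1 for the 192.168.2.0/24 LAN) and can be overridden in the environment; the helper names ruleset, masquerade_iface, check_masquerade and apply_ruleset are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed topology (from the diagram):
#   WAN_IF = eth0 (192.168.3.12, towards the router)
#   LAN_IF = eth1 (192.168.2.1, internal LAN 192.168.2.0/24)
# Override any of these in the environment before running.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Emit the ruleset in iptables-save format. INPUT stays at policy DROP;
# forwarded LAN traffic never traverses INPUT, so for "LAN can browse"
# only FORWARD and the nat POSTROUTING MASQUERADE rule matter.
ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "iptables denied: " --log-level debug
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and print the interface given by -o in the first
# MASQUERADE rule; return 1 if there is none. A MASQUERADE rule whose -o
# names the LAN interface is exactly the mistake described in the reply.
masquerade_iface() {
  while read -r line; do
    case "$line" in
      *"-j MASQUERADE"*)
        set -- $line                 # split the rule into its tokens
        while [ $# -gt 1 ]; do
          if [ "$1" = "-o" ]; then
            printf '%s\n' "$2"
            return 0
          fi
          shift
        done
        ;;
    esac
  done
  return 1
}

# True when the generated ruleset masquerades on the WAN interface.
check_masquerade() {
  [ "$(ruleset | masquerade_iface)" = "$WAN_IF" ]
}

# Load the ruleset atomically and enable forwarding (run as root).
apply_ruleset() {
  check_masquerade || { echo "MASQUERADE is not on $WAN_IF" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  ruleset | iptables-restore
}
```

To use it: source the file, set WAN_IF/LAN_IF/LAN_NET if they differ from the diagram, and run apply_ruleset as root; ruleset | iptables-restore --test (where your iptables supports it) will syntax-check without loading. Keeping the rules in iptables-save format also makes the interface on the MASQUERADE line visible at a glance, which iptables -L hides.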