Hi, I hope you can help. Please be gentle, as it's my first time with raw iptables; I have used other firewalls though. I have a working config: my internal network can get out to the internet, but because of a lack of understanding I have opened up SSH on the firewall to the internet:

1 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
2 *mangle
3 :PREROUTING ACCEPT [3292:1334085]
4 :INPUT ACCEPT [462:36946]
5 :FORWARD ACCEPT [2826:1297011]
6 :OUTPUT ACCEPT [268:37651]
7 :POSTROUTING ACCEPT [3075:1327352]
8 -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
9 COMMIT
10 # Completed on Tue Apr 24 16:51:19 2012
11 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
12 *nat
13 :PREROUTING ACCEPT [130:12667]
14 :INPUT ACCEPT [4:586]
15 :OUTPUT ACCEPT [4:264]
16 :POSTROUTING ACCEPT [0:0]
17 -A POSTROUTING -o ppp0 -j MASQUERADE
18 COMMIT
19 # Completed on Tue Apr 24 16:51:19 2012
20 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
21 *filter
22 :INPUT DROP [0:0]
23 :FORWARD DROP [0:0]
24 :OUTPUT DROP [0:0]
25 -A INPUT -i lo -j ACCEPT
26 -A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2 -m tcp --dport 22 -j ACCEPT
27 -A INPUT -i ppp0 -j ACCEPT
28 -A INPUT -j DROP
29 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
30 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
31 -A FORWARD -i br0 -o ppp0 -j ACCEPT
32 -A FORWARD -j DROP
33 -A OUTPUT -o lo -j ACCEPT
34 -A OUTPUT -o br0 -j ACCEPT
35 -A OUTPUT -o ppp0 -j ACCEPT
36 -A OUTPUT -j DROP
37 COMMIT
38 # Completed on Tue Apr 24 16:51:19 2012

I believe my mistake is in either line 27 or line 35, but if I remove either of them my firewall is no longer able to access the internet locally for apt and stuff.
To add some background, basically I have the following running on an Ubuntu 12.04 server:

ppp0, brought up on eth0
br0, a bridge which includes wlan0 and eth2 (office LAN)
eth3 (lab mgmt)
eth4 (lab)
eth5 (quarantined PC)

So the firewall should be able to access the internet, but the internet should not be able to access the firewall. Users on br0 should be able to access the internet, lab, lab mgmt and firewall. The lab should be able to access the internet. Lab mgmt should be able to access the internet; there are 8 IPs in here and I have public IPs for them all, but I need to set up SNAT, and fwknop doing DNAT, to access them:

iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y

With the above I am worried that this will conflict with line 17. I believe fwknop will handle the DNAT stuff automagically. The quarantined PC should be able to access the internet but nothing else.

I have a way to go :) Thanks for looking.

Kind Regards
Richard
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
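As an added example, not part of the post above or any reply on the list: a ruleset rebuilt for the policy the post describes, written as a shell script with a dry-run mode (IPT=echo prints the rules instead of loading them). Two things in the posted config drive the rewrite. First, the conntrack rule on line 29 sits after the unconditional `-j DROP` on line 28, so it never matches; that is why removing line 27 (`-i ppp0 -j ACCEPT`, which lets anything from the internet into the firewall) breaks apt. Putting the RELATED,ESTABLISHED rule first makes line 27 unnecessary. Second, nat POSTROUTING is first-match, so the per-host SNAT rules go before the MASQUERADE catch-all, and both must match `-o ppp0`: IP packets leave on the PPP interface, not on eth0, so an `-o eth0` SNAT rule would never match. The script keeps the interface names from the post; the lab-mgmt private/public address pairs are constructed placeholders, SSH is allowed from the whole br0 bridge rather than via the physdev match, fwknop's DNAT rules are left out, and it assumes the ISP already routes the public addresses down the PPP link.

```shell
#!/bin/sh
# Added example, not from the original post: the policy above as a script.
# Run with no arguments (or IPT=echo) to print the rules; "apply" loads them.
# Interface names are the ones in the post; the lab-mgmt address pairs are
# constructed placeholders, and fwknop's DNAT rules are not covered here.
set -eu

IPT="${IPT:-iptables}"   # IPT=echo turns every call into a dry-run print
WAN=ppp0                 # IP traffic leaves on ppp0, so NAT matches ppp0, not eth0
OFFICE=br0               # bridge of wlan0 + eth2
LABMGMT=eth3
LAB=eth4
QUARANTINE=eth5

# Constructed placeholders: "private public" per lab-mgmt host, one per line.
LABMGMT_SNAT="
10.10.3.11 203.0.113.11
10.10.3.12 203.0.113.12
"

flush() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

mangle_rules() {
    $IPT -t mangle -A FORWARD -o "$WAN" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

nat_rules() {
    # POSTROUTING is first-match: the per-host SNAT rules go in before the
    # catch-all MASQUERADE, and both match on the same egress interface.
    echo "$LABMGMT_SNAT" | while read -r priv pub; do
        [ -n "$priv" ] || continue
        $IPT -t nat -A POSTROUTING -s "$priv" -o "$WAN" -j SNAT --to-source "$pub"
    done
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

filter_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # INPUT: the conntrack rule comes first, before any DROP, so replies to
    # the firewall's own connections (apt, DNS) are accepted.  With that in
    # place there is no need for "-i ppp0 -j ACCEPT"; unsolicited packets
    # from the internet fall through to the DROP policy.
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$OFFICE" -p tcp --dport 22 -j ACCEPT   # SSH from the office only

    # FORWARD: same ordering, then exactly the paths the policy lists.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -i "$OFFICE" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$OFFICE" -o "$LAB" -j ACCEPT
    $IPT -A FORWARD -i "$OFFICE" -o "$LABMGMT" -j ACCEPT
    $IPT -A FORWARD -i "$LAB" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$LABMGMT" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$QUARANTINE" -o "$WAN" -j ACCEPT   # quarantine: internet only

    # OUTPUT: the firewall itself may talk to lo, the office bridge and the WAN.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o "$OFFICE" -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -j ACCEPT
}

all_rules() { flush; mangle_rules; nat_rules; filter_rules; }

dry_run() { (IPT=echo; all_rules); }

# Self-checks on the generated rules, worth running before loading them for real.
first_input_rule()  { dry_run | grep -- '-A INPUT ' | head -n 1; }
wan_input_accepts() { dry_run | grep -c -- "-A INPUT -i $WAN .*-j ACCEPT" || true; }
last_postrouting()  { dry_run | grep -- '-t nat -A POSTROUTING' | tail -n 1; }

case "${1:-dry-run}" in
    apply)   all_rules ;;
    dry-run) dry_run ;;
esac
```

After `sh firewall.sh apply`, confirm the result from the outside rather than trusting the script: an nmap run against the public address from another host should show nothing open, and `iptables-save` should show the RELATED,ESTABLISHED rule as the first entry in INPUT with no `-i ppp0` accept anywhere in that chain.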