test account wrote:
> eth0 as Internet side and eth1 as the LAN user's side.
>
> # FLUSH TABLE RULES
> $IPTABLES -F
>
> # FLUSH NAT-CHAIN TABLE RULES
> $IPTABLES -t nat -F
>
> # ENABLE IP FORWARDING
> echo 1 > /proc/sys/net/ipv4/ip_forward
[...]
> I would think with this configuration I should be able to browse the
> Internet from a LAN PC, but I cannot. ??????

Probably because your LAN uses (possibly private) IP addresses not routed on the public internet (at least not routed back to you).

> If I add this rule to rc.iptables
>
> $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

So that outgoing packets take the public IP address of your router as their source address and the replies can be routed back to you.

> If I then add this rule.
>
> $IPTABLES -A INPUT -i eth1 -p tcp --dport 1:1054 -j DROP
[...]
> I would think that would block just about everything again

Not quite. It is the INPUT chain, so it just blocks packets destined to the ports 1-1054 of the router itself. It does not block packets destined to the outside, nor packets destined to a port above 1054 (why this value, by the way?). If you want to filter packets between the LAN and the public internet, use the FORWARD chain instead.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html