On Wednesday, 23 October 2019, zrm <zrm@xxxxxxxxxxxxxxx> wrote:
>>
>> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i enp5s5 -j ACCEPT
>> iptables -P FORWARD DROP
>>
>> And then reject the things you actually want to prohibit, e.g.:
>>
>> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
>> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
>> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
>> iptables -A FORWARD -i enp5s5 -j ACCEPT
>> iptables -P FORWARD DROP
>>
>
> That should've been this, using the internal interface rather than the external one:
>
> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
> iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
> iptables -A FORWARD -i enp5s5 -j ACCEPT
> iptables -P FORWARD DROP

Okay, I was confused about that.

>
> Note that this is a strong reason to rename your interfaces to something meaningful instead of using the ugly meaningless default names.

Yes, I miss eth0 and eth1!

Many thanks, hopefully that clears everything up. I suspected I had done something stupid. And half suspected I needed to use the filter table.

Cheers,
Aaron
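As an added example (not from anyone in this thread), a small lint that checks a typed-out FORWARD rule list for the two mistakes discussed above: a REJECT keyed on the WAN interface, which never sees LAN-originated connections, and a REJECT placed after the catch-all "-i LAN -j ACCEPT", which is dead because the first match wins. The interface names enp4s0 (WAN) and enp5s5 (LAN) are taken from the thread; the two rule sets are constructed samples.

```shell
#!/bin/sh
# Added example: lint iptables FORWARD rules (one command per line on stdin).
# Interface names are the thread's; override with WAN=... LAN=... in the environment.
WAN="${WAN:-enp4s0}"
LAN="${LAN:-enp5s5}"

# Prints one finding per problem and returns 1 if any were found, else 0.
lint_forward_rules() {
  awk -v wan="$WAN" -v lan="$LAN" '
    !/-A FORWARD/ { next }   # nat rules and chain policies are out of scope
    # Traffic from LAN clients enters FORWARD with -i LAN; a REJECT keyed on
    # -i WAN only sees inbound packets and never blocks the clients.
    $0 ~ ("-i " wan) && /-j REJECT/ {
      print "line " NR ": REJECT matches -i " wan " (WAN); use -i " lan; bad = 1
    }
    # Rules are evaluated top to bottom, so a REJECT after the catch-all
    # "-i LAN -j ACCEPT" can never match.
    accept_all && /-j REJECT/ {
      print "line " NR ": REJECT after the catch-all ACCEPT is never reached"; bad = 1
    }
    $0 ~ ("-i " lan) && /-j ACCEPT/ && !/--dport/ { accept_all = 1 }
    END { exit bad ? 1 : 0 }
  '
}

# Constructed sample: both mistakes at once (WAN-keyed REJECT, then a REJECT
# placed after the catch-all ACCEPT).
BAD_RULES='iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT
iptables -P FORWARD DROP'

# Constructed sample: the corrected ordering, REJECTs keyed on the LAN side.
GOOD_RULES='iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT
iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP'

# Demonstration when run directly: the bad set reports two findings, the good set none.
printf '%s\n' "$BAD_RULES" | lint_forward_rules || echo "bad set: problems found (expected)"
printf '%s\n' "$GOOD_RULES" | lint_forward_rules && echo "good set: clean"
```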