On Fri, 25 Oct 2019 at 00:59, Aaron Gray <aaronngray.lists@xxxxxxxxx> wrote:
>
> On Wednesday, 23 October 2019, zrm <zrm@xxxxxxxxxxxxxxx> wrote:
>
> >> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> >> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> iptables -A FORWARD -i enp5s5 -j ACCEPT
> >> iptables -P FORWARD DROP
> >>
> >> And then reject the things you actually want to prohibit, e.g.:
> >>
> >> iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> >> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
> >> iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
> >> iptables -A FORWARD -i enp5s5 -j ACCEPT
> >> iptables -P FORWARD DROP
> >>
> >
> > That should've been this, using the internal interface rather than the external one:
> >
> > iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -j REJECT -m comment --comment "no spamming"
> > iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -j REJECT -m comment --comment "no unencrypted HTTP"
> > iptables -A FORWARD -i enp5s5 -j ACCEPT
> > iptables -P FORWARD DROP
> >
> Okay, I was confused about that.
>
> > Note that this is a strong reason to rename your interfaces to something meaningful instead of using the ugly meaningless default names.
>
> Yes, I miss eth0 and eth1!
>
> Many thanks, hopefully that clears everything up. I suspected I had done
> something stupid.

And half suspected I needed to use the filter table. I did have everything working perfectly, then it all stopped working again, and I cannot work out why. I need to start from scratch again.

Aaron
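As an added example (not from the thread or either poster), the corrected ruleset above expressed as an iptables-restore ruleset parameterised on interface names, with a check that every REJECT on the internal interface sits before the blanket ACCEPT for that interface; WAN/LAN variable names and the enp4s0/enp5s5 defaults are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example: emit the thread's forwarding policy in iptables-restore
# format so it can be loaded atomically and reloaded from scratch.
# Assumed names: WAN = uplink (enp4s0 in the thread), LAN = internal side
# (enp5s5 in the thread). Override with WAN=... LAN=... in the environment.
WAN="${WAN:-enp4s0}"
LAN="${LAN:-enp5s5}"

# gen_rules <wan> <lan>: print the ruleset on stdout.
# Rejects are matched on the *internal* ingress interface (-i lan), i.e. the
# side the prohibited traffic enters on, and must precede "-i lan -j ACCEPT".
gen_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -p tcp --dport 25 -m comment --comment "no spamming" -j REJECT
-A FORWARD -i $lan -p tcp --dport 80 -m comment --comment "no unencrypted HTTP" -j REJECT
-A FORWARD -i $lan -j ACCEPT
COMMIT
EOF
}

# check_order <wan> <lan>: exit 0 only if no REJECT appears after the
# catch-all LAN ACCEPT (a later REJECT would never be reached).
check_order() {
    gen_rules "$1" "$2" | awk -v lan="$2" '
        $0 ~ "-i " lan " -j ACCEPT" { seen_accept = 1 }
        /-j REJECT/ && seen_accept  { bad = 1 }
        END { exit bad }'
}

# apply_rules: load atomically (needs root); "--test" only validates syntax.
apply_rules() { gen_rules "$WAN" "$LAN" | iptables-restore "$@"; }

if [ "${1:-}" = "--apply" ]; then
    check_order "$WAN" "$LAN" && apply_rules
else
    gen_rules "$WAN" "$LAN"
fi
```

Run without arguments to print the ruleset for review, or with `--apply` as root to load it; `WAN=wan0 LAN=lan0 sh script.sh` shows the same policy with meaningful interface names.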