Hi,

On Tue, 11 Sep 2007 18:50:52 +0200 Florian Philipp
<[EMAIL PROTECTED]> wrote:

> > My suggestion for a proper setup would be
> > 
> > $ iptables -F FORWARD
> > $ iptables -P FORWARD DROP
> > $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > ...plus rules allowing for forwarding designated ports, if any
> > 
> > You'll certainly want to keep this:
> > $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > in place, too.
> > 
> > Note that this trusts any box connecting via eth0, not just a single
> > client.
> [...]
> When I try to apply the rules you've posted I get:
> 
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
> NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> iptables: No chain/target/match by that name

Hm, you do not seem to have your kernel configured for connection state
matching.

Just start with basic rules:
$ iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
$ iptables -A FORWARD -o eth0 -i ppp0 -j ACCEPT

(instead of the "iptables -A" settings mentioned before)

But note that those would potentially allow inbound connections to get
routed to any desired machine (desired by the party outside your
network, that is). So make sure that either such requests aren't
getting forwarded to your router (and this is most probably already the
case for your setup -- DSL or cable, I guess?) or your LAN doesn't care
(i.e. is secured). Most PPP endpoints, however, would drop such traffic
anyway, so you should be secure if you trust your provider.

Basically I think this is what the Gentoo wiki guide *intended* to do.

-hwh
-- 
[EMAIL PROTECTED] mailing list
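Added example, not code from either poster in this thread: a small POSIX sh script that checks whether the running kernel registers the `state` match (the missing piece behind the error quoted above), prints the stateful FORWARD ruleset when it does, and otherwise falls back to the basic rules with a TCP-only `! --syn` restriction on the inbound direction. The interface names eth0/ppp0 come from the thread; the `! --syn` fallback and the dry-run/APPLY switch are my own additions.

```shell
#!/bin/sh
# Added example, not from the thread. Decide between the stateful
# FORWARD rules and a weaker stateless fallback by checking whether the
# kernel registers the "state" match, then print the commands (dry run).
# Run as root with APPLY=1 to execute them. eth0 = LAN, ppp0 = uplink,
# as in the thread.
LAN=${LAN:-eth0}
WAN=${WAN:-ppp0}

# Success if match $2 is listed in $1, a newline-separated list in the
# format of /proc/net/ip_tables_matches.
has_match_in() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# Matches registered by the running kernel; empty if the file is absent
# (old kernel, or modules such as ipt_state/xt_state not loaded).
kernel_matches() {
    cat /proc/net/ip_tables_matches 2>/dev/null || true
}

# Print the ruleset for the list of available matches given in $1.
# Without "state", inbound TCP is accepted only when it is not a
# connection attempt (! --syn). That is my assumption, not the thread's
# advice: it covers TCP only, so UDP/ICMP replies (DNS!) still hit the
# DROP policy, and non-SYN probes still reach the LAN. Fixing the kernel
# configuration is the real answer; the fallback is a stopgap.
forward_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    if has_match_in "$1" state; then
        echo "iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    else
        echo "iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT"
        echo "iptables -A FORWARD -i $WAN -o $LAN -p tcp ! --syn -j ACCEPT"
    fi
    # MASQUERADE lives in the nat table; leaving out -t nat produces the
    # same "No chain/target/match by that name" error.
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

if [ "${APPLY:-0}" = 1 ]; then
    forward_rules "$(kernel_matches)" | sh -e
else
    forward_rules "$(kernel_matches)"
fi
```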