Hi,

On Thu, 21 Apr 2005 22:38:25 +0600 "askar ..." <[EMAIL PROTECTED]> wrote:

> 11) # iptables -F
>     # iptables -t nat -F
>     # iptables -I INPUT 1 -i eth0 -j ACCEPT
>     # iptables -I INPUT 1 -i lo -j ACCEPT
>     # iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT
>     # iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT
>     # iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT
>     # iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
>     # iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
>     # iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP
>     # iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
>     # iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT

FORWARD doesn't see those as destined to 192.168.0.0/16, I guess. I'd
rather use the "state" module and write them as follows:

iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
-j ACCEPT 

iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED \
-j ACCEPT

I guess you've also set FORWARD's policy to DROP/REJECT?

>     # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>     # echo 1 > /proc/sys/net/ipv4/ip_forward
>     # for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ;
>     # done

You could use /proc/sys/net/ipv4/conf/all here...


HTH,

Hans-Werner

-- 
This message is made of 100% recycled bits and bytes!
-- 
gentoo-user@gentoo.org mailing list
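As an added illustration of the difference discussed above (not code from either mail), here is a small Python model of first-match FORWARD-chain evaluation run over the chain askar posted and the stateful one Hans-Werner suggests; interface names and conntrack states come from the thread, while the packets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of netfilter FORWARD-chain evaluation: the first matching
# rule wins, an unmatched packet falls through to the chain policy. The
# "state" field stands in for what the conntrack "state" match would report.
@dataclass
class Packet:
    in_if: str
    src: str
    dst: str
    state: str  # NEW, ESTABLISHED, RELATED or INVALID

def _in_net(addr, net):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):
    return (rule.get("in_if") in (None, pkt.in_if)
            and _in_net(pkt.src, rule.get("src"))
            and _in_net(pkt.dst, rule.get("dst"))
            and (rule.get("states") is None or pkt.state in rule["states"]))

def forward_verdict(chain, pkt, policy="DROP"):
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy  # assumes the FORWARD policy was set to DROP, as the reply asks

# The FORWARD chain as posted: "-I" puts the DROP rule first, the "-A" rules follow.
POSTED = [
    {"in_if": "eth0", "dst": "192.168.0.0/16", "target": "DROP"},
    {"in_if": "eth0", "src": "192.168.0.0/16", "target": "ACCEPT"},
    {"in_if": "eth1", "dst": "192.168.0.0/16", "target": "ACCEPT"},
]

# The stateful alternative from the reply.
STATEFUL = [
    {"in_if": "eth0", "states": {"NEW", "ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"in_if": "eth1", "states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
]

# Constructed traffic: a LAN client's outbound request, the reply packet for
# that connection addressed to the LAN client, and an unsolicited inbound packet.
OUTBOUND = Packet("eth0", "192.168.1.10", "203.0.113.5", "NEW")
REPLY = Packet("eth1", "203.0.113.5", "192.168.1.10", "ESTABLISHED")
UNSOLICITED = Packet("eth1", "198.51.100.7", "192.168.1.10", "NEW")

def compare(pkt):
    """Verdict of both chains for one packet, e.g. ('ACCEPT', 'DROP')."""
    return forward_verdict(POSTED, pkt), forward_verdict(STATEFUL, pkt)

if __name__ == "__main__":
    for name, pkt in [("outbound", OUTBOUND), ("reply", REPLY), ("unsolicited", UNSOLICITED)]:
        print(f"{name:12s} posted={compare(pkt)[0]:6s} stateful={compare(pkt)[1]}")
```

The third packet is the interesting one: the posted eth1 rule accepts anything addressed to the LAN regardless of connection state, while the stateful chain only admits replies to connections the LAN opened.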
