Hi,

On Wed, 22 Jun 2005 22:50:18 +0600 "askar ..." <[EMAIL PROTECTED]> wrote:
> > Note that this should be better done in the ppp-connect script rather
> > than here. The iptables should be set up at boot time, I'd suggest. So
> > you're not imposing a (rather short) open firewall situation. In fact,
> > iptables doesn't care if interfaces are already available when setting
> > up routes.
>
> But is it ok if I keep /bin/echo 1 > /proc/sys/net/ipv4/ip_forward in
> my iptables rule? I have never used ppp-connect script. At home I use
> rp-pppoe.

Well, I didn't mean any specific script, but in your case it would be some
script called by rp-pppoe (I'm not using any ppp(oe) thingies myself).

> > > #echo -e " - Allowing access to the SSH server"
> > > $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
> > >
> > > #echo -e " - Allowing access to the HTTP server"
> > > $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
> >
> > Not needed, as all respective packets will get rewritten to 192.168.0.2
> > and will never hit the INPUT table. That doesn't include packets from
> > internal LAN, see respective rule below.
>
> Do you mean about dport22 and dport80 both? Or only about dport80?

Only port 80. If those packets hit the nat PREROUTING chain, they'll get
rewritten to destination 192.168.0.2 and therefore aren't hitting the INPUT
chain.

> > > # block out all other Internet access on $EXTIF
> > > $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> >
> > Hm, you may switch that to a simple
> >
> > $IPTABLES -P INPUT DROP
>
> $IPTABLES -P INPUT DROP stopped internet connection

You may want to allow all incoming traffic that's been already established
by inserting a rule like

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

but I'd strongly suggest to set the general INPUT policy to DROP. Well,
actually, this should be done carefully to not interrupt other IP based
communication, especially ICMP. But this should be covered by the above
mentioned rule.
> > [from here use proposed parts below, I'll continue commenting]
> >
> > > $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
> >
> > ?!? This would drop all requests from ppp0, especially the ones to the
> > www port...
>
> You mean I can leave it as it is?

No, you should remove it. As said, it's definitely interrupting all "NEW"
communication, regardless of whether it is to the www port or not. This
should be covered by the "DROP" policy for the "FORWARD" chain.

...

> My iptables rule with taking into account your comments became:
>
> #!/bin/bash
> IPTABLES='/sbin/iptables'
>
> # Set interface values
> EXTIF='ppp0'
> INTIF1='eth0'
>
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

Again, note that at this point ppp0 must be _up_. But if it wasn't, you
wouldn't have an outgoing connection either, so I guess it's issued after
connecting and everything is well.

> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
>
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state
> NEW,ESTABLISHED -j ACCEPT

Again, I think you should add RELATED here.

> $IPTABLES -A FORWARD -i eth0 -o ppp0 -j LOG --log-prefix "Dropped outgoing: "
> $IPTABLES -A FORWARD -i ppp0 -o eth0 -j LOG --log-prefix "Dropped incoming: "

Hm, both are optional, and the text of the log message may be wrong as the
packet may be accepted later, so better remove those...

> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

That last one should be removed, the first one too, but you'd need to
insert the above mentioned line and the DROP policy for the INPUT chain.
> $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -d 192.168.0.2 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCE$

This should, of course, read "ACCEPT".

> $IPTABLES -P FORWARD DROP
>
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT
> --to 192.168.0.2
>
> --------------
> Unfortunately, I'm still unable to see my web page from LAN, when I
> try to access my domain.com... :(

Try to start by removing both of those "DROP" rules and then refine until
everything works with the INPUT chain set to DROP policy.

HWH

--
[email protected] mailing list
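As an added example that is not part of the thread (it is neither askar's script nor anything HWH posted), here is the ruleset the reply converges on: INPUT and FORWARD policies set to DROP, an ESTABLISHED,RELATED accept on INPUT instead of the NEW,INVALID drops, RELATED added to the LAN-to-Internet FORWARD rule, and the DNAT for port 80 paired with the FORWARD rule for the rewritten destination. The interface names and the 192.168.0.2 server address are the thread's own; the `WEBSRV` variable, the `firewall_rules`/`firewall_check` functions, the SSH and LAN-side INPUT rules, the OUTPUT policy and the `apply`/`check` arguments are assumptions made for this example. The script takes the iptables command as a parameter so the whole ruleset can be dry-run with `echo` and checked on any host without root or iptables.

```shell
#!/bin/sh
# Added example, not code from the thread. Interfaces and server address
# are the thread's values; the rest is assumed for illustration.
EXTIF='ppp0'          # PPPoE uplink
INTIF1='eth0'         # LAN side
WEBSRV='192.168.0.2'  # internal web server published via DNAT

# firewall_rules CMD: emit every rule through CMD, which is /sbin/iptables
# for a real run and "echo" for a dry run that only prints what would run.
firewall_rules() {
    ipt=$1

    # flush rules (filter and nat) and delete user chains
    $ipt -F
    $ipt -t nat -F
    $ipt -X

    # default policies: anything no rule accepts is dropped
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # loopback, then replies to traffic the router itself started
    # (ESTABLISHED,RELATED also lets ICMP errors through, as HWH notes)
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH is the only new inbound service on INPUT; port 80 never reaches
    # INPUT because nat PREROUTING rewrites it to the web server first
    $ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # LAN hosts may open connections to the router itself
    $ipt -A INPUT -i "$INTIF1" -m state --state NEW -j ACCEPT

    # masquerade LAN traffic leaving on the PPP link
    $ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    # LAN -> Internet, with RELATED so helper-tracked and ICMP traffic pass
    $ipt -A FORWARD -i "$INTIF1" -o "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # replies and related traffic back into the LAN
    $ipt -A FORWARD -i "$EXTIF" -o "$INTIF1" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # publish the internal web server: rewrite, then permit the forwarded flow
    $ipt -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 -j DNAT --to-destination "$WEBSRV"
    $ipt -A FORWARD -i "$EXTIF" -p tcp --dport 80 -d "$WEBSRV" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# firewall_check: dry-run the ruleset and verify the properties HWH asked for.
# Returns 0 when all hold, 1 otherwise (printing which check failed).
firewall_check() {
    rules=$(firewall_rules echo)
    echo "$rules" | grep -q -- '-P INPUT DROP'   || { echo "missing INPUT DROP policy"; return 1; }
    echo "$rules" | grep -q -- '-P FORWARD DROP' || { echo "missing FORWARD DROP policy"; return 1; }
    echo "$rules" | grep -q -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        || { echo "missing ESTABLISHED,RELATED accept on INPUT"; return 1; }
    # the NEW,INVALID drop rules from the original script must be gone
    if echo "$rules" | grep -q 'NEW,INVALID'; then echo "stray NEW,INVALID rule"; return 1; fi
    # the DNAT must be matched by a FORWARD rule for the rewritten destination
    echo "$rules" | grep -q -- "-A FORWARD -i $EXTIF -p tcp --dport 80 -d $WEBSRV" \
        || { echo "DNAT target not permitted in FORWARD"; return 1; }
    return 0
}

# ./firewall.sh apply  -> load the rules for real (needs root)
# ./firewall.sh check  -> dry-run and verify
# ./firewall.sh        -> just print the commands that would be run
case "${1:-}" in
    apply) firewall_rules /sbin/iptables ;;
    check) firewall_check && echo "ruleset OK" ;;
    *)     firewall_rules echo ;;
esac
```

Running `sh firewall.sh check` before `sh firewall.sh apply` is the cheap safeguard against the "DROP policy stopped the internet connection" situation from the thread: the check fails if the INPUT policy is DROP without an ESTABLISHED,RELATED accept rule, or if one of the NEW,INVALID drops crept back in. The ruleset does not try to address the last point in the thread (reaching the site by its public name from inside the LAN); it only sets up the inbound and outbound path HWH describes.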

