From:

http://netfilter.samba.org/documentation/HOWTO//packet-filtering-HOWTO-5.html

# Stateful filtering chain: replies to connections already in the state
# table are accepted, new connections are accepted only if they do NOT
# arrive on eth0 (the external interface), everything else is dropped.
# Newer iptables releases write the negation as '! -i eth0'.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j DROP

# Run both locally delivered and forwarded traffic through that chain.
iptables -A INPUT -j block
iptables -A FORWARD -j block

For your case, I replaced ppp0 with eth0 (your external interface) in the
above example.

you will also need a NAT rule...

from:

http://netfilter.samba.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1

# Rewrite the source address of everything leaving eth0 to eth0's own address.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Once again, I replaced ppp0 with eth0 in the above example for your
situation.

Now, enable IP forwarding:

# Without this the kernel never routes packets between the two NICs.
echo 1 > /proc/sys/net/ipv4/ip_forward

That's it.

Run 'service iptables stop' before issuing the above commands to reset
everything.

The reason you can't access the internet from your internal hosts after
running 'service iptables stop' is that it removes NAT and disables IP
forwarding. This is by design.

Hope this helps.

jason
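The three steps from the reply above (the stateful 'block' chain, the MASQUERADE rule and IP forwarding) assembled into one script, as an added example that is not code from the original thread or the HOWTOs. It assumes Ron's layout: eth0 is the external interface and 192.168.0.0/24 is the LAN behind eth1. The one deliberate deviation from the HOWTO rule is the '-s' on the POSTROUTING rule, so that only traffic really coming from the LAN gets masqueraded. Setting IPT to "echo iptables" prints the rules instead of loading them, which is what the dry_run helper does.

```shell
#!/bin/sh
# nat-gateway.sh: minimal stateful NAT gateway in the spirit of the reply above.
# Added example, not from the original thread. Assumptions: eth0 is the
# external interface, 192.168.0.0/24 is the LAN behind eth1 (Ron's setup).
# Set IPT to "echo iptables" to print the rule set instead of loading it.
IPT="${IPT:-iptables}"

# Emit (or apply, depending on $IPT) the rule set for external interface $1
# and internal network $2.
gateway_rules() {
    ext="$1"
    lan="$2"

    # Start from a clean slate, as 'service iptables stop' would:
    # flush the filter and nat tables and remove user-defined chains.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Policies: the 'block' chain ends in DROP, so these only matter for
    # packets that never reach it. OUTPUT stays open so the box itself can talk.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback must be accepted early or local services break.
    $IPT -A INPUT -i lo -j ACCEPT

    # The stateful chain from the packet-filtering HOWTO: replies to
    # connections we (or the LAN) opened are accepted, new connections only
    # if they do not arrive on the external interface, the rest is dropped.
    # Old iptables (1.2.x) spell the negation as '-i ! eth0'.
    $IPT -N block
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A block -m state --state NEW ! -i "$ext" -j ACCEPT
    $IPT -A block -j DROP
    $IPT -A INPUT -j block
    $IPT -A FORWARD -j block

    # NAT: only masquerade traffic whose source is really the LAN. The HOWTO
    # rule has no -s; adding it keeps misrouted or spoofed sources from being
    # rewritten to the public address.
    $IPT -t nat -A POSTROUTING -s "$lan" -o "$ext" -j MASQUERADE
}

# Print the rule set for external interface $1 and LAN $2 without touching
# the kernel (runs gateway_rules in a subshell with IPT pointed at echo).
dry_run() {
    (IPT="echo iptables"; gateway_rules "$@")
}

# Turn on routing between interfaces; without this the FORWARD chain never
# sees a packet, so the NAT rule alone does nothing.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Exit status 0 if the kernel is currently forwarding, 1 otherwise.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage (as root): ./nat-gateway.sh apply [ext_if] [lan_cidr]
if [ "${1:-}" = "apply" ]; then
    gateway_rules "${2:-eth0}" "${3:-192.168.0.0/24}"
    enable_forwarding
    if forwarding_enabled; then
        echo "forwarding on; loaded rules:"
        $IPT -L -n -v
        $IPT -t nat -L -n -v
    fi
fi
```

After loading, browse from the Win2k box and watch the packet counters on the 'block' and POSTROUTING rules in 'iptables -L -n -v' and 'iptables -t nat -L -n -v' climb; a zero counter on FORWARD with a non-zero one on INPUT usually means forwarding is still off. Because 'service iptables stop' flushes all of this, save the loaded set with 'iptables-save > /etc/sysconfig/iptables' so 'service iptables start' restores it, and put 'net.ipv4.ip_forward = 1' in /etc/sysctl.conf so forwarding survives a reboot.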

-----Original Message-----
From: Ron Darling [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 8:22 AM
To: Netfilter Mailing List
Cc: Scott Smith
Subject: HELP: I just want to see something work


I have a small home/office Microsoft/Novell based network.  I have had an NT
based proxy, NAT, email setup since 1996 sharing a modem and phone line.  I
have made a lot of money from this setup since 1996, it has worked fine and
I have even gone out and setup the same configuration for a lot of small
businesses.

I just purchased a DSL connection and would like to replace the proxy with a
Linux based box.  I have a Linux box up and running Redhat 7.2, two NICs,
IPTables 1.2.4.  ETH0 is bound to my fixed Internet IP Address.  ETH1 is
bound to my internal IP 192.168.0.125.

=================

I have learned to:
Upgrade the kernel (Agent Update)
Update IPTables (Agent Update)
DISABLE IPChains.
Reset IPTables to Default Settings - service iptables stop.
I have a script that feeds new settings to IPTables.  Got this from the book
"Redhat Linux the Complete Ref - Richard Peterson"
I can interrogate the new settings with iptables -L -n and see the
difference in the output between running the script and having just run
service iptables stop.

=================
When I have just run - service iptables stop.

From the Linux box I can:
ping the internet.
Ping both NICs on the Linux box.
Browse the internet and, I suspect, do any other TCP/IP type function I want to.
Ping boxes on the internal network.

Ping ETH1 on the Linux box from the internal boxes on network.

I cannot browse the internet from internal boxes.

=================
When I run the script:
I cannot ping anything from the Linux box.
I cannot browse the internet from the Linux box

I cannot ping the Linux box from an internal network box
I cannot browse the internet from an internal network box

*****************

For the moment I would just like to be able to:
Browse the internet from an internal network box with IPTables turned on
with just enough rules to perform NAT and allow the http request to flow.

Internal network box is Win2k.  IP: 192.168.0.42 Gateway: 192.168.0.125
(ETH1 on Linux box).  All proxy settings in IE6 have been disabled on the
win2k box.

Can someone point me to a simple script to just perform this?




Ron Darling
President Ix.sys, Inc.
http://www.ixsys.com
[EMAIL PROTECTED]
817.377.0925