On Monday 08 July 2002 12:32 am, Tim wrote:

> Hey ppl,
>
> echo "[--Setting Policies--]"
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD ACCEPT

Please set this one to DROP as well :-)

> #
> #
> ## Allow inside traffic to get to the DMZ and back
> iptables -A FORWARD -i $INTERNAL_NET -o $DMZ_NET -j ACCEPT
> iptables -A FORWARD -i $DMZ_NET -o $INTERNAL_NET -j ACCEPT
> iptables -A INPUT -i $INTERNAL_NET -s 192.168.1.0/24 -d 172.16.1.0/24 -p icmp -j ACCEPT
> iptables -A OUTPUT -o $DMZ_NET -s 172.16.1.0/24 -d 192.168.1.0/24 -p icmp -j ACCEPT
> iptables -A INPUT -i $DMZ_NET -s 192.168.1.0/24 -d 172.16.1.0/24 -p icmp -j ACCEPT
> iptables -A OUTPUT -o $INTERNAL_NET -s 192.168.1.0/24 -d 172.16.1.0/24 -p icmp -j ACCEPT

You seem to have a big misunderstanding of how packets go through the chains in iptables (hint: it's very different from ipchains...)

The INPUT chain is *only* for packets addressed to the firewall itself.

The FORWARD chain is *only* for packets going through the firewall from a machine on one side to another machine on the other.

The OUTPUT chain is *only* for packets originated on the firewall itself.

No packet will ever go through both INPUT and FORWARD, or through both FORWARD and OUTPUT.

Antony.
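As an added illustration of the chain traversal Antony describes (example code, not part of the original thread): a small Python model of the netfilter routing decision that sends each packet to exactly one of INPUT, FORWARD or OUTPUT, and then walks Tim's quoted rules for that one chain against constructed traffic. The interface names eth1/eth2 for $INTERNAL_NET/$DMZ_NET and the firewall's own addresses are assumptions.

```python
import ipaddress

# Constructed model (not from the mail): the firewall's own addresses on
# $INTERNAL_NET (assumed eth1) and $DMZ_NET (assumed eth2), its routes, and Tim's -P policies.
FW_ADDRS = {"192.168.1.1", "172.16.1.1"}
ROUTES = {"192.168.1.0/24": "eth1", "172.16.1.0/24": "eth2"}
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "ACCEPT"}

# Tim's six quoted rules, in order; each one has target ACCEPT.
RULES = [
    dict(chain="FORWARD", i="eth1", o="eth2"),
    dict(chain="FORWARD", i="eth2", o="eth1"),
    dict(chain="INPUT", i="eth1", s="192.168.1.0/24", d="172.16.1.0/24", p="icmp"),
    dict(chain="OUTPUT", o="eth2", s="172.16.1.0/24", d="192.168.1.0/24", p="icmp"),
    dict(chain="INPUT", i="eth2", s="192.168.1.0/24", d="172.16.1.0/24", p="icmp"),
    dict(chain="OUTPUT", o="eth1", s="192.168.1.0/24", d="172.16.1.0/24", p="icmp"),
]

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def route(dst):
    """Output interface from the routing decision; None when dst is the firewall itself."""
    return None if dst in FW_ADDRS else next(dev for net, dev in ROUTES.items() if in_net(dst, net))

def chain_for(pkt):
    """Exactly one filter chain sees a packet: OUTPUT, INPUT or FORWARD, never two of them."""
    if pkt["src"] in FW_ADDRS:
        return "OUTPUT"
    return "INPUT" if pkt["dst"] in FW_ADDRS else "FORWARD"

def matches(rule, pkt, out_dev):
    # Apply the -i/-o/-s/-d/-p conditions of one rule; an absent option matches anything.
    return (rule.get("i") in (None, pkt.get("i"))
            and rule.get("o") in (None, out_dev)
            and (rule.get("s") is None or in_net(pkt["src"], rule["s"]))
            and (rule.get("d") is None or in_net(pkt["dst"], rule["d"]))
            and rule.get("p") in (None, pkt["proto"]))

def verdict(pkt):
    """Walk only the chain this packet traverses; return (chain, verdict, matched rule index)."""
    chain, out_dev = chain_for(pkt), route(pkt["dst"])
    for idx, rule in enumerate(RULES):
        if rule["chain"] == chain and matches(rule, pkt, out_dev):
            return chain, "ACCEPT", idx
    return chain, POLICY[chain], None

# Constructed traffic: LAN host -> DMZ host, LAN host -> firewall's DMZ address, and the firewall's reply.
LAN_TO_DMZ = {"i": "eth1", "src": "192.168.1.10", "dst": "172.16.1.10", "proto": "icmp"}
LAN_TO_FW = {"i": "eth1", "src": "192.168.1.10", "dst": "172.16.1.1", "proto": "icmp"}
FW_REPLY = {"src": "172.16.1.1", "dst": "192.168.1.10", "proto": "icmp"}
```

Transit traffic between the LAN and the DMZ only ever reaches the two FORWARD rules; the INPUT and OUTPUT ICMP rules are consulted only for traffic to or from the firewall's own addresses, and in this model the firewall's own echo reply matches neither OUTPUT rule and falls through to the OUTPUT policy.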
