Re: NAT and IPTABLES problem

To: chindea mihai <misubs24@yahoo.com>
Cc: debian-amd64@lists.debian.org
Subject: Re: NAT and IPTABLES problem
From: Bonnel Christophe <mage.tophinus@free.fr>
Date: Tue, 01 Apr 2008 06:22:38 +0200
Message-id: <[🔎] 47F1B88E.3080103@free.fr>
In-reply-to: <[🔎] 25852.657.qm@web54106.mail.re2.yahoo.com>
References: <[🔎] 25852.657.qm@web54106.mail.re2.yahoo.com>

Hi,

I think there is two problems here :

#Forward LAN traffic from LAN $INTIF to Internet $EXTIF
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --stateNEW,ESTABLISHED -j ACCEPT

You allow only NEW and ESTABLISHED output to the web. Don't you forgetRELATED ?


You must also let your gateway forward input datas from the web :

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT


You should also redifined the default policy :
$IPTABLES -P INPUT -j DROP
$IPTABLES -P OUTPUT -j DROP
$IPTABLES -P FORWARD -j DROP
$IPTABLES -t NAT -P PREROUTING ACCEPT
$IPTABLES -t NAT -P POSTROUTING ACCEPT
$IPTABLES -t NAT -P OUTPUT ACCEPT

Now, this line  :

$IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT--to xx.xx.xx.xxx, and it's still not working.

You should use it if you want DMZ for example, so you don't need it here.

Hope this helps

Christophe

Reply to:

References:
- NAT and IPTABLES problem
  - From: chindea mihai <misubs24@yahoo.com>

Prev by Date: Re: P5K-VM v BFG NVidia 8800GT OC
Next by Date: Re: NAT and IPTABLES problem
Previous by thread: NAT and IPTABLES problem
Next by thread: Re: NAT and IPTABLES problem
Index(es):
- Date
- Thread