
Re: NAT and IPTABLES problem





----- Original Message ----
From: Bonnel Christophe <mage.tophinus@free.fr>
To: chindea mihai <misubs24@yahoo.com>
Cc: debian-amd64@lists.debian.org
Sent: Tuesday, April 1, 2008 4:22:38 AM
Subject: Re: NAT and IPTABLES problem

Hi,

I think there are two problems here:
>
> #Forward LAN traffic from LAN $INTIF to Internet $EXTIF
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
You allow only NEW and ESTABLISHED output to the web. Didn't you forget
RELATED?

You must also let your gateway forward incoming data from the web:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

You should also redefine the default policies (note that -P takes the target directly, without -j, and the table name is lowercase "nat"):
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

Now, this line:
>
>    $IPTABLES -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth1 -j SNAT
> --to xx.xx.xx.xxx, and it's still not working.
>
You would use it if you wanted a DMZ, for example, so you don't need it here.

Hope this helps

Christophe

I made those changes, but unfortunately I still get "Request times out" on ping attempts from the subnet PC.
You know, it's weird, because I have VMware installed and apparently the NAT connection works just fine for it; well, VMware doesn't use iptables.

Mihai,
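The rule set the thread is circling around, assembled end to end as an added example (this is not code from either post). It takes the two syntax corrections a reader should carry away (-P takes a bare target with no -j, and the table is spelled "nat"), adds the return-direction FORWARD rule, and keeps the POSTROUTING source-NAT rule, since without SNAT or MASQUERADE the LAN's private addresses leave the gateway unchanged and the replies never come back. The interface names, the public address 203.0.113.10 and the test host 192.168.5.10 are assumptions; the 192.168.5.0/24 subnet is the one from the thread. It departs from the advice above in leaving OUTPUT at ACCEPT so the gateway's own DNS and package traffic keep working, and in falling back to MASQUERADE when no fixed public address is configured. The script prints the commands by default so they can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list posts.
# Builds a LAN-to-Internet NAT rule set. Interface names and the public
# address are assumptions; the LAN subnet is the one from the thread.
IPTABLES=${IPTABLES:-iptables}
EXTIF=${EXTIF:-eth1}         # assumed: interface facing the Internet
INTIF=${INTIF:-eth0}         # assumed: interface facing the LAN
LAN=${LAN:-192.168.5.0/24}   # LAN subnet from the thread
EXTIP=${EXTIP:-}             # public address for SNAT; empty -> MASQUERADE

# Emit the commands instead of running them, so the set can be reviewed
# (and tested) before being piped into a root shell.
nat_rules() {
    # Routing has to be on, or the kernel never consults the FORWARD chain.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Start from a clean slate in both tables.
    echo "$IPTABLES -F"
    echo "$IPTABLES -t nat -F"

    # Default policies. Note the syntax: no -j with -P, lowercase table name.
    echo "$IPTABLES -P INPUT DROP"
    echo "$IPTABLES -P FORWARD DROP"
    echo "$IPTABLES -P OUTPUT ACCEPT"
    echo "$IPTABLES -t nat -P PREROUTING ACCEPT"
    echo "$IPTABLES -t nat -P POSTROUTING ACCEPT"
    echo "$IPTABLES -t nat -P OUTPUT ACCEPT"

    # Traffic addressed to the gateway itself: loopback, replies, LAN side.
    echo "$IPTABLES -A INPUT -i lo -j ACCEPT"
    echo "$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPTABLES -A INPUT -i $INTIF -s $LAN -j ACCEPT"

    # Forwarding, both directions. A ping from the LAN is NEW on the way
    # out; its echo-reply comes back as ESTABLISHED, so without the second
    # rule the reply is dropped and the client sees a timeout.
    echo "$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $LAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Source NAT on the way out. SNAT needs a fixed public address;
    # MASQUERADE uses whatever address $EXTIF currently has.
    if [ -n "$EXTIP" ]; then
        echo "$IPTABLES -t nat -A POSTROUTING -s $LAN -o $EXTIF -j SNAT --to-source $EXTIP"
    else
        echo "$IPTABLES -t nat -A POSTROUTING -s $LAN -o $EXTIF -j MASQUERADE"
    fi
}

# Sanity check on the running gateway (run as root): the forwarding flag
# and the POSTROUTING counters, which should climb while a LAN host pings.
nat_diagnose() {
    cat /proc/sys/net/ipv4/ip_forward
    "$IPTABLES" -t nat -L POSTROUTING -v -n
}

case "${1:-}" in
    apply) nat_rules | sh ;;     # as root: sh gateway.sh apply
    diag)  nat_diagnose ;;       # as root: sh gateway.sh diag
    *)     nat_rules ;;          # default: print the rule set for review
esac
```

If the counters on the POSTROUTING rule stay at zero while a LAN host pings, the packets are not reaching NAT at all: check ip_forward first, then the FORWARD chain counters; if they climb but the ping still times out, the return rule on $EXTIF is the usual culprit.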


