
More IPtable help



Hi all.
Sorry for the longish post,
but this is my iptables script setup (thanks to all who helped).
The question is that I am not sure why LINE A (in the NAT SECTION)
does not let my client computers connect beyond the firewall,
while LINE B lets everything work just fine.

In other words, if I let LINE A set up MASQ,
then the firewall/gateway works fine. I can ssh to outside hosts,
but the client connected to the firewall/gateway cannot ssh
to outside hosts. I think it may be that they cannot connect to
the nameserver (my ISP's).

But if I let LINE B set up MASQ,
then my clients and firewall/gateway can all connect to outside hosts just
fine.

So my question is:
Why doesn't LINE A work?
Looking at it, it seems to be very well defined,
but it won't let the clients connect to outside hosts,
even though the iptables rule is allowing the internal
network IPs to get masq'd.
Anyway,
again,
thanks for all the help.
My script is below:



#!/bin/sh

IPTABLES=/sbin/iptables
INTERNAL_IFACE=eth1
EXTERNAL_IFACE=eth0
INTERNAL_IP=192.168.2.1
INTERNAL_NETWORK=192.168.2.1/27
# no EXTERNAL_IP definition because you're presumedly using a dynamic
# address (hence MASQUERADE, right?)


# Start with policy.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# clean up
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

# Remember that separate tables need separate statements entirely!
# You're implicitly saying -t filter above, and it doesn't affect
# (clean up) the nat table.
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z

#ENABLE NAT
#LINE A
$IPTABLES -t nat -s $INTERNAL_NETWORK -d ! $INTERNAL_NETWORK -o $EXTERNAL_IFACE -j MASQUERADE

#LINE B
#iptables -t nat -A POSTROUTING -j MASQUERADE



$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s $INTERNAL_NETWORK -i $INTERNAL_IFACE  -j ACCEPT
$IPTABLES -m state -A INPUT -s ! $INTERNAL_NETWORK -i $EXTERNAL_IFACE --state ESTABLISHED,RELATED -j ACCEPT


$IPTABLES -A FORWARD -s $INTERNAL_NETWORK -d ! $INTERNAL_NETWORK -i $INTERNAL_IFACE -o $EXTERNAL_IFACE -j ACCEPT
$IPTABLES -m state -A FORWARD -s ! $INTERNAL_NETWORK -d $INTERNAL_NETWORK -i $EXTERNAL_IFACE -o $INTERNAL_IFACE --state ESTABLISHED,RELATED -j ACCEPT


#THIS ENABLES SSH
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT


#THIS ENABLES DNS DOMAIN
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
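The NAT section rewritten as an added example (not the poster's script): it assumes the internal network written as 192.168.2.0/27 and a hypothetical IPTABLES override (IPTABLES=echo) so the commands can be printed instead of applied. The check it performs covers the two things visible in the script above: LINE A names no command and chain (it lacks -A POSTROUTING), so iptables rejects it and no NAT rule is installed while the rest of the script carries on, and LINE B masquerades every forwarded packet with no outgoing interface at all.

```sh
#!/bin/sh
# Added example (not the poster's script): the NAT section with a rule that
# iptables will actually install, plus a dry-run switch.
# Assumptions: internal network is 192.168.2.0/27 (host bits cleared) and
# IPTABLES may be overridden, e.g. IPTABLES=echo, to print the commands
# instead of applying them (no root needed).
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Build the scoped MASQUERADE rule. Only packets from the internal network that
# leave through the external interface are rewritten. "-A POSTROUTING" supplies
# the command and chain; without it iptables rejects the rule and installs
# nothing, which is what happens with LINE A in the original.
masq_rule() {
    # $1 = external interface, $2 = internal network (CIDR)
    printf '%s\n' "-t nat -A POSTROUTING -s $2 -o $1 -j MASQUERADE"
}

# Reject rule strings that would either not install (no command/chain, LINE A)
# or be too broad (LINE B: MASQUERADE on every forwarded packet, no -o iface).
check_rule() {
    case "$1" in
        *"-A POSTROUTING"*"-o "*"-j MASQUERADE"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Flush the nat table and install the rule. Because of set -e, a rule that
# iptables rejects aborts the script loudly instead of letting the rest of the
# firewall come up with no NAT at all.
apply_nat() {
    rule=$(masq_rule "$1" "$2")
    check_rule "$rule"
    $IPTABLES -t nat -F
    # shellcheck disable=SC2086  # splitting $rule into arguments is intended
    $IPTABLES $rule
}

# Demo run: IPTABLES=echo sh this_script.sh --demo prints the commands.
if [ "${1:-}" = "--demo" ]; then
    apply_nat eth0 192.168.2.0/27
fi
```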