
Re: port forward with the ipmasq package and Iptables

> > Should this work with my existing, complicated set of Iptables rules?
> Depends. As this is an "append" rule it might break if there are any 
> DENY/REJECT rules before it in the chain, in which case it would be a matter 
> of tweaking the position in the chain. Also, if you've got DENY/REJECTs in 
> your FORWARD chain, these will potentially affect your connections too.

Okay, I'll stop requiring you to guess and reverse engineer Ipmasq and
post my small Iptables script that still doesn't work.  The result is the
same change from "Connection refused" to "Connection timed out" that I
described earlier.

> > I was assuming that lots of people used the ipmasq package with Iptables
> Not I .. taking a quick look at it, it appears it's one of those 
> auto-generating firewall scripts. I tend to avoid them myself.

The ipmasq package has been trusty to me so far.

My shell script is attached, unless I forget.

Tom Goulet				mail: uid0@em.ca
UID0 Unix Consulting			web:  em.ca/uid0/

#!/bin/sh
# EXTIF, INTIF and PRINTERIP are not defined in this script; they are
# expected to be set by the caller (ipmasq or the environment) beforehand.
set -e
# External address: first "inet addr" field of ifconfig's output for $EXTIF
EXTIP="`ifconfig $EXTIF | awk /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

echo 1 >/proc/sys/net/ipv4/ip_forward

iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# Let replies to connections opened from the LAN come back in. The
# "-j ACCEPT" after the line continuation was missing as posted, which
# makes iptables (and, under set -e, the whole script) fail on this line.
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
	-j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -j LOG
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Port forward for lpd: rewrite the destination in PREROUTING, then accept
# the rewritten packet at the head of FORWARD (position 1) so it is seen
# before the rules above. The target on the last line was also missing.
iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 515 \
	-j DNAT --to $PRINTERIP:515
iptables -I FORWARD 1 -i $EXTIF -o $INTIF -p tcp -d $PRINTERIP --dport 515 \
	-j ACCEPT
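The ordering problem the quoted reply describes (an appended ACCEPT is dead if a DENY/REJECT earlier in the FORWARD chain already matches the packet) can be checked without touching a live kernel. What follows is an added example, not code from this thread or from the ipmasq package: a small Python simulator that walks a FORWARD chain written in iptables-save syntax the way iptables would, for the packet as FORWARD sees it after DNAT (destination already rewritten to the printer, connection state NEW). The interface names eth0/eth1, the printer address 192.168.1.20 and both rule dumps are constructed placeholders; only the handful of match options used here (-i, -o, -p, -d, --dport, --state/--ctstate) are understood, and LOG is treated as a non-terminating target.

```python
"""Simulate FORWARD-chain evaluation for a DNAT port forward (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass, field


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str
    dst: str
    dport: int
    state: str  # NEW / ESTABLISHED / RELATED


@dataclass
class Rule:
    chain: str
    target: str
    opts: dict = field(default_factory=dict)


def parse_rules(text):
    """Parse iptables-save style lines into chain policies and an ordered rule list."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("*filter", "COMMIT"):
            continue
        if line.startswith(":"):  # ":FORWARD DROP [0:0]" -> chain policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule = Rule(chain=toks[1], target="")
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "-j":
                rule.target = toks[i + 1]
                i += 2
            elif t in ("-i", "-o", "-p", "-d", "--dport"):
                rule.opts[t] = toks[i + 1]
                i += 2
            elif t in ("--state", "--ctstate"):
                rule.opts["state"] = set(toks[i + 1].split(","))
                i += 2
            elif t == "-m":  # match module name itself carries no condition
                i += 2
            else:
                i += 1
        rules.append(rule)
    return policies, rules


def matches(rule, pkt):
    o = rule.opts
    if "-i" in o and o["-i"] != pkt.in_if:
        return False
    if "-o" in o and o["-o"] != pkt.out_if:
        return False
    if "-p" in o and o["-p"] != pkt.proto:
        return False
    if "-d" in o and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(o["-d"], strict=False):
        return False
    if "--dport" in o and int(o["--dport"]) != pkt.dport:
        return False
    if "state" in o and pkt.state not in o["state"]:
        return False
    return True


def verdict(chain, policies, rules, pkt):
    """Walk a chain top to bottom; return (target, index of the deciding rule or None for policy)."""
    for idx, rule in enumerate(r for r in rules if r.chain == chain):
        if matches(rule, pkt) and rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, idx
        # LOG and other non-terminating targets fall through to the next rule
    return policies.get(chain, "ACCEPT"), None


# Constructed dump matching the posted script's layout: port-forward ACCEPT
# inserted at position 1, ahead of everything else.
WORKING = """
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.20 --dport 515 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
"""

# Constructed dump of the failure the reply warns about: the same ACCEPT was
# appended after a REJECT, so the REJECT decides first and the ACCEPT never runs.
BROKEN = """
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -j REJECT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.20 --dport 515 -j ACCEPT
-A FORWARD -j LOG
COMMIT
"""

# The inbound lpd SYN as FORWARD sees it: DNAT has already rewritten the destination.
PRINTER_SYN = Packet("eth0", "eth1", "tcp", "192.168.1.20", 515, "NEW")


def check_forward(dump, pkt=PRINTER_SYN):
    policies, rules = parse_rules(dump)
    return verdict("FORWARD", policies, rules, pkt)


if __name__ == "__main__":
    for name, dump in (("working", WORKING), ("broken", BROKEN)):
        print(name, check_forward(dump))
```

Feed `iptables-save` output into `check_forward` to see which rule (by position in the chain) decides the fate of the forwarded packet; a verdict of REJECT or DROP, or the chain policy with index None, is the "Connection refused"/"Connection timed out" case, and the index tells you where in the chain the port-forward ACCEPT has to be inserted to take effect.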
