[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: using apt through firewall ... (what am i missing ?...)

On Monday 18 August 2003 14:38, CaRLoS mOGUeL wrote:
> Blessings All...
> I'm trying to set up my Home-LAN Firewall... but I
> cant  apt-get... what am I missing ?. I just need the
> masquerading and ssh connection only from my LAN.
> Advices ?... opinions ?.

> # Input, Forward and Output...
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

First things first, as a general rule I don't use DROP policy on the INPUT or 
OUTPUT chains, for the sole reason that an accidently 'iptables -F' at the 
wrong time can kill your access to the machine. Better to leave the policy as 
ACCEPT and put a DROP rule at the end of your rules instead.

> # Input States...
> iptables -A INPUT -p tcp -m state --state

Drop the "-p tcp". You want to allow other related protocols back in, such as 

> # Accepting the LoopBack...
> iptables -A INPUT -p tcp -i lo -j ACCEPT
> # Accepting SSH from the LAN... for admin things.
> iptables -A INPUT -p tcp --dport 22 -i $LAN_INTERFACE

Looks ok.

> # Forwarding States...
> # Accepting Forwarding to Related and Established
> # States...apt should work here, right ?.
> iptables -A FORWARD -p tcp -m state --state

Drop the "-p tcp".

> # Accepting Forwarding from the LAN...
> iptables -A FORWARD -p tcp -s $LAN_IP_ADDRESS -j

You should add "-m state --state NEW" to this line, and also drop the "-p 

> # Masquerading the LAN...
> iptables -t nat -A POSTROUTING -s $LAN_IP_ADDRESS -j

I think you may need to specify the output interface, ie: '-o ppp0', otherwise 
netfilter won't know what IP address to masquerade the connection as.

Hope this helps.

GPG: http://n12turbo.com/tarragon/public.key

Reply to: