Re: using apt through firewall ... (what am i missing ?...)
On Monday 18 August 2003 14:38, CaRLoS mOGUeL wrote:
> Blessings All...
>
> I'm trying to set up my Home-LAN Firewall... but I
> can't apt-get... what am I missing ?. I just need the
> masquerading and ssh connection only from my LAN.
>
> Advice ?... opinions ?.
> # Input, Forward and Output...
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
First things first, as a general rule I don't use DROP policy on the INPUT or
OUTPUT chains, for the sole reason that an accidental 'iptables -F' at the
wrong time can kill your access to the machine. Better to leave the policy as
ACCEPT and put a DROP rule at the end of your rules instead.
> # Input States...
> iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
Drop the "-p tcp". You want to allow other related protocols back in, such as
icmp.
> # Accepting the LoopBack...
> iptables -A INPUT -p tcp -i lo -j ACCEPT
>
> # Accepting SSH from the LAN... for admin things.
> iptables -A INPUT -p tcp --dport 22 -i $LAN_INTERFACE -j ACCEPT
Looks ok.
> # Forwarding States...
> # Accepting Forwarding to Related and Established
> # States...apt should work here, right ?.
> iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
Drop the "-p tcp".
> # Accepting Forwarding from the LAN...
> iptables -A FORWARD -p tcp -s $LAN_IP_ADDRESS -j ACCEPT
You should add "-m state --state NEW" to this line, and also drop the "-p tcp".
> # Masquerading the LAN...
> iptables -t nat -A POSTROUTING -s $LAN_IP_ADDRESS -j MASQUERADE
I think you may need to specify the output interface, i.e. '-o ppp0', otherwise
netfilter won't know what IP address to masquerade the connection as.
Hope this helps.
t
--
GPG: http://n12turbo.com/tarragon/public.key
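The poster's ruleset with the reply's four fixes applied (state rules without "-p tcp", "--state NEW" on the LAN forward rule, "-o" on the MASQUERADE rule, ACCEPT policies with a trailing DROP), written out as an added example that is not part of the original thread. The interface names and the LAN range are assumed placeholders; the loopback rule is also generalized to all protocols.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders (assumptions): override
# them in the environment for a real box.
LAN_IF="${LAN_IF:-eth0}"               # assumed LAN-side interface
WAN_IF="${WAN_IF:-ppp0}"               # assumed uplink (the reply suggests ppp0)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed private range

# Emit the rules as text so they can be reviewed (or piped to sh) first;
# nothing in this file touches the running firewall by itself.
build_rules() {
    cat <<EOF
# Policies stay ACCEPT so an accidental 'iptables -F' does not lock you out;
# the explicit DROP rule at the end of each chain does the blocking instead.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
# No '-p tcp' on state rules: UDP (DNS) and ICMP replies must get back in too.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i $LAN_IF -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Only the LAN may open new connections outward, for any protocol.
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP
# '-o $WAN_IF' tells netfilter which interface address to masquerade as.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Returns 0 when the generated text carries every fix from the reply.
check_rules() {
    rules=$(build_rules)
    # no state-match rule may still be limited to tcp
    if echo "$rules" | grep 'RELATED,ESTABLISHED' | grep -q -- '-p tcp'; then return 1; fi
    echo "$rules" | grep -q -- "-s $LAN_NET -m state --state NEW -j ACCEPT" || return 1
    echo "$rules" | grep -q -- "-o $WAN_IF -j MASQUERADE" || return 1
    echo "$rules" | grep -q -- '-P INPUT ACCEPT'
}

# Review the output, then apply with: build_rules | sh
build_rules
```

Run it once without piping to sh and read the rules; the check function is there so a script that edits the template can fail fast if one of the fixes is dropped.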