Re: Squid as default gateway in proxy mode.



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

OK, it worked after one restart. I don't know what the problem was, but
it worked. But it still didn't drop the connections by this command; I can
still SSH and even send and receive email:

  iptables -t filter -P FORWARD DROP

as shared, so I can open all the ports one by one.

Thanks


On Fri, Apr 20, 2012 at 8:15 PM, Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
> On Sat, Apr 14, 2012 at 3:40 PM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>> Hello,
>>
>>> Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
>>>
>>>> Now the problem part is I want to ping an outside host to verify the
>>>> connectivity of the internet. For that, all the time I have to open the SSH
>>>> console and ping. But what I want is that I should also be able to ping it from
>>>> the host computers as well. However, I don't want to NAT all the traffic
>>>> coming from inside and going outside. Rather, what I want is just to
>>>> NAT only ICMP Echo Reply and Request so that I can at least ping an outside
>>>> host
>>
>> As Joe wrote, this is not the right way to do things. See below.
>>
>>> without SSH to the Squid console, which is very bothering.
>>>> My network diagram is very simple
>>>>
>>>> <Squid Box>--------eth0(192.18.30.2)----------------------<192.168.30.1-ISP Router>
>>>>        I
>>>>        I
>>>>    eth1(192.168.1.1)
>>>>        I
>>>>        I
>>>>    (local network 192.168.1.0/24)
>>>>
>>>>
>>>> And why am I using Squid as a gateway? Because I just want to minimize
>>>> unwanted nodes that need to be monitored all the time, and to have better
>>>> control over traffic with an iptables firewall. I am using this line to
>>>> NAT very specific ports to allow certain facilities like email,
>>>> remote desktop and stuff, and this is working for me.
>>>>
>>>> iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
>>
>> This is not the right way to do things. NAT is not intended for
>> filtering. By not masquerading outgoing traffic, you just let packets go
>> out with their original source address instead of dropping them. You
>> just rely on the ISP router not knowing how to handle the original
>> source address. This is wrong.
>>
>> The right way is to only accept specific traffic through your router, and then
>> NAT all traffic that was allowed to go out. Ok, it is a bit more
>> complicated.
>>
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> iptables -t filter -P FORWARD DROP
>> iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED \
>>   -j ACCEPT
>> iptables -t filter -A FORWARD -o eth0 -m state --state NEW \
>>   -p tcp --dport 110 -j ACCEPT
>>
> Sorry for the late response, but I was stuck in some other tasks.
> Now it's my time to hit my head against the wall: I tried every single
> configuration on the internet, but I can not reach nor ping the
> destination with the example below. Even fwbuilder is generating the
> same script, but it's not working.
> However, my outside interface was eth1 and inside eth0, so I replaced my
> settings accordingly, but it doesn't work either.
> Please share.
>
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> I checked several websites telling me the same thing, but I can not
> ping the outside destination 8.8.4.4, which is Google DNS. I am lost,
> kindly help.
>
>
>
>>>> Now I am stuck on allowing the ping traffic. Please help.
>>
>> iptables -t filter -A FORWARD -o eth0 -p icmp --icmp-type echo-request \
>>   -j ACCEPT
>>
>> Joe wrote:
>>> only TCP and UDP have 'ports'
>>
>> No. ICMP does not have ports, but other protocols such as SCTP and DCCP
>> have ports too.
>>
>>

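An added example (not code from the thread, and not Pascal's or the poster's script): a POSIX sh function that prints the filter-then-masquerade ruleset Pascal outlined, taking the outside and inside interface names as arguments so the eth0/eth1 swap in the poster's setup is one argument change. It assumes the poster's stated layout (outside eth1, inside eth0) and a sample port list; run the printed commands as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the "filter first, then
# masquerade everything that was allowed out" ruleset Pascal describes,
# with the interface names as parameters. Assumed layout: outside eth1,
# inside eth0 (the poster's own statement); the port list is a sample.
build_ruleset() {
    wan="$1"        # interface towards the ISP router
    lan="$2"        # interface towards 192.168.1.0/24
    tcp_ports="$3"  # space-separated TCP destination ports to permit

    # Start from clean FORWARD and nat POSTROUTING chains.
    echo "iptables -t filter -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    # NAT applies to everything leaving via the WAN side; the filter
    # table, not NAT, decides what is allowed to leave.
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
    # Default deny for forwarded traffic.
    echo "iptables -t filter -P FORWARD DROP"
    # Must precede the per-port rules: replies (including ICMP echo-reply,
    # which conntrack pairs with the outgoing request) match here.
    echo "iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only new LAN->WAN connections to the listed ports are let out.
    for p in $tcp_ports; do
        echo "iptables -t filter -A FORWARD -i $lan -o $wan -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
    # Let LAN hosts ping outside addresses (e.g. 8.8.4.4).
    echo "iptables -t filter -A FORWARD -i $lan -o $wan -p icmp --icmp-type echo-request -j ACCEPT"
}

# Returns 0 if the kernel forwards at all; with ip_forward=0 no FORWARD
# rule is ever consulted, whatever the ruleset says.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Print the ruleset for the poster's layout; pipe into "sh" as root to apply.
build_ruleset "${WAN:-eth1}" "${LAN:-eth0}" "${TCP_PORTS:-110 3389}"
forwarding_enabled || echo "# note: net.ipv4.ip_forward is 0; enable it with: sysctl -w net.ipv4.ip_forward=1" >&2
```

Check the generated order before applying: the ESTABLISHED,RELATED rule must appear before any NEW rule, otherwise reply packets are dropped by the default policy.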