RE: [Solved] Re: Debian gateway problem
Hi Mett,
> Just a final update on this thread.
>
> I end up with the script below working perfectly, except if I use both following rules at the beginning of the script.
> ---------------------------
> iptables -t nat -F
> iptables -t mangle -F
> ---------------------------
>
> I don't fully understand why but I'll investigate that later.
Do a
iptables -t nat -L -v
iptables -t mangle -L -v
to see what is in those tables that you cannot delete
You probably need those because....
>
> script:
> ------------------------------------------------------
> #!/bin/sh
>
> PATH=/usr/sbin:/sbin:/bin:/usr/bin
>
> #
> # delete all existing rules.
> #
> iptables -F
>
> iptables -X
This does NOT delete ALL existing rules. Those lines just delete the rules in the default INPUT, FORWARD and OUTPUT chains in the table "filter". I have the following at the beginning of my firewall scripts to delete ALL rules in all chains in all tables.
# Flush all rules in all chains and then delete all chains
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do $IPTABLES -t $i -F; done
for i in $chains; do $IPTABLES -t $i -X; done
# Reset all counters for default chains
$IPTABLES -Z
I do not set the PATH variable; I use the $IPTABLES variable, which I set at the beginning of my script:
IPTABLES=/sbin/iptables
# For testing
#IPTABLES="echo iptables"
The testing option allows me to easily see what the result of my script lines is as I use A LOT of variables. Spotting a typo can be hard sometimes. ;-)
> ## nat/POSTROUTING
> # Masquerade <=> changed to SNAT (seemed wiser in my situation after reading doc...).
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source EXT.FIX.IP.ADD
>
The "nat" table is not the default table, which is why you need to add the -t nat option to this command. The same goes for the "mangle" table if you use it.
> ## filter/FORWARD
>
> # Allow New outgoing connections from the LAN side.
> iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT
Although it is not wrong, you do not need the -t filter option here. The "filter" table is the default table.
> [....]
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward
I have a
# Disable routing.
echo 0 > /proc/sys/net/ipv4/ip_forward
at the beginning of my script too, so that when I run the script a second time, forwarding is turned off before all firewall rules are removed.
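Putting the pieces of this reply together, as an added example that is not code from either poster: a reset preamble that turns forwarding off first, flushes and deletes every chain in every table listed in /proc/net/ip_tables_names, zeroes the counters, and can list all tables with counters to see what is sitting in nat and mangle. DRY_RUN=1 prints the commands instead of running them, the same idea as IPTABLES="echo iptables" above. The variable and function names (IPTABLES, TABLES_FILE, FORWARD_CTL, DRY_RUN, run, loaded_tables, list_all, flush_all, reset_firewall) are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): firewall reset preamble.
# Order matters: forwarding off first, then flush/delete everything in
# every loaded table, then zero counters. DRY_RUN=1 prints instead of runs.
# IPTABLES, TABLES_FILE, FORWARD_CTL and DRY_RUN are names assumed here.

IPTABLES="${IPTABLES:-/sbin/iptables}"
TABLES_FILE="${TABLES_FILE:-/proc/net/ip_tables_names}"
FORWARD_CTL="${FORWARD_CTL:-/proc/sys/net/ipv4/ip_forward}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# loaded_tables: tables currently registered with the kernel, one per
# line. Only tables that have been used (module loaded) show up here;
# an empty list means there is nothing to flush.
loaded_tables() {
    cat "$TABLES_FILE" 2>/dev/null
}

# set_forwarding 0|1: write the sysctl (printed instead in dry-run mode).
set_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo $1 > $FORWARD_CTL"
    else
        echo "$1" > "$FORWARD_CTL"
    fi
}

# list_all: show every loaded table with packet/byte counters, which is
# how to find out what is in nat and mangle. -n avoids DNS lookups that
# can make the listing hang on a box whose resolver is behind the firewall.
list_all() {
    for t in $(loaded_tables); do
        echo "### table $t"
        run $IPTABLES -t "$t" -L -v -n
    done
}

# flush_all: flush every chain (-F) in every table first, then delete the
# user-defined chains (-X) and zero the counters (-Z). Flushing all tables
# before any -X matters: -X refuses to delete a chain that a remaining
# rule still jumps to, or one that is not yet empty.
flush_all() {
    for t in $(loaded_tables); do
        run $IPTABLES -t "$t" -F || return 1
    done
    for t in $(loaded_tables); do
        run $IPTABLES -t "$t" -X || return 1
        run $IPTABLES -t "$t" -Z || return 1
    done
}

# reset_firewall: forwarding goes off before the rules disappear, so the
# gateway never routes unfiltered traffic while the ruleset is reloading.
reset_firewall() {
    set_forwarding 0
    flush_all
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    reset_firewall
fi
```

Run `DRY_RUN=1 sh reset.sh --apply` to see exactly which iptables commands would be issued for the tables your kernel has loaded, and `sh reset.sh --apply` as root to do it for real; the rest of the firewall rules go after the reset block, followed by `echo 1 > /proc/sys/net/ipv4/ip_forward` once they are in place.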