
RE: [Solved] Re: Debian gateway problem



Hi Mett,

> Just a final update on this thread.
> 
> I end up with the script below working perfectly, except if I use both following rules at the beginning of the script.
> ---------------------------
> iptables -t nat -F
> iptables -t mangle -F
> ---------------------------
> 
> I don't fully understand why but I'll investigate that later.
Do a 
iptables -t nat -L -v 
iptables -t mangle -L -v
to see what is in those tables that you cannot delete

You probably need those because....
> 
> script:
> ------------------------------------------------------
> #!/bin/sh
> 
> PATH=/usr/sbin:/sbin:/bin:/usr/bin
> 
> #
> # delete all existing rules.
> #
> iptables -F
> 
> iptables -X

This does NOT delete ALL existing rules. Those lines just delete the rules in the default INPUT, FORWARD and OUTPUT chains in the table "filter". I have the following at the beginning of my firewall scripts to delete ALL rules in all chains in all tables.

# Flush all rules in all chains and then delete all chains
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do $IPTABLES -t $i -F; done
for i in $chains; do $IPTABLES -t $i -X; done
# Reset all counters for default chains
$IPTABLES -Z

I do not set the PATH variable; I use the $IPTABLES variable, which I set at the beginning of my script:
IPTABLES=/sbin/iptables
# For testing
#IPTABLES="echo iptables"

The testing option allows me to easily see what the result of my script lines is as I use A LOT of variables. Spotting a typo can be hard sometimes. ;-)

> ## nat/POSTROUTING
> # Masquerade <=> Changed to SNAT (seemed wiser in my situation after reading doc...).
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source EXT.FIX.IP.ADD
>
The "nat" table is not the default table, which is why with this command you need to add the -t nat option. The same goes for the "mangle" table if you use it.

> ## filter/FORWARD
> 
> # Allow New outgoing connections from the LAN side.
> iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT

Although it is not wrong, you do not need the -t filter option here. The "filter" table is the default table.

> [....]
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward

I have a 
# Disable routing.
echo 0 > /proc/sys/net/ipv4/ip_forward
at the beginning of my script too, that way when I run the script for a second time forwarding is turned off before removing all firewall rules.
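The two ideas above (flush every chain in every loaded table before doing anything else, and keep an "echo" dry-run switch so the generated commands can be read) combined into one reusable prologue. This is an added example, not Mett's script and not the reply author's; the function names `run`, `tables_loaded` and `reset_firewall`, the `DRY_RUN` variable and the constructed table list are my own. It also turns forwarding off first, as the reply suggests, so a re-run never forwards packets through a half-emptied rule set.

```sh
#!/bin/sh
# Firewall "reset everything" prologue (example code, not from the thread).
# Disables forwarding, then flushes and deletes all chains in every table the
# kernel has loaded, and zeroes the counters of the default chains.

IPTABLES=${IPTABLES:-/sbin/iptables}

# Dry-run switch: DRY_RUN=1 prints each command instead of executing it,
# which is the same idea as IPTABLES="echo iptables" in the reply above.
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# tables_loaded [FILE]: print one table name per line. The kernel lists the
# loaded tables in /proc/net/ip_tables_names; FILE lets a test supply a stand-in.
tables_loaded() {
    cat "${1:-/proc/net/ip_tables_names}" 2>/dev/null
}

# reset_firewall [NAMES_FILE]: forwarding off, then flush (-F) and delete (-X)
# in every table, then zero counters (-Z). Rules in nat/mangle would survive a
# plain "iptables -F", which only touches the default "filter" table.
reset_firewall() {
    rf_names=${1:-/proc/net/ip_tables_names}
    run sh -c 'echo 0 > /proc/sys/net/ipv4/ip_forward'
    for rf_t in $(tables_loaded "$rf_names"); do
        run "$IPTABLES" -t "$rf_t" -F
    done
    for rf_t in $(tables_loaded "$rf_names"); do
        run "$IPTABLES" -t "$rf_t" -X
    done
    run "$IPTABLES" -Z
}

# Demonstration with a constructed table list standing in for the real
# /proc/net/ip_tables_names, run in dry-run mode so nothing on the host changes.
demo_tables=$(mktemp)
printf 'filter\nnat\nmangle\n' > "$demo_tables"
DRY_RUN=1 reset_firewall "$demo_tables"
rm -f "$demo_tables"
```

Running it with `DRY_RUN=1` prints the eight commands it would issue for those three tables; with `DRY_RUN` unset and a real `/sbin/iptables` it executes them, and the `-t nat -F` / `-t mangle -F` lines are exactly the ones Mett found he could not simply put at the top of his script, so the dry-run listing is the place to check what a re-run would wipe.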

