Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 11 Sep 2007 17:30:51 +0200 Florian Philipp
> <[EMAIL PROTECTED]> wrote:
>
>>> Hm, OK. This:
>>> ----snip----
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>> ACCEPT     all  --  10.8.0.1             anywhere
>>> ACCEPT     all  --  anywhere             10.8.0.1
>>> DROP       all  --  !10.8.0.1            anywhere
>>> ----snip----
>>>
>>> is on what computer? On the "server" (I guess it's the router) the
>>> last line would effectively prevent routing for the client (but I
>>> don't know why ICMP works...). I would suggest starting without it
>>> and then setting up proper rules -- and then setting the chain's
>>> policy to DROP (plus some REJECT rules for proper answers).
>> I followed the howto's nomenclature of "server" and "client".
>> I'm a bit puzzled right now. Is there anything essentially wrong with
>> the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed
>> it word by word.
>> The drop rule is explained as "#prevent others ip from conecting to
>> my eth0"
>
> Hm, judging from the fact that the article on Routing uses a "Client"
> and "Server" nomenclature, I consider the article to be at least partly
> crap ;-)
>
> And yes, that guide really seems to be a bunch of BS (sorry, but that's
> the way it seems to be). It is outright horrible. Personally I hate
> discussing on Wikis' Discussion Pages, so, no, I won't correct it (but
> looking at its discussion page, others considered it bad, too, and are
> planning to correct/delete it).
>
> That iptables setup is absolutely stupid. It accepts packets from and
> to the machine itself (note that 10.8.0.1 is the router's IP), but will
> drop any packet not originating from 10.8.0.1. The latter should be
> true for all packets originating from the client (since it has the
> address 10.8.0.2). So all the client's communication is dropped, and
> that's it, end of story.
>
> Better have a look at netfilter's set of HOWTOs, especially the NAT
> howto. Better learn what you're doing... Otherwise, just take the hints
> from my previous posting.
>
> My suggestion for a proper setup would be
>
> $ iptables -F FORWARD
> $ iptables -P FORWARD DROP
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> ...plus rules allowing for forwarding designated ports, if any
>
> You'll certainly want to keep this:
> $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
> in place, too.
>
> Note that this trusts any box connecting via eth0, not just a single
> client.
>
> -hwh
Thanks! In fact I'd really like to learn more about iptables but at the
moment I hardly find the time to do it.

When I try to apply the rules you've posted I get:

$ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name

A syntax error, maybe?
-- 
[EMAIL PROTECTED] mailing list
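An added example, not part of the thread or of the gentoo-wiki howto: the stateful FORWARD ruleset suggested above, written as an iptables-restore file so it loads atomically, plus a check for the kernel "state" match before loading. "No chain/target/match by that name" is what iptables prints when the kernel rejects a rule because the requested chain, target or match does not exist; for a rule using -m state that usually means the state match module (xt_state, or ipt_state on older kernels) is not loaded, which is worth checking before suspecting the command line. The POSTROUTING chain belongs to the nat table, so the MASQUERADE rule is placed there explicitly. Interface names eth0 (LAN side) and ppp0 (uplink) follow the thread; the function names gen_rules, state_match_available and count_forward_rules are mine.

```shell
#!/bin/sh
# Added example (not from the thread): emit the stateful FORWARD ruleset in
# iptables-restore format, with MASQUERADE in the nat table, and check that
# the kernel exposes the "state" match before applying anything.
set -eu

# Print the ruleset for iptables-restore.
# $1 = LAN interface (trusted side), $2 = uplink interface (untrusted side).
gen_rules() {
    lan="$1"; wan="$2"
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $lan -o $wan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Return 0 if the running kernel lists "state" among its iptables matches.
# A missing entry here is the usual cause of
# "iptables: No chain/target/match by that name" for a -m state rule.
state_match_available() {
    f=/proc/net/ip_tables_matches
    [ -r "$f" ] && grep -qx state "$f"
}

# Count FORWARD rules in the generated ruleset (quick sanity check).
count_forward_rules() {
    gen_rules "$1" "$2" | grep -c '^-A FORWARD '
}

if [ "${1:-}" = "--apply" ]; then
    if ! state_match_available; then
        echo "state match not available; try: modprobe xt_state (or ipt_state)" >&2
        exit 1
    fi
    gen_rules "${2:-eth0}" "${3:-ppp0}" | iptables-restore
else
    # Default: print the ruleset for review instead of loading it.
    gen_rules "${1:-eth0}" "${2:-ppp0}"
fi
```

Run it with no arguments to print the ruleset for review; "--apply eth0 ppp0" loads it. iptables-restore replaces the whole contents of each table named in the file (filter and nat here) unless it is given --noflush, so any INPUT or OUTPUT rules already in use must either be added to the file or kept by using --noflush.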