> I used this script a long time ago. It worked until iptables got
> changed. It still worked but it gave a few errors. Maybe some guru can
> look at this and update it for us both. Then maybe I can get someone to
> upgrade the script on the site. I had to edit the very first bit about
> which interface is what. Here it is:

I have tested your script! Do you get an error like this:

iptables v1.3.5: unknown protocol `ssh' specified

I am not sure if it is right but I have replaced this line

$IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT

by

$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

and the error disappears.

For me using these iptables rules didn't work, I still can't ping the
Internet from my desktop and also get the error message from the
ntp-client on my desktop.

Any other suggestions?

Here is how I changed the script to fit my needs!

#!/bin/bash

IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'      # Internet-facing interface (PPP link)
#INTIF0='eth0'
INTIF1='eth0'     # first LAN interface
INTIF2='eth1'     # second LAN interface

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains in the filter table (the default table)
$IPTABLES -F
$IPTABLES -X
# ... and in the nat table, otherwise every run of this script appends
# one more MASQUERADE rule to POSTROUTING
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# let replies from the Internet back to the LAN explicitly; without this
# the script depends on the FORWARD chain's default policy still being ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

#echo -e " - Allowing access to the SSH server"
# --protocol takes an IP protocol name (tcp, udp, icmp ...), not a service
# name, which is why "--protocol ssh" gave "unknown protocol `ssh'".
# Note: with no -i, this rule accepts SSH on every interface, $EXTIF included.
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

--
gentoo-user@g.o mailing list
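Two things in the thread above are worth pinning down in code. First, iptables' -p/--protocol takes an IP protocol name (tcp, udp, icmp ...), not an entry from /etc/services, so "--protocol ssh" can never work; resolving service names to "proto port" in the script before they reach iptables removes that class of mistake. Second, the posted script never sets chain policies and only accepts traffic in the LAN-to-Internet direction, so whether replies (ping, DNS, NTP) get back to the LAN depends on the FORWARD chain's default policy still being ACCEPT. The script below is an added example written for this page, not the original poster's script or anything from the gentoo-user list: it applies default-DROP policies, accepts ESTABLISHED,RELATED traffic explicitly, flushes the nat table as well as filter, and binds each INPUT accept to one interface so the LAN-only services never become reachable on the ppp0 side. The interface names (ppp0, eth0, eth1) and the service lists are assumptions; the service table only knows the four names listed. Without APPLY=1 it substitutes echo for iptables and just prints the rules it would load, so it can be reviewed as an ordinary user.

```sh
#!/bin/sh
# Added example, not the script from the original post: the same NAT router
# with default-DROP policies, explicit return-traffic rules and a service
# lookup that resolves names to "proto port" before they reach iptables.
# EXTIF, INTIFS and the service lists are assumptions; adjust for your box.
#
# Usage:  sh nat-fw.sh          dry run, prints the iptables commands
#         APPLY=1 sh nat-fw.sh  runs them (needs root)

EXTIF="${EXTIF:-ppp0}"                    # Internet-facing interface (assumed)
INTIFS="${INTIFS:-eth0 eth1}"             # LAN interfaces (assumed)
LAN_SERVICES="${LAN_SERVICES:-ssh http}"  # offered to the LAN only (assumed)
WAN_SERVICES="${WAN_SERVICES:-http}"      # offered to the Internet (assumed)

if [ "${APPLY:-0}" = 1 ]; then
    IPTABLES=/sbin/iptables
else
    IPTABLES=echo    # dry run: print the rules instead of loading them
fi

# -p/--protocol wants an IP protocol (tcp, udp, icmp ...), not an entry from
# /etc/services: "-p ssh" is what produced "unknown protocol `ssh' specified".
service_spec() {   # service_spec <name>  ->  "<proto> <port>"
    case "$1" in
        ssh)   echo "tcp 22"  ;;
        http)  echo "tcp 80"  ;;
        https) echo "tcp 443" ;;
        ntp)   echo "udp 123" ;;
        *)     echo "service_spec: unknown service '$1'" >&2; return 1 ;;
    esac
}

# allow_in <iface> <service>: accept new connections to one local service
# on one interface only, so the LAN list never leaks onto $EXTIF.
allow_in() {
    _spec=$(service_spec "$2") || return 1
    set -- "$1" $_spec          # $1=iface $2=proto $3=port
    $IPTABLES -A INPUT -i "$1" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

apply_firewall() {
    # Start from nothing in both tables; flushing only filter leaves every
    # earlier MASQUERADE rule stacked up in nat/POSTROUTING.
    for _t in filter nat; do
        $IPTABLES -t "$_t" -F
        $IPTABLES -t "$_t" -X
    done
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback, plus anything belonging to a connection we already know;
    # this is what lets ping replies, DNS and NTP answers back through.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP

    for _i in $INTIFS; do
        for _s in $LAN_SERVICES; do allow_in "$_i" "$_s" || return 1; done
        # the router answers ping from the LAN and forwards new LAN connections out
        $IPTABLES -A INPUT -i "$_i" -p icmp --icmp-type echo-request -j ACCEPT
        $IPTABLES -A FORWARD -i "$_i" -o "$EXTIF" -m state --state NEW -j ACCEPT
    done
    for _s in $WAN_SERVICES; do allow_in "$EXTIF" "$_s" || return 1; done

    # Hide the LAN behind the (dynamic) address of $EXTIF.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

apply_firewall || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run it once without APPLY=1 and read the printed rule list before loading it for real; if you administer the box over SSH from the LAN, make sure ssh is in LAN_SERVICES and the LAN interface is in INTIFS, because the INPUT policy is DROP and nothing else admits a new SSH connection.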