Hi,

On Tue, 11 Sep 2007 18:50:52 +0200 Florian Philipp
<f.philipp@××××××.de> wrote:

> > My suggestion for a proper setup would be
> >
> > $ iptables -F FORWARD
> > $ iptables -P FORWARD DROP
> > $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
> >     NEW,ESTABLISHED,RELATED -j ACCEPT
> > $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state \
> >     ESTABLISHED,RELATED -j ACCEPT
> > ...plus rules allowing for forwarding designated ports, if any
> >
> > You'll certainly want to keep this:
> > $ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > in place, too.
> >
> > Note that this trusts any box connecting via eth0, not just a single
> > client.
> [...]
> When I try to apply the rules you've posted I get:
>
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
>     NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables: No chain/target/match by that name

Hm, you do not seem to have your kernel configured for connection state
matching.

Just start with basic rules:
$ iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
$ iptables -A FORWARD -o eth0 -i ppp0 -j ACCEPT

(instead of the "iptables -A" settings mentioned before)

But note that those would potentially allow inbound connections to get
routed to any desired machine (desired by the party outside your
network, that is). So make sure that either such requests aren't
getting forwarded to your router (and this is most probably already the
case for your setup -- DSL or cable, I guess?) or your LAN doesn't care
(i.e. is secured). Most PPP endpoints, however, would drop such traffic
anyway, so you should be secure if you trust your provider.

Basically I think this is what the Gentoo wiki guide *intended* to do.

-hwh
--
gentoo-user@g.o mailing list
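The following script is an added example and not part of the thread above or of any Gentoo guide. It puts the two rulesets discussed here side by side in iptables-restore format: the stateful one from the quoted suggestion, and a stateless fallback for a kernel that really lacks the state match, narrowed so that the uplink cannot open new TCP connections into the LAN (the risk the reply warns about). MASQUERADE itself is built on connection tracking, so a router that can NAT usually lacks only the state match extension; the probe function tries to load it and then tests it with a throw-away chain. The interface names eth0 and ppp0 come from the thread; the module names (ipt_state on older 2.6 kernels, xt_state on newer ones), the probe chain name and all function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for a
# LAN (eth0) -> PPP uplink (ppp0) router, stateful when the kernel offers the
# state match, otherwise a narrower stateless fallback. Interface names are
# the thread's; probe, module names and function names are assumptions.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"

# Probe for the state match by appending one rule to a throw-away chain and
# removing it again. Needs root and a working iptables; on a host without
# iptables it simply answers "no". Module names are an assumption about the
# kernel generation (ipt_state on older kernels, xt_state on newer ones).
state_match_available() {
    command -v iptables >/dev/null 2>&1 || return 1
    modprobe ipt_state 2>/dev/null || modprobe xt_state 2>/dev/null || true
    iptables -N __state_probe 2>/dev/null || return 1
    rc=1
    if iptables -A __state_probe -m state --state NEW -j RETURN 2>/dev/null; then
        rc=0
    fi
    iptables -F __state_probe 2>/dev/null
    iptables -X __state_probe 2>/dev/null
    return $rc
}

# Stateful ruleset: default DROP, the LAN may open connections, the uplink may
# only return packets that belong to connections the LAN opened.
stateful_ruleset() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Stateless fallback. Two plain ACCEPT rules would forward anything arriving
# on the uplink into the LAN; this keeps DROP as the default and refuses
# forwarded TCP SYNs from the uplink, so no new inbound TCP connection is
# forwarded. Without connection tracking, UDP and ICMP replies cannot be told
# apart from unsolicited packets, so those protocols still pass unfiltered.
stateless_ruleset() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp ! --syn -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p udp -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p icmp -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Select by an explicit answer ("yes"/"no") so the choice can be tested
# without touching the kernel; choose_ruleset asks the probe instead.
ruleset_for() {
    case "$1" in
        yes) stateful_ruleset ;;
        *)   stateless_ruleset ;;
    esac
}

choose_ruleset() {
    if state_match_available; then ruleset_for yes; else ruleset_for no; fi
}

# Usage (as root): ./fwd-rules.sh | iptables-restore
# With no argument the script only prints the chosen ruleset, so it can be
# reviewed before it is loaded.
case "$1" in
    "")          choose_ruleset ;;
    --stateful)  ruleset_for yes ;;
    --stateless) ruleset_for no ;;
esac
```

Note that iptables-restore replaces the whole filter and nat tables it is given, not just the FORWARD chain the thread flushes, so any INPUT or OUTPUT rules already on the router must be added to the heredocs before loading. The `! --syn` trick only covers TCP; once the state match module loads, the stateful ruleset is the one to keep.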