Hans-Werner Hilse wrote:
> Hi,
>
> On Tue, 11 Sep 2007 17:30:51 +0200 Florian Philipp
> <f.philipp@××××××.de> wrote:
>
>>> Hm, OK. This:
>>> ----snip----
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>> ACCEPT     all  --  10.8.0.1             anywhere
>>> ACCEPT     all  --  anywhere             10.8.0.1
>>> DROP       all  --  !10.8.0.1            anywhere
>>> ----snip----
>>>
>>> is on what computer? On the "server" (I guess it's the router) the
>>> last line would effectively prevent routing for the client (but I
>>> don't know why ICMP works...). I would suggest starting without it
>>> and then setting up proper rules -- and then setting the chain's
>>> policy to DROP (plus some REJECT rules for proper answers).
>> I followed the howto's nomenclature of "server" and "client".
>> I'm a bit puzzled right now. Is there anything essentially wrong with
>> the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed
>> it word by word.
>> The drop rule is explained as "#prevent others ip from conecting to
>> my eth0"
>
> Hm, judging from the fact that the article on Routing uses a "Client" and
> "Server" nomenclature, I consider the article to be at least partly
> crap ;-)
>
> And yes, that guide really seems to be a bunch of BS (sorry, but that's
> the way it seems to be). It is outright horrible. Personally I hate
> discussing on Wikis' Discussion Pages, so, no, I won't correct it (but
> looking at its discussion page, others considered it bad, too, and are
> planning to correct/delete it).
>
> That iptables setup is absolutely stupid. It accepts packets from and
> to the machine itself (note that 10.8.0.1 is the router's IP), but will
> drop any packet not originating from 10.8.0.1. The latter should be
> true for all packets originating from the client (since it has the
> address 10.8.0.2). So all the client's communication is dropped, and
> that's it, end of story.
>
> Better have a look at netfilter's set of HOWTOs, especially the NAT
> howto. Better learn what you're doing... Otherwise, just take the hints
> from my previous posting.
>
> My suggestion for a proper setup would be
>
> $ iptables -F FORWARD
> $ iptables -P FORWARD DROP
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> ...plus rules allowing for forwarding designated ports, if any
>
> You'll certainly want to keep this:
> $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
> in place, too.
>
> Note that this trusts any box connecting via eth0, not just a single
> client.
>
> -hwh

Thanks!

In fact I'd really like to learn more about iptables but at the moment I
hardly find the time to do it.

When I try to apply the rules you've posted I get:

$ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT

iptables: No chain/target/match by that name

A syntax error, maybe?
--
gentoo-user@g.o mailing list
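Added example, written for this page and not posted by either participant: a small POSIX shell script that installs the stateful FORWARD policy Hans-Werner outlined above, plus the check a practitioner would run first. The message Florian reports, "iptables: No chain/target/match by that name", is what iptables prints when the userspace parser accepted the rule but the kernel has no module for a match or target it names; here that is the `state` match, which lives in the xt_state module on current kernels (ipt_state on older ones), so the script looks for that match before touching live rules. Assumptions of this example: eth0 is the LAN side and ppp0 the uplink, as in the thread; the `IPT` variable defaults to `echo iptables`, so the script only prints the rules until it is run as root with `IPT=iptables`; and the MASQUERADE rule is given `-t nat`, because POSTROUTING is a chain of the nat table, not the filter table.

```shell
#!/bin/sh
# Added example: a stateful FORWARD policy for a router whose LAN side is
# eth0 and whose uplink is ppp0 (the interface names used in the thread).
# Everything else here is an assumption of this example.
# $IPT defaults to "echo iptables", so running the script only prints the
# rules; run it as root with IPT=iptables to apply them for real.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
IPT="${IPT:-echo iptables}"

# Report whether the kernel has the "state" match. iptables prints
# "No chain/target/match by that name" when it does not. The module is
# called xt_state on current kernels and ipt_state on older ones;
# /proc/net/ip_tables_matches lists the matches the kernel has registered.
state_match_available() {
    modprobe xt_state 2>/dev/null || modprobe ipt_state 2>/dev/null || true
    grep -qx state /proc/net/ip_tables_matches 2>/dev/null
}

# Install the forwarding policy: drop by default, let the LAN open
# connections towards the uplink, and only let replies come back in.
apply_forward_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # POSTROUTING is a chain of the nat table, hence -t nat.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Only refuse to continue when we would really modify the kernel's tables.
if [ "$IPT" != "echo iptables" ] && ! state_match_available; then
    echo "state match unavailable: load xt_state/ipt_state first" >&2
    exit 1
fi
apply_forward_rules
```

Run it once without arguments to review the five commands it would issue; then, as root, `IPT=iptables sh forward.sh` applies them, and `iptables -L FORWARD -v` afterwards should show policy DROP with the two state rules and nothing else. As Hans-Werner notes, this trusts every host on eth0 equally; a per-host restriction would be an extra rule in front of the first ACCEPT, not a blanket DROP on source address like the one in the wiki.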