| 1 |
Hans-Werner Hilse schrieb: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> On Tue, 11 Sep 2007 17:30:51 +0200 Florian Philipp |
| 5 |
> <f.philipp@××××××.de> wrote: |
| 6 |
> |
| 7 |
>>> Hm, OK. This: |
| 8 |
>>> ----snip---- |
| 9 |
>>> Chain FORWARD (policy ACCEPT) |
| 10 |
>>> target prot opt source destination |
| 11 |
>>> ACCEPT all -- 10.8.0.1 anywhere |
| 12 |
>>> ACCEPT all -- anywhere 10.8.0.1 |
| 13 |
>>> DROP all -- !10.8.0.1 anywhere |
| 14 |
>>> ----snip---- |
| 15 |
>>> |
| 16 |
>>> is on what computer? On the "server" (I guess it's the router) the |
| 17 |
>>> last line would effectively prevent routing for the client (but I |
| 18 |
>>> don't know why ICMP works...). I would suggest starting without it |
| 19 |
>>> and then setting up proper rules -- and then setting the chain's |
| 20 |
>>> policy to DROP (plus some REJECT rules for proper answers). |
| 21 |
>> I followed the howto's nomenclature of "server" and "client". |
| 22 |
>> I'm a bit puzzled right now. Is there anything essentially wrong with |
| 23 |
>> the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed |
| 24 |
>> it word by word. |
| 25 |
>> The drop rule is explained as "#prevent others ip from conecting to |
| 26 |
>> my eth0" |
| 27 |
> |
| 28 |
> Hm, judging from that the article on Routing uses a "Client" and |
| 29 |
> "Server" nomenclature, I consider the article being at least partly |
| 30 |
> crap ;-) |
| 31 |
> |
| 32 |
> And yes, that guide really seems to be a bunch of BS (sorry, but that's |
| 33 |
> the way it seems to be). It is outright horrible. Personally I hate |
| 34 |
> discussing on Wikis' Discussion Pages, so, no, I won't correct it (but |
| 35 |
> looking at its discussion page, others considered it bad, too, and are |
| 36 |
> planning to correct/delete it). |
| 37 |
> |
| 38 |
> That iptables setup is absolutely stupid. It accepts packets from and |
| 39 |
> to the machine itself (note that 10.8.0.1 is the router's IP), but will |
| 40 |
> drop any packet not originating from 10.8.0.1. The latter should be |
| 41 |
> true for all packets originating from the client (since it has the |
| 42 |
> address 10.8.0.2). So all the client's communication is dropped, and |
| 43 |
> that's it, end of story. |
| 44 |
> |
| 45 |
> Better have a look at netfilter's set of HOWTOs, especially the NAT |
| 46 |
> howto. Better learn what you're doing... Otherwise, just take the hints |
| 47 |
> from my previous posting. |
| 48 |
> |
| 49 |
> My suggestion for a proper setup would be |
| 50 |
> |
| 51 |
> $ iptables -F FORWARD |
| 52 |
> $ iptables -P FORWARD DROP |
| 53 |
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT |
| 54 |
> $ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 55 |
> ...plus rules allowing for forwarding designated ports, if any |
| 56 |
> |
| 57 |
> You'll certainly want to keep this: |
| 58 |
> $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE |
| 59 |
> in place, too. |
| 60 |
> |
| 61 |
> Note that this trusts any box connecting via eth0, not just a single |
| 62 |
> client. |
| 63 |
> |
| 64 |
> -hwh |
| 65 |
|
| 66 |
Thanks! |
| 67 |
|
| 68 |
In fact I'd really like to learn more about iptables but at the moment I |
| 69 |
hardly find the time to do it. |
| 70 |
|
| 71 |
When I try to apply the rules you've posted I get: |
| 72 |
|
| 73 |
$ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \ |
| 74 |
NEW,ESTABLISHED,RELATED -j ACCEPT |
| 75 |
|
| 76 |
iptables: No chain/target/match by that name |
| 77 |
|
| 78 |
A syntax error, maybe? |
| 79 |
-- |
| 80 |
gentoo-user@g.o mailing list |
Archives