Hi! On Sat, 9 Mar 2002, Michael Stern wrote:
> just having a quick look .. but i **think** you are too strict about the rules. if 10.10.0.180 is able to contact someone out there, the response would be immediately dropped by the INPUT rule's default policy, try adding this iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT somewhere.
Sorry, this is wrong - forwarded packets don't run through the INPUT/OUTPUT chains AT ALL (they did with ipchains, but this was changed!). But if your additional rule gets added to the FORWARD chain instead, I think things should work: iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT (The original INPUT rule can be removed, too, unless the client wants to contact some port on the firewall itself...)
> also, if you only want some trusted ips to surf the net, you would do something like
> iptables -t nat -A POSTROUTING -s 10.10.0.180/32 -o ppp0 -j MASQUERADE
This is, of course, right. In addition, I would restrict access even further by only allowing certain protocols/ports; but for surfing alone I'd rather use a proxy (like Squid) instead of masquerading... Bye, Martin
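The ruleset the reply sketches, written out as an added example (not code from the original mail): FORWARD gets the ESTABLISHED,RELATED rule, the trusted client is limited to web and DNS ports, and only its traffic is masqueraded on ppp0. It assumes eth0 is the LAN side and ppp0 the uplink; set IPT=echo for a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumptions: LAN interface eth0, uplink ppp0, one trusted client.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
TRUSTED="${TRUSTED:-10.10.0.180/32}"

# Print the rules in the order they are applied. Kept as a function so the
# list can be inspected (or tested) without touching the kernel.
gateway_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $TRUSTED -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $TRUSTED -p udp --dport 53 -m state --state NEW -j ACCEPT
-t nat -A POSTROUTING -s $TRUSTED -o $WAN_IF -j MASQUERADE
EOF
}

# Flush the filter and nat tables, then load the rules above.
# Replies to the client's connections match the FORWARD state rule;
# nothing else from the LAN is forwarded, and only TRUSTED is masqueraded.
apply_rules() {
    $IPT -F
    $IPT -t nat -F
    gateway_rules | while read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run as `sh gateway.sh apply` (as root) to load the rules, or `IPT=echo sh gateway.sh apply` to see what would be executed.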