----- Original Message -----
From: "Ray Leach"
On Mon, 2002-07-22 at 14:49, Thiego Xavier (MIU) wrote:
Ok Ray Leach, could you send me the iptables rules please? Thanks.
To enable Kazaa clients to share with other internet users:

iptables -A FORWARD -p tcp --dport 1214 -j ACCEPT

iptables -A FORWARD -i $INTERNAL_INTERFACE -p tcp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INTERFACE -p udp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET_INTERFACE -p tcp --sport 1024: -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET_INTERFACE -p udp --sport 1024: -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
SuSEfirewall2 does the same with the following rule (without masquerading):

13.) [...]
FW_FORWARD="192.168.0.0/24,0.0.0.0/0,tcp,1024: 192.168.0.0/24,0.0.0.0/0,udp,1024: 0.0.0.0/0,192.168.0.0/24,tcp,1024: 0.0.0.0/0,192.168.0.0/24,udp,1024:"

Add further rules for port ranges not to forward to the Internet (e.g. 1024:3305 3307:65535 for not showing MySQL ...).
If you run a NAT firewall, also these:

iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -p tcp --dport 1024: -s $INTERNAL_NET -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -p udp --dport 1024: -s $INTERNAL_NET -j SNAT --to-source $INET_IP
Use the following rule with SuSEfirewall2 and masquerading:

14.) [...]
FW_FORWARD_MASQ="192.168.0.0/24,0.0.0.0/0,tcp,1024: 192.168.0.0/24,0.0.0.0/0,udp,1024: 0.0.0.0/0,192.168.0.0/24,tcp,1024: 0.0.0.0/0,192.168.0.0/24,udp,1024:"
Substitute the correct interfaces and IPs for the $VARIABLES.

Interfaces have to be set correctly in 2.) FW_DEV_EXT="DEVICE", 3.) FW_DEV_INT="DEVICE" and 4.) FW_DEV_DMZ="DEVICE".

Philippe
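The FW_FORWARD entries above open every port from 1024 upwards on the LAN to the whole Internet, which is why the post suggests splitting the range around 3306. The script below is an added example, not code from the post or from SuSEfirewall2: it parses FW_FORWARD / FW_FORWARD_MASQ strings in the "source,destination,protocol,port" form shown above, flags entries with the wrong field count (such as the "tcp.1024:" typo), reports which entries let an outside source reach a given port on the internal net, and renders an entry as the equivalent stateful iptables FORWARD rule. FW_FORWARD_TIGHTENED is a constructed variant that applies the post's 1024:3305 / 3307:65535 hint; the to_iptables rendering is a hypothetical mapping, not SuSEfirewall2's own.

```python
import ipaddress

# Constructed from the SuSEfirewall2 lines in the post (with the
# "tcp.1024:" typo corrected); example data, not SuSEfirewall2's own config.
INTERNAL_NET = "192.168.0.0/24"
FW_FORWARD_POST = (
    "192.168.0.0/24,0.0.0.0/0,tcp,1024: 192.168.0.0/24,0.0.0.0/0,udp,1024: "
    "0.0.0.0/0,192.168.0.0/24,tcp,1024: 0.0.0.0/0,192.168.0.0/24,udp,1024:"
)
# Hypothetical tightened variant following the post's hint: the inbound TCP
# range is split around 3306 so MySQL on the LAN is not reachable from outside.
FW_FORWARD_TIGHTENED = (
    "192.168.0.0/24,0.0.0.0/0,tcp,1024: 192.168.0.0/24,0.0.0.0/0,udp,1024: "
    "0.0.0.0/0,192.168.0.0/24,tcp,1024:3305 0.0.0.0/0,192.168.0.0/24,tcp,3307:65535"
)


def parse_port_range(spec):
    """iptables-style port spec: '3306' -> (3306, 3306); '1024:' -> (1024, 65535);
    ':1023' -> (1, 1023); '1024:3305' -> (1024, 3305)."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 1, int(hi) if hi else 65535)
    port = int(spec)
    return (port, port)


def malformed_entries(value):
    """Entries without exactly four comma-separated fields, e.g. the
    'tcp.1024:' typo, which merges the protocol and port fields."""
    return [e for e in value.split() if len(e.split(",")) != 4]


def parse_fw_forward(value):
    """Parse an FW_FORWARD / FW_FORWARD_MASQ string into rule dicts.
    Assumes the 'source,destination,protocol,port' form used in the post."""
    rules = []
    for entry in value.split():
        src, dst, proto, port = entry.split(",")
        rules.append({
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "proto": proto,
            "ports": parse_port_range(port),
        })
    return rules


def inbound_exposures(rules, internal_net, port):
    """Rules that let a source outside internal_net open a new connection
    to `port` on a host inside internal_net."""
    internal = ipaddress.ip_network(internal_net)
    hits = []
    for r in rules:
        lo, hi = r["ports"]
        if r["src"].subnet_of(internal):
            continue  # traffic originating on the LAN is outbound, not an exposure
        if r["dst"].overlaps(internal) and lo <= port <= hi:
            hits.append(r)
    return hits


def to_iptables(rule, chain="FORWARD"):
    """Render one entry as a stateful iptables rule in the style of the rules
    Ray posted (interfaces omitted; hypothetical mapping, not SuSEfirewall2's)."""
    lo, hi = rule["ports"]
    dport = f"{lo}:{hi}" if lo != hi else str(lo)
    return (f"iptables -A {chain} -s {rule['src']} -d {rule['dst']} -p {rule['proto']} "
            f"--dport {dport} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT")


if __name__ == "__main__":
    for label, value in (("post", FW_FORWARD_POST), ("tightened", FW_FORWARD_TIGHTENED)):
        bad = malformed_entries(value)
        if bad:
            print(f"{label}: malformed entries {bad}")
            continue
        rules = parse_fw_forward(value)
        exposed = inbound_exposures(rules, INTERNAL_NET, 3306)
        print(f"{label}: {len(rules)} rules, {len(exposed)} expose port 3306 to the Internet")
        for r in exposed:
            print("  ", to_iptables(r))
```

Run against the post's string it reports both the tcp and the udp inbound entry as exposing 3306; against the tightened string it reports none for 3306 while still leaving 1214 (the Kazaa port) reachable through the 1024:3305 entry. The exposure check deliberately ignores entries whose source lies inside the internal net, since those describe outbound traffic and are not the concern here.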