Re: [suse-security] iptables firewall -newbie
Just having a quick look, but I **think** you are too strict about the
rules.
If 10.10.0.180 is able to contact someone out there, the response would be
immediately dropped by the INPUT chain's default policy; try adding this
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
somewhere.
Also, if you only want some trusted IPs to surf the net, you would do
something like
iptables -t nat -A POSTROUTING -s 10.10.0.180/32 -o ppp0 -j MASQUERADE
----- Original Message -----
From: "Mario Ohnewald"
Hello! I have a little network with one firewall/router. I want to allow some IPs to surf the net, while others are not allowed to leave the trusted net. I messed around a lot, and that's what I have so far (but it doesn't work at all!)
...
Hi! On Sat, 9 Mar 2002, Michael Stern wrote:
Just having a quick look, but I **think** you are too strict about the rules. If 10.10.0.180 is able to contact someone out there, the response would be immediately dropped by the INPUT chain's default policy; try adding this iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT somewhere.
Sorry, this is wrong: forwarded packets don't run through the INPUT/OUTPUT chains AT ALL (they did with ipchains, but this was changed!). But if your additional rule gets added to the FORWARD chain instead, I think things should work: iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT (The original INPUT rule can be removed, too, unless the client wants to contact some port on the firewall itself...)
Also, if you only want some trusted IPs to surf the net, you would do something like
iptables -t nat -A POSTROUTING -s 10.10.0.180/32 -o ppp0 -j MASQUERADE
This is, of course, right. In addition, I would restrict access even further by only allowing certain protocols/ports; but for surfing alone I'd rather use a proxy (like Squid) instead of masquerading... Bye, Martin
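The complete ruleset the two replies add up to, as an added example that is not part of either poster's mail: deny-by-default policies, the ESTABLISHED,RELATED rule in FORWARD (where routed packets actually go, as Martin points out) rather than in INPUT, per-host FORWARD rules for the trusted addresses, and MASQUERADE only for those same hosts. The interface names (eth0 for the LAN, ppp0 for the dial-up link), the LAN subnet 10.10.0.0/24, the second trusted host 10.10.0.181, the SSH allowance on the firewall itself and the restriction to HTTP/HTTPS/DNS are assumptions for the example, not details from the thread. By default the script only prints the commands (IPT=echo); set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example: iptables ruleset for "only some LAN hosts may reach the Internet".
# Not from the original posts. Assumed topology: LAN on eth0 (10.10.0.0/24),
# Internet on ppp0, trusted hosts 10.10.0.180 and 10.10.0.181.
# IPT=echo (the default) prints the rules; IPT=iptables applies them.

IPT="${IPT:-echo}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-10.10.0.0/24}"
TRUSTED="${TRUSTED:-10.10.0.180 10.10.0.181}"

apply_ruleset() {
    # Clean slate, deny by default for packets to and through the firewall.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT only governs packets addressed to the firewall itself:
    # loopback, replies to its own connections, and SSH from the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # Routed packets traverse FORWARD, never INPUT/OUTPUT, so the reply
    # traffic for the trusted hosts' connections must be accepted here.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    for ip in $TRUSTED; do
        # New outbound connections from a trusted host: web and DNS only
        # (the "certain protocols/ports" restriction suggested in the thread).
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip" -p tcp \
            -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip" -p udp \
            --dport 53 -j ACCEPT
        # NAT only the trusted hosts: an untrusted host that somehow got
        # forwarded would still leave with an unroutable private source.
        $IPT -t nat -A POSTROUTING -s "$ip/32" -o "$WAN_IF" -j MASQUERADE
    done

    # Anything else trying to leave the LAN hits the DROP policy; log it first
    # so misconfigured clients show up in the kernel log.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j LOG --log-prefix "FWD-DENY: "
}

apply_ruleset

# Turn on routing only after the rules are loaded, so no packet is ever
# forwarded with an empty FORWARD chain.
if [ "$IPT" = iptables ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run `sh firewall.sh` to review the generated commands, then `sudo IPT=iptables sh firewall.sh` to load them. Note that with ppp0 the MASQUERADE target is the right choice (the address changes per dial-up session); on a link with a fixed address, SNAT --to-source is cheaper because it does not have to look the address up per packet.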
participants (2)
- Martin Köhling
- Michael Stern