Mailinglist Archive: opensuse-security (757 mails)

Re: iptables, masquerading & forwarding
Jens Georg wrote (on 23 Jan 2002 at 10:25):

> At the beginning I would like to achieve the following:
>
> 1. blocking all incoming requests to ports 0-1023 with
> 2. masquerading, so all clients on my network can talk to the net
> via eth1
>
> The first point can be done with iptables -A INPUT -p tcp --dport
> 1:1023 -j DROP, the second with iptables -t nat -A POSTROUTING -s
> 192.168.0.0/24 -d 0/0 -j MASQUERADE, right?

Almost!

You want to make sure internal traffic is not masqueraded, so
you want your MASQ rule to trigger on output interface:

iptables -t nat -I POSTROUTING -o ppp+ -j MASQUERADE

> What I don't understand is how to "route" packets between eth0 &
> eth1, so packets from/to the internet are routed via eth1
> *WITHOUT* bypassing my firewall. Is "echo 1 >
> /proc/sys/net/ipv4/ip_forward" the right choice?

iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT

Or change the -I to -A and wedge these in where you want them.


--
-- Tony Crawford
-- tc@xxxxxxxxxxxx
-- +49-3341-30 99 99
--
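The three pieces discussed in this thread (dropping inbound connections to privileged ports, masquerading only on the outside interface, and enabling forwarding between the two interfaces) assembled into one script, as an added example that is not part of the thread and not Tony's or Jens's code. It assumes eth0 is the LAN side, eth1 the internet side (set WAN_IF=ppp+ for a dial-up link) and 192.168.0.0/24 as the LAN prefix; all three are variables. Going beyond the thread, the return direction of the FORWARD chain is limited to reply traffic with the conntrack state match, and everything else crossing the box is dropped, so the internet side cannot open connections into the LAN. By default the script only prints the commands (DRY_RUN=1); run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumed interface names and LAN prefix; override via the environment.
LAN_IF="${LAN_IF:-eth0}"              # inside interface
WAN_IF="${WAN_IF:-eth1}"              # outside interface (ppp+ for dial-up)
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # addresses allowed to be forwarded out

# Print the command instead of executing it unless DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    # 1. Drop inbound TCP to privileged ports arriving on the outside interface.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 1:1023 -j DROP

    # 2. Masquerade only what leaves through the outside interface, so
    #    LAN-to-LAN traffic is never rewritten.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 3. Forward LAN -> internet for our own prefix only, and let back in
    #    just the replies (ESTABLISHED,RELATED); everything else is dropped.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j DROP

    # 4. Only now turn on routing between the interfaces
    #    (same effect as echo 1 > /proc/sys/net/ipv4/ip_forward).
    run sysctl -w net.ipv4.ip_forward=1
}

firewall_rules
```

The order matters: forwarding is switched on last, so there is no window in which the kernel routes packets between eth0 and eth1 before the FORWARD rules exist.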

