Jens Georg wrote (on 23 Jan 2002 at 10:25):
at the beginning i would like to achieve the following:
1. blocking all incoming requests to ports 0-1023 with 2. masquerading, so all clients on my network can talk to the net via eth1
first point can be done with iptables -A INPUT -p tcp --dport 1:1023 -j DROP, second with iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE, right ?
Almost! You want to make sure internal traffic is not masqueraded, so you want your MASQ rule to trigger on output interface: iptables -t nat -I POSTROUTING -o ppp+ -j MASQUERADE
what i don't understand is how to "route" packets between eth0 & eth1, so packets from/to the internet are routed via eth1 *WITHOUT* bypassing my firewall. is "echo 1 > /proc/sys/net/ipv4/ip_forward" the right choice ?
iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT Or change the -I to -A and wedge these in where you want them. -- -- Tony Crawford -- tc@crawfords.de -- +49-3341-30 99 99 --