Thank you for your fast reply!

On Sunday 30 January 2005 10:48, Jure Koren wrote:
On Sunday 30 January 2005 10:36, Jürgen Mell wrote:
iptables -A FORWARD -i $INT -o $EXT -p TCP --dport 8000:8006 \
    -j ACCEPT
and
iptables -A FORWARD -i $EXT -o $INT -m state \
    --state ESTABLISHED,RELATED -p TCP --sport 8000 -j ACCEPT
($INT and $EXT are the internal and external interfaces, respectively.)
The second rule only allows established TCP connection packets to pass when they are coming in from port 8000. You should fix this if they will also be coming from other ports in your 8000-8006 range.
Yes, I will correct that.
So far - so good. But what I am missing now is the masquerading of the IP address of the computer on the internal network (it gets a dynamic IP from the private address range 192.168.x.y). In the firewall script I have disabled masquerading (FW_MASQUERADE="no") to prevent any packets going out without using the squid proxy. Is there any way to open direct connections from the internal network _only_ for destination ports 8000 to 8006 without opening everything else (file-sharing networks etc.)? What iptables commands do I need for this purpose? Is there any better way to get this wonderful piece of software to work?
Yes, and it isn't very complicated.
iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j MASQUERADE
Or, if you have a static IP address on the $EXT interface, you'll be better off with
iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j SNAT --to-source <your static IP address>
This does not work here. I always get

iptables: No chain/target/match by that name

iptables -t nat -n -L shows:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Do you have any idea what is wrong here?

Jürgen
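An added example, not part of the thread: the rules discussed above consolidated into one dry-run script, with the return-path rule widened to the whole source-port range as Jure pointed out, the MASQUERADE rule restricted to the same LAN and port range, and a check for the kernel side of the "No chain/target/match by that name" error. iptables reports that error when the kernel does not recognise a chain, match or target named in the rule; since the nat chains are present in the listing above, the MASQUERADE target (module ipt_MASQUERADE on legacy iptables) is the usual suspect. The interface names eth0/eth1, the subnet 192.168.0.0/24 and the IPT dry-run variable are assumptions of this example, and the path /proc/net/ip_tables_targets is where legacy iptables on Linux lists the currently available targets.

```shell
#!/bin/sh
# Added example (not from the thread). Squid-only gateway that additionally lets
# internal hosts reach TCP 8000-8006 directly, masqueraded behind $EXT.
# Assumed placeholders: interface names, LAN subnet. IPT defaults to "echo",
# so the script prints the commands instead of touching the live firewall;
# run with IPT=iptables to apply them.

INT="${INT:-eth1}"            # internal interface (placeholder)
EXT="${EXT:-eth0}"            # external interface (placeholder)
LAN="${LAN:-192.168.0.0/24}"  # internal subnet (placeholder)
PORTS="8000:8006"             # the port range from the thread
IPT="${IPT:-echo iptables}"   # dry run by default

emit_rules() {
    # Outbound: only from the LAN, only to the port range, only via $EXT.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -p tcp --dport "$PORTS" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Return path: the remote end answers from its listening port, so the
    # source port can be any of 8000-8006, not just 8000.
    $IPT -A FORWARD -i "$EXT" -o "$INT" -d "$LAN" -p tcp --sport "$PORTS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the private source address for this traffic only; everything
    # else still has to go through the proxy.
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -p tcp --dport "$PORTS" \
        -j MASQUERADE
}

# Returns 0 if the kernel advertises the MASQUERADE target. The file argument
# exists so the check can be run against a saved copy; the default is the
# list legacy iptables exposes once the ip_tables module is loaded.
masquerade_available() {
    grep -qx MASQUERADE "${1:-/proc/net/ip_tables_targets}" 2>/dev/null
}

emit_rules
if ! masquerade_available; then
    echo "MASQUERADE target not available; try: modprobe ipt_MASQUERADE" >&2
fi
```

With IPT left at its default the script only prints the three rules, which makes it easy to diff against `iptables-save` output before applying anything.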