On Sunday 30 January 2005 10:36, Jürgen Mell wrote:
> iptables -A FORWARD -i $INT -o $EXT -p TCP --dport 8000:8006 \
>     -j ACCEPT
>
> and
>
> iptables -A FORWARD -i $EXT -o $INT -m state \
>     --state ESTABLISHED,RELATED -p TCP --sport 8000 -j ACCEPT
>
> ($INT and $EXT are the internal and external interfaces, respectively)
The second rule only allows established TCP connection packets to pass when they are coming in from port 8000. You should fix this if they will also be coming from other ports in your 8000-8006 range.
> So far - so good. But what I am missing now is the masquerading of the IP address of the computer on the internal network (it gets a dynamic IP from the private address range 192.168.x.y). In the firewall script I have disabled masquerading (FW_MASQUERADE="no") to prevent any packets going out without using the squid proxy. Is there any way to open direct connections from the internal network _only_ for destination ports 8000 to 8006 without opening everything else (file-sharing networks etc.)? What iptables commands do I need for this purpose? Is there any better way to get this wonderful piece of software to work?
Yes, and it isn't very complicated.

iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j MASQUERADE

Or, if you have a static IP address on the $EXT interface, you'll be better off with

iptables -t nat -A POSTROUTING -o $EXT -p tcp \
    --dport 8000:8006 -j SNAT --to-source <your static IP address>

This way, when the $EXT link goes down, the connection tracking information is preserved, and when it comes back up, TCP connections will continue to function without being broken. But this only works when $EXT gets the same IP address it had before going down; if it doesn't, you'll have to use MASQUERADE.

For inbound packets, connection tracking will do all the magic; the rule in the FORWARD table you set up yourself is all you need for it to work.

-- 
Jure Koren, n.i.
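The complete rule set the thread arrives at, written as one script. This is an added example, not code from either post: it takes the two FORWARD rules from the question, widens the return rule to the whole 8000-8006 range as the reply recommends, and adds the POSTROUTING rule, choosing SNAT when a static address is supplied and MASQUERADE otherwise. The interface names eth1/eth0, the address 203.0.113.5 and the IPT variable are my placeholders; by default IPT expands to "echo iptables", so the script only prints the commands and can be run anywhere as a dry run.

```shell
#!/bin/sh
# Added example, not code from the original posts. Combines the three rules
# discussed in the thread into one script:
#   - FORWARD out:  only TCP 8000-8006 may bypass the proxy
#   - FORWARD back: return packets for the whole range, tracked connections only
#   - POSTROUTING:  SNAT for a static address, MASQUERADE for a dynamic one
#
# Assumptions (mine, not the posters'): interface names and addresses are
# placeholders. IPT defaults to "echo iptables", so running this only prints
# the commands; set IPT=iptables and run as root to apply them for real.

IPT="${IPT:-echo iptables}"
PORTS="8000:8006"

# gen_rules INT EXT [STATIC_IP]
gen_rules() {
    int_if="$1"
    ext_if="$2"
    snat_ip="$3"

    # Outbound: new or already-tracked TCP connections to the port range only.
    # Everything else in FORWARD is left to the chain's default policy, so
    # nothing but this range can leave the LAN without going through squid.
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -p tcp --dport "$PORTS" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Return traffic: --sport must cover the whole range, not just port 8000
    # (the point raised in the reply), and only packets that belong to a
    # connection conntrack already knows are let back in.
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p tcp --sport "$PORTS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: the nat table sees only the first packet of each connection, so
    # restricting POSTROUTING to the same port range is enough; the private
    # 192.168.x.y source address is rewritten for nothing else.
    if [ -n "$snat_ip" ]; then
        # Static address: SNAT keeps conntrack state across a link flap as
        # long as the interface comes back with the same address.
        $IPT -t nat -A POSTROUTING -o "$ext_if" -p tcp --dport "$PORTS" \
            -j SNAT --to-source "$snat_ip"
    else
        # Dynamic address: MASQUERADE picks the interface's current address.
        $IPT -t nat -A POSTROUTING -o "$ext_if" -p tcp --dport "$PORTS" \
            -j MASQUERADE
    fi
}

# Dry run with the placeholder interface names: prints the three commands.
gen_rules "${INT:-eth1}" "${EXT:-eth0}" "${STATIC_IP:-}"
```

Two things the script assumes that the thread does not spell out: net.ipv4.ip_forward must be enabled for the FORWARD chain to see any traffic at all, and the FORWARD chain's default policy must be DROP (or the existing firewall script must already block other forwarded traffic), otherwise the port restriction is meaningless. It is written as a stand-alone iptables script, not as settings for the distribution firewall script that the FW_MASQUERADE="no" line in the question refers to.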