Hello,

> Muhammad Yousuf Khan <sir...@gmail.com> wrote:
>
>> now the problem part is i want to ping outside host to verify the
>> connectivity of internet. for that all the time i have to open the SSH
>> console and ping. but what i want is, i should also ping it from
>> host computers as well. however i don't want to NAT all the traffic
>> coming from inside and going outside. rather what i want is just to
>> NAT only ICMP Echo Rep and Req so that i can at least ping outside
>> host without SSH to the Squid console, which is very bothering.

As Joe wrote, this is not the right way to do things. See below.

>> My network diagram is very simple
>>
>> <Squid Box>--------eth0(192.18.30.2)----------------------<192.168.30.1-ISP Router>
>>     I
>>     I
>> eth1(192.168.1.1)
>>     I
>>     I
>> (local network 192.168.1.0/24)
>>
>> And why i am using Squid as a Gateway: because i just want to minimize
>> unwanted nodes that need to be monitored all the time and better
>> control over traffic with the IPtables firewall. i am using this line to
>> NAT very specific ports to allow certain facilities like Email,
>> Remote desktop and stuff. and this is working for me.
>>
>> iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE

This is not the right way to do things. NAT is not intended for filtering.
By not masquerading outgoing traffic, you just let packets go out with
their original source address instead of dropping them. You just rely on
the ISP router not knowing how to handle the original source address.
This is wrong.

The right way is to only accept specific traffic through your router, and
then NAT all traffic that was allowed to go out. Ok, it is a bit more
complicated.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
iptables -t filter -A FORWARD -o eth0 -m state --state NEW \
  -p tcp --dport 110 -j ACCEPT

>> now i am stuck on allowing the ping traffic. please help

iptables -t filter -A FORWARD -o eth0 -p icmp --icmp-type echo-request \
  -j ACCEPT

Joe wrote :
> only TCP and UDP have 'ports'

No. ICMP does not have ports, but other protocols such as SCTP and DCCP
have ports too.

--
Archive: http://lists.debian.org/4f89541a.8080...@plouf.fr.eu.org
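The ruleset sketched in the reply, assembled into a re-runnable script as an added example (this is not code from the original message). It assumes eth0 faces the ISP router, eth1 faces the 192.168.1.0/24 LAN, and that the box runs legacy iptables with the state match; the variable names, the ALLOWED_TCP list and the IPT override for dry runs are the example's own choices. Filtering is done once in FORWARD with a default DROP policy, replies (including ICMP echo-reply) come back through the ESTABLISHED,RELATED rule, and only traffic that FORWARD let through ever reaches the MASQUERADE rule, so nothing leaves with a private source address.

```shell
#!/bin/sh
# Added example: stateful FORWARD filtering plus full masquerading on the
# WAN side. Assumptions (not from the original thread): eth0 = WAN,
# eth1 = LAN, LAN network 192.168.1.0/24. Set IPT=echo to print the rules
# instead of loading them.
set -e

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

# Outbound TCP services the LAN may open (POP3 and RDP here, as in the
# thread's "Email, Remote desktop" use case; both values are assumptions).
ALLOWED_TCP="${ALLOWED_TCP:-110 3389}"

build_ruleset() {
    # Flush only the chains this script owns so it can be re-run safely.
    $IPT -t nat -F POSTROUTING
    $IPT -t filter -F FORWARD

    # 1. Filter in FORWARD: deny by default, then let replies to
    #    already-accepted flows through (this also covers echo-reply).
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Accept NEW flows only from the LAN interface and LAN source range,
    #    leaving via the WAN interface, for the listed services and for
    #    ICMP echo-request. Nothing else is forwarded.
    for port in $ALLOWED_TCP; do
        $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

    # 3. NAT everything FORWARD allowed out. Only packets that survived the
    #    filter get here, so MASQUERADE never acts as an access control.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Usage: sh fw.sh apply        (loads the rules, needs root)
#        IPT=echo sh fw.sh apply   (dry run, prints the iptables commands)
case "${1:-}" in
    apply) build_ruleset ;;
esac
```

Run it with IPT=echo first and read the output top to bottom: the FORWARD policy and the ESTABLISHED,RELATED rule must precede the per-service rules, and the MASQUERADE rule must be the last thing loaded, otherwise a re-run could briefly masquerade flows the filter has not yet been told to drop.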