iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

OK, it worked after one restart. I don't know what the problem was, but it worked. But this command still didn't drop the connection; I can still SSH and even send and receive email:

iptables -t filter -P FORWARD DROP

As shared, so I can open all the ports one by one.

Thanks

On Fri, Apr 20, 2012 at 8:15 PM, Muhammad Yousuf Khan <sir...@gmail.com> wrote:
> On Sat, Apr 14, 2012 at 3:40 PM, Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
>> Hello,
>>
>>> Muhammad Yousuf Khan <sir...@gmail.com> wrote:
>>>
>>>> Now the problem part is I want to ping an outside host to verify the
>>>> connectivity of the internet. For that, all the time I have to open the SSH
>>>> console and ping. But what I want is, I should also be able to ping it from
>>>> host computers as well. However, I don't want to NAT all the traffic
>>>> coming from inside and going outside. Rather, what I want is just to
>>>> NAT only ICMP Echo Reply and Request so that I can at least ping an outside
>>>> host
>>
>> As Joe wrote, this is not the right way to do things. See below.
>>
>>> without SSHing to the Squid console, which is very bothering.
>>>> My network diagram is very simple
>>>>
>>>> <Squid Box>--------eth0(192.18.30.2)----------------------<192.168.30.1-ISP Router>
>>>>      I
>>>>      I
>>>>   eth1(192.168.1.1)
>>>>      I
>>>>      I
>>>> (local network 192.168.1.0/24)
>>>>
>>>>
>>>> And why am I using Squid as a gateway? Because I just want to minimize
>>>> unwanted nodes that need to be monitored all the time, and get better
>>>> control over traffic with an iptables firewall. I am using this line to
>>>> NAT very specific ports to allow certain facilities like email,
>>>> Remote Desktop and such, and this is working for me.
>>>>
>>>> iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
>>
>> This is not the right way to do things. NAT is not intended for
>> filtering. By not masquerading outgoing traffic, you just let packets go
>> out with their original source address instead of dropping them. You
>> just rely on the ISP router not knowing how to handle the original
>> source address. This is wrong.
>>
>> The right way is to only accept specific traffic through your router, and then
>> NAT all traffic that was allowed to go out. OK, it is a bit more
>> complicated.
>>
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> iptables -t filter -P FORWARD DROP
>> iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED \
>>     -j ACCEPT
>> iptables -t filter -A FORWARD -o eth0 -m state --state NEW \
>>     -p tcp --dport 110 -j ACCEPT
>>
> Sorry for the late response, but I was stuck in some other tasks.
> Now it's my time to hit my head against the wall. I tried every single
> configuration on the internet, but I cannot reach nor ping the
> destination with the example below. Even fwbuilder is also generating the
> same script, but it's not working.
> However, my outside interface was eth1 and inside eth0, so I replaced my
> settings accordingly, but it doesn't work either.
> Please share.
>
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> I checked several websites telling me the same thing, but I cannot
> ping the outside destination 8.8.4.4, which is Google DNS. I am lost.
> Kindly help.
>
>
>>>> Now I am stuck on allowing the ping traffic. Please help.
>>
>> iptables -t filter -A FORWARD -o eth0 -p icmp --icmp-type echo-request \
>>     -j ACCEPT
>>
>> Joe wrote:
>>> only TCP and UDP have 'ports'
>>
>> No. ICMP does not have ports, but other protocols such as SCTP and DCCP
>> have ports too.
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
>> Archive: http://lists.debian.org/4f89541a.8080...@plouf.fr.eu.org
>>

--
Archive: http://lists.debian.org/CAGWVfM=zebd0qlwpqmcsmvezm8jduuu1mswfw1zdfuuf+7k...@mail.gmail.com
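The ruleset Pascal describes (filter in FORWARD, then masquerade whatever was allowed out), written up as an added example that is not from the thread: a POSIX shell function that emits the rules in iptables-restore format, with the outside and inside interface names and the allowed outbound TCP ports as parameters, so the eth0/eth1 swap is an argument change rather than a rule edit. The interface names and port list are assumptions supplied by the caller; nothing is loaded into the kernel unless the output is piped to iptables-restore as root.

```shell
#!/bin/sh
# Added example; not code from the thread. Prints an iptables-restore ruleset.
# Review the output first, then load it as root:  gen_rules eth1 eth0 "110 25" | iptables-restore
gen_rules() {
    wan="$1"    # outside interface (assumed; eth0 in Pascal's rules, eth1 in the OP's later setup)
    lan="$2"    # inside interface (assumed)
    ports="$3"  # space-separated outbound TCP destination ports to allow (assumed)

    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    # NAT is not a filter: masquerade everything that leaves via the WAN side.
    # What is allowed to leave at all is decided in the filter table below.
    printf '%s\n' "-A POSTROUTING -o $wan -j MASQUERADE"
    printf 'COMMIT\n'

    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # FORWARD only sees routed traffic. Sessions that terminate on the gateway
    # itself (e.g. SSH to the box) go through INPUT and are not affected here.
    printf ':FORWARD DROP [0:0]\n'
    # Return traffic of already-accepted flows, which includes ICMP echo replies.
    printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One NEW-state rule per allowed port; -i restricts it to LAN-originated flows.
    for p in $ports; do
        printf '%s\n' "-A FORWARD -i $lan -o $wan -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
    # Lets LAN hosts ping outside hosts (e.g. 8.8.4.4) without NATing ICMP selectively.
    printf '%s\n' "-A FORWARD -i $lan -o $wan -p icmp --icmp-type echo-request -j ACCEPT"
    printf 'COMMIT\n'
}

# Returns 0 when the generated text has the NAT rule on the given WAN interface,
# a DROP policy on FORWARD, and no catch-all "-A FORWARD -j ACCEPT" that would undo it.
check_rules() {
    rules=$(gen_rules "$1" "$2" "$3")
    printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING -o $1 -j MASQUERADE" || return 1
    printf '%s\n' "$rules" | grep -q -- ':FORWARD DROP' || return 1
    if printf '%s\n' "$rules" | grep -q -- '^-A FORWARD -j ACCEPT$'; then return 1; fi
    return 0
}
```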