> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> DROP       all  --  anywhere             192.168.0.0/16
> DROP       all  --  anywhere             192.168.0.0/16
> DROP       all  --  anywhere             192.168.0.0/16
> DROP       all  --  anywhere             192.168.0.0/16
> ACCEPT     all  --  192.168.0.0/16       anywhere
> ACCEPT     all  --  anywhere             192.168.0.0/16
> ACCEPT     all  --  192.168.0.0/16       anywhere
> ACCEPT     all  --  anywhere             192.168.0.0/16
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Dropped outgoing: '
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Dropped incoming: '
> ACCEPT     all  --  192.168.0.0/16       anywhere
> ACCEPT     all  --  anywhere             192.168.0.0/16
> ACCEPT     all  --  192.168.0.0/16       anywhere
> ACCEPT     all  --  anywhere             192.168.0.0/16
Well, this would seem to indicate your problem. The first couple of rules (which look like dups) will drop any incoming packets headed to the intranet (192.168.0.0 network). I think you need to readjust the rules similar to the following:

    # Flush the forward table
    iptables -F FORWARD

    # Define the default forward policy as drop.
    iptables -P FORWARD DROP

    # Allow established traffic from the internet to the intranet
    # (-i / -o select the input and output interfaces; eth0 is the internet side, eth1 the intranet side)
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow the intranet to create and maintain connections to the internet.
    iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Log packets that are being dropped
    iptables -A FORWARD -j LOG --log-prefix "Dropped forwarded packets: "

These rules will allow new outgoing connections and established incoming connections. You really shouldn't need to filter on IP address as the invalid destination addresses would be dropped by the intranet and only valid established connections will allow the incoming internet packets to be delivered anyway. These rules rely on the state module being available and loaded.

-- 
gentoo-user@gentoo.org mailing list
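The following is an added illustration, not part of the mailing-list reply: a toy first-match model of the FORWARD chain (with a minimal connection table standing in for the state module) that shows why the quoted rule set drops every packet bound for 192.168.0.0/16 while the stateful replacement admits only the reply traffic. Interface names eth0/eth1 and the packet addresses are constructed for the demo.

```python
"""Toy first-match evaluation of a FORWARD chain, enough to compare the two rule sets."""
import ipaddress

ANY = None  # wildcard for interface, address or state matches

# rule = (in_iface, out_iface, src_net, dst_net, states, target); LOG is non-terminating.
ORIGINAL = [  # as quoted in the thread: the DROP rules sit before every ACCEPT
    (ANY, ANY, ANY, "192.168.0.0/16", ANY, "DROP"),
    (ANY, ANY, "192.168.0.0/16", ANY, ANY, "ACCEPT"),
    (ANY, ANY, ANY, "192.168.0.0/16", ANY, "ACCEPT"),  # never reached
]
PROPOSED = [  # the stateful replacement from the reply
    ("eth0", "eth1", ANY, ANY, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("eth1", "eth0", ANY, ANY, {"NEW", "ESTABLISHED", "RELATED"}, "ACCEPT"),
    (ANY, ANY, ANY, ANY, ANY, "LOG"),
]


def matches(rule, pkt, state):
    in_if, out_if, src, dst, states, _ = rule
    if in_if is not ANY and pkt["in"] != in_if: return False
    if out_if is not ANY and pkt["out"] != out_if: return False
    if src is not ANY and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src): return False
    if dst is not ANY and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst): return False
    return states is ANY or state in states


def forward(rules, policy, pkt, conntrack):
    """First matching terminating rule wins, else the chain policy applies.
    Simplification: a flow becomes ESTABLISHED once a packet of it was accepted."""
    flow = (pkt["src"], pkt["dst"])
    state = "ESTABLISHED" if flow in conntrack or flow[::-1] in conntrack else "NEW"
    verdict = policy
    for rule in rules:
        if matches(rule, pkt, state) and rule[5] != "LOG":
            verdict = rule[5]
            break
    if verdict == "ACCEPT":
        conntrack.add(flow)
    return verdict


def demo(rules, policy):
    """Verdicts for: outgoing request, its reply, and an unsolicited inbound packet."""
    ct = set()
    out = {"src": "192.168.1.10", "dst": "203.0.113.5", "in": "eth1", "out": "eth0"}
    reply = {"src": "203.0.113.5", "dst": "192.168.1.10", "in": "eth0", "out": "eth1"}
    unsolicited = {"src": "198.51.100.7", "dst": "192.168.1.10", "in": "eth0", "out": "eth1"}
    return tuple(forward(rules, policy, p, ct) for p in (out, reply, unsolicited))
```

With the quoted rules and policy ACCEPT the reply to the intranet's own request is dropped; with the proposed rules and policy DROP the reply is accepted and only the unsolicited packet is dropped.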