Thanks all for help.

Let me make clear what I'd like to do:

At home I have two PCs.
PC1 is the router. (eth0 for LAN, eth1 for WAN, connected to the ADSL modem)
PC2 is another PC in the LAN.

I'm planning to run a web server on PC2 with IP address 192.168.0.2.

> > The iptables script is as follows:
> > ---------------------------------------------
> > #!/bin/bash
> > IPTABLES='/sbin/iptables'
> >
> > # Set interface values
> > EXTIF='ppp0'
> > INTIF1='eth0'
> >
> > # enable ip forwarding in the kernel
> > /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> Note that this should be better done in the ppp-connect script rather
> than here. The iptables should be set up at boot time, I'd suggest. So
> you're not imposing a (rather short) open firewall situation. In fact,
> iptables doesn't care if interfaces are already available when setting
> up routes.

But is it OK if I keep /bin/echo 1 > /proc/sys/net/ipv4/ip_forward in
my iptables rules? I have never used a ppp-connect script. At home I use
rp-pppoe.

> > #echo -e "       - Allowing access to the SSH server"
> > $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
> >
> > #echo -e "       - Allowing access to the HTTP server"
> > $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
> 
> Not needed, as all respective packets will get rewritten to 192.168.0.2
> and will never hit the INPUT table. That doesn't include packets from
> internal LAN, see respective rule below.
Do you mean both dport 22 and dport 80, or only dport 80?

> > # block out all other Internet access on $EXTIF
> > $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP

> Hm, you may switch that to a simple
> $IPTABLES -P INPUT DROP
$IPTABLES -P INPUT DROP stopped the internet connection.

> [from here use proposed parts below, I'll continue commenting]
> 
> > $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
> 
> ?!? This would drop all requests from ppp0, especially the ones to the
> www port...
Do you mean I can leave it as it is?

> > $IPTABLES -A FORWARD -i ppp0 -d 192.168.0.2 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> 
> and thus this cannot match, either.
> 
> 
> so from above [...] marked point, the approach would be
> 
> $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -d 192.168.0.2 \
>          -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> $IPTABLES -P FORWARD DROP
> 
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
>          -j DNAT --to 192.168.0.2
> 
> This will alter the destination IP and let FORWARD rules apply.
> 
> Note that any Logging entries must be inserted before the respective
> ACCEPTs or DROPs.
My iptables rules, taking your comments into account, became:

#!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'
INTIF1='eth0'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -A FORWARD -i eth0 -o ppp0 -j LOG --log-prefix "Dropped outgoing: "
$IPTABLES -A FORWARD -i ppp0 -o eth0 -j LOG --log-prefix "Dropped incoming: "

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -d 192.168.0.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -P FORWARD DROP

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.0.2

--------------
Unfortunately, I'm still unable to see my web page from the LAN when I
try to access my domain.com... :(

askar

-- 
gentoo-user@gentoo.org mailing list
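The ordering the reply describes, as an added example that is not askar's script or anyone's project code: it assumes the same interfaces and the web server at 192.168.0.2 from the thread, puts the port-80 ACCEPT before any catch-all DROP so the DNATed packets can match, adds the ESTABLISHED,RELATED acceptance on INPUT that `-P INPUT DROP` alone was missing, and the `IPTABLES=echo` dry-run switch is my own addition.

```shell
#!/bin/bash
# Added example, not askar's script: the same router setup (PC1: eth0 LAN,
# ppp0 WAN; web server on PC2 = 192.168.0.2) with the rules in first-match
# order, so the port-80 ACCEPT is evaluated before any catch-all DROP.
# IPTABLES=echo gives a dry run that only prints the commands.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF='ppp0'
INTIF1='eth0'
WEBSRV='192.168.0.2'

apply_rules() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F

    # Policies first: the box is closed while the rest of the rules load.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # INPUT: loopback, the LAN, and replies to the router's own connections
    # (the ESTABLISHED,RELATED rule is what "-P INPUT DROP" alone lacked).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF1" -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # FORWARD: LAN out, replies both ways, then the one published service.
    $IPTABLES -A FORWARD -i "$INTIF1" -o "$EXTIF" -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF1" -p tcp -d "$WEBSRV" \
        --dport 80 -m state --state NEW -j ACCEPT
    # LOG is non-terminating, so it goes last: it sees only what the
    # policy is about to drop, and the prefix is then truthful.
    $IPTABLES -A FORWARD -i "$EXTIF" -j LOG --log-prefix "Dropped incoming: "

    # NAT: rewrite the destination before routing, masquerade LAN on the way out.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 \
        -j DNAT --to "$WEBSRV"
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

case "${1:-}" in
    apply)   echo 1 > /proc/sys/net/ipv4/ip_forward; apply_rules ;;
    dry-run) IPTABLES=echo apply_rules ;;
esac
```

The PREROUTING rule matches only on $EXTIF, so a LAN client that connects to the public name reaches the router's own INPUT chain rather than PC2; test from the LAN with 192.168.0.2 directly, or add a second DNAT rule for -i $INTIF1.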
