On Fri, Apr 2, 2010 at 1:22 AM, Arun Khan <[email protected]> wrote:
> iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT

I'm not sure if this is the "right way" to write this. Blocking on the FORWARD chain can cause some tricky problems. The best thing is to block all incoming on EXTIF and permit selected/all on INTIF. Pass all on the outgoing (OUTPUT) and FORWARD chains. Additionally, you may want to selectively permit only management IPs to access the firewall itself on INTIF.

> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> One idea I am mulling is to add the "remote" subnets with the "-s" and
> "-d" options in above (respective) lines to make it network/iface
> specific.

Don't think that will make any difference.

> Would appreciate any comments/suggestions to allow clients from
> "remote" locations access to the Internet via the main office router.

Before you start troubleshooting NAT it's best to check whether routing is working correctly. The best way to test is to ping EXTIP from the remote VPN clients. Also traceroute and see whether the remote VPN clients can reach your Debian firewall over the VPN interface and can touch EXTIP on EXTIF. If this does not work, then set your gateways accordingly!

Depending on who you speak to, it may be considered bad practice to backhaul Internet traffic to HQ, as it doubles WAN traffic and also increases latency for Internet traffic. Direct-to-net is a preferred approach, unless you want to enforce compliance/security/audit policies from a central location.

HTH,
- Raja

_______________________________________________
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
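As an added example that is not part of the thread or of either poster's configuration, here is a complete ruleset in the shape Raja sketches: INPUT closed on EXTIF, selected services plus SSH from one management host permitted on INTIF, OUTPUT and FORWARD left open, and MASQUERADE on the way out. The interface names (eth0, eth1, tun0), the address ranges, the management host and the VPN daemon's UDP port are all assumptions; the two anti-spoofing DROP rules in FORWARD and the order (accept rules first, DROP policy last) go beyond what the post says and are my additions. DRYRUN=1, the default, only prints the commands so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): a ruleset in the shape Raja
# describes, for a Debian router with one external and one internal
# interface and a VPN tunnel interface for the remote sites.
# Interface names, addresses and the VPN port below are assumptions;
# adjust them to the real setup before running with DRYRUN=0.

EXTIF="${EXTIF:-eth0}"                 # assumed: towards the Internet
INTIF1="${INTIF1:-eth1}"               # assumed: towards the office LAN
VPNIF="${VPNIF:-tun0}"                 # assumed: VPN tunnel interface
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed: office LAN range
VPN_NET="${VPN_NET:-10.8.0.0/24}"      # assumed: remote-site VPN range
MGMT_HOST="${MGMT_HOST:-192.168.1.10}" # assumed: the one admin box
VPN_PORT="${VPN_PORT:-1194}"           # assumed: VPN daemon's UDP port
DRYRUN="${DRYRUN:-1}"

# Run iptables, or in dry-run mode print the command instead of running it.
ipt() {
    if [ "$DRYRUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

fw_rules() {
    # Start from a clean slate with permissive policies, so a remote
    # admin session is not cut off while the rules are being loaded.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F

    # --- INPUT: traffic addressed to the firewall itself ---------------
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # EXTIF: only the VPN daemon (and ping) is reachable; everything
    # else hits the DROP policy set at the end ("block all incoming").
    ipt -A INPUT -i "$EXTIF" -p udp --dport "$VPN_PORT" -j ACCEPT
    ipt -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j ACCEPT
    # INTIF: selected services for the LAN; management of the firewall
    # (SSH) only from MGMT_HOST.
    ipt -A INPUT -i "$INTIF1" -s "$MGMT_HOST" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$INTIF1" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INTIF1" -p icmp -j ACCEPT
    # Remote sites may ping the firewall over the tunnel, which is the
    # routing check to do before looking at NAT at all.
    ipt -A INPUT -i "$VPNIF" -p icmp -j ACCEPT

    # --- FORWARD: policy ACCEPT, plus anti-spoofing (my addition) ------
    # Packets arriving from the Internet that claim an internal or VPN
    # source address are dropped before they can be routed inward.
    ipt -A FORWARD -i "$EXTIF" -s "$INT_NET" -j DROP
    ipt -A FORWARD -i "$EXTIF" -s "$VPN_NET" -j DROP

    # --- NAT: office LAN and remote VPN sites go out via EXTIF ---------
    ipt -t nat -A POSTROUTING -s "$INT_NET" -o "$EXTIF" -j MASQUERADE
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$EXTIF" -j MASQUERADE

    # Only now close the door on the firewall itself.
    ipt -P INPUT DROP
}

# Forwarding must be on, or nothing ever reaches the FORWARD chain.
enable_forwarding() {
    if [ "$DRYRUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Number of iptables commands the ruleset emits (dry-run, subshell so
# DRYRUN is not changed for the caller); a quick sanity check.
rule_count() {
    ( DRYRUN=1; fw_rules ) | wc -l | tr -d ' '
}

enable_forwarding
fw_rules
```

Run it once with the default DRYRUN=1 and read the output, then as root with DRYRUN=0 from the management host only; rules loaded this way do not survive a reboot, so save them with iptables-save and restore them from an interface-up hook. Note that with FORWARD left at ACCEPT, the only things keeping unsolicited Internet traffic off the LAN are the private addressing behind MASQUERADE and the anti-spoofing rules, which is why those two DROP lines are worth keeping even though the post does not mention them.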
