From: "Adrian C." <drupix@gmail.com>
To: Luca Ferrari <fluca1978@infinito.it>
Cc: linux-admin@vger.kernel.org
Subject: Re: iptables & vypress
Date: Fri, 15 Jul 2005 12:47:56 +0300
Message-ID: <60a7468905071502471b4d0369@mail.gmail.com>
In-Reply-To: <42D6970C.7040800@infinito.it>
Let me get this right
LAN192.168.4.0-----------[eth0]---iptables-firewall--[eth1]-------------LAN192.168.1.0
You need 2 sets of rules, one for each direction
from .4. to .1.
iptables -A FORWARD -s 192.168.4.0/24 -d 192.168.1.0/24 -p tcp -j ACCEPT
iptables -A FORWARD -s 192.168.4.0/24 -d 192.168.1.0/24 -p udp -j ACCEPT
from .1. to .4.
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.4.0/24 -p tcp -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.4.0/24 -p udp -j ACCEPT
INPUT & OUTPUT chains are for local processes (bind, squid, pppd), not forwarding.
I've never been a big fan of default DROP policy on chains. Sometimes
yes, it can be of some help but otherwise you don't want to be ssh-ing
to another country and accidentally invoking iptables -F :)
--Adrian
Oriflame Romania SysAdmin
On 7/14/05, Luca Ferrari <fluca1978@infinito.it> wrote:
> Hi,
> I've got two networks, 192.168.1.0 and 192.168.4.0, that are connected
> thru an ADSL and a couple of firewalls (with iptables). Now I've got
> some problems with the Vypress Messenger, a chat program that
> communicates using the 7777 port. The problem is that outgoing traffic
> from 192.168.4.0 is permitted, while incoming is not, thus 192.168.4.0 can
> send messages to the other network, but 192.168.1.0 cannot. The
> following is an excerpt of the iptables configuration for the network
> 192.168.1.0 on the 192.168.4.0 firewall:
>
> [root@firewall script]# iptables-save | grep 192.168.1
> -A INPUT -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p tcp -j ACCEPT
> -A INPUT -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p udp -j ACCEPT
> -A FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p tcp -j ACCEPT
> -A FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p udp -j ACCEPT
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o eth1 -p udp -j ACCEPT
>
> I cannot see what's wrong here, since all the traffic between 192.168.1.0
> and 192.168.4.0 is permitted. I'm pretty sure the problem is in the
> iptables of the 192.168.4.0 network, because if I connect directly (i.e.,
> bypassing the iptables firewall) vypress works.
> Any suggestion?
>
> Thanks,
> Luca
>
> --
> Luca Ferrari
> fluca1978@infinito.it
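An added example, not code from either mail in this thread: the two-direction FORWARD rules from Adrian's reply as a shell script, but stateful and limited to the Vypress port 7777 that Luca names, so the reply direction is never hand-copied (which is how the .1 -> .4 udp rule above ended up duplicating the .4 -> .1 one). The subnets, eth0/eth1 and port 7777 come from the thread; the conntrack match, the DROP policy on FORWARD and the IPT dry-run variable are my assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: stateful, port-limited FORWARD rules for
# the two LANs in Adrian's diagram. Subnets, eth0/eth1 and port 7777 come from
# the thread; the conntrack match and the IPT dry-run variable are assumptions.
# IPT defaults to printing the rules; run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
LAN_A=192.168.4.0/24   # behind eth0
LAN_B=192.168.1.0/24   # behind eth1, reached over the ADSL link
VYPRESS_PORT=7777

# Rules for one direction only: NEW tcp and udp flows to $VYPRESS_PORT from
# $src to $dst, entering on $in_if and leaving on $out_if. Matching on the
# interfaces as well as the addresses means a packet whose source address does
# not belong to the interface it arrived on matches nothing.
forward_new() {
  src=$1; dst=$2; in_if=$3; out_if=$4
  for proto in tcp udp; do
    $IPT -A FORWARD -i "$in_if" -o "$out_if" -s "$src" -d "$dst" \
      -p "$proto" --dport "$VYPRESS_PORT" \
      -m conntrack --ctstate NEW -j ACCEPT
  done
}

# One rule covers the replies of both directions, so no per-direction return
# rule has to be written by hand; both directions of NEW traffic are generated
# from the same function, which is what prevents the copy-and-paste mistake.
forward_established() {
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

build_rules() {
  forward_established
  forward_new "$LAN_A" "$LAN_B" eth0 eth1   # .4 -> .1
  forward_new "$LAN_B" "$LAN_A" eth1 eth0   # .1 -> .4
  # Routed traffic that matched nothing above is dropped. A DROP policy on
  # FORWARD does not touch ssh to the firewall itself (that is INPUT), so
  # Adrian's lock-out concern about "iptables -F" does not apply to it.
  $IPT -P FORWARD DROP
}

build_rules
```

Running it without IPT set prints the six commands in order; the printed set is what you would compare against `iptables-save` output after applying.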