From: "Adrian C."
Subject: Re: iptables & vypress
Date: Fri, 15 Jul 2005 12:47:56 +0300
Message-ID: <60a7468905071502471b4d0369@mail.gmail.com>
In-Reply-To: <42D6970C.7040800@infinito.it>
To: Luca Ferrari
Cc: linux-admin@vger.kernel.org

Let me get this right:

LAN192.168.4.0-----------[eth0]---iptables-firewall--[eth1]-------------LAN192.168.1.0

You need 2 sets of rules, for both directions.

from .4. to .1.

iptables -A FORWARD -s 192.168.4.0/24 -d 192.168.1.0/24 -p tcp -j ACCEPT
iptables -A FORWARD -s 192.168.4.0/24 -d 192.168.1.0/24 -p udp -j ACCEPT

from .1. to .4.

iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.4.0/24 -p tcp -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.4.0/24 -p udp -j ACCEPT

INPUT & OUTPUT chains are for local processes (bind, squid, pppd), not forward.

I've never been a big fan of default DROP policy on chains. Sometimes yes, it can be of some help, but otherwise you don't want to be ssh-ing to another country and accidentally invoking iptables -F :)

--Adrian
Oriflame Romania SysAdmin

On 7/14/05, Luca Ferrari wrote:
> Hi,
> I've got two networks, 192.168.1.0 and 192.168.4.0, that are connected
> thru an ADSL and a couple of firewalls (with iptables). Now I've got
> some problems with the Vypress Messenger, a chat program that
> communicates using the 7777 port. The problem is that outgoing traffic
> from 192.168.4.0 is permitted, while incoming is not, thus 192.168.4.0 can
> send messages to the other network, but the 192.168.1.0 cannot.
> The following is an excerpt of the iptables configuration for the network
> 192.168.1.0 on the 192.168.4.0 firewall:
>
> [root@firewall script]# iptables-save | grep 192.168.1
> -A INPUT -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p tcp -j ACCEPT
> -A INPUT -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p udp -j ACCEPT
> -A FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p tcp -j ACCEPT
> -A FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p udp -j ACCEPT
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o eth1 -p udp -j ACCEPT
>
> I cannot see what's wrong here, since all the traffic among 192.168.1.0
> and 192.168.4.0 is permitted. I'm pretty sure the problem is in the
> iptables of the 192.168.4.0 network, because if I connect directly (i.e.,
> bypassing the iptables firewall) vypress works.
> Any suggestion?
>
> Thanks,
> Luca
>
> --
> Luca Ferrari
> fluca1978@infinito.it
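A check for exactly the asymmetry Adrian points out, added here as an example and not part of the thread: it reads iptables-save output and lists every FORWARD ACCEPT rule that has no counterpart with -s and -d swapped, then prints the symmetric pair that would close the gap. The sample rule set is constructed from Luca's excerpt, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, modelled on the excerpt quoted
# above: FORWARD only allows 192.168.4.0 -> 192.168.1.0, never the reverse.
SAMPLE_RULES='*filter
-A INPUT -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p tcp -j ACCEPT
-A FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p tcp -j ACCEPT
-A FORWARD -s 192.168.4.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p udp -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o eth1 -p udp -j ACCEPT
COMMIT'

# missing_reverse_rules: read iptables-save output on stdin and print one line
# "PROTO SRC->DST has no reverse rule" for every FORWARD ACCEPT rule whose
# mirror image (-s and -d swapped, same -p) is absent. Only -s/-d/-p are
# compared, and the comparison is textual, so the dotted mask used in the
# excerpt is normalised to /24 first; otherwise /24 and /255.255.255.0 differ.
missing_reverse_rules() {
    awk '
    $1 == "-A" && $2 == "FORWARD" {
        s = d = p = j = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") s = $(i + 1)
            else if ($i == "-d") d = $(i + 1)
            else if ($i == "-p") p = $(i + 1)
            else if ($i == "-j") j = $(i + 1)
        }
        sub(/\/255\.255\.255\.0$/, "/24", s)
        sub(/\/255\.255\.255\.0$/, "/24", d)
        if (j == "ACCEPT" && s != "" && d != "")
            seen[p " " s " " d] = 1
    }
    END {
        for (k in seen) {
            split(k, f, " ")
            rev = f[1] " " f[3] " " f[2]
            if (!(rev in seen))
                printf "%s %s->%s has no reverse rule\n", f[1], f[2], f[3]
        }
    }' | sort
}

# forward_both_ways NET_A NET_B PROTO: print the symmetric pair of rules that
# closes the gap (printed, not executed, so it can be reviewed first).
forward_both_ways() {
    printf 'iptables -A FORWARD -s %s -d %s -p %s -j ACCEPT\n' "$1" "$2" "$3"
    printf 'iptables -A FORWARD -s %s -d %s -p %s -j ACCEPT\n' "$2" "$1" "$3"
}
```

Run it against a live box with `iptables-save | missing_reverse_rules`; on the sample it reports the tcp and udp 192.168.4.0/24->192.168.1.0/24 rules as lacking a reverse.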