From: "David H. Askew"
Subject: RE: firewall host problem
Date: Sun, 19 Oct 2003 20:49:50 -0500
Message-ID: <1066614589.2282.3.camel@lappy>
To: markee@bandwidthco.com
Cc: netfilter users mailing list

I thought about that too.. but this output seems to indicate a default
policy of ACCEPT on the OUTPUT chain. I've not yet formulated a set of
rules to handle outbound traffic.

iptables -L .. partial output ...

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

or .. am I missing your point?

On Sun, 2003-10-19 at 20:44, Mark E. Donaldson wrote:
> David - Where are your OUTPUT chain rules? If you want to ping (or anything
> else) your ISP gateway from the firewall itself, you need rules in your
> OUTPUT chain to permit this. If your OUTPUT default policy is set to DROP,
> then all packets generated by your firewall are being dropped.
>
> -----Original Message-----
> From: David H. Askew [mailto:daskew2@kc.rr.com]
> Sent: Sunday, October 19, 2003 2:44 PM
> To: netfilter@lists.netfilter.org
> Subject: firewall host problem
>
> ok .. so I'm trying to set up my first iptables firewall .. and I've got
> a semi-functional setup so far ... but I do have one small problem .. my
> firewall machine .. which is performing NAT for my home network.. cannot
> access the Internet with any standard tools ... tracepath .. ping ..
> etc. I know network connectivity is fine .. because my internal
> machines function properly.
>
> My router/firewall has 3 interfaces ....
>
> eth0: ISP
> eth1: Home Subnet 1
> eth2: Home Subnet 2
>
> eth2 can ping my ISP gateway
> eth1 can ping my ISP gateway
> eth0 cannot ping my ISP gateway
>
> my firewall script is below ...
>
> I've recently switched from an ACCEPT default policy to the DROP default
> policy below. I didn't have this problem previously, so I know I've
> just forgotten to allow something .. but I'm having trouble coming to a
> logical conclusion ....
>
> ...any help .. critique ... advice you could provide would be helpful
>
> -dave
>
> iptables --flush
> iptables --table nat --flush
> iptables --delete-chain
> iptables --table nat --delete-chain
>
> # Enable packet forwarding in the kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Setup IP FORWARDing and Masquerading
> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables --append FORWARD --in-interface eth1 -j ACCEPT
> iptables --append FORWARD --in-interface eth2 -j ACCEPT
>
> #enable connection tracking
> iptables -I FORWARD -m state --state INVALID -j DROP
> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
>
> iptables -A INPUT -p tcp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> iptables -A INPUT -p udp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
>
> iptables -P INPUT DROP
>
> --
> How many Microsoft engineers does it take to change a light bulb ?
>
> Answer : None, they just declare darkness a new standard.

-- 
How many Microsoft engineers does it take to change a light bulb ?

Answer : None, they just declare darkness a new standard.
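Added example, not a message from anyone on this thread and not the poster's script. The posted ruleset sets the INPUT policy to DROP but only ever accepts port 22 on INPUT, so the echo replies to the firewall's own pings are dropped on the way back in; the OUTPUT chain, as David's `iptables -L` output shows, is still ACCEPT and is not the problem. Internal hosts keep working because FORWARD has a RELATED,ESTABLISHED accept and INPUT does not. The script below is a reworked version of the posted one that adds that rule (and loopback) to INPUT, opens the policies before flushing so a re-run does not lock out a remote SSH session, and drops the udp/22 rules, which match nothing SSH sends. Interface roles (eth0 to the ISP, eth1 and eth2 as LANs) are taken from the post; the `--apply` flag, the `dry` helper and the `-m conntrack` match (a newer spelling of the `-m state` match in the post) are this example's own choices. Without `--apply` it only prints the commands it would run.

```shell
#!/bin/sh
# Reworked home-router ruleset (added example). Assumed layout, from the
# thread: eth0 = ISP uplink, eth1 and eth2 = home subnets.
set -eu

WAN=eth0
LANS="eth1 eth2"

# Dry-run runner: prints the rule instead of loading it. Used when the
# script is run without --apply, so it can be inspected without root.
dry() { printf '%s\n' "$*"; }

fw_rules() {
    ipt=${1:-iptables}   # command invoked for every rule ("dry" = print only)

    # Reset policies to ACCEPT *before* flushing: -F does not touch policies,
    # so re-running the original script with INPUT already at DROP leaves a
    # window with no accept rules in which a remote SSH session is cut off.
    $ipt -P INPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    $ipt -P OUTPUT ACCEPT
    $ipt -F
    $ipt -t nat -F
    $ipt -X
    $ipt -t nat -X

    # --- INPUT: traffic addressed to the router itself ---
    # This is what the posted script lacks: replies to the router's own
    # ping/tracepath/DNS traffic come back through INPUT and must be
    # accepted there, just as FORWARD already accepts them for LAN hosts.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # SSH from the ISP side and from eth2, as in the post; TCP only.
    $ipt -A INPUT -p tcp -i "$WAN" --dport 22 -j ACCEPT
    $ipt -A INPUT -p tcp -i eth2 --dport 22 -j ACCEPT
    # Let LAN hosts ping the router; echo requests from the WAN fall
    # through to the DROP policy.
    for lan in $LANS; do
        $ipt -A INPUT -p icmp -i "$lan" --icmp-type echo-request -j ACCEPT
    done

    # --- FORWARD: routed traffic ---
    $ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Same semantics as the post: anything from a LAN interface is forwarded,
    # which also allows eth1 <-> eth2 traffic.
    for lan in $LANS; do
        $ipt -A FORWARD -i "$lan" -j ACCEPT
    done
    $ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Policies last, once the accept rules are in place. FORWARD is also
    # set to DROP (the post leaves it at ACCEPT), so nothing arriving on
    # eth0 is routed inward unless a rule above allows it.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
}

if [ "${1:-}" = "--apply" ]; then
    # Needs root; enables routing and loads the rules.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules iptables
else
    fw_rules dry
fi
```

After loading, `ping` from the router itself should work again because the reply now matches the ESTABLISHED entry that the outgoing echo request created; `iptables -L INPUT -v -n` will show the packet counter on the conntrack rule increasing. OUTPUT is deliberately left at ACCEPT, matching the state David reports, so the fix does not depend on adding OUTPUT rules.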