[plug] masq script
Ryan
ryan at is.as.geeky.as
Thu Dec 18 09:08:47 WST 2003
On Thu, 2003-12-18 at 08:54, Adam Hewitt wrote:
> On 17/12/2003, at 5:29 PM, smclevie wrote:
>
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I may be wrong but this looks like your problem. If you are pinging
> from your WinXP machine through the firewall to the internet, then this
> would be a 'new' connection, not established and not related and
> therefore dropped.
>
> Mind you I haven't really been following this thread, and it was after
> a quick look through your config, so I may be off track.
Likewise, I've been ignoring this thread ... but that line is correct if
you specify a direction and then accept everything in the reverse. I'm
at work now with my limited plug archives, so this might have already
been covered - but it looks like maybe it wasn't.
My usage of it contains out->in interfaces, then an in->out accept for
everything:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
Up to you, NEW would certainly do it but I've more commonly seen the
above representation of it - probably for manageability and granularity
of lock-down reasons.
Ryan
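To see why the lone ESTABLISHED,RELATED rule breaks an outbound ping while Ryan's direction-specific pair (or the explicit NEW variant) fixes it, here is a toy model of the FORWARD chain plus connection tracking. It is an added example, not code from anyone in this thread; the interface names, addresses, the three sample packets and the assumed FORWARD policy of DROP are constructed to mirror the scenario (a LAN host pinging out through a masquerading gateway). RELATED tracking and NAT address rewriting are deliberately not modelled.

```python
"""Toy model of the netfilter FORWARD chain plus connection tracking.

Added example, not code from the mailing-list thread. Interface names,
addresses and the three sample packets are assumptions chosen to mirror the
discussion: a LAN host pinging out through a masquerading gateway. RELATED
(ICMP errors, FTP data channels) and NAT address rewriting are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

EXTIF = "eth0"  # assumed external (Internet) interface
INTIF = "eth1"  # assumed internal (LAN) interface


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str


@dataclass(frozen=True)
class Rule:
    """One `iptables -A FORWARD ...` rule; None means that match is not given."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    states: Optional[FrozenSet[str]] = None  # the -m state --state set


class Conntrack:
    """Flows keyed by (src, dst, proto) in the direction of their first packet."""

    def __init__(self) -> None:
        self.flows: set = set()

    def state_of(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.dst, pkt.proto)
        rev = (pkt.dst, pkt.src, pkt.proto)
        # Either direction of a known flow is ESTABLISHED; a first packet is NEW.
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def confirm(self, pkt: Packet) -> None:
        # Only packets that survive the chain leave an entry behind; a dropped
        # first packet leaves nothing for the reply to match against.
        self.flows.add((pkt.src, pkt.dst, pkt.proto))


def forward(rules: List[Rule], policy: str, ct: Conntrack, pkt: Packet) -> str:
    """Walk the chain top to bottom, first match wins, else the chain policy."""
    state = ct.state_of(pkt)
    verdict = policy
    for r in rules:
        if r.in_if is not None and r.in_if != pkt.in_if:
            continue
        if r.out_if is not None and r.out_if != pkt.out_if:
            continue
        if r.states is not None and state not in r.states:
            continue
        verdict = r.target
        break
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return verdict


# Constructed traffic: LAN host 192.168.1.10 pings 198.51.100.7, the echo reply
# comes back, then an unrelated outside host tries to open TCP into the LAN.
PING_OUT = Packet(INTIF, EXTIF, "192.168.1.10", "198.51.100.7", "icmp")
PING_BACK = Packet(EXTIF, INTIF, "198.51.100.7", "192.168.1.10", "icmp")
UNSOLICITED = Packet(EXTIF, INTIF, "203.0.113.9", "192.168.1.10", "tcp")


def run(rules: List[Rule], policy: str = "DROP") -> Dict[str, str]:
    """Push the three packets through a fresh conntrack table, in order."""
    ct = Conntrack()
    return {
        "ping-out": forward(rules, policy, ct, PING_OUT),
        "ping-back": forward(rules, policy, ct, PING_BACK),
        "unsolicited-in": forward(rules, policy, ct, UNSOLICITED),
    }


# The single rule quoted from smclevie's script: nothing ever becomes ESTABLISHED.
ONLY_ESTABLISHED = [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))]

# Ryan's pair: replies ext->int, anything int->ext.
DIRECTIONAL = [
    Rule("ACCEPT", in_if=EXTIF, out_if=INTIF, states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", in_if=INTIF, out_if=EXTIF),
]

# The NEW variant Ryan mentions: same effect, state made explicit.
EXPLICIT_NEW = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", in_if=INTIF, out_if=EXTIF, states=frozenset({"NEW"})),
]

if __name__ == "__main__":
    for name, rules in [("only ESTABLISHED,RELATED", ONLY_ESTABLISHED),
                        ("directional", DIRECTIONAL),
                        ("explicit NEW", EXPLICIT_NEW)]:
        print(f"{name:26s} {run(rules)}")
```

With only the ESTABLISHED,RELATED rule, the outbound echo request is NEW, falls through to the DROP policy and never creates a conntrack entry, so the reply is also NEW and is dropped too. Both of the other rulesets accept the request, which makes the reply ESTABLISHED, while still dropping the unsolicited inbound connection.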