Iptables Forwarding problem

Posted by ankit on Server Fault
Published on 2011-02-11T14:46:31Z Indexed on 2011/02/11 15:26 UTC

Hi all,

I had initially asked a question about setting up my Linux box for NATting for my home network and was given suggestions in the thread here. I did not want to clutter the old question, so I am starting a new one here.

Based on the earlier suggestions, I have come up with the following rules:

*nat
:PREROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [12:860]
:POSTROUTING ACCEPT [3:228]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [3:228]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

If you notice, I do have the proper MASQUERADE rule and the proper FORWARD filter rule as well. However, I am facing two problems:

  1. On the Linux box itself, DNS resolving is not working.
  2. The LAN clients connected to the Linux box are still not able to get to the Internet. When I ping something from them, I see the DROP count in the iptables INPUT rule increasing.

Now my question is: when I am pinging something from the LAN client, how come it is being matched by the INPUT chain?! Should it not be in the FORWARD chain?

Chain INPUT (policy DROP 20 packets, 2314 bytes)
 pkts bytes target     prot opt in     out     source               destination
   99  9891 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:https
  122  9092 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh

Thanks,
ankit

© Server Fault or respective owner
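The following is an added example, not code from the question or from any answer on the page. It is a small Python model of how netfilter decides which filter chain a packet traverses (INPUT when the destination is one of the box's own addresses, FORWARD otherwise, OUTPUT for locally generated traffic) and then evaluates the poster's filter rules, plus a stateful variant of my own using `-m conntrack --ctstate ESTABLISHED,RELATED`, against the traffic the question describes. Only the filter table is modelled: the nat table is ignored, so replies to forwarded traffic are written already de-NATed. All addresses are assumptions (eth0 = 203.0.113.10 on the Internet side, eth1 = 192.168.1.1 on the LAN side, an external resolver at 198.51.100.53, a LAN client at 192.168.1.50), as is the idea that the LAN client sends its DNS queries to the box itself, which is one way a LAN client's packets end up in INPUT rather than FORWARD.

```python
"""Toy model of netfilter chain selection and filter-rule matching.

Constructed example, not from the Server Fault post. The nat table is not
modelled, so forwarded replies appear here already de-NATed. Addresses,
interfaces and the resolver 198.51.100.53 are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

LOCAL_ADDRS = {"127.0.0.1", "203.0.113.10", "192.168.1.1"}  # assumed box addresses


@dataclass(frozen=True)
class Packet:
    in_iface: str          # "" for locally generated packets
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0         # 0 for icmp
    dport: int = 0
    out_iface: str = ""    # filled by routing; "" when delivered locally


@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: Optional[str] = None     # -i
    out_iface: Optional[str] = None    # -o
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    established: bool = False          # -m conntrack --ctstate ESTABLISHED,RELATED

    def matches(self, pkt, ct):
        return ((self.in_iface is None or pkt.in_iface == self.in_iface)
                and (self.out_iface is None or pkt.out_iface == self.out_iface)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (not self.established or ct.is_reply(pkt)))


class Conntrack:
    """Minimal flow table: accepted packets are remembered so that the
    reverse direction can later be recognised as ESTABLISHED."""
    def __init__(self):
        self.flows = set()

    def record(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def is_reply(self, p):
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows


def filter_packet(ruleset, pkt, ct, ip_forward=True, locally_generated=False):
    """Return (chain, verdict). Destination local -> INPUT, else FORWARD;
    with net.ipv4.ip_forward=0 the packet is dropped at routing, before
    any FORWARD rule or counter is touched."""
    if locally_generated:
        chain = "OUTPUT"
    elif pkt.dst in LOCAL_ADDRS:
        chain = "INPUT"
    elif ip_forward:
        chain = "FORWARD"
    else:
        return ("ROUTING", "DROP")
    policy, rules = ruleset[chain]
    verdict = next((r.target for r in rules if r.matches(pkt, ct)), policy)
    if verdict == "ACCEPT":
        ct.record(pkt)
    return (chain, verdict)


# The poster's filter table, transcribed from the question.
ORIGINAL = {
    "INPUT": ("DROP", [Rule("ACCEPT", in_iface="lo"),
                       Rule("ACCEPT", in_iface="eth0", proto="icmp"),
                       Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=80),
                       Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=443),
                       Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=22)]),
    "FORWARD": ("DROP", [Rule("ACCEPT", in_iface="eth1", proto="icmp"),
                         Rule("ACCEPT", in_iface="eth1", proto="tcp", dport=80),
                         Rule("ACCEPT", in_iface="eth1", proto="tcp", dport=443)]),
    "OUTPUT": ("DROP", [Rule("ACCEPT", proto="icmp"), Rule("ACCEPT")]),
}

# Stateful variant (my suggestion, not from the page): replies are admitted
# by conntrack state, and LAN-side ping/DNS to the box itself is allowed.
STATEFUL = {
    "INPUT": ("DROP", [Rule("ACCEPT", in_iface="lo"),
                       Rule("ACCEPT", established=True),
                       Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=22),
                       Rule("ACCEPT", in_iface="eth1", proto="icmp"),
                       Rule("ACCEPT", in_iface="eth1", proto="udp", dport=53)]),
    "FORWARD": ("DROP", [Rule("ACCEPT", established=True),
                         Rule("ACCEPT", in_iface="eth1", out_iface="eth0", proto="icmp"),
                         Rule("ACCEPT", in_iface="eth1", out_iface="eth0", proto="tcp", dport=80),
                         Rule("ACCEPT", in_iface="eth1", out_iface="eth0", proto="tcp", dport=443),
                         Rule("ACCEPT", in_iface="eth1", out_iface="eth0", proto="udp", dport=53)]),
    "OUTPUT": ("ACCEPT", []),
}


def run_scenarios(ruleset):
    """Replay the traffic the question describes; returns {name: (chain, verdict)}."""
    ct, out = Conntrack(), {}
    # 1. The box resolves a name: query leaves via OUTPUT, reply arrives on eth0.
    query = Packet("", "udp", "203.0.113.10", "198.51.100.53", 40001, 53, "eth0")
    out["box_dns_query"] = filter_packet(ruleset, query, ct, locally_generated=True)
    out["box_dns_reply"] = filter_packet(
        ruleset, Packet("eth0", "udp", "198.51.100.53", "203.0.113.10", 53, 40001), ct)
    # 2. LAN client pings an Internet host; the echo reply comes back de-NATed.
    echo = Packet("eth1", "icmp", "192.168.1.50", "198.51.100.1", out_iface="eth0")
    out["lan_ping"] = filter_packet(ruleset, echo, ct)
    out["lan_ping_reply"] = filter_packet(
        ruleset, Packet("eth0", "icmp", "198.51.100.1", "192.168.1.50", out_iface="eth1"), ct)
    # 3. LAN client sends DNS to the gateway: destination is local, so INPUT.
    out["lan_dns_to_box"] = filter_packet(
        ruleset, Packet("eth1", "udp", "192.168.1.50", "192.168.1.1", 5353, 53), ct)
    # 4. Same ping with ip_forward disabled: it never reaches FORWARD at all.
    out["lan_ping_no_forward"] = filter_packet(ruleset, echo, ct, ip_forward=False)
    return out


if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("stateful", STATEFUL)):
        print(name)
        for k, v in run_scenarios(rs).items():
            print(f"  {k:22s} -> {v[0]:8s} {v[1]}")
```

Under the transcribed rules the model reproduces both symptoms: the box's own DNS reply arrives on eth0 as UDP and hits the INPUT policy DROP (no rule admits it, and OUTPUT being open does not help inbound), the LAN client's echo reply is dropped in FORWARD because every FORWARD rule requires `-i eth1`, and any LAN packet addressed to the box itself (here, a DNS query to the gateway) is INPUT traffic regardless of interface, which is one explanation for a rising INPUT DROP counter. The stateful variant accepts all of these, and the `ip_forward=False` case shows why checking `net.ipv4.ip_forward` is worth doing before reading chain counters.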
