Iptables Forwarding problem
- by ankit
Hi all,
I had initially asked a question about setting up my Linux box for NATting for my home network and was given suggestions in the thread here. I did not want to clutter the old question, so I am starting a new one here.
Based on the earlier suggestions, I have come up with the following rules:
*nat
:PREROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [12:860]
:POSTROUTING ACCEPT [3:228]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [3:228]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
If you notice, I do have the proper MASQUERADE rule and the proper FORWARD filter rule as well.
However, I am facing 2 problems:
On the Linux box itself, DNS resolving is not working.
The LAN clients connected to the Linux box are still not able to get to the Internet. When I ping something from them, I see the DROP count of the iptables INPUT chain increasing.
Now my question is: when I am pinging something from the LAN client, how come it is being matched by the INPUT chain? Shouldn't it be in the FORWARD chain?
Chain INPUT (policy DROP 20 packets, 2314 bytes)
 pkts bytes target prot opt in   out source   destination
   99  9891 ACCEPT all  --  lo   any anywhere anywhere
    0     0 ACCEPT icmp --  eth0 any anywhere anywhere
    0     0 ACCEPT tcp  --  eth0 any anywhere anywhere tcp dpt:http
    0     0 ACCEPT tcp  --  eth0 any anywhere anywhere tcp dpt:https
  122  9092 ACCEPT tcp  --  eth0 any anywhere anywhere tcp dpt:ssh
Thanks, ankit
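Added example, not part of ankit's post: a stateful version of the same NAT-gateway ruleset, in iptables-restore format, that fills in the pieces the posted rules leave out. The posted filter table accepts nothing by connection state, so replies to the box's own DNS queries arriving on eth0 are dropped by the INPUT policy, and replies to LAN clients' traffic arriving on eth0 are dropped by the FORWARD policy; the FORWARD chain also never allows UDP/53 out, and nothing enables net.ipv4.ip_forward, without which the FORWARD chain never sees a packet. One more thing to keep in mind when reading counters: if the LAN clients use the gateway as their DNS resolver, their queries are addressed to the box itself and traverse INPUT (on eth1), not FORWARD, so the example opens port 53 on eth1 for that case. The LAN subnet 192.168.1.0/24 is an assumption (the post only gives the interface names); everything else follows the post's eth0 = uplink, eth1 = LAN layout.

```shell
#!/bin/sh
# Added example (not the poster's rules): a stateful NAT-gateway ruleset
# in iptables-restore format. Assumes eth0 = WAN/uplink, eth1 = LAN and
# a LAN subnet of 192.168.1.0/24 (the subnet is an assumption; the post
# gives only the interface names).
set -eu

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24   # assumption: not stated in the post

# Emit the complete ruleset on stdout (iptables-restore ignores '#' lines).
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only packets that really come from the LAN subnet.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to anything the box itself sent (e.g. DNS answers on UDP/53)
# are accepted by state, so no per-protocol reply rules are needed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN_IF -p icmp -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -j ACCEPT
# LAN clients that use this box as their resolver talk to INPUT, not FORWARD.
-A INPUT -i $LAN_IF -p icmp -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
# FORWARD: return traffic by state, then LAN -> WAN for the allowed services.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p icmp -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 53,80,443 -j ACCEPT
COMMIT
EOF
}

# Apply the ruleset (needs root). Forwarding must be enabled in the kernel,
# otherwise routed packets are discarded before the FORWARD chain runs.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    ruleset | iptables-restore
}

# Count generated rule lines matching a pattern (handy for sanity checks).
count_rules() {
    ruleset | grep -c -- "$1"
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh nat-gateway.sh apply` on the gateway; running it with no argument does nothing, and `ruleset` alone prints the file so it can be reviewed or diffed against `iptables-save` first. On iptables builds too old for the conntrack match, `-m state --state ESTABLISHED,RELATED` is the equivalent. After applying, `iptables -nvL FORWARD` from a LAN client's ping should show the state rule's counters moving on the return path; if only the INPUT counters move, the traffic is addressed to the box itself.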