[H-GEN] weird iptables problem

[Russell Stuart]

[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Wed, 2003-04-23 at 08:52, Johann wrote:
> However when I start iptables, even with a default setting only for 
> masquerading, and all policies set to accept, from the gateway machine I 
> can no longer ping eth0, eth1 or lo, but I can ping any other valid 
> address, sendmail is no longer accessable from the gateway machine 
> (error message just indicates that the email client is being denied 
> access to the sendmail port. I'm not too sure about the internal network 
> at this stage as I can't get access to a machine to test it).
> 
>  The error I get when pinging is:
> 
> ping: sendmsg: Operation not permitted
> 
> which seems to me that iptables is filtering and dropping the packets.
> 
> In case I had accidently added something to the ruleset, I cut things 
> down to the following rules, which should allow everything and set up 
> masquerading
> 
> /sbin/iptables -F
> /sbin/iptables -F -t nat
> /sbin/iptables -X
> 
> followed by
> 
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth0 -j ACCEPT
> 
> eth0 is the internal interface and eth1 is the external interface.

Johann,

You are masquerading incoming packets are well as outgoing ones.  I
don't have time to give a full explanation of why this is bad, so for
now if you just insert this rule before the -j MASQUERADE one you should
be OK:

/sbin/iptables -t nat -A POSTROUTING -s ! <internal-network> -j ACCEPT

eg, if you are using IP addresses 192.168.10.0 .. 192.168.10.255 for
your internal network, then this is what you would want:

/sbin/iptables -t nat -A POSTROUTING -s ! 192.168.10.0/8 -j ACCEPT


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/