John Engelbrecht wrote:
> Yeah, I know, you all think FreeBSD's NATd is better, with which I agree.
> But in this case, there is no option to use FreeBSD, not for this guy.
>
> The Question is
> with kernel 2.4.18, and iptables version 1.2.6a
> how do you fix it where workstations behind linux
> can only connect to the web page ports, port 80 and what? 125?
> I have a friend that needs to know this info.
Note that this is just for the forwarding chain.
Make sure forwarding is turned on in the kernel, of course:
echo 1 > /proc/sys/net/ipv4/ip_forward
First, block everything:
iptables -P FORWARD DROP
Then, just let through port 80 for http:
iptables -A FORWARD -p TCP --dport 80 -j ACCEPT
And port 443 for https:
iptables -A FORWARD -p TCP --dport 443 -j ACCEPT
And then forward the responses from the webserver:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
That should do it. If you need NAT set up, add this rule:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This is pretty much like ipchains' old masquerading. If you want
something a bit more exotic, there are some great HOWTOs at
netfilter.samba.org.
Ian
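The same web-only forwarding policy as an added example, not from the post above: it emits the rules in iptables-restore format so the ruleset can be reviewed and checked without root before loading, and it tightens the reply's rules by tying new connections to the inside interface and to the NEW state. Assumed interface names: eth1 is the LAN side and eth0 is the outside (the same interface the MASQUERADE rule above uses); both are placeholders.

```shell
#!/bin/sh
# Assumed interfaces (placeholders): eth1 = workstations, eth0 = upstream.
LAN="${LAN:-eth1}"
WAN="${WAN:-eth0}"

# Print the complete ruleset. Default policy is DROP, replies to already
# permitted flows are accepted, and only NEW TCP connections from the LAN
# to ports 80 and 443 may leave. 'iptables-restore' loads it atomically.
web_only_ruleset() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN -p tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Number of rules that admit NEW connections; anything beyond the two web
# rules means the policy has grown wider than intended.
count_new_accepts() {
    web_only_ruleset | grep -c -e '--state NEW -j ACCEPT'
}

# Review checks that need no root: default deny is present, every rule that
# opens a connection is state-matched, and no NEW-accepting rule targets a
# port other than 80 or 443. Returns 0 when all three hold.
check_ruleset() {
    out=$(web_only_ruleset)
    echo "$out" | grep -q -e '^:FORWARD DROP' || return 1
    echo "$out" | grep -q -e 'state NEW' || return 1
    ! echo "$out" | grep -v -e '--dport 80 ' | grep -v -e '--dport 443 ' \
        | grep -q -e '--state NEW -j ACCEPT'
}

# Loading is a separate, deliberate step (root required).
load_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    web_only_ruleset | iptables-restore
}
```

Because only TCP 80 and 443 are forwarded, name resolution has to come from a resolver on the LAN side; otherwise browsing by hostname fails even though the web ports are open.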
--
To unsubscribe, go to http://mlug.missouri.edu/members/edit.php
Archives are available at http://mlug.missouri.edu/list-archives/