From: Bart
Subject: Re: Newbie question
Date: Tue, 10 Dec 2002 14:09:20 +0100
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <3DF5E780.8080802@myland.org>
To: Net Filter
Glen Spidal wrote:
> What IPTables commands do I need to issue in a script to allow port 25
> and 110 (email) to work. See attached PDF file.
Can't you set up the Windows 2000 Pro as a client, and use Linux as the main router?

Otherwise you need to do:

1) add a destination (192.168.254.X) -> gateway (192.168.0.47) route on the Windows PC for each client PC;
since the client IPs are dynamic, this is impractical.
OR
2) enable MASQUERADING on the Linux box
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


In both cases enable ip_forwarding on the Linux box.
echo "1" > /proc/sys/net/ipv4/ip_forward

This of course doesn't matter for HTTP if you use a proxy, but anything else
won't work without one of the two mentioned above.

Then you can add some rules like:
  # chain names and policies are case-sensitive; port matches need -p tcp and the long --sport/--dport options
  iptables -P FORWARD DROP

  iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT

  iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 110 -j ACCEPT


The ip of eth0 (192.168.254.250) is the same as the dhcp-server (192.168.254.250) which
doesn't make sense (to me).

(eth0 = connected to Windows, eth1 = connected to switch)

HTH
greetz
B.Mermuys
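The forwarding, masquerading and port-25/110 rules from the reply above, pulled together into one script as an added example (not code from the original mail). It prints the rules by default and applies them only when APPLY=1; the interface names, the 192.168.0.0/24 client subnet and the use of ESTABLISHED,RELATED for the return path are assumptions based on the thread's layout.

```shell
#!/bin/sh
# Added example: build the FORWARD/NAT rules for SMTP (25) and POP3 (110)
# for a Linux router between a Windows box (eth0) and a client switch (eth1).
WAN_IF="${WAN_IF:-eth0}"                 # towards the Windows box / upstream
LAN_IF="${LAN_IF:-eth1}"                 # towards the switch with the clients
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # assumed client subnet (gateway 192.168.0.47)
PORTS="${PORTS:-25 110}"

# Print the iptables command lines, one per line, in the order they must run.
gen_rules() {
    wan=$1; lan=$2; net=$3; ports=$4
    # Default deny: anything not explicitly allowed is not routed.
    echo "iptables -P FORWARD DROP"
    # Replies to connections the clients opened come back as ESTABLISHED;
    # RELATED additionally admits ICMP errors that belong to those flows.
    echo "iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        # Only hosts on the LAN may open new TCP connections to the mail ports.
        echo "iptables -A FORWARD -i $lan -o $wan -s $net -p tcp --dport $p -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # Rewrite the clients' private source addresses as traffic leaves via $wan.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE"
}

# Number of rules gen_rules emits for a given port list (self-check helper).
rule_count() {
    gen_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$1" | wc -l | tr -d ' '
}

apply_rules() {
    # Forwarding is off by default; without it nothing in FORWARD ever matches.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$PORTS" | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    gen_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$PORTS"
fi
```

Run it without APPLY to review the generated rules first; with `APPLY=1` as root it enables forwarding and loads them.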