For some reason I can't make a connection to the external mail server from inside the LAN, not even from the 10.0.0.3 address, which should be allowed to do anything. Everything used to work when I used MASQUERADE but stopped once I switched to SNAT. Can anybody help me? What am I doing wrong?
What you are doing wrong is changing working things. The following works perfectly (eth1: WAN, eth0: LAN):
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth1 -j MASQUERADE
The thing is, I don't want to allow all my local machines to access the net. Only selected services (POP3S, DNS, and SMTPS) are allowed, although there are exceptions like 10.0.0.3. Additionally, my ISP limits the amount of traffic from one IP. I have 5 public addresses and I want to round-robin them so that traffic gets distributed across the IPs.
What is this? -A INPUT -i eth1 -j ACCEPT
That allows local packets from the LAN (eth1) into the server.
On 09.03.2012 04:22, nullv@gmx.com wrote:
What you are doing wrong is changing working things. The following works perfectly (eth1: WAN, eth0: LAN):
iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth1 -j MASQUERADE
The thing is, I don't want to allow all my local machines to access the net. Only selected services (POP3S, DNS, and SMTPS) are allowed, although there are exceptions like 10.0.0.3. Additionally, my ISP limits the amount of traffic from one IP. I have 5 public addresses and I want to round-robin them so that traffic gets distributed across the IPs.
Hm, OK, that's a different story, but after reading your original post: why did you not mention what you would like to do?
Usually nobody will read your rules and start imagining your intention, especially if your rules do not work.
To disallow it completely on a machine, I would remove the gateway on the client.
What is this? -A INPUT -i eth1 -j ACCEPT
That allows local packets from the LAN (eth1) into the server.
This is a very, very bad idea. What happens if an unwanted service is started by accident?
As long as you do not care about your server's security in the internal network, in my opinion the policy above is not a topic; network security generally starts at the most vulnerable machines.
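The ruleset the asker describes (LAN hosts limited to DNS, POP3S and SMTPS, one exempt host, and outbound traffic spread over five public addresses by SNAT) together with a narrower INPUT chain than the blanket "-A INPUT -i eth1 -j ACCEPT" the last reply objects to, written out as an added example; this is not code from the thread or from any poster. Assumptions: LAN on eth0 = 10.0.0.0/24, WAN on eth1 (the posters' own interface naming differs), the exempt host 10.0.0.3, public addresses 203.0.113.10 to 203.0.113.14 (a documentation range standing in for the real ones), SSH as the only service the LAN may reach on the box itself, and all five public addresses already bound to eth1 with "ip addr add". By default it only prints the iptables commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. See the assumptions above; the addresses
# and interfaces are stand-ins. IPT="echo iptables" prints the commands (dry run);
# IPT=iptables applies them.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=10.0.0.0/24
TRUSTED_HOST=10.0.0.3
PUBLIC_FIRST=203.0.113.10
PUBLIC_LAST=203.0.113.14
IPT=${IPT:-"echo iptables"}

build_rules() {
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # INPUT: loopback, replies to what the box itself opened, and SSH from the LAN.
    # Replaces a blanket "-A INPUT -i <lan> -j ACCEPT": a service started by
    # accident is not reachable from the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # FORWARD: replies to connections the LAN opened come back in.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The exempt host may open anything.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$TRUSTED_HOST" -j ACCEPT
    # Everyone else: DNS (UDP and TCP 53), POP3S (995) and SMTPS (465) only.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    for port in 53 995 465; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
    done

    # POSTROUTING: SNAT to the whole range; the kernel picks one address of the
    # range per connection, so the LAN is spread over the five public IPs.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT \
        --to-source "$PUBLIC_FIRST-$PUBLIC_LAST"

    # Default deny last, so an SSH session used to apply this keeps its
    # ESTABLISHED rule before the policy flips.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

# Checks that run without root against the dry-run output.
count_forward_accepts() {
    build_rules | grep -c -- '-A FORWARD .* -j ACCEPT'
}
snat_rule() {
    build_rules | grep -- '-j SNAT'
}

build_rules
```

Two things to verify after applying it: every address in the range must be configured on the WAN interface (otherwise the box never answers ARP for it and replies to SNATed connections are lost, where MASQUERADE, which uses the interface's primary address, works), and the upstream must actually route all five addresses to this box. Whether traffic really spreads across the range can be seen in the translated source addresses listed by conntrack -L (from conntrack-tools).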