Re: [squid-users] operation not permitted

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 28 Dec 2003 23:32:48 +0100 (CET)

The only traffic you ever allow out on ppp0 is SSH. No other traffic is
allowed...

I would recommend that you look over what the purpose of your firewall rules
is.

Regards
Henrik

On Sun, 28 Dec 2003, Vincent GAUVIN wrote:

> Henrik Nordstrom wrote:
> > Your INPUT and OUTPUT rules look a little odd.. but as you did not
> > include the full ruleset it is hard to tell.. (iptables -L only gives
> > a summary of the rules.. it is better to use iptables-save)
>
> Thanks a lot, Henrik, for taking an interest in my problem :-)
>
> Here are my iptables rules (eth0 192.168.200.1/16 - eth1 10.0.0.1 on
> ADSL-modem ethernet - workstations are on 192.168.200.10 to 60/16)
> Best regards
> Vincent
>
> #!/bin/sh
> #
> #############################################
>
> # Flush the chains
> iptables -F
>
> # Delete any custom chains
> iptables -X
>
> # Default policy set to DROP
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # Same for the nat and mangle tables, but their default policy is ACCEPT
> iptables -t nat -F
> iptables -t nat -X
>
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
>
> # The server itself is trusted
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # The LAN is trusted
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A OUTPUT -o eth0 -j ACCEPT
>
> # Open SSH
> iptables -A INPUT -p tcp --dport 22 -i ppp0 -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 22 -o ppp0 -j ACCEPT
>
> # Set up NAT for everything that crosses the gateway
> # and leaves through ppp0
> # (the LAN is on 192.168.0.0)
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -o ppp0 -j MASQUERADE
>
> iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
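An added example, not from the thread: it reads an iptables-save dump (the form Henrik asks for) and reports what the filter OUTPUT chain accepts on a given interface, which is exactly how the "only SSH out on ppp0" finding above can be checked. The two dumps are constructed here: one mirrors the quoted ruleset, the other is a stateful variant that lets the gateway itself open connections on ppp0 and receive the replies, as a proxy running on it would need; locally generated packets that OUTPUT drops are returned to the sending process as EPERM, the "operation not permitted" in the subject.

```python
# Constructed iptables-save excerpt (filter table) mirroring the quoted ruleset.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp --sport 22 -j ACCEPT
COMMIT
"""
# Stateful variant: the gateway itself may open connections on ppp0 and get replies.
FIXED_DUMP = SAMPLE_DUMP.replace(
    "-A OUTPUT -o ppp0 -p tcp -m tcp --sport 22 -j ACCEPT",
    "-A OUTPUT -o ppp0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n"
    "-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT")
MATCH_OPTS = ("-i", "-o", "-p", "-s", "-d", "--sport", "--dport", "--state", "-j")

def parse_filter(dump):
    """Return (chain policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            tokens = line.split()  # no quoted arguments (e.g. --comment) in these dumps
            rule = {"chain": tokens[1]}
            for i, tok in enumerate(tokens[:-1]):
                if tok in MATCH_OPTS:
                    rule[tok] = tokens[i + 1]
            rules.append(rule)
    return policies, rules

def egress_summary(dump, iface):
    """Describe what OUTPUT accepts on iface; anything else falls to the chain policy."""
    policies, rules = parse_filter(dump)
    accepted = []
    for r in rules:
        if r["chain"] != "OUTPUT" or r.get("-j") != "ACCEPT" or r.get("-o", iface) != iface:
            continue  # other chain, non-ACCEPT target, or bound to another interface
        desc = r.get("-p", "any")
        for opt in ("--sport", "--dport", "--state"):
            if opt in r:
                desc += " %s %s" % (opt.lstrip("-"), r[opt])
        accepted.append(desc)
    return {"policy": policies.get("OUTPUT", "ACCEPT"), "accepted": accepted,
            "stateful": any("ESTABLISHED" in d for d in accepted)}
```

On the quoted ruleset the summary for ppp0 is policy DROP with only "tcp sport 22" accepted and no stateful rule, so any client connection the gateway itself opens on ppp0 is dropped; the stateful variant reports an ESTABLISHED match instead.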
Received on Sun Dec 28 2003 - 15:32:56 MST

This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:27 MST