[Firewall] Can't get NAT - Masquerading to work....

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Thu Oct 26 13:16:24 MDT 2006


Could you also provide us with a dump of 'ifconfig' + anything shown in 
your firewall logs (ie. dropped packets)? For now you could try to set 
"SET_MSS=0" and/or "NO_PMTU_DISCOVERY=1".

Please let us know your findings and provide us with the additional 
information as requested....

a.

mombasa wrote:
>  
> I'm a Linux novice and I am trying to build an internet gateway for a
> network of Windows XP Pro clients.
>
> I used the latest Suse Linux Distro (I believe v10.1).
> When I configure the firewall and masquerading with the Suse Yast tool,
> everything works fine and my Windows XP Pro clients can access the
> internet through the Linux gateway machine.
>
> Because I would like to tighten security, I would like to use Arno's
> Firewall script instead.
>
> I've made only minimal changes to the config file to try to get the
> masquerading running, but I can't seem to get it to work.
> When I run the script I can still access the internet from the Linux box,
> but my XP Pro clients lose their internet connection.
> I've read all the FAQs and browsed through the mailing list and I don't
> see what I'm doing wrong.
>  
> It will probably be something stupid of me.
>  
> I hope somebody can help me because it is driving me nuts...
>  
> Here is the config file and the result of running this config file:
>  
>  
> ###############################################################################
> # You should put this config-file in /etc/arno-iptables-firewall/             #
> ###############################################################################
> 
> IPTABLES="/usr/sbin/iptables"
>  
> ###############################################################################
> # External (internet) interface settings                                      #
> ###############################################################################
>  
> 
> EXT_IF="ppp+"
> 
> EXT_IF_DHCP_IP=1
>  
> 
> EXTERNAL_NET=""
>  
> 
> EXT_NET_BCAST_ADDRESS=""
>  
> 
> EXTERNAL_DHCP_SERVER=0
>  
> 
> ###############################################################################
> # Internal (LAN) interface settings                                           #
> ###############################################################################
>  
> 
> INT_IF="eth0"
>  
> 
> INTERNAL_NET="192.168.10.0/24"
>  
> 
> INT_NET_BCAST_ADDRESS=""
>  
> 
> 
> ###############################################################################
> # DMZ (aka DeMilitarized Zone) settings                                       #
> ###############################################################################
>  
> 
> DMZ_IF=""
>  
> 
> DMZ_NET=""
>  
> 
> ###############################################################################
> # NAT (Masquerade, SNAT, DNAT) settings                                       #
> ###############################################################################
>  
> 
> NAT=1
>  
> 
> NAT_INTERNAL_NET="$INTERNAL_NET"
>  
> NAT_TCP_FORWARD=""
> NAT_UDP_FORWARD=""
> NAT_IP_FORWARD=""
>  
> 
> ###############################################################################
> # (ADSL) Modem settings                                                       #
> ###############################################################################
>  
> 
> MODEM_IF="eth1"
>  
> 
> MODEM_INTERNAL_NET=$INTERNAL_NET
>  
> 
> ###############################################################################
> # General settings                                                            #
> ###############################################################################
>  
> 
> DMESG_PANIC_ONLY=1
> 
> MANGLE_TOS=1
>  
> 
> SET_MSS=1
>  
> 
> TTL_INC=0
>  
> 
> RESOLV_IPS=0
> 
> USE_IRC=0
>  
> 
> LOOSE_FORWARD=0
>  
> 
> DROP_PRIVATE_ADDRESSES=0
>  
> 
> DRDOS_PROTECT=0
>  
> 
> IPV6_SUPPORT=0
>  
> 
> NMB_BROADCAST_FIX=0
>  
> 
> TRUSTED_IF=""
>  
> INT_IF_TRUST=""
>  
> 
> CUSTOM_RULES=/etc/arno-iptables-firewall/custom-rules
>  
> 
> ###############################################################################
> # Logging options - All logging is rate limited to prevent log flooding       #
> ###############################################################################
>  
> # Enable logging for explicitly blocked hosts.
> # -----------------------------------------------------------------------------
> BLOCKED_HOST_LOG=1
>  
> # Enable logging for various stealth scans (reliable).
> # -----------------------------------------------------------------------------
> SCAN_LOG=1
>  
> # Enable logging for possible stealth scans (less reliable).
> # -----------------------------------------------------------------------------
> POSSIBLE_SCAN_LOG=0
>  
> # Enable logging for TCP-packets with bad flags.
> # -----------------------------------------------------------------------------
> BAD_FLAGS_LOG=0
>  
> 
> INVALID_PACKET_LOG=0
>  
> # Enable logging of source IP's with reserved addresses.
> # -----------------------------------------------------------------------------
> RESERVED_NET_LOG=1
>  
> # Enable logging of fragmented packets.
> # -----------------------------------------------------------------------------
> FRAG_LOG=1
>  
> # Enable logging of denied local (OUTPUT) connections.
> # -----------------------------------------------------------------------------
> OUTPUT_DENY_LOG=1
>  
> # Enable logging of denied LAN output (FORWARD) connections.
> # -----------------------------------------------------------------------------
> LAN_OUTPUT_DENY_LOG=1
>  
> # Enable logging of denied LAN INPUT connections.
> # -----------------------------------------------------------------------------
> LAN_INPUT_DENY_LOG=1
>  
> # Enable logging of denied DMZ output (FORWARD) connections.
> # -----------------------------------------------------------------------------
> DMZ_OUTPUT_DENY_LOG=1
>  
> # Enable logging of denied DMZ input (FORWARD) connections.
> # -----------------------------------------------------------------------------
> DMZ_INPUT_DENY_LOG=1
>  
> # Enable logging of dropped ICMP-request packets (ping).
> # -----------------------------------------------------------------------------
> ICMP_REQUEST_LOG=1
>  
> # Enable logging of dropped "other" ICMP packets.
> # -----------------------------------------------------------------------------
> ICMP_OTHER_LOG=1
>  
> # Enable logging of normal connection attempts to privileged TCP ports.
> # -----------------------------------------------------------------------------
> PRIV_TCP_LOG=1
>  
> # Enable logging of normal connection attempts to privileged UDP ports.
> # -----------------------------------------------------------------------------
> PRIV_UDP_LOG=1
>  
> # Enable logging of normal connection attempts to unprivileged TCP ports.
> # -----------------------------------------------------------------------------
> UNPRIV_TCP_LOG=1
>  
> # Enable logging of normal connection attempts to unprivileged UDP ports.
> # -----------------------------------------------------------------------------
> UNPRIV_UDP_LOG=1
>  
> # Enable logging of normal connection attempts to "other-IP"-protocols (non
> # TCP/UDP/ICMP).
> # -----------------------------------------------------------------------------
> OTHER_IP_LOG=1
>  
> # Enable logging for ICMP flooding.
> # -----------------------------------------------------------------------------
> ICMP_FLOOD_LOG=1
>  
> # Enable logging for not-allowed MAC addresses (if used).
> # -----------------------------------------------------------------------------
> MAC_ADDRESS_LOG=1
>  
> 
>  
> 
> LOGLEVEL=info
>  
> 
> LOG_HOST_TCP_INPUT=""
> LOG_HOST_UDP_INPUT=""
> LOG_HOST_IP_INPUT=""
>  
> 
> LOG_HOST_TCP_OUTPUT=""
> LOG_HOST_UDP_OUTPUT=""
> LOG_HOST_IP_OUTPUT=""
>  
> # Put in the following variables which services you want to log incoming
> # connection attempts for.
> # -----------------------------------------------------------------------------
> LOG_TCP_INPUT=""
> LOG_UDP_INPUT=""
> LOG_IP_INPUT=""
>  
> # Put in the following variables which services you want to log outgoing
> # connection attempts for.
> # -----------------------------------------------------------------------------
> LOG_TCP_OUTPUT=""
> LOG_UDP_OUTPUT=""
> LOG_IP_OUTPUT=""
>  
> # Put in the following variable which hosts you want to log incoming connection
> # (attempts) for.
> # -----------------------------------------------------------------------------
> LOG_HOST_INPUT=""
>  
> # Put in the following variable which hosts you want to log outgoing connection
> # (attempts) to.
> # -----------------------------------------------------------------------------
> LOG_HOST_OUTPUT=""
>  
> 
> ###############################################################################
> # /proc based settings (EXPERT SETTINGS!)                                     #
> ###############################################################################
>  
> # Enable for synflood protection (through /proc/.../tcp_syncookies).
> # -----------------------------------------------------------------------------
> SYN_PROT=1
>  
> # Enable this to reduce the ability of others DOS'ing your machine.
> # -----------------------------------------------------------------------------
> REDUCE_DOS_ABILITY=1
>  
> # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
> # -----------------------------------------------------------------------------
> ECHO_IGNORE=0
>  
> # Enable to log packets with impossible addresses to the kernel log.
> # -----------------------------------------------------------------------------
> LOG_MARTIANS=0
>  
> # Only disable this if you're NOT using forwarding (required for NAT etc.) for
> # increased security.
> # -----------------------------------------------------------------------------
> IP_FORWARDING=1
>  
> # Enable if you want to accept ICMP redirect messages. Should be set to "0" in
> # case of a router.
> # -----------------------------------------------------------------------------
> ICMP_REDIRECT=0
>  
> # Enable/modify this if you want to be able to handle a larger (or smaller)
> # number of simultaneous connections. For high traffic machines I recommend to
> # use a value of at least 16384 (note that a higher value (obviously) also uses
> # more memory).
> # -----------------------------------------------------------------------------
> CONNTRACK=16384
>  
> # You may need to enable this to get some internet games to work, but note that
> # it's *less* secure.
> # -----------------------------------------------------------------------------
> LOOSE_UDP_PATCH=0
>  
> # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
> # as some routers are still not compatible with this.
> # -----------------------------------------------------------------------------
> ECN=0
>  
> 
> RP_FILTER=1
>  
> 
> SOURCE_ROUTE_PROTECTION=1
>  
> 
> LOCAL_PORT_RANGE="32768 61000"
>  
> 
> DEFAULT_TTL=64
>  
> # In most cases pmtu discovery is ok, but in some rare cases (when having
> # problems) you might want to disable it.
> # -----------------------------------------------------------------------------
> NO_PMTU_DISCOVERY=0
>  
> 
> ###############################################################################
> # (Transparent) proxy settings (EXPERT SETTINGS!)                             #
> ###############################################################################
> #HTTP_PROXY_PORT="3128"
> HTTPS_PROXY_PORT=""
> FTP_PROXY_PORT=""
> SMTP_PROXY_PORT=""
> POP3_PROXY_PORT=""
>  
> 
> ###############################################################################
> # Firewall policies for the LAN (EXPERT SETTINGS!)                            #
> ###############################################################################
>  
> ###############################################################################
> # LAN_xxx = LAN->localhost(this machine) input access rules                   #
> #                                                                             #
> # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the      #
> # default policy for this chain is accept (unless denied through              #
> # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)!                                     #
> ###############################################################################
>  
> # Enable this to allow for ICMP-requests(ping) from your LAN
> # -----------------------------------------------------------------------------
> LAN_OPEN_ICMP=1
>  
> # Put in the following variables the TCP/UDP ports or IP protocols TO
> # (remote end-point) which the LAN hosts are permitted to connect to.
> # -----------------------------------------------------------------------------
> LAN_OPEN_TCP=""
> LAN_OPEN_UDP=""
> LAN_OPEN_IP=""
>  
> # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
> # end-point) which LAN hosts are NOT permitted to connect to.
> # -----------------------------------------------------------------------------
> LAN_DENY_TCP=""
> LAN_DENY_UDP=""
> LAN_DENY_IP=""
>  
> 
> LAN_HOST_OPEN_TCP=""
> LAN_HOST_OPEN_UDP=""
> LAN_HOST_OPEN_IP=""
>  
> 
> LAN_HOST_DENY_TCP=""
> LAN_HOST_DENY_UDP=""
> LAN_HOST_DENY_IP=""
>  
> 
> ###############################################################################
> # LAN_INET_xxx = LAN->internet access rules (forward)                         #
> #                                                                             #
> # Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT      #
> # used, the default policy for this chain is accept (unless denied            #
> # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)!                   #
> ###############################################################################
>  
> # Enable this to allow for ICMP-requests(ping) for LAN->INET
> # -----------------------------------------------------------------------------
> LAN_INET_OPEN_ICMP=1
>  
> 
> LAN_INET_OPEN_TCP=""
> LAN_INET_OPEN_UDP=""
> LAN_INET_OPEN_IP=""
>  
> 
> LAN_INET_DENY_TCP=""
> LAN_INET_DENY_UDP=""
> LAN_INET_DENY_IP=""
>  
> # Put in the following variables which LAN hosts you want to allow to certain
> # hosts/services on the internet. By default all services are allowed.
> 
> LAN_INET_HOST_OPEN_TCP=""
> LAN_INET_HOST_OPEN_UDP=""
> LAN_INET_HOST_OPEN_IP=""
>  
> # Put in the following variables which DMZ hosts you want to deny to certain
> # hosts/services on the internet.
> 
> LAN_INET_HOST_DENY_TCP=""
> LAN_INET_HOST_DENY_UDP=""
> LAN_INET_HOST_DENY_IP=""
>  
> 
> ###############################################################################
> # Firewall policies for the DMZ (EXPERT SETTINGS!)                            #
> ###############################################################################
>  
> ###############################################################################
> # DMZ_xxx      = DMZ->localhost(this machine) input access rules              #
> ###############################################################################
>  
> # Enable this to allow ICMP-requests(ping) from the DMZ
> # -----------------------------------------------------------------------------
> DMZ_OPEN_ICMP=1
>  
> 
> DMZ_OPEN_TCP=""
> DMZ_OPEN_UDP=""
> DMZ_OPEN_IP=""
>  
> 
> DMZ_HOST_OPEN_TCP=""
> DMZ_HOST_OPEN_UDP=""
> DMZ_HOST_OPEN_IP=""
>  
> 
> ###############################################################################
> # INET_DMZ_xxx = Internet->DMZ access rules (forward)                         #
> #                                                                             #
> # Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are NOT      #
> # used, the default policy for this chain is accept (unless denied            #
> # through INET_DMZ_DENY_xxx and/or INET_DMZ_HOST_DENY_xxx)!                   #
> ###############################################################################
>  
> # Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
> # -----------------------------------------------------------------------------
> INET_DMZ_OPEN_ICMP=0
>  
> # Put in the following variables which INET hosts are permitted to connect to
> # certain the TCP/UDP ports or IP protocols in the DMZ.
> # -----------------------------------------------------------------------------
> INET_DMZ_OPEN_TCP=""
> INET_DMZ_OPEN_UDP=""
> INET_DMZ_OPEN_IP=""
>  
> # Put in the following variables which INET hosts are NOT permitted to connect
> # to certain the TCP/UDP ports or IP protocols in the DMZ.
> # -----------------------------------------------------------------------------
> INET_DMZ_DENY_TCP=""
> INET_DMZ_DENY_UDP=""
> INET_DMZ_DENY_IP=""
>  
> # Put in the following variables which INET hosts you want to allow to certain
> # hosts/services on the DMZ net. By default all services are allowed.
> 
> INET_DMZ_HOST_OPEN_TCP=""
> INET_DMZ_HOST_OPEN_UDP=""
> INET_DMZ_HOST_OPEN_IP=""
>  
> # Put in the following variables which INET hosts you want to deny to certain
> # hosts/services on the DMZ net.
> 
> INET_DMZ_HOST_DENY_TCP=""
> INET_DMZ_HOST_DENY_UDP=""
> INET_DMZ_HOST_DENY_IP=""
>  
> 
> ###############################################################################
> # DMZ_INET_xxx = DMZ->internet access rules (forward)                         #
> #                                                                             #
> # Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT      #
> # used, the default policy for this chain is accept (unless denied            #
> # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)!                   #
> ###############################################################################
>  
> # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
> # -----------------------------------------------------------------------------
> DMZ_INET_OPEN_ICMP=1
>  
> 
> DMZ_INET_OPEN_TCP=""
> DMZ_INET_OPEN_UDP=""
> DMZ_INET_OPEN_IP=""
>  
> 
> DMZ_INET_DENY_TCP=""
> DMZ_INET_DENY_UDP=""
> DMZ_INET_DENY_IP=""
>  
> # Put in the following variables which DMZ hosts you want to allow to certain
> # hosts/services on the internet. By default all services are allowed.
> #
> 
> DMZ_INET_HOST_OPEN_TCP=""
> DMZ_INET_HOST_OPEN_UDP=""
> DMZ_INET_HOST_OPEN_IP=""
>  
> # Put in the following variables which DMZ hosts you want to deny to certain
> # hosts/services on the internet.
> 
> DMZ_INET_HOST_DENY_TCP=""
> DMZ_INET_HOST_DENY_UDP=""
> DMZ_INET_HOST_DENY_IP=""
>  
> 
> ###############################################################################
> # DMZ_LAN_xxx  = DMZ->LAN access rules (forward)                              #
> ###############################################################################
>  
> # Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
> # -----------------------------------------------------------------------------
> DMZ_LAN_OPEN_ICMP=0
>  
> # Put in the following variables which DMZ hosts you want to allow to certain
> # hosts/services on the LAN (net).
> 
> DMZ_LAN_HOST_OPEN_TCP=""
> DMZ_LAN_HOST_OPEN_UDP=""
> DMZ_LAN_HOST_OPEN_IP=""
>  
> 
> ###############################################################################
> # Firewall policies for the external (inet) interface (default policy = drop) #
> ###############################################################################
>  
> 
> FULL_ACCESS_HOSTS=""
>  
> # Enable this to make the default policy allow for ICMP(ping) for INET access
> # -----------------------------------------------------------------------------
> OPEN_ICMP=0
>  
> # Put in the following variables which ports or IP protocols you want to leave
> # open to the whole world.
> # -----------------------------------------------------------------------------
> OPEN_TCP=""
> OPEN_UDP=""
> OPEN_IP=""
>  
> 
> DENY_TCP=""
> DENY_UDP=""
>  
> 
> DENY_TCP_NOLOG=""
> DENY_UDP_NOLOG=""
>  
> # Put in the following variables the TCP/UDP ports you want to REJECT (instead
> # of DROP) for everyone (and logged).
> # -----------------------------------------------------------------------------
> REJECT_TCP=""
> REJECT_UDP=""
>  
> # Put in the following variables the TCP/UDP ports you want to REJECT (instead
> # of DROP) for everyone but NOT logged.
> # -----------------------------------------------------------------------------
> REJECT_TCP_NOLOG=""
> REJECT_UDP_NOLOG=""
>  
> # Put in the following variables which hosts you want to allow for certain
> # services.
> 
> HOST_OPEN_TCP=""
> HOST_OPEN_UDP=""
> HOST_OPEN_IP=""
> HOST_OPEN_ICMP=""
>  
> # Put in the following variables which hosts you want to DENY(DROP) for certain
> # services (and logged).
> 
> HOST_DENY_TCP=""
> HOST_DENY_UDP=""
> HOST_DENY_IP=""
> HOST_DENY_ICMP=""
>  
> # Put in the following variables which hosts you want to DENY(DROP) for certain
> # services but NOT logged.
> 
> HOST_DENY_TCP_NOLOG=""
> HOST_DENY_UDP_NOLOG=""
> HOST_DENY_IP_NOLOG=""
> HOST_DENY_ICMP_NOLOG=""
>  
> 
> HOST_REJECT_TCP=""
> HOST_REJECT_UDP=""
>  
> 
> HOST_REJECT_TCP_NOLOG=""
> HOST_REJECT_UDP_NOLOG=""
>  
> 
> DENY_TCP_OUTPUT=""
> DENY_UDP_OUTPUT=""
> DENY_IP_OUTPUT=""
>  
> 
> 
> HOST_DENY_TCP_OUTPUT=""
> HOST_DENY_UDP_OUTPUT=""
> HOST_DENY_IP_OUTPUT=""
>  
> 
> BROADCAST_TCP_NOLOG=""
> 
> BLOCK_HOSTS=""
>
> Here is the result of running this config file:
>
> Arno's Iptables Firewall Script v1.8.8b
> -------------------------------------------------------------------------------
> Sanity checks passed...OK
> Detected IPTABLES module... Loading additional IPTABLES modules:
> All IPTABLES modules loaded!
> Setting the kernel ring buffer to only log panic messages to the console
> Configuring /proc/.... settings:
>  Enabling anti-spoof with rp_filter
>  Enabling SYN-flood protection via SYN-cookies
>  Disabling the logging of martians
>  Disabling the acception of ICMP-redirect messages
>  Setting the max. amount of simultaneous connections to 16384
>  Enabling protection against source routed packets
>  Setting default conntrack timeouts
>  Enabling reduction of the DoS'ing ability
>  Setting Default TTL=64
>  Disabling ECN (Explicit Congestion Notification)
>  Enabling support for dynamic IP's
>  Flushing route table
> /proc/ setup done...
> Flushing rules in the filter table
> Setting default (secure) policies
> Using loglevel "info" for syslogd
>  
> Setting up firewall rules:
> -------------------------------------------------------------------------------
> Accepting packets from the local loopback device
> Enabling setting the maximum packet size via MSS
> Enabling mangling TOS
> Logging of stealth scans (nmap probes etc.) enabled
> Logging of packets with bad TCP-flags disabled
> Logging of INVALID packets disabled
> Logging of fragmented packets enabled
> Logging of access from reserved addresses enabled
> Setting up anti-spoof rules
> Reading custom IPTABLES rules from /etc/arno-iptables-firewall/custom-rules
> Loading (user) plugins
> Applying rules for (A)DSL modem on interface: eth1
> Setting up INPUT policy for the external net (INET):
> Enabling support for a DHCP assigned IP on external interface(s): ppp+
> Logging of explicitly blocked hosts enabled
> Logging of denied local output connections enabled
> Packets will NOT be checked for private source addresses
> Denying the whole world to send ICMP-requests(ping)
> Logging of dropped ICMP-request(ping) packets enabled
> Logging of dropped other ICMP packets enabled
> Logging of possible stealth scans disabled
> Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
> Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
> Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
> Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
> Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
> Logging of ICMP flooding enabled
> Applying INET policy to external (INET) interface: ppp+ (without an external subnet specified)
> Setting up INPUT policy for internal (LAN) interface(s): eth0
>  Allowing ICMP-requests(ping)
>  Allowing all (other) protocols
> Setting up FORWARD policy for internal (LAN) interface(s): eth0
>  Logging of denied LAN->INET FORWARD connections enabled
>  Setting up LAN->INET policy:
>   Allowing ICMP-requests(ping)
>   Allowing all (other) protocols
> Enabling masquerading(NAT) for internal host(s): 192.168.10.0/24 via ppp+
> Security is ENFORCED for external interface(s) in the FORWARD chain
>  
> Oct 25 11:26:37 All firewall rules applied.

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
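
One way to condense the firewall log output requested in the reply, as an added example that is not part of the original thread or of Arno's script: it keeps only logged packets that touch the LAN from the posted config (`192.168.10.0/24`), counts them per interface pair and protocol, and separately counts ICMP "fragmentation needed" (type 3, code 4) messages, which path MTU discovery depends on. The sample lines and the `FW-DROP:` prefix are constructed, and `ppp0` is assumed as the concrete interface behind `EXT_IF="ppp+"`.

```shell
#!/bin/sh
# Added example: summarise logged firewall packets that involve the LAN.

# Constructed sample lines in the kernel's netfilter LOG format.
# "FW-DROP:" is a hypothetical log prefix; ppp0 stands in for EXT_IF="ppp+".
sample_log() {
cat <<'EOF'
Oct 25 11:30:01 gw kernel: FW-DROP: IN=eth0 OUT=ppp0 SRC=192.168.10.21 DST=203.0.113.80 LEN=48 TTL=127 ID=4711 DF PROTO=TCP SPT=1045 DPT=80 SYN
Oct 25 11:30:04 gw kernel: FW-DROP: IN=eth0 OUT=ppp0 SRC=192.168.10.22 DST=203.0.113.80 LEN=48 TTL=127 ID=4712 DF PROTO=TCP SPT=1046 DPT=80 SYN
Oct 25 11:30:05 gw kernel: FW-DROP: IN=eth0 OUT=ppp0 SRC=192.168.10.21 DST=198.51.100.53 LEN=62 TTL=127 ID=4713 PROTO=UDP SPT=1047 DPT=53
Oct 25 11:30:09 gw kernel: FW-DROP: IN=ppp0 OUT=eth0 SRC=203.0.113.1 DST=192.168.10.21 LEN=56 TTL=250 ID=99 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.10.21 DST=203.0.113.80 LEN=1500 TTL=126 ID=4720 DF PROTO=TCP SPT=1045 DPT=80 ] MTU=1492
Oct 25 11:30:12 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 ID=7 PROTO=TCP SPT=40000 DPT=22 SYN
EOF
}

# Usage: summarize_fw_log LAN_CIDR < logfile
# Prints "IN->OUT PROTO COUNT" per flow class plus "icmp-frag-needed COUNT".
summarize_fw_log() {
    awk -v cidr="$1" '
    function ip2int(ip,   o) {
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_lan(ip,   v) {
        v = ip2int(ip)
        return v >= 0 && int(v / size) == int(base / size)
    }
    BEGIN {
        split(cidr, c, "/")
        if (c[2] == "") c[2] = 32          # bare address: match that host only
        size = 2 ^ (32 - c[2])             # number of addresses in the prefix
        base = ip2int(c[1])
    }
    {
        split("", f)                       # clear the per-line field map
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n < 2) continue
            k = substr($i, 1, n - 1)
            # First occurrence wins: ICMP errors embed the original packet in
            # [...], and its DST=/PROTO= must not overwrite the outer header.
            if (!(k in f)) f[k] = substr($i, n + 1)
        }
        if (!("SRC" in f) || !("DST" in f)) next
        if (!in_lan(f["SRC"]) && !in_lan(f["DST"])) next
        key = (f["IN"] == "" ? "-" : f["IN"]) "->" (f["OUT"] == "" ? "-" : f["OUT"])
        count[key " " f["PROTO"]]++
        if (f["PROTO"] == "ICMP" && f["TYPE"] == "3" && f["CODE"] == "4") pmtu++
    }
    END {
        for (k in count) print k, count[k]
        print "icmp-frag-needed", pmtu + 0
    }' | LC_ALL=C sort
}

# Stand-alone run on the constructed sample.
sample_log | summarize_fw_log 192.168.10.0/24
```

On a real gateway, feed it the kernel log instead of `sample_log`; a non-zero `icmp-frag-needed` count alongside blocked LAN traffic is worth including when reporting back on the `SET_MSS` and `NO_PMTU_DISCOVERY` trial.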


