On Fri, Apr 19, 2013 at 04:30:44PM +0100, Mark Rogers wrote:
On 12 April 2013 15:51, Jim Rippon jim@rippon.me.uk wrote:
The NAT rule is correct, I wouldn't alter that.
What I would do, is add a rule to the FORWARD chain in the filter table to allow this traffic, but drop anything else:
iptables -I FORWARD -i ppp0 -j ACCEPT
iptables -P FORWARD DROP
Just to let you know: Adding these lines broke forwarding. Specifically the second line (which makes sense).
I have checked and the VPN interface is ppp0. We're running without those two lines quite happily.
Any suggestion what went wrong?
You only allowed forwarding stuff coming into ppp0, not out of it. You probably want:
# Allow anything new out of ppp0
iptables -I FORWARD -o ppp0 -j ACCEPT
# Let anything into ppp0 that's already established
iptables -I FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED \
    -j ACCEPT
# Drop anything else
iptables -P FORWARD DROP
J.
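The ruleset from the reply above, written out as an added example (not code from anyone in the thread) in iptables-restore format so the policy change and the ACCEPT rules land atomically instead of one command at a time. The thread never shows the NAT rule or the LAN side, so the MASQUERADE rule, the LAN interface eth0 and the 192.168.1.0/24 network are assumptions; the script also tightens the "anything new out of ppp0" rule to new flows arriving from the LAN interface only, and uses the conntrack match, of which the `-m state` match in the reply is the older spelling.

```shell
#!/bin/sh
# Added example: the FORWARD policy from the thread as a complete,
# atomically loadable ruleset. ASSUMED (not in the thread): tunnel is ppp0,
# LAN interface is eth0, LAN is 192.168.1.0/24, NAT is MASQUERADE out of ppp0.
VPN_IF="${VPN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset on stdout in the format iptables-save/iptables-restore use.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Assumed NAT rule: masquerade LAN traffic leaving through the tunnel
-A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies belonging to flows already allowed, in either direction
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New flows from the LAN into the tunnel (the reply's "-o ppp0" rule,
# narrowed to the LAN interface)
-A FORWARD -i $LAN_IF -o $VPN_IF -m conntrack --ctstate NEW -j ACCEPT
# Anything else, including new connections arriving on the tunnel,
# falls through to the FORWARD DROP policy
COMMIT
EOF
}

# Number of rules in the generated FORWARD chain (quick self-check).
count_forward_rules() {
    gen_rules | grep -c '^-A FORWARD'
}

case "${1:-}" in
    apply) gen_rules | iptables-restore ;;   # needs root
    *)     gen_rules ;;
esac
```

Run it with no argument to review the generated rules, or pipe them through `iptables-restore --test` to parse them without committing; `./fw.sh apply` loads them. With the two `-I` commands from the reply the ESTABLISHED rule ends up above the NEW rule because `-I` inserts at the head of the chain; here the order is explicit, and the policy is set in the same transaction as the ACCEPT rules, so there is no window in which FORWARD is DROP with nothing allowed.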