# iptables setup

# deny MS broadcast crap beyond the LAN
iptables -A INPUT ! -d 192.168.0.0/24 -p tcp --dport 139 -j REJECT
# allow localhost
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# allow LAN
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# allow www
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# allow inbound DCC
iptables -A INPUT ! -s 192.168.0.0/24 -p tcp --dport 6789 -j ACCEPT
iptables -I INPUT 1 ! -s 192.168.0.0/24 -p tcp --dport 6790 -j ACCEPT
iptables -I INPUT 1 ! -s 192.168.0.0/24 -p tcp --dport 6881:6889 -j ACCEPT
# reject everything else
iptables -A INPUT -p tcp --syn -j DROP
# enable NAT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 6789 -j DNAT --to-destination 192.168.0.2:6789
iptables -t nat -A PREROUTING -p tcp --dport 6790 -j DNAT --to-destination 192.168.0.7:6790

(I don't use this any more as I use the router for everything.) Check your IP addresses, as I used 192.168.0.0/24 here, and ignore any of the 'allow' stuff you don't want to get battered by from the internet. I also set forwarding on (dunno whether this actually does anything, but I'm superstitious like that and always set it on):
guy@focusrite:~$ cat /etc/network/options
ip_forward=no    <--- I had this set to 'yes'
spoofprotect=yes
syncookies=no

Then set everything else on the LAN to use the dialup machine's LAN IP as the gateway. Worked for me with a modem for ages; I assume it'd work with a DSL modem too. Of course... you could always get a cheap router from broadbandbuyer.co.uk for about £25 quid and then just point the whole LAN at that for DHCP and everything, which'd solve any Windows accessibility probs for inbound rogue traffic. (That's my understanding and I'm sticking to it!) Works for me on a £50 quid D-Link router, and the mother-in-law on her cheapo £25 jobbie!
On Tue, 2005-10-25 at 18:55 +0100, Ted.Harding@nessie.mcc.ac.uk wrote:
<snip>
> Here the situation is that, if I put a second NIC in any of the machines as eth1, give it IP address 192.168.1.3 (since this is the first in line of IP addresses which the modem gives out) and also manually install a default route to the net 192.168.1.0 via eth1, then from that machine I can also readily access the outside world. However, I have not managed to configure the machines so as to route through the ADSL machine via its eth1 in a similar way to ppp0. Say machine C has the ADSL modem on eth1, and machines A, B and C are linked over a network on eth0 for each. Then C can see the Net, while A and B can not.
<snip>

Have you done anything on machine C with iptables to MASQUERADE on the ADSL eth1 interface? Something like:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

It may be that kppp does this automatically for ppp0 on demand, or this has been configured manually before.
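Both posts above describe the same box: a Linux machine with one NIC on the LAN and one on the modem, masquerading for the LAN and forwarding a couple of ports back in. The script below is an added example and is not code from either poster. It writes the whole policy in iptables-restore format so the rules are loaded in one atomic step rather than one iptables call at a time, uses connection tracking so only new inbound connections need explicit rules, and defaults FORWARD to DROP, which means each DNAT port forward also needs a matching FORWARD rule. The interface names (eth0 = LAN, eth1 = ADSL/WAN), the 192.168.0.0/24 network and the 192.168.0.2 DCC host are assumptions taken from the first post; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the list posting): NAT gateway rules for a two-NIC
# Linux box, emitted in iptables-restore format and loaded atomically.
# Assumed names: eth0 = LAN side, eth1 = ADSL/WAN side, LAN = 192.168.0.0/24,
# DCC/BitTorrent host = 192.168.0.2. All four can be overridden via env vars.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
DCC_HOST="${DCC_HOST:-192.168.0.2}"

# gen_ruleset prints the complete filter and nat tables to stdout.
# Lines starting with '#' are comments; iptables-restore ignores them.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and anything belonging to a connection we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: a LAN source address must never arrive on the WAN side
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
# the LAN may talk to the gateway freely (SMB, DNS, ssh, ...)
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# services deliberately exposed to the Internet
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# NetBIOS/SMB is never reachable from outside; REJECT so the peer fails fast
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 137:139,445 -j REJECT
-A INPUT -i $WAN_IF -p udp -m multiport --dports 137:139 -j REJECT
# forwarding: LAN -> Internet, plus replies to anything already allowed
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# DNAT'd inbound connections still traverse FORWARD, so allow them here
-A FORWARD -i $WAN_IF -o $LAN_IF -d $DCC_HOST -p tcp --dport 6789 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $DCC_HOST -p tcp --dport 6881:6889 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port forwards from the WAN address to the LAN host (no port = keep original)
-A PREROUTING -i $WAN_IF -p tcp --dport 6789 -j DNAT --to-destination $DCC_HOST:6789
-A PREROUTING -i $WAN_IF -p tcp --dport 6881:6889 -j DNAT --to-destination $DCC_HOST
# hide the LAN behind the WAN address; MASQUERADE tracks a dynamic WAN IP
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# apply_ruleset turns on forwarding and reverse-path filtering, then loads
# the rules atomically. Needs root; a parse error leaves the old rules in place.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    sysctl -w net.ipv4.conf.all.rp_filter=1 >/dev/null
    gen_ruleset | iptables-restore
}

# Printing the ruleset is harmless and needs no privileges; loading it is
# only done when explicitly requested with "apply".
case "${1:-}" in
    apply) apply_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run it with no arguments to review the generated rules, or pipe that output through `iptables-restore --test` to have iptables parse it without committing; `./gateway.sh apply` as root loads it. Because the policy is restored as a unit, there is no moment where a partial chain (for example, the ACCEPT rules without the DROP policy) is live, which is the main practical difference from running the individual iptables commands in sequence.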
_______________________________________________
main@lists.alug.org.uk
http://www.alug.org.uk/
http://lists.alug.org.uk/mailman/listinfo/main
Unsubscribe? See message headers or the web site above!