From: Derek Trotter
> Recently I got dsl and decided to have my linux box pass on traffic to
> my windows box rather than buying a firewall.

[snip]

> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998
> # packets on port 40998 forwarded to internal windows machine

That's what the above iptables rule is actually doing. No real problems, just that you'll have to use a different port if you're using bittorrent on the Linux box.

> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
> # Allows me to surf the web from windows box

[snip similar rules for port 53 tcp/udp]

You'll probably want a similar rule for port 443, unless you never use HTTPS from the windows box.

> iptables -A INPUT -i eth0 -j DROP

Putting a default DROP like that at the end of INPUT is OK, you just have to make sure you allow all the things you'll need to access from outside. Like ssh, or a VPN, or other stuff like apache/postfix. It's annoying to iptables yourself out of your home box from outside.

There are other things that often get done to INPUT, like blocking incoming from 10.0.0.0, 192.168.0.0, 127.0.0.0, and multicast, but having a default DROP sort of covers all of those....

-- 
Matt G / Dances With Crows
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
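Added example, not code from either poster: a hypothetical home-router script that pulls the pieces discussed in the thread (the 40998 port forward, browsing plus DNS for the Windows box, the 443 rule Matt suggests, an allowed SSH port before the default DROP, and the private-source blocks he mentions) into one default-deny ruleset. It assumes a second NIC named eth1 facing the Windows box, 192.168.0.0/24 as the LAN, and that net.ipv4.ip_forward has been enabled separately. One point the quoted rules gloss over: OUTPUT and INPUT only govern packets the Linux box itself sends and receives, so traffic the Windows box pushes through the router is matched in FORWARD and needs MASQUERADE so replies find their way back. The DNAT rule likewise needs a matching FORWARD accept or the translated packet is dropped by the FORWARD policy. Setting IPT=echo (or calling preview_rules) prints the rules instead of applying them, which is a cheap way to eyeball the set before you risk locking yourself out.

```shell
#!/bin/sh
# Hypothetical home-router ruleset assembled from the rules discussed in the thread.
# IPT defaults to iptables; IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"              # assumption: Windows box sits behind a second NIC
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # assumption: LAN address range
WIN_BOX="${WIN_BOX:-192.168.0.2}"     # the internal machine from the thread
BT_PORT="${BT_PORT:-40998}"           # the forwarded port from the thread

apply_rules() {
    # Clean slate, then default-deny on INPUT and FORWARD (OUTPUT left open for the router itself).
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus anything belonging to a connection that was already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: private and loopback source addresses never legitimately arrive on the WAN side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done

    # Services reachable from outside. Keep this list current: anything not here
    # is silently dropped by the INPUT policy, SSH included.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Port forward to the Windows box. DNAT rewrites the destination, but the
    # rewritten packet still has to be accepted in FORWARD.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$BT_PORT" \
        -j DNAT --to-destination "$WIN_BOX:$BT_PORT"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WIN_BOX" -p tcp --dport "$BT_PORT" \
        -m state --state NEW -j ACCEPT

    # Browsing (80 and 443) and DNS for the LAN: this is forwarded traffic, not OUTPUT,
    # and it needs source NAT so replies return to the router's public address.
    for port in 80 443; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Print the rule set without touching the kernel (runs apply_rules with IPT=echo in a subshell).
preview_rules() {
    ( IPT=echo; apply_rules )
}
```

To apply for real, source the file as root and call apply_rules after enabling forwarding (sysctl -w net.ipv4.ip_forward=1); to review first, call preview_rules and read the printed rules. Because the default policies are set before any ACCEPT rules are added, applying this over an SSH session from outside briefly cuts you off unless the ESTABLISHED,RELATED rule lands quickly; running it from the console, or wrapping it in a timed rollback, avoids the lock-out Matt warns about.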