Re: [Sheflug] Forwarding Packets.
>>>>> "ross" == ross h <ross> writes:
ross> On Tuesday 17 July 2001 17:06, you wrote:
>> Anyone know how to forward packets with IPtables ? With
>> IPchains it's .....
>>
>> /sbin/ipchains -A forward -s xxx.xxx.x.x/xx -j MASQ
>>
ross> iptables -A FORWARD -s xx.xxx.x.x/xx -j MASQ
>> echo 1 > /proc/sys/net/ipv4/ip_forward
ross> you still need this to activate the forwarding
ross> i'm no expert but i reckon that should work.... where's
ross> barrie when you need him? :-)
Hi All,
Just back to catching up with emails and the like after a 2 week
holiday up in Scotland.
IPTables is a bit different from IPChains, since the basic
chains are now:
INPUT (locally destined packets)
FORWARD (packets traversing the box) and
OUTPUT (locally generated packets).
So you can have totally separate rules for the firewall box and the
machines behind it without much hassle.
Uselessly simple "firewall":
# Flush and delete rules
iptables -F
iptables -X
# Allow loopback interface traffic
iptables -I INPUT -i lo -j ACCEPT
# Set default policies for packets for this box
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Set default policy for packets going through the firewall.
iptables -P FORWARD DROP
# http in (replies from web servers) and http out (requests to them).
iptables -A FORWARD -s 0.0.0.0/0 -p TCP --sport 80 -j ACCEPT
iptables -A FORWARD -d 0.0.0.0/0 -p TCP --dport 80 -j ACCEPT
# Activate the forwarding!
echo 1 > /proc/sys/net/ipv4/ip_forward
This would allow all http traffic through the firewall, all traffic
out, and nothing into the firewall box.
Nothing is masqueraded with that lot.
The syntax is fairly close to IPChains, and it's all in man iptables.
Actually masquerading things (in this case with a dynamic IP address),
which is more useful for most of us is achieved using the built in
"nat" table, IIRC.
This is the bare bones of my own firewall. It should sort of work, but
since it's late, I might have missed something essential - check it
first! :-)
I've also got the firewall to accept established connections from the
modem, and allow new connections to be initiated from the internal
network on eth0.
#!/bin/bash
# NATting firewall
# by Barrie Bremner (public [at] barriebremner.com)
#
# Loosely based on model firewall
# by Jay Beale (jay [at] bastille-linux.org)
# for Security Portal article
# Clean any rules that already exist
iptables -F
iptables -X
# Set default policies for packets going through this firewall box
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -P FORWARD DROP
# Set default policies for packet entering this box
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Set the dynamic address flag.
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Allow loopback interface traffic
iptables -I INPUT -i lo -j ACCEPT
# Allow established/related connections only in/through from ppp0
# but new connections as well as established/related through from eth0 (internal interface)
iptables -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Allow ESTABLISHED and RELATED connections on ppp0
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# SNAT is only for static IPs. MASQUERADE to ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Make sure it's possible to access the box from workstation!
iptables -I INPUT 1 -i eth0 -s 192.168.0.0/24 -j ACCEPT
# Activate the forwarding!
echo 1 > /proc/sys/net/ipv4/ip_forward
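An added example, not part of Barrie's post or script: the same NAT firewall rendered as an iptables-restore ruleset by a small POSIX shell function, so the rules can be reviewed as text and loaded in one go rather than rule by rule. The interface names and LAN subnet are parameters (ppp0, eth0 and 192.168.0.x/24 in the usage lines are only the values from the script above); the subnet normalisation and the -s restriction on the internal FORWARD rule are additions that go beyond the original.

```shell
#!/bin/sh
# Added example (not from the original post): emit the NAT firewall above
# as an iptables-restore ruleset.  Interface names and LAN subnet are
# parameters; nothing here touches the running firewall.

# Normalise "a.b.c.d/bits" to its network address, e.g. 192.168.0.1/24
# becomes 192.168.0.0/24.  iptables quietly does the same to a -s
# argument, so writing the network form makes the intent explicit.
# Returns 1 (prints nothing) on malformed input.
cidr_network() {
    addr=${1%/*}
    bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    IFS=. read -r a b c d <<EOF
$addr
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# Print the ruleset.  $1 = external (dynamic-address) interface,
# $2 = internal interface, $3 = LAN subnet in CIDR form.
# filter table: INPUT/OUTPUT are for the firewall box itself, FORWARD is
# for packets traversing it.  nat table: MASQUERADE rather than SNAT,
# because the ppp address changes.
nat_ruleset() {
    ext=$1
    lan_if=$2
    lan=$(cidr_network "$3") || { echo "nat_ruleset: bad LAN subnet: $3" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and anything from the LAN side, may reach the box
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan_if -s $lan -j ACCEPT
# from outside, only replies to connections the box itself made
-A INPUT -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT
# through the box: replies from outside, anything the LAN starts
-A FORWARD -i $ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan_if -s $lan -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
EOF
}

# Usage (review the text first, then load it as root):
#   nat_ruleset ppp0 eth0 192.168.0.1/24
#   nat_ruleset ppp0 eth0 192.168.0.1/24 | iptables-restore
# ip_forward and ip_dynaddr are still set through /proc as in the
# script above; iptables-restore does not touch them.
if [ $# -eq 3 ]; then
    nat_ruleset "$@"
fi
```

iptables-restore replaces the whole filter and nat tables atomically (the old rules stay in force until the COMMIT succeeds), which is the reason for generating the ruleset as text instead of running a script of -F/-X/-A commands that briefly leaves the box with no rules at all.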
There are docs on masquerading at netfilter.samba.org.
Hope this lot helps.
Baz.
--
Barrie J. Bremner OpenPGP public key ID: 5164F553
baz [at] barriebremner.com http://barriebremner.com/
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk