
Re: [Sheflug] Forwarding Packets.



>>>>> "ross" == ross h <ross> writes:

    ross> On Tuesday 17 July 2001 17:06, you wrote:
    >> Anyone know how to forward packets with IPtables ?  With
    >> IPchains it's .....
    >> 
    >> /sbin/ipchains -A forward -s xxx.xxx.x.x/xx -j MASQ
    >> 

    ross> iptables -A FORWARD -s xx.xxx.x.x/xx -j MASQ

    >>  echo 1 > /proc/sys/net/ipv4/ip_forward

    ross> you still need this to activate the forwarding

    ross> I'm no expert but I reckon that should work.... where's
    ross> barrie when you need him? :-)

Hi All,

Just back to catching up with emails and the like after a 2 week
holiday up in Scotland.

IPTables is a bit different from IPChains, since the basic
chains are now:

 INPUT (locally destined packets)
 FORWARD (packets traversing the box) and
 OUTPUT (locally generated packets).

So you can have totally separate rules for the firewall box and the
machines behind it without much hassle.

Uselessly simple "firewall":

# Flush and delete rules

    iptables -F
    iptables -X

# Allow loopback interface traffic
    iptables -I INPUT -i lo -j ACCEPT

# Set default policies for packets for this box

    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP

# Set default policy for packets going through the firewall.

    iptables -P FORWARD DROP

# http through: the request out to the web server and the reply back in.
# (an accept on --sport 80 alone would only match the replies; the
# client's outbound request would hit the FORWARD DROP policy first)

    iptables -A FORWARD -s 0.0.0.0/0 -p TCP --dport 80 -j ACCEPT
    iptables -A FORWARD -s 0.0.0.0/0 -p TCP --sport 80 -j ACCEPT

# Activate the forwarding!
    echo 1 > /proc/sys/net/ipv4/ip_forward

This would allow all http traffic through the firewall, all traffic
out, and nothing into the firewall box.
Nothing is masqueraded with that lot.

The syntax is fairly close to IPChains, and it's all in man iptables.

Actually masquerading things (in this case with a dynamic IP address),
which is more useful for most of us is achieved using the built in
"nat" table, IIRC.

This is the bare bones of my own firewall. It should sort of work, but
since it's late, I might have missed something essential - check it
first! :-)

I've also got the firewall to accept established connections from the
modem, and allow new connections to be initiated from the internal
network on eth0.

#!/bin/bash

# NATting firewall 
# by Barrie Bremner (public [at] barriebremner.com)
#
# Loosely based on model firewall 
# by Jay Beale (jay [at] bastille-linux.org)
# for Security Portal article

# Clean any rules that already exist. A plain -F/-X only touches the
# filter table, so the nat table is flushed separately.
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X

# Set default policies for packets going through this firewall box

    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -P FORWARD DROP

# Set default policies for packet entering this box

    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP

# Set the dynamic address flag.
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Allow loopback interface traffic
    iptables -I INPUT -i lo -j ACCEPT

# Allow established/related connections only in/through from ppp0
# but new connections as well as established/related through from eth0 (internal interface)

     iptables -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Allow ESTABLISHED and RELATED connections on ppp0
    iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# SNAT is only for static IPs. MASQUERADE to ppp0
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Make sure it's possible to access the box from workstation!
# (iptables masks 192.168.0.1/24 to the network 192.168.0.0/24, so this
# lets in the whole internal LAN, not just the one host)
    iptables -I INPUT 1 -i eth0 -s 192.168.0.1/24 -j ACCEPT

# Activate the forwarding!
    echo 1 > /proc/sys/net/ipv4/ip_forward

There are docs on masquerading at netfilter.samba.org.

Hope this lot helps. 

Baz.

-- 
Barrie J. Bremner		OpenPGP public key ID: 5164F553
baz [at] barriebremner.com	http://barriebremner.com/
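An added example, not Barrie's script and not from the original mail: the same stateful masquerading firewall as above, reworked so the nat table is flushed too, packets arriving on the modem link with an internal source address are dropped, and the rule set can be reviewed without root by pointing IPT at a function that prints its arguments. It assumes ppp0 is the modem link, eth0 the LAN interface and 192.168.0.0/24 the internal network.

```shell
#!/bin/sh
# Added example, not Barrie's script: the same stateful NAT firewall with the
# nat table flushed too, anti-spoofing drops, and a dry-run hook.
# Assumptions: ppp0 is the modem link, eth0 the LAN, 192.168.0.0/24 the LAN net.
WAN="${WAN:-ppp0}"
LAN="${LAN:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
# Point IPT at a function that prints its arguments to review the rules
# without root (see apply_rules); the default is the real binary.
IPT="${IPT:-/sbin/iptables}"

# One iptables argument list per line, in the order they must be applied.
# Packets arriving on $WAN with a LAN source address are spoofed: dropped.
fw_rules() {
    cat <<EOF
-F
-X
-t nat -F
-t nat -X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A INPUT -i $LAN -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $LAN -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Number of rule lines, handy as a sanity check before and after a change.
rule_count() { fw_rules | wc -l | tr -d ' '; }

# Feed each line to $IPT; word splitting of $rule is intentional.
apply_rules() {
    fw_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule || return 1
    done
}

# Turn routing on only after the rules are in place, as the mail does.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
```

Run it as `IPT=echo sh firewall.sh` first to read the rules back, then with the real binary as root followed by `enable_forwarding`.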


---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.