[vox-tech] iptables

Jan W vox-tech@lists.lugod.org
Fri, 4 Oct 2002 12:39:05 -0700 (PDT)


I haven't heard about any of those tools...

I just use the vanilla iptables scripting.

Here is a link to the best HOWTO that I have found:

http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

Most of what I talked about was from that tutorial.

There are plenty of other good tutorials, though.  If you want to post your
scripts (with IP addys and ranges xxxx'ed out), or email them to me, I can see
what I can see with them.

But mostly one line should get the basic NAT and forwarding working.  There is
lots and lots you _can_ do, but it is limited mostly by your desire and time. 
Here are some sample lines that could help you get started:

Basic forwarding and address translation:

# "-d 0.0.0.0" alone would match a single address; "/0" means any destination
iptables -t nat -A POSTROUTING -s [internal IP range] -d 0.0.0.0/0 -j SNAT
--to-source [external ip address]

-or-

# POSTROUTING only knows the outgoing interface, so match it with -o, not -i
iptables -t nat -A POSTROUTING -o [external interface] -d 0.0.0.0/0 -j SNAT
--to-source [external ip addy]

to forward based on a port:

# --dport needs a protocol (-p tcp); DNAT rewrites the destination, not the source
iptables -t nat -A PREROUTING -d [external ip] -p tcp --dport 25 -j DNAT
--to-destination [internal smtp server]

to log a connection:

# the target is LOG (upper case); it logs and then continues to the next rule
iptables -A INPUT -p tcp --dport 515 -j LOG --log-prefix "NETFILTER: "

As mentioned before, if you want I can take a look.  It's been awhile since I
played with it, but I'll be happy to help any way I can.

HTHO,

jan

--- Joel Baumert <kender@geeksource.net> wrote:
> 
> Heh... That was one of the few meetings that I missed in 2001, 
> right after Isaac was born.  I didn't see the notes on the
> website.  Am I looking in the wrong place?
> 
> I'll take a look at Shorewall as a short term solution.  I
> would really like to understand what is going on under the
> hood because I'm thinking of a couple of tricky filtering 
> and logging ideas for the future.
> 
> I found a list of iptables configuration tools, but haven't
> had a chance to wade through them yet.  Does anyone have
> experience with these or any other tools?
> 
> MonMotha's Firewall
> Firewallscript
> Ferm
> AGT
> Knetfilter
> gShield
> 
> I found them in this article, but I'll have to do more 
> searching when I get home from work.
> 
> http://online.securityfocus.com/infocus/1410
> 
> Joel
> 
> On Fri, Oct 04, 2002 at 09:17:15AM -0700, Jeff Newmiller wrote:
> > On Fri, 4 Oct 2002, Joel Baumert wrote:
> > 
> > > Are there any iptables experts out there???
> > 
> > Probably.  Jan Wynholds gave a talk on it that I missed.
> > 
> > I just use Shorewall, so I really don't know the underlying iptables all
> > that well. It came with a basic configuration for masquerading that was
> > pretty easy to modify.  My only complaint is that the rule startup is
> > relatively slow, but that only happens during configuration and bootup.
> > 
> > ---------------------------------------------------------------------------
> > Jeff Newmiller                        The     .....       .....  Go Live...
> > DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
> >                                       Live:   OO#.. Dead: OO#..  Playing
> > Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
> > /Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
> > ---------------------------------------------------------------------------
> > 
> > _______________________________________________
> > vox-tech mailing list
> > vox-tech@lists.lugod.org
> > http://lists.lugod.org/mailman/listinfo/vox-tech


=====
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
PATRIOTISM, n.  Combustible rubbish read to the torch of any one
ambitious to illuminate his name.
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
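The three sample lines from Jan's message (source NAT for the internal range, DNAT of inbound port 25 to an internal mail host, and logging of a port) collected into one small script. This is an added example, not code from the thread or from the tutorial linked above; the interface names, the RFC 5737 documentation addresses and the DRY_RUN/run helper are assumptions chosen here so the rules can be printed and checked without root.

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds the SNAT, DNAT and
# LOG rules sketched in the message above as a parameterised script.
# Interface names and addresses below are placeholders (assumed values).
# Set DRY_RUN=1 to print the iptables commands instead of running them.

EXT_IF="${EXT_IF:-eth0}"                # interface facing the Internet (assumed)
INT_NET="${INT_NET:-192.168.1.0/24}"    # internal range behind the router (assumed)
EXT_IP="${EXT_IP:-203.0.113.10}"        # public address; TEST-NET-3, documentation only
SMTP_HOST="${SMTP_HOST:-192.168.1.25}"  # internal SMTP server (assumed)
DRY_RUN="${DRY_RUN:-0}"

# Run iptables, or print the would-be command line when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# 0 if $1 looks like a.b.c.d or a.b.c.d/nn (syntactic check only).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# 0 if $1 is a port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Source NAT: rewrite the source of internal traffic leaving via EXT_IF.
# POSTROUTING sees only the outgoing interface, so the match is -o, not -i;
# no -d is given, which means "any destination" (not "-d 0.0.0.0").
snat_rule() {
    valid_ipv4 "$INT_NET" && valid_ipv4 "$EXT_IP" || return 1
    run -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

# Destination NAT: send inbound TCP port $1 on the public address to host $2.
# --dport needs -p tcp (or udp); DNAT's option is --to-destination. With a
# FORWARD policy of DROP the translated packet still needs an ACCEPT rule.
dnat_rule() {
    port="$1"; target="$2"
    valid_port "$port" && valid_ipv4 "$target" || return 1
    run -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target"
    run -A FORWARD -i "$EXT_IF" -d "$target" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Log new connections to TCP port $1. The target is LOG (upper case) and it
# does not terminate rule traversal, so a later rule still decides the fate.
# The limit match keeps a port scan from flooding the kernel log.
log_rule() {
    valid_port "$1" || return 1
    run -A INPUT -p tcp --dport "$1" -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "NETFILTER: "
}

apply_all() {
    # Routing between interfaces must also be switched on in the kernel,
    # otherwise the nat rules match but nothing is forwarded.
    if [ "$DRY_RUN" != 1 ]; then sysctl -w net.ipv4.ip_forward=1; fi
    # Baseline FORWARD rules: replies to anything already tracked, plus
    # new outbound connections from the internal range.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -s "$INT_NET" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    snat_rule && dnat_rule 25 "$SMTP_HOST" && log_rule 515
}

# Usage: DRY_RUN=1 sh nat.sh   (prints the rules; run as root without DRY_RUN)
if [ "$DRY_RUN" = 1 ]; then
    apply_all
fi
```

Running it with DRY_RUN=1 prints the exact rule set so it can be reviewed before anything touches the kernel; the validators reject a malformed port or address up front, which is where a typo in a hand-edited firewall script usually hides.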
