[vox-tech] iptables

Michael Wenk vox-tech@lists.lugod.org
Fri, 4 Oct 2002 15:08:40 -0700


Here's the quick and dirty script I use:

#!/bin/sh
# Netfilter script to initiate nat
modprobe iptable_nat                     # load the NAT table (2.4 kernel module)
iptables -t nat -F POSTROUTING           # clear any old masquerade rules first
# Masquerade everything from the 10.0.0.0/16 LAN that leaves via eth0
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward   # turn on routing between interfaces

This script is from Debian on a 2.4.19 kernel.  I just installed it either
last week or the week before.

For the port allows, I wish I had kept my old script, because it firewalled
everything except HTTP, SSH, and whatever port NWN uses (can't remember off the
top of my head).  You know there is an ipchains compatibility module:
CONFIG_IP_NF_COMPAT_IPCHAINS=m

Just set it in make menuconfig or make xconfig, and do a modules
compile/install.  Now, that's only if you make your own kernel; however, it
very well could be in whatever default kernel Red Hat has.

Once I retighten down my config, I'll post the relevant iptables script.

Mike
----- Original Message -----
From: "Joel Baumert" <kender@geeksource.net>
To: <vox-tech@lists.lugod.org>
Sent: Friday, October 04, 2002 9:07 AM
Subject: [vox-tech] iptables


> Are there any iptables experts out there??? I have been
> using ipchains in the past and it does not look like an
> easy option with RH8.0.  I was hoping there was a tool
> for this configuration, but I couldn't find it...
>
> I tried a couple of examples on the web, but I couldn't
> get anything working.  It could be that I was missing
> something simple in the sample configurations because
> it was 3 in the morning :-).  I don't think that my
> setup is too complicated, and I would appreciate some
> help getting this up and running.
>
> I have eth0 on the Internet side with an external IP
> address and eth1 on my internal net.  I want to NAT
> the internal network and accept connections for SMTP,
> SSH, and HTTP on the outside.  On the inside I want
> to accept SMTP, SSH, HTTP, samba, and telnet.  I need
> to have FTP on the outside, but only to a specific
> range of addresses.  I would prefer to handle that in
> tables, but I don't mind doing that with tcp wrappers.
>
> I think that the only UDP packets that I need to have
> to NAT are DNS queries/responses.
>
> On the external ports that are not configured, I would
> like to just drop or in some cases log access to ports
> out of those ranges.
>
> It would also be nice to reject and log connections
> from localhost or from the trusted side coming from
> or going to common irc ports.
>
> I would hack at it until I got it working, but I am
> hosting a website for someone and long periods of
> downtime are not really an option on this box.
>
> If worst comes to worst, I'll set up an HTTP proxy,
> so my wife and I can browse the network while I figure
> out iptables.
>
> Joel
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>