Re: Iptables and NAT


Subject: Re: Iptables and NAT
From: Craig Callender (craigc@corith.com)
Date: Mon Feb 04 2002 - 09:16:19 AKST


It's not really that IPTables tried to make everything more complicated,
but rather more unified. They modeled it off of BSD's ipfw (it used to
be someone else's than BSD's, but there were copyright issues, so Berkeley
got all the programmers to code a replacement in one weekend. That (free)
man power is f*ck*n awesome if you ask me.)

So, that being said, the three tables are still

INPUT
OUTPUT
FORWARD

just like in IPChains. For anything basic, you are only changing the
command line really. Take the following example...

ipchains -A input -s 192.168.1.0/24 -d 192.168.1.1 22 -p tcp -j ACCEPT

The above ipchains line allows ssh to the box with IP 192.168.1.1, from the
192.168.1.0/24 network. The same thing written in IPTables looks like
this:

iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --destination-port ssh -j ACCEPT

The only difference is the --destination-port rather than just <IP>
<PORT>, and the fact that I can refer to a service (in place of a
port, which makes readability much easier). My problem with IPChains was I
would ALWAYS get the source port and destination ports switched. It
sucked.

An excellent tutorial is located at:

http://www.linuxnewbie.org/nhf/intel/security/iptables_basics.html

That was where I learned my crude understanding of it (after reading
it I realized the connection between iptables and ipfw).

On Mon, 4 Feb 2002, Mike Barsalou wrote:

Date: Mon, 4 Feb 2002 08:30:04 -0900
From: Mike Barsalou <mbarsalou@aidea.org>
To: "'aklug@aklug.org'" <aklug@aklug.org>
Subject: Iptables and NAT

I'd like to start a discussion about iptables and NAT (SNAT, DNAT, etc.) I
just went through an IPTABLES tutorial and I am left slightly confused....
Here is what I think so far:

There are three "tables" that are used:

NAT
MANGLE
FILTER

From what I can tell the filter table behaves much the way you would expect
an ipchains setup to, only it goes specifically in the FILTER table.

There are new default chains in each of these tables.

It seems like IPTABLES has made firewalling a little more complicated.
Although now, all the forwarding to local hosts is included, you wouldn't
have to compile it separately.

Anyone care to share their experience? Good places for scripts or
administration tools that make it easier for us folks who just want to point
and click?

Mike

        In the beginning there was data. The data was without form and
null, and darkness was upon the face of the console; and the Spirit of
IBM was moving over the face of the market. And DEC said, "Let there
be registers"; and there were registers. And DEC saw that they
carried; and DEC separated the data from the instructions. DEC called
the data Stack, and the instructions they called Code. And there was
evening and there was morning, one interrupt.
                -- Rico Tudor, "The Story of Creation or, The Myth of Urk"
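As an added example that is not part of the thread or of either poster's setup, the script below writes Craig's ssh rule into the filter table and puts it next to the nat and mangle tables Mike lists, in the format iptables-restore reads. The LAN address 192.168.1.1 and network 192.168.1.0/24 come from the thread; the WAN interface eth0 and the inside web host 192.168.1.10 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: one ruleset covering all three iptables tables.
# 192.168.1.0/24 and 192.168.1.1 are from the thread; eth0 as the WAN
# interface and 192.168.1.10 as an inside web server are assumed.

LAN_NET="192.168.1.0/24"
FW_LAN_IP="192.168.1.1"
WAN_IF="eth0"
WEB_HOST="192.168.1.10"

# Emit the ruleset in iptables-restore format, one table per block.
# Lines starting with '#' are accepted as comments by iptables-restore.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Craig's rule: ssh to the firewall from the LAN only.
# -p tcp has to come before --dport so the tcp match options are loaded.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $LAN_NET -d $FW_LAN_IP -p tcp --dport ssh -j ACCEPT
# Traffic through the box: LAN out to the world, replies back in.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
# Whatever the nat table DNATs to the web host still has to pass FORWARD.
-A FORWARD -i $WAN_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT: port 80 arriving on the WAN side goes to the inside web host.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# SNAT for the LAN: MASQUERADE uses whatever address $WAN_IF has.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Nothing to mark or rewrite in headers here; left at its defaults.
COMMIT
EOF
}

# Count how many tables the ruleset defines (each starts with '*').
table_count() {
    gen_ruleset | grep -c '^\*'
}

gen_ruleset
```

Loading it on the firewall is `gen_ruleset | iptables-restore` as root; the point of the layout is that the filter table holds the accept/drop decisions just as ipchains did, while address rewriting (SNAT via MASQUERADE, DNAT for the web host) lives only in the nat table, and a DNATed packet still needs its own FORWARD rule before it gets through.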



This archive was generated by hypermail 2a23 : Mon Feb 04 2002 - 09:16:29 AKST