RE: Iptables and NAT


Subject: RE: Iptables and NAT
From: Mike Barsalou (mbarsalou@aidea.org)
Date: Mon Feb 04 2002 - 11:34:12 AKST


There is so much info here that it struck me that people who aren't familiar
with the intricacies of TCP packets might get lost.

I was looking for something like: Here is a simple firewall that will allow
DNS, HTTP, etc. Then maybe another example about how to add say, ssh to the
mix.

I realize there are so many different machine setups that this could be
outrageous, but it seems to me that most people either have a machine
sitting on the net directly or are using it as a firewall for their home
lan.

The tutorial I read (which I liked) was here:

http://www.linuxvoodoo.com/howto/iptables/iptables-tutorial.html

I did run across this, which helped:

Differences Between iptables and ipchains

Firstly, the names of the built-in chains have changed from lower case to
UPPER case, because the INPUT and OUTPUT chains now only get
locally-destined and locally-generated packets. They used to see all
incoming and all outgoing packets respectively.

The `-i' flag now means the incoming interface, and only works in the INPUT
and FORWARD chains. Rules in the FORWARD or OUTPUT chains that used `-i'
should be changed to `-o'.

TCP and UDP ports now need to be spelled out with the --source-port or
--sport (or --destination-port/--dport) options, and must be placed after
the `-p tcp' or `-p udp' options, as this loads the TCP or UDP extensions
respectively (you may need to insert the ipt_tcp and ipt_udp modules
manually).

The TCP -y flag is now --syn, and must be after `-p tcp'.

The DENY target is now DROP, finally.

Zeroing single chains while listing them works.

Zeroing built-in chains also clears policy counters.

Listing chains gives you the counters as an atomic snapshot.

REJECT and LOG are now extended targets, meaning they are separate kernel
modules.

Chain names can be up to 16 characters.

MASQ and REDIRECT are no longer targets; iptables doesn't do packet
mangling. There is a separate NAT subsystem for this: see the ipnatctl
HOWTO.

Probably heaps of other things I forgot.

-----Original Message-----
From: Larry Collier [mailto:larry@medease.com]
Sent: Monday, February 04, 2002 12:29 PM
To: Mike Barsalou; aklug@aklug.org
Subject: RE: Iptables and NAT

Mike,

what tutorial did you read? I haven't found one that even leaves me
"slightly confused".

Larry

> -----Original Message-----
> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org]On Behalf Of
> Mike Barsalou
> Sent: Monday, February 04, 2002 8:30 AM
> To: 'aklug@aklug.org'
> Subject: Iptables and NAT
>
>
>
> I'd like to start a discussion about iptables and NAT (SNAT, DNAT, etc.)
> I just went through an IPTABLES tutorial and I am left slightly confused....
> Here is what I think so far:
>
> There are three "tables" that are used:
>
> NAT
> MANGLE
> FILTER
>
>
> From what I can tell the filter table behaves much the way you would expect
> to use ipchains setup, only it goes specifically in the FILTER table.
>
> There are new default chains in each of these tables.
>
> It seems like IPTABLES has made firewalling a little more complicated.
> Although now, all the forwarding to local hosts is included, you wouldn't
> have to compile it separately.
>
> Anyone care to share their experience? Good places for scripts or
> administration tools that make it easier for us folks who just want to
> point and click?
>
> Mike
>
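Mike's wish for a simple firewall that allows DNS and HTTP, with ssh added to the mix afterwards, worked through with the syntax the HOWTO excerpt lists (-p tcp before --dport and --syn, DROP instead of DENY, LOG as an extended target). This is an added example, not part of the thread; the IPT dry-run variable, the eth0 interface name and the port choices are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal host firewall for a box sitting
# directly on the net, written with the iptables syntax the HOWTO excerpt
# describes (-p tcp before --dport/--syn, DROP instead of DENY, LOG target).
# IPT defaults to a dry run that prints the rules; set IPT=iptables to apply
# them as root. EXT_IF is an assumed interface name.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"

# Allow new inbound TCP connections to each port given (e.g. 80 for HTTP).
# Only the connection opener (--syn) needs a rule; the rest of the
# conversation is admitted by the ESTABLISHED rule in build_firewall.
allow_tcp_services() {
    for port in "$@"; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --syn --dport "$port" -j ACCEPT
    done
}

# Build the INPUT chain: default DROP, then the few things we admit, then LOG.
# Usage: build_firewall 80        (DNS + HTTP box)
#        build_firewall 80 22     (same box, ssh added to the mix)
build_firewall() {
    $IPT -F INPUT
    $IPT -P INPUT DROP            # DENY is now DROP
    $IPT -P FORWARD DROP          # this box is not routing for a LAN
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to our own outbound traffic (DNS lookups, web browsing) come
    # back in via connection tracking, so DNS needs no explicit rule here.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_tcp_services "$@"
    # Log what is about to be dropped so blocked traffic shows up in syslog.
    $IPT -A INPUT -i "$EXT_IF" -j LOG --log-prefix "fw-drop: "
    # Policy DROP handles the rest; an explicit DROP keeps it visible.
    $IPT -A INPUT -j DROP
}

# Dry run: print the rule set for a DNS/HTTP host with ssh added.
build_firewall 80 22
```

Running the script as-is only prints the rules, which is a convenient way to review the order (accepts before the LOG/DROP pair) before setting IPT=iptables.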



This archive was generated by hypermail 2a23 : Mon Feb 04 2002 - 11:45:21 AKST