Re: Iptables and NAT


Subject: Re: Iptables and NAT
From: Jim Courtney (courtney@ieee.org)
Date: Mon Feb 04 2002 - 12:07:29 AKST


Here's an example of a basic setup, with two ethernet ports and PPPoE. Everything on either ethernet interface, and from localhost, is accepted immediately.
All other packets (in this case arriving from the WAN via PPPoE on interface ppp0, ppp1, etc) must be part of a connection originally established by the machine, or they're dropped.
I have a line in there, commented out, which lists common ports you can open for new connections from the outside, for SSH, HTTP, etc.
JC

#!/bin/bash
##########################################################################
# Basic PPPoE gateway: two ethernet ports, LAN masqueraded behind the PPP link
##########################################################################
IPTABLES="/usr/sbin/iptables"

LO_INTERFACE="lo"

PPPOE_ETH="eth0"        # carries the PPPoE session to the DSL modem
LAN_INTERFACE="eth1"
WAN_INTERFACE="ppp+"    # '+' is the iptables interface wildcard: ppp0, ppp1, ...

# Flush the table rules
$IPTABLES -F FORWARD
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F POSTROUTING

# Default policies: anything not explicitly accepted below is dropped
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

# ACCEPT ALL PACKETS FROM ETHERNET INTERFACES
# (PPPoE frames on eth0 are not IP and never reach iptables; the IP traffic
# from the ISP arrives on ppp0, ppp1, ... and is handled by the rules below.)
$IPTABLES -A INPUT -i $LAN_INTERFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_INTERFACE -j ACCEPT
$IPTABLES -A INPUT -i $PPPOE_ETH -j ACCEPT
$IPTABLES -A FORWARD -i $PPPOE_ETH -j ACCEPT

# ACCEPT ALL LOOPBACK PACKETS
# Match on the interface rather than on a 127.0.0.1 source address, so a
# packet arriving on the WAN with a forged loopback source cannot use this rule.
$IPTABLES -A INPUT -i $LO_INTERFACE -j ACCEPT

# Accept packets for established connections (replies to what this host started)
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept new connections to SSH, smtp, dns, www, pop3, SSL
# (uncomment to open these ports from the outside; DNS over UDP would need a
# separate -p udp --dport 53 rule, multiport here covers TCP only)
#$IPTABLES -A INPUT -p tcp -m multiport --dports 22,25,53,80,110,443 -m state --state NEW -j ACCEPT

# Accept all ICMP (ping, path MTU discovery, destination unreachable)
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Forward packets for established connections (replies to LAN-initiated traffic)
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Turn on routing and masquerade the LAN behind the PPP link. Restricting the
# rule to the WAN interface keeps traffic forwarded between local interfaces
# from being rewritten as well.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $WAN_INTERFACE -j MASQUERADE

# DEFAULT and LOGGING
# All remaining TCP and UDP datagrams are logged here and then fall through
# to the DROP policy set above. LOG is a non-terminating target, so nothing
# is accepted by these rules.

$IPTABLES -A FORWARD -p tcp -j LOG --log-level info --log-prefix 'TCP Forward:'
$IPTABLES -A FORWARD -p udp -j LOG --log-level info --log-prefix 'UDP Forward:'

$IPTABLES -A INPUT -p tcp -j LOG --log-level info --log-prefix 'TCP Input:'
$IPTABLES -A INPUT -p udp -j LOG --log-level info --log-prefix 'UDP Input:'

On Monday 04 February 2002 11:34 am, Mike Barsalou wrote:
> There is so much info here that it struck me that people who aren't
> familiar with the intricacies of TCP packets might get lost.
>
> I was looking for something like: Here is a simple firewall that will
> allow DNS, HTTP, etc. Then maybe another example about how to add say, ssh
> to the mix.
>
> I realize there are so many different machine setups that this could be
> outrageous, but it seems to me that most people either have a machine
> sitting on the net directly or are using it as a firewall for their home
> lan.
>
>
> The tutorial I read (which I liked) was here:
>
> http://www.linuxvoodoo.com/howto/iptables/iptables-tutorial.html
>
>
>
> I did run across this, which helped:
>
> Differences Between iptables and ipchains
>
> Firstly, the names of the built-in chains have changed from lower case to
> UPPER case, because the INPUT and OUTPUT chains now only get
> locally-destined and locally-generated packets. They used to see all
> incoming and all outgoing packets respectively.
>
> The `-i' flag now means the incoming interface, and only works in the INPUT
> and FORWARD chains. Rules in the FORWARD or OUTPUT chains that used `-i'
> should be changed to `-o'.
>
> TCP and UDP ports now need to be spelled out with the --source-port or
> --sport (or --destination-port/--dport) options, and must be placed after
> the `-p tcp' or `-p udp' options, as this loads the TCP or UDP extensions
> respectively (you may need to insert the ipt_tcp and ipt_udp modules
> manually).
>
> The TCP -y flag is now --syn, and must be after `-p tcp'.
>
> The DENY target is now DROP, finally.
>
> Zeroing single chains while listing them works.
>
> Zeroing built-in chains also clears policy counters.
>
> Listing chains gives you the counters as an atomic snapshot.
>
> REJECT and LOG are now extended targets, meaning they are separate kernel
> modules.
>
> Chain names can be up to 16 characters.
>
> MASQ and REDIRECT are no longer targets; iptables doesn't do packet
> mangling. There is a separate NAT subsystem for this: see the ipnatctl
> HOWTO.
>
> Probably heaps of other things I forgot.
>
> -----Original Message-----
> From: Larry Collier [mailto:larry@medease.com]
> Sent: Monday, February 04, 2002 12:29 PM
> To: Mike Barsalou; aklug@aklug.org
> Subject: RE: Iptables and NAT
>
>
> Mike,
>
> what tutorial did you read? I haven't found one that even leaves me
> "slightly confused".
>
> Larry
>
> > -----Original Message-----
> > From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org]On Behalf Of
> > Mike Barsalou
> > Sent: Monday, February 04, 2002 8:30 AM
> > To: 'aklug@aklug.org'
> > Subject: Iptables and NAT
> >
> >
> >
> > I'd like to start a discussion about iptables and NAT (SNAT, DNAT, etc.) I
> > just went through an IPTABLES tutorial and I am left slightly
> > confused.... Here is what I think so far:
> >
> > There are three "tables" that are used:
> >
> > NAT
> > MANGLE
> > FILTER
> >
> > From what I can tell the filter table behaves much the way you would expect
> > to use ipchains setup, only it goes specifically in the FILTER table.
> >
> > There are new default chains in each of these tables.
> >
> > It seems like IPTABLES has made firewalling a little more complicated.
> > Although now, all the forwarding to local hosts is included, you wouldn't
> > have to compile it separately.
> >
> > Anyone care to share their experience? Good places for scripts or
> > administration tools that make it easier for us folks who just want to
> > point and click?
> >
> > Mike
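Mike's original question asked about SNAT and DNAT, and Jim's script above only shows MASQUERADE. The following is an added example, not part of Jim's script or of any posting in this thread, that puts the three NAT targets side by side for the same PPPoE gateway: outbound masquerading restricted to the PPP link, the SNAT form you would use instead with a fixed WAN address, and a DNAT port forward for SSH together with the FORWARD rule the forwarded packet still needs. The LAN (eth1, 192.168.1.0/24), the internal SSH host 192.168.1.10 and the static WAN address 203.0.113.5 are assumed names for illustration. Rules are printed rather than applied unless APPLY=1 is set, so the generated commands can be reviewed first.

```shell
#!/bin/sh
# Added example (not Jim's script): NAT rules for a PPPoE gateway.
# Assumed for illustration: LAN on eth1 (192.168.1.0/24), WAN on any ppp
# interface, an internal SSH host 192.168.1.10 and a static WAN address
# 203.0.113.5 (a documentation range). Nothing is applied unless APPLY=1.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
APPLY="${APPLY:-0}"

LAN_IF="eth1"
LAN_NET="192.168.1.0/24"
WAN_IF="ppp+"            # '+' is the iptables interface wildcard: ppp0, ppp1, ...
SSH_HOST="192.168.1.10"
STATIC_WAN_IP="203.0.113.5"

# Print the iptables command line, or execute it when APPLY=1.
run() {
    if [ "$APPLY" = 1 ]; then
        "$IPTABLES" "$@"
    else
        printf '%s %s\n' "$IPTABLES" "$*"
    fi
}

# Outbound NAT for the LAN. MASQUERADE re-reads the interface address for
# every packet, which is what a PPP link with a changing address needs.
# Matching on -o and -s keeps traffic forwarded between local interfaces
# from being rewritten.
nat_outbound_masquerade() {
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# SNAT is the static equivalent: use it when the WAN address never changes,
# since it does not have to look the address up on every packet.
nat_outbound_snat() {
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$STATIC_WAN_IP"
}

# Inbound port forward. DNAT rewrites the destination in PREROUTING, but the
# rewritten packet is then filtered in FORWARD, so with a FORWARD policy of
# DROP (as in Jim's script) an explicit accept for the new destination is
# required as well; the ESTABLISHED,RELATED rule handles the replies.
nat_forward_ssh() {
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 22 -j DNAT --to-destination "$SSH_HOST:22"
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SSH_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT
}

# Emit the masquerade variant plus the SSH forward, in order.
nat_rules() {
    nat_outbound_masquerade
    nat_forward_ssh
}

nat_rules
```

Run it as-is to see the commands, then with `APPLY=1` as root to load them; the FORWARD rule must be inserted ahead of any catch-all LOG rules if it is merged into a script like Jim's, since those are appended last.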



This archive was generated by hypermail 2a23 : Mon Feb 04 2002 - 12:07:35 AKST