Re: iptables

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Thu Mar 10 2005 - 20:43:31 AKST

On Thu, 10 Mar 2005, damien hull wrote:

> # Generated by iptables-save v1.2.11 on Thu Mar 10 13:08:05 2005
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed on Thu Mar 10 13:08:05 2005
> # Generated by iptables-save v1.2.11 on Thu Mar 10 13:08:05 2005
> *filter
> :FORWARD ACCEPT [0:0]

First off, you should set FORWARD's default policy to DROP, and only forward
traffic that's explicitly allowed. Next, you should add the rules to allow
forwarding. Based on below I assume eth1 is your Internet connection
(assuming you're not on a pppoe DSL connection, in which case the interface
should be ppp+). So:

  -A FORWARD -i eth1 -o ! eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -i ! eth1 -o eth1 -j ACCEPT

> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> # accept traffic from all interface but not eth1
> -A INPUT ! -i eth1 -j ACCEPT
> # setup stateful connections on eth1
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You might want to add a '-i eth1' to this line for clarity.

> COMMIT
> # Completed on Thu Mar 10 13:08:05 2005
> # Generated by iptables-save v1.2.11 on Thu Mar 10 13:08:05 2005
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth1 -j MASQUERADE
> COMMIT

Now, keep in mind that the kernel won't really forward unless you modify an
entry in the /proc tree. Put:

  net.ipv4.ip_forward = 1

in /etc/sysctl.conf and put 'sysctl -p' in your rc.local. Outside of that,
this looks to be a working configuration for basic NAT. I'd post my own
config, but I've got all kinds of crap in it that would just confuse the
issue.

        --Arthur Corliss
          Bolverk's Lair -- http://arthur.corlissfamily.org/
          Digital Mages -- http://www.digitalmages.com/
          "Live Free or Die, the Only Way to Live" -- NH State Motto
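As an added example (not part of the thread), a POSIX sh audit that reads an iptables-save dump and flags the points Arthur raises: a FORWARD policy left at ACCEPT on a masquerading box, missing explicit FORWARD rules, and an INPUT state rule not bound to an interface. The WAN interface name eth1 and the two embedded dumps are constructed assumptions.

```shell
# Added example (not from the thread): audit an iptables-save dump; eth1 as WAN is assumed.
# audit_ruleset DUMP WAN_IF: print one finding per line, nothing if clean.
audit_ruleset() {
  dump=$1; wan=$2
  # iptables-save starts each table with "*name" and ends it with COMMIT.
  filter=$(printf '%s\n' "$dump" | awk '/^[*]filter/{f=1;next} /^COMMIT/{f=0} f')
  nat=$(printf '%s\n' "$dump" | awk '/^[*]nat/{f=1;next} /^COMMIT/{f=0} f')
  # Forwarding checks only matter on a box that masquerades for a LAN.
  if printf '%s\n' "$nat" | grep -q -- "-o $wan -j MASQUERADE"; then
    # 1. Default policy: forward only what is explicitly allowed.
    printf '%s\n' "$filter" | grep -q '^:FORWARD ACCEPT' &&
      echo "FORWARD policy is ACCEPT while masquerading on $wan; set it to DROP"
    # 2. A rule letting LAN-originated traffic out (a real -o, not "! -o").
    printf '%s\n' "$filter" | grep -- "^-A FORWARD .*-o $wan" |
      grep -v -- "! -o $wan" | grep -q . ||
      echo "no FORWARD rule allowing traffic out of $wan"
    # 3. A stateful rule letting replies back in from the WAN side.
    printf '%s\n' "$filter" | grep -q -- "^-A FORWARD -i $wan .*--state .*ESTABLISHED" ||
      echo "no stateful FORWARD rule for replies arriving on $wan"
  fi
  # 4. Clarity point from the reply: bind the INPUT state rule to an interface.
  printf '%s\n' "$filter" | grep -- '^-A INPUT .*--state' | grep -v -- ' -i ' |
    grep -q . && echo "INPUT state rule is not bound to an interface; add -i $wan"
  return 0
}
# count_findings DUMP WAN_IF: number of findings (always exits 0).
count_findings() { audit_ruleset "$1" "$2" | awk 'END { print NR }'; }
# Constructed dumps: the ruleset as posted, and the same ruleset with the fixes.
POSTED=$(cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
EOF
)
FIXED=$(cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 ! -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i eth1 -o eth1 -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
EOF
)
audit_ruleset "$POSTED" eth1   # prints the four findings for the posted rules
```

On a live box, feed it `iptables-save` output: `audit_ruleset "$(iptables-save)" eth1`.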
Received on Thu Mar 10 20:43:29 2005