Page last updated:
2002 Oct 05 09:52

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] iptables
Here's the quick and dirty script I use:

#!/bin/sh
# Netfilter script to initiate nat
# Load the NAT table module.
modprobe iptable_nat
# Start from an empty POSTROUTING chain so re-running the script does not stack duplicate rules.
iptables -t nat -F POSTROUTING
# Masquerade everything from the internal 10.0.0.0/16 network that leaves via eth0 (the external interface).
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE
# Turn on IPv4 forwarding; without this the box will not route packets between its interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward

This script is from debian on a 2.4.19 kernel.  I just installed it either
last week, or the week before.

For the port allows, I wish I had kept my old script, because it firewalled
everything except HTTP, SSH, and whatever port NWN uses (can't remember off the
top of my head).  You know there is an IPCHAINS compatibility module:
CONFIG_IP_NF_COMPAT_IPCHAINS=m

Just set it in make menuconfig, or make xconfig, and do a modules
compile/install.  Now that's only if you make your own kernel; however, it
very well could be in whatever default redhat has.

Once I retighten down my config, I'll post the relevant iptables script.

Mike
----- Original Message -----
From: "Joel Baumert" <kender@geeksource.net>
To: <vox-tech@lists.lugod.org>
Sent: Friday, October 04, 2002 9:07 AM
Subject: [vox-tech] iptables


> Are there any iptables experts out there??? I have been
> using ipchains in the past and it does not look like an
> easy option with RH8.0.  I was hoping there was a tool
> for this configuration, but I couldn't find it...
>
> I tried a couple of examples on the web, but I couldn't
> get anything working.  It could be that I was missing
> something simple in the sample configurations because
> it was 3 in the morning :-).  I don't think that my
> setup is too complicated, and I would appreciate some
> help getting this up and running.
>
> I have eth0 on the Internet side with an external IP
> address and eth1 on my internal net.  I want to NAT
> the internal network and accept connections for SMTP,
> SSH, and HTTP on the outside.  On the inside I want
> to accept SMTP, SSH, HTTP, samba, and telnet.  I need
> to have FTP on the outside, but only to a specific
> range of addresses.  I would prefer to handle that in
> tables, but I don't mind doing that with tcp wrappers.
>
> I think that the only UDP packets that I need to have
> to NAT are DNS queries/responses.
>
> On the external ports that are not configured, I would
> like to just drop or in some cases log access to ports
> out of those ranges.
>
> It would also be nice to reject and log connections
> from localhost or from the trusted side coming from
> or going to common irc ports.
>
> I would hack at it until I got it working, but I am
> hosting a website for someone and long periods of
> downtime are not really an option on this box.
>
> If worst comes to worst, I'll set up an HTTP proxy,
> so my wife and I can browse the network while I figure
> out iptables.
>
> Joel
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>
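The ruleset Joel describes, written out as an added example (this is not code from either post). It takes the interfaces from his message (eth0 outside, eth1 inside) and the internal network 10.0.0.0/16 from Mike's script; the FTP source range 192.0.2.0/24, the IRC ports 6660-6669 and 7000, and the Samba ports are assumptions made for the example. It adds what Mike's script leaves out: a DROP default policy, the accept rules for each service, and conntrack state matching so replies and FTP data connections get through. Two practical points: the IRC log-and-reject rules sit before the accept rules because netfilter stops at the first match, and the script should be applied from the console rather than over SSH, since the INPUT policy becomes DROP a few lines before the SSH accept rule is added.

```shell
#!/bin/sh
# Added example: one way to write the ruleset Joel describes, on a 2.4-era
# netfilter box. Not code from the original post. Set IPT=echo to print the
# rules instead of applying them (e.g. "sh fw.sh show").
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"                    # Internet side, per Joel's description
INT_IF="${INT_IF:-eth1}"                    # internal side
INT_NET="${INT_NET:-10.0.0.0/16}"           # internal net, taken from Mike's script
FTP_ALLOWED="${FTP_ALLOWED:-192.0.2.0/24}"  # ASSUMED placeholder; replace with the real range
IRC_PORTS="6660:6669 7000"                  # ASSUMED "common irc ports"

enable_forwarding() {
  modprobe iptable_nat
  modprobe ip_conntrack_ftp   # tracks FTP data connections so RELATED matches them
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

apply_rules() {
  # Start clean; default policy is DROP, so anything not listed below is dropped.
  $IPT -F
  $IPT -X
  $IPT -t nat -F
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  # Loopback, plus replies to connections we already know about.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # IRC from localhost or from the trusted side: log, then reject.
  # These come before the accept rules so they take precedence.
  for p in $IRC_PORTS; do
    $IPT -A OUTPUT -o "$EXT_IF" -p tcp --dport "$p" -j LOG --log-prefix "IRC-LOCAL: "
    $IPT -A OUTPUT -o "$EXT_IF" -p tcp --dport "$p" -j REJECT
    $IPT -A FORWARD -i "$INT_IF" -p tcp --dport "$p" -j LOG --log-prefix "IRC-LAN: "
    $IPT -A FORWARD -i "$INT_IF" -p tcp --dport "$p" -j REJECT
  done

  # Services offered to the outside: SMTP, SSH, HTTP.
  for port in 25 22 80; do
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  # FTP from the outside, only from the allowed range.
  $IPT -A INPUT -i "$EXT_IF" -p tcp -s "$FTP_ALLOWED" --dport 21 -m state --state NEW -j ACCEPT

  # Services offered to the inside: SMTP, SSH, HTTP, telnet, Samba (tcp 139/445, udp 137/138).
  for port in 25 22 80 23 139 445; do
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport "$port" -j ACCEPT
  done
  for port in 137 138; do
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p udp --dport "$port" -j ACCEPT
  done

  # NAT for the internal net: forward outbound TCP, and UDP only for DNS,
  # then masquerade it behind the external address.
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p tcp -j ACCEPT
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p udp --dport 53 -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE

  # Anything else arriving from the outside: log a sample, then fall through to DROP.
  $IPT -A INPUT -i "$EXT_IF" -m limit --limit 5/minute -j LOG --log-prefix "DROP-IN: "
}

case "${1:-}" in
  apply) enable_forwarding && apply_rules ;;
  show)  IPT=echo; apply_rules ;;
esac
```

Run "sh fw.sh show" first to read the generated rules, then "sh fw.sh apply" as root from the console. Telnet and Samba are accepted only from the internal interface and source net, so they never reach the outside even if a service is listening; the outside sees only 22, 25, 80 and, for the allowed range, 21.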
