[ale] ipchains in 2.4.13
Stuffed Crust
pizza at shaftnet.org
Fri Jan 25 18:44:17 EST 2002
On Fri, Jan 25, 2002 at 06:19:38PM -0500, Chris Fowler wrote:
> I've made the change to iptables. Can someone be so kind and tell me how to
> convert this to iptables?
>
> /sbin/ipchains -N user_msq
> /sbin/ipchains -A user_msq -s 0/0 -d 0/0 -j MASQ
>
> #forward packets
> /sbin/ipchains -A forward -s 192.168.1.0/24 -d 0/0 -i eth1 -j user_msq
Here's what you need for iptables masquerading:
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth_external -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
And that's it. Of course, you may want to firewall off your router, but
that's another matter entirely:
# -A appends, so the catch-all REJECT/DROP must come after the ACCEPTs;
# appended first it would match everything and the later rules would never be reached.
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth_internal -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth_internal -j ACCEPT
iptables -A FORWARD -j DROP
This rejects all incoming connections except for ssh. You'll also need
to poke in a hole for your external name server, or more holes if you
want to run a nameserver locally.
And then onto the packet forwarding. It allows all established
connections to be forwarded, and anything coming from your internal
network. It rejects everything else.
- Pizza
--
Solomon Peachy pizzaATfucktheusers.org
I ain't broke, but I'm badly bent. ICQ# 1318344
Patience comes to those who wait.
...It's not "Beanbag Love", it's a "Transanimate Relationship"...
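The same router setup as one script, added here as an example and not part of the original post or Pizza's rules. It writes the ruleset in iptables-restore format so the whole table loads atomically, and it uses DROP as the default policy on INPUT and FORWARD so the terminal rule can never be shadowed by the order in which -A lines are appended. The state match is not restricted to TCP, so the router's own DNS queries get their UDP replies back as ESTABLISHED without a separate hole. Interface names and the LAN range are parameters; eth0, eth1 and 192.168.1.0/24 appear only as sample values in the usage line, and --syn is the tcp match shorthand for the SYN,RST,ACK flag test used above. Forwarding is enabled only after the rules are loaded, so there is no window in which the box forwards unfiltered.

```shell
#!/bin/sh
# Added example, not from the original post: generate (and optionally apply)
# an iptables-restore ruleset for a masquerading router.
#
# Usage: sh nat-fw.sh EXT_IF INT_IF LAN_CIDR               (print ruleset for review)
#        sh nat-fw.sh eth0 eth1 192.168.1.0/24 | iptables-restore   (apply, as root)
set -eu

# gen_ruleset EXT_IF INT_IF LAN_CIDR: print an iptables-restore file on stdout.
gen_ruleset() {
    ext="$1"; int="$2"; lan="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only traffic that came from the LAN and leaves via the external interface.
-A POSTROUTING -s $lan -o $ext -j MASQUERADE
COMMIT
*filter
# Default policies act as the terminal rule, so rule order cannot shadow them.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# All protocols, not just TCP: covers UDP DNS replies to the router's own queries.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $int -j ACCEPT
# Only new ssh connections are accepted from outside (--syn = SYN set, RST/ACK/FIN clear).
-A INPUT -i $ext -p tcp --dport 22 --syn -j ACCEPT
# Explicit reject for the external side (host-unreachable, as in the post); policy DROP catches the rest.
-A INPUT -i $ext -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward only traffic that really originates on the LAN, not anything merely arriving on that interface.
-A FORWARD -i $int -s $lan -o $ext -j ACCEPT
COMMIT
EOF
}

# last_input_target: read a ruleset on stdin, print the jump target of the last
# INPUT rule. A quick check that the terminal REJECT is in fact last.
last_input_target() {
    awk '/^-A INPUT / { for (i = 1; i <= NF; i++) if ($i == "-j") t = $(i+1) } END { print t }'
}

# apply_ruleset EXT_IF INT_IF LAN_CIDR: load the rules atomically, then enable
# forwarding, in that order. Requires root; not run unless called explicitly.
apply_ruleset() {
    gen_ruleset "$1" "$2" "$3" | iptables-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# With three arguments, print the ruleset so it can be reviewed or piped to iptables-restore.
if [ "$#" -eq 3 ]; then
    gen_ruleset "$1" "$2" "$3"
fi
```

Save the output with `iptables-save` once it is loaded and review the diff against the generated file; anything present on the box but not in the script is a rule nobody accounted for.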