Re: Setting up masquerading (not sure where the problem is happening)
On Mon, Sep 09, 2002 at 08:51:29AM -0700, Bob Nielsen wrote:
>
> It is quite possible that you will need a crossover cable between the
> firewall and the ADSL modem. I do in my installation (Cisco 678
> modem).
>
If his ISP is anything like US-Worst, who sold me my Cisco, an
appropriate cable was almost certainly provided. The link lights on the
ADSL-connected ethernet card will confirm that. The Linux box/firewall
will be able to use the net independent of iptables/masq working at any
rate; that is step one.

As a side note, I have built 'firewalls' that did masquerading with a
single ethernet card and IP aliasing (eth0:1, etc.); it works fine with
ipfwadmin (kernel 2.0) or ipchains (kernel 2.2). I have never tried it
with iptables, but there is no reason why it would not.

I got a Toshiba laptop that came with two ethernet cards at a garage
sale for $50 - that is what my iptables runs on - rock solid, but it
took 4 hours plus to build a 2.4.18 kernel and modules on it; had I
known, I would have compiled on a different box. But I had a golf date
and just let it run; I was shocked that it was not finished when I got
home. At that, I had to run the compile on a 300MB PCMCIA drive that
came along with the $50 laptop - there is no room for the PCMCIA drive
in the machine when the two LAN cards are installed, but it was a good
hack, and Debian woody will run in less than 150MB on a 486/66 with 16MB
RAM - no X, just a firewall, a minimal Samba setup and DHCP services for
braindead windoze clients. Sound works, as does the _built_in_ SCSI
that Toshiba used to use (Adaptec 1520 chipset), out of the box on
Debian woody. It can also do wireless, but I don't use that any more since
I got a Netgear access point (which the laptop feeds DHCP to). Debian
rocks.
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/hda1 236268 148262 75807 67% /
/dev/hda2 47326 24224 20659 54% /home
davep@fw:~$ uname -a
Linux fw 2.4.18 #1 Sun May 26 10:23:53 MDT 2002 i486 unknown
davep@fw:~$ uptime
10:08:54 up 98 days, 13:39, 4 users, load average: 0.13, 0.05, 0.01
Here is the /root/iptables script that works fine for this box:
#!/bin/bash
####
# filter table:
# set the default policies -- ACCEPT everything not matched by a rule below
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
# flush out all the old chains and delete user chains
iptables -F
iptables -X
####
# INPUT chain -- what can come into the system
# allow loopback
iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
# allow replies to connections this box started (connection tracking)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
# take all input from the LAN (assumes addresses are correct)
iptables -A INPUT -i eth0 -j ACCEPT
# allow ping
iptables -A INPUT -p icmp -j ACCEPT
# note: with the INPUT policy at ACCEPT, anything arriving on eth1 (the DSL
# side) that is not matched above is still accepted by the host
####
# OUTPUT chain -- what is allowed to get out
# allow loopback
iptables -A OUTPUT -o lo -j ACCEPT
# stop all samba stuff going out the DSL line, but tell the host (me)
iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
####
# nat table -- how we translate (masq) stuff
# flush out all the old chains and delete user chains
iptables -t nat -F
iptables -t nat -X
####
# POSTROUTING chain
# masquerade stuff from the LAN to the WAN
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# enable forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
Hope this helps - Have a lot of fun!
aloha,
dave
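As an added example (not the poster's script), here is the same two-NIC masquerading setup rebuilt with default-DROP INPUT and FORWARD policies and an explicit FORWARD chain, emitted in iptables-restore format so the whole ruleset loads atomically. It assumes eth0 is the LAN, eth1 the ADSL side and 192.168.1.0/24 the LAN network (constructed values), and an iptables-restore that supports --test.

```bash
#!/bin/bash
# Added example, not the poster's script: the same two-NIC masquerade rebuilt
# with default-DROP policies, emitted as an iptables-restore ruleset.
# Assumed (constructed) values: eth0 = LAN, eth1 = ADSL/WAN, LAN = 192.168.1.0/24.
set -eu

# gen_rules LAN_IF WAN_IF LAN_NET: print a complete ruleset on stdout.
gen_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then replies (and RELATED, e.g. ICMP errors) to anything we started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# the LAN may reach the firewall itself (dhcp, samba); the WAN side may not
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
# ping from anywhere, rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# keep SMB/NetBIOS off the DSL line, from the host and from the LAN alike;
# these sit before the FORWARD ACCEPT because the first matching rule wins
-A OUTPUT -o $wan_if -p tcp -m multiport --dports 137,138,139,445 -j REJECT
-A FORWARD -o $wan_if -p tcp -m multiport --dports 137,138,139,445 -j REJECT
# forward only LAN -> WAN; the return path is opened by connection tracking
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade only LAN sources leaving on the WAN interface
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# apply_rules LAN_IF WAN_IF LAN_NET: syntax-check, then load atomically (as root).
apply_rules() {
    gen_rules "$@" | iptables-restore --test
    gen_rules "$@" | iptables-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

if [ "${1:-}" = apply ]; then apply_rules eth0 eth1 192.168.1.0/24; fi
```

Run it with no arguments to print the ruleset for review, or with `apply` to load it. With INPUT at DROP the firewall itself only answers the LAN and its own established connections, which the ACCEPT-policy script above does not guarantee.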