
Re: Debian router with iptables problem



On 18 Sep 2004, ISPM wrote:
> Hello all. I've been struggling to put together an alpha 164sx as a
> router for my lab using Debian Hardened.

Assuming that there are no significant changes to the standard operation
of Debian and Linux networking in your system/distribution, this advice
should hold.

I don't know much about the 'Debian Hardened', though, and you may get
better results asking on their mailing lists for support.

[...]

> The alpha should work like a firewall and a router. I've been trying
> to assemble by myself using iptables. The alpha cannot have X, so
> programs like firebuilder or firestarter can't be used.

If you are talking about using tools like firebuilder or firestarter
then I get the idea that you don't feel like you are very experienced at
building firewalls yourself.

You may find that using a package like 'shorewall' or 'firehol' is a
good idea.  Neither of those requires you to use a GUI tool to configure
things, but they do provide quite a helping hand in getting a firewall
working.

Personally, I use 'firehol', and I am very satisfied with it.

> The Debian is a sarge installation with the 2.4.26-1-generic kernel
> from the netinstaller, with most packages downgraded to stable and
> hardened using harden.

OK.  To the best of my knowledge there is no package of firehol
available for Debian/stable, but since it is only a Bash shell script it
is trivial to integrate.

Either grab the script from <http://firehol.sf.net/>, or do a trivial
"build" of the source package on your Debian/stable system.

> There are plenty of scripts on the internet, but none elucidated two
> things: how to use NAT to route internal traffic to the external world and
> vice versa, so the internal network can use the net and some services
> (ssh), and how to make the route to the gateway work (this is the
> hardest part for me).

OK. The NAT is trivial as part of the firewall, at least with either of
those scripts.  Others seem to have pointed you in the direction of raw
iptables support for the same.

The routing is not done with iptables, though, or any firewall tool.

The easiest way is to specify a 'gateway' for the interface that faces
the external gateway.  :)

Once you do that, Debian will install a "default route" via that gateway
-- basically, a rule that says "for anything I don't know how to send
packets to, send them via that machine."

Since your internal network will have a specific route (when the
interface is up) packets for it will go the right way.

Everything else will go to the gateway machine.

Don't forget to allow packets through on the 'FORWARD' chain, though.

      Daniel
-- 
And now it is an angel's song, That makes the heavens be mute.
        -- Coleridge
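The three pieces Daniel's reply puts together (a 'gateway' line on the external interface for the default route, NAT for the internal network, and explicitly opening the FORWARD chain) written out as a script that only prints the rules for review. This is an added example, not code from the thread; the interface names, addresses and network are assumed placeholders.

```shell
#!/bin/sh
# Added example: print (do not apply) the Debian interfaces stanza and the
# iptables rules for a two-interface router/firewall. Run the output as root
# only after reviewing it. All names/addresses below are assumed placeholders.

# gen_interfaces EXTERNAL_IF ADDRESS NETMASK GATEWAY
#   The 'gateway' line is what makes ifup install the default route.
gen_interfaces() {
    cat <<EOF
auto $1
iface $1 inet static
    address $2
    netmask $3
    gateway $4
EOF
}

# gen_fw_rules INTERNAL_IF EXTERNAL_IF INTERNAL_NET
#   Default-deny FORWARD, stateful forwarding from the LAN outward,
#   anti-spoofing on the external side, and source NAT (MASQUERADE).
gen_fw_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    cat <<EOF
# Routing between interfaces is off by default; turn it on
sysctl -w net.ipv4.ip_forward=1
# FORWARD is the chain a router must open explicitly; start from deny
iptables -P FORWARD DROP
iptables -F FORWARD
# Replies to connections the LAN already opened
iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections (web, ssh, ...) only from the internal network outward
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT
# Drop packets arriving on the external side that claim an internal source
iptables -A FORWARD -i $wan_if -s $lan_net -j DROP
# NAT: rewrite LAN sources to the router's external address
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
EOF
}

# Constructed sample values: eth0 faces the upstream gateway, eth1 the lab LAN
gen_interfaces eth0 192.0.2.10 255.255.255.0 192.0.2.1
gen_fw_rules eth1 eth0 192.168.1.0/24
```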


