
Re: ip masq with 2.3.x kernels?



A long time ago, in a galaxy far, far away, someone said...

> Hello,
> 
>    I am looking for some documentation on how to compile kernels 2.3.x
> with ip masq support. The current HOWTO doesn't cover those kernels
> yet.

http://netfilter.kernelnotes.org/unreliable-guides/index.html

I also have these rules that I use on my firewall.  $IPT is the iptables
executable (/usr/local/bin/iptables).  $PUBIP is my public IP number;
$OUTSIDE_IFACE is the interface $PUBIP is assigned to (eth1).

This is the definition in /etc/networks:

localnet 192.168.0.0

Here are the rules.  Note the third stanza: this is how I got squid
working as a transparent proxy (along with some http_accel_* lines in
squid.conf).  The second and fourth stanzas redirect Microsoft's
accursed DirectPlay technology to work behind the firewall.

#!/bin/sh
# $IPT, $PUBIP and $OUTSIDE_IFACE as described above.  $PUBIP has no
# default here; it must be supplied in the environment.
IPT=/usr/local/bin/iptables
PUBIP=${PUBIP:?set PUBIP to the firewall's public address}
OUTSIDE_IFACE=eth1

# Open INPUT while the rules are rebuilt, flush the filter and nat
# tables, masquerade everything leaving by the public interface, and
# forward without restriction.  "localnet" is resolved through the
# /etc/networks entry shown above.
$IPT -P INPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t nat -A POSTROUTING -o $OUTSIDE_IFACE -j MASQUERADE
$IPT -P FORWARD ACCEPT
$IPT -A INPUT -s localnet/16 -j ACCEPT

# allowed incoming ports
# for some games (packets DNAT'd below traverse FORWARD rather than
# INPUT, so these rules only affect the firewall host itself)
$IPT -A INPUT -p tcp --dport 47624 -j ACCEPT
$IPT -A INPUT -p tcp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -p udp --dport 47624 -j ACCEPT
$IPT -A INPUT -p udp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -p tcp --dport 9110 -j ACCEPT
$IPT -A INPUT -p tcp --dport 9113 -j ACCEPT
# for incoming ssh
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
# for web going to giedi: connections to the public address on port 80
# are rewritten to the internal web server
$IPT -A INPUT -p tcp -d $PUBIP --dport www -j ACCEPT
$IPT -t nat -A PREROUTING -d $PUBIP -p tcp --dport www \
	-j DNAT --to-destination 192.168.0.2

# for the squid web cache: any port-80 traffic arriving on any
# interface that did not match the $PUBIP rule above is rewritten to
# the squid listener on 192.168.0.3:3128
$IPT -A INPUT -p tcp -d 127.0.0.1 --dport www -j ACCEPT
$IPT -A INPUT -p tcp -d 192.168.0.3 --dport www -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp --dport www \
	-j DNAT --to-destination 192.168.0.3:3128

# directplay stuff: publish the game ports on $PUBIP and hand them to
# the machine at 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 47624 \
	-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 2300:2400 \
	-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p udp -d $PUBIP --dport 47624 \
	-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p udp -d $PUBIP --dport 2300:2400 \
	-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 9110 \
	-j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 9113 \
	-j DNAT --to-destination 192.168.0.103

# Accept traffic from the host itself, switch INPUT to default DROP,
# let replies to existing connections (and connections related to
# them) through, then turn on IP forwarding.
$IPT -A INPUT -s localhost -j ACCEPT
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

This last stanza is particularly interesting: the new netfilter
firewalling code implements what's known as a stateful firewall.  What
effectively happens is all new incoming connections are dropped, but
established connections (as well as new connections related to another,
like for www to work) are allowed.

It all works like a charm; I'm using kernel 2.4.0-test2-ac2.

-- 
----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

"There are two things that are infinite; Human stupidity and the
universe. And I'm not sure about the universe." - Albert Einstein
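The posted script leaves FORWARD at ACCEPT, sets the INPUT policy only after the accept rules, and redirects port 80 to squid no matter which interface the packet arrived on, so anything that can reach the firewall's outside interface with a port-80 packet gets proxied. The script below is an added example, not Phil's ruleset or anything from the netfilter project: the same services (masquerading, ssh to the firewall, the web server on 192.168.0.2, the DirectPlay ports on 192.168.0.103, a transparent squid) expressed with default-deny policies, state matching first, interface-pinned NAT rules, and FORWARD rules that admit the published ports by their post-DNAT destination. It assumes an inside interface eth0, a /24 LAN, squid running on the firewall itself (so REDIRECT replaces the DNAT), and the placeholder public address 203.0.113.10; `gen_rules`, `forward_port`, `rule` and `count_rules` are names invented here. `gen_rules` prints the iptables commands rather than running them, so the policy can be reviewed (or tested) before it is piped to `sh` as root.

```shell
#!/bin/sh
# Hardened counterpart to the posted ruleset (added example, not the
# original poster's script).  Assumed, not from the post: the LAN side is
# eth0, the LAN is a /24, squid runs on the firewall, PUBIP is a TEST-NET
# placeholder.  Usage:  sh thisfile.sh | sudo sh   (after reading it).

PUBIP=${PUBIP:-203.0.113.10}          # assumed placeholder public address
OUTSIDE_IFACE=${OUTSIDE_IFACE:-eth1}  # from the post
INSIDE_IFACE=${INSIDE_IFACE:-eth0}    # assumed
LAN=${LAN:-192.168.0.0/24}            # assumed: one /24, not the post's /16
WEBSERVER=192.168.0.2                 # from the post ("giedi")
GAMEBOX=192.168.0.103                 # from the post
SQUID_PORT=3128                       # from the post
IPT=${IPT:-iptables}

# Print one iptables invocation as a command line.
rule() { printf '%s %s\n' "$IPT" "$*"; }

# forward_port PROTO PORT[:PORT] DEST
# Publish an inbound service: DNAT it on the outside interface only, and
# accept the NEW connection in FORWARD by its post-DNAT destination.
# (INPUT never sees DNAT'd traffic, so INPUT rules for these ports do nothing.)
forward_port() {
    proto=$1; port=$2; dest=$3
    rule -t nat -A PREROUTING -i "$OUTSIDE_IFACE" -d "$PUBIP" \
        -p "$proto" --dport "$port" -j DNAT --to-destination "$dest"
    rule -A FORWARD -i "$OUTSIDE_IFACE" -o "$INSIDE_IFACE" -d "$dest" \
        -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

gen_rules() {
    # Flush, then default-deny before any ACCEPT rule exists.
    rule -F
    rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # State first: one rule per chain handles every reply packet.
    rule -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT   -m conntrack --ctstate INVALID -j DROP
    rule -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Local traffic: loopback, and LAN sources only on the inside interface
    # (a bare -s match is spoofable from outside; -i pins it).
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -i "$INSIDE_IFACE" -s "$LAN" -j ACCEPT

    # Services the firewall itself offers to the outside.
    rule -A INPUT -i "$OUTSIDE_IFACE" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Outbound from the LAN, masqueraded on the way out.
    rule -A FORWARD -i "$INSIDE_IFACE" -o "$OUTSIDE_IFACE" -s "$LAN" -j ACCEPT
    rule -t nat -A POSTROUTING -o "$OUTSIDE_IFACE" -j MASQUERADE

    # Transparent proxy: only web traffic arriving from the LAN is handed to
    # the local squid.  Without -i, port-80 packets arriving from outside
    # would be proxied as well, i.e. an open proxy.
    rule -t nat -A PREROUTING -i "$INSIDE_IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # Published inbound services (web server and the DirectPlay box).
    forward_port tcp 80        "$WEBSERVER"
    forward_port tcp 47624     "$GAMEBOX"
    forward_port tcp 2300:2400 "$GAMEBOX"
    forward_port udp 47624     "$GAMEBOX"
    forward_port udp 2300:2400 "$GAMEBOX"
    forward_port tcp 9110      "$GAMEBOX"
    forward_port tcp 9113      "$GAMEBOX"

    printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
}

# count_rules PATTERN: number of generated command lines matching PATTERN,
# handy for auditing the policy before applying it.
count_rules() { gen_rules | grep -c -- "$1"; }
```

The ordering matters as much as the individual rules: the policies are set to DROP before any ACCEPT is added, the ESTABLISHED,RELATED matches sit at the top of INPUT and FORWARD so replies are handled by one rule, and each published port appears twice, once in nat PREROUTING to rewrite the destination and once in filter FORWARD to admit the rewritten packet, because the INPUT chain is never consulted for traffic the firewall forwards.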
