
Re: iptables and kernel 2.4 etc

	Subject: iptables and kernel 2.4 etc
	Date: Sat, May 19, 2001 at 05:15:17PM +0930

In reply to: David Purton

Quoting David Purton (dcpurton@chariot.net.au):
> 
> Hi,
> 
> 
> I just upgraded to kernel 2.4.4 and I'm now trying to return my computer
> to some state of normality.
> 
> after finding I missed a crucial option for ppp and a second recompile
> :) I'm now up to getting ipmasqing to work.
> 
> 
> I wasn't really sure what options to go for in the kernel - so I checked
> everything as modules.  And ended up with the following:
> 
> ip_conntrack.o      ipt_MASQUERADE.o  ipt_mac.o        ipt_unclean.o
> ip_conntrack_ftp.o  ipt_MIRROR.o      ipt_mark.o       iptable_filter.o
> ip_nat_ftp.o        ipt_REDIRECT.o    ipt_multiport.o  iptable_mangle.o
> ip_queue.o          ipt_REJECT.o      ipt_owner.o      iptable_nat.o
> ip_tables.o         ipt_TCPMSS.o      ipt_state.o
> ipt_LOG.o           ipt_TOS.o         ipt_tcpmss.o

I have them all set as modules.
Don't forget to check off these as well
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y


> 
> 
> of course I don't have a huge idea what most of these are, but I've
> managed to sort of get things working by a modprobe -a \*, then running
> ipmasq (problems with which I'll deal with in a sec). and things sort of
> go.

> 
> So what I want to know is which of the above modules do I need for a
> masqed network and simple firewalling as a minimum?
Set as modules, it doesn't matter.  You will only load up the ones you require.
As you get into iptables a bit more you are sure to add new rules, and you
won't have to go back and recompile the kernel to add them.
> 
> And where do I tell the kernel which I want loaded at boot time in the
> usual way - and everything will be happy?
> 
In the firewall script.  ie

/sbin/depmod -a
/sbin/modprobe ip_conntrack
/sbin/insmod ipt_REJECT
/sbin/insmod iptable_nat

> Also - when I run ipmasq, it cunningly inserts all sorts of rules into the
> filter table with the net result being that I can't access the net at
> all.  (at least - packets get out - but are denied on the way in again).
> This is not helpful as a default (which it is, since I reinstalled the
> ipmasq package after purging it in the hope that my probs would go away)

IP MASQ is done with one rule in iptables

iptables -t nat -A POSTROUTING -o ppp0 -s $INTERNAL_NET -j MASQUERADE

I don't run ipmasq as that is, IIRC, an ipchains method.  iptables is a
big step forward from ipchains.

Take a look at http://netfilter.samba.org.  There are a bunch of HOWTOs
available along with links to sample firewall scripts.

HTH

-- 
Air conditioned environment - Do NOT open Windows!
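As an added example (not from the mail above or from the netfilter project): a minimal 2.4-era masquerading firewall script that wraps the single MASQUERADE rule from the reply, loads only the modules its rules use, and adds the stateful filter rules that let replies back in. EXT_IF, INT_IF and INTERNAL_NET are assumed values; RUN=echo makes it a dry run.

```shell
#!/bin/sh
# Added example, not from the original mail: a minimal 2.4-era masquerading
# firewall script built around the single MASQUERADE rule in the reply.
# ip_conntrack/ipt_state are loaded so replies to outbound connections come
# back in. EXT_IF, INT_IF and INTERNAL_NET are assumed, not from the thread.
EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
# Set RUN=echo to print the commands instead of executing them (dry run).
RUN="${RUN:-}"

# Only the modules the rules below use; the other ipt_* modules stay on disk.
masq_modules() {
    echo "ip_tables iptable_filter iptable_nat ip_conntrack ip_conntrack_ftp ip_nat_ftp ipt_state ipt_MASQUERADE ipt_LOG"
}

load_modules() {
    eval "$RUN /sbin/depmod -a"
    for m in $(masq_modules); do eval "$RUN /sbin/modprobe $m"; done
}

# The one NAT rule that does masquerading, returned as text so it can be checked.
masq_rule() {
    echo "iptables -t nat -A POSTROUTING -o $1 -s $2 -j MASQUERADE"
}

# Filter rules: default-deny, stateful on the external interface.
# $1 = external interface, $2 = internal net, $3 = internal interface
filter_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $3 -s $2 -j ACCEPT
iptables -A INPUT -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $1 -m state --state NEW -j LOG --log-prefix fw-drop:
iptables -A FORWARD -i $3 -s $2 -o $1 -j ACCEPT
iptables -A FORWARD -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

apply_rules() {
    filter_rules "$EXT_IF" "$INTERNAL_NET" "$INT_IF" | while read -r line; do eval "$RUN $line"; done
    eval "$RUN $(masq_rule "$EXT_IF" "$INTERNAL_NET")"
    eval "$RUN sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'"
}

# Run as "sh firewall.sh apply" to actually load modules and install rules.
[ "${1:-}" = "apply" ] && { load_modules; apply_rules; }
```

Logged drops show up in the kernel log with the fw-drop: prefix, which is the quickest way to see which inbound packets the policy is refusing.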