Re: IPTABLES and DHCP
Don't use the IP address. In iptables you can specify the interface and
ignore the IP. Check the sample:
[happy@gw happy]$ cat /etc/rc.d/rc.firewall
#!/bin/sh
# Mandrake-Security : if you remove this comment, remove the next line too.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Start from empty chains in the filter and nat tables.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
# eth0 = LAN side, eth1 = cable modem (dynamic address), ppp0 = dial-up.
LAN="192.168.0.0/24"
# INPUT is left at its default ACCEPT policy; the rules that would lock
# down the gateway host itself are commented out here.
#iptables -P INPUT DROP
#iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
#iptables -A INPUT -i eth0 -j ACCEPT
iptables -P FORWARD DROP
# Forwarding is keyed on interface and on the private LAN range only;
# the external address never appears. Negation is written "! -d";
# the older "-d !" spelling is deprecated in current iptables.
iptables -A FORWARD -i eth0 -s $LAN ! -d $LAN -j ACCEPT
iptables -A FORWARD -i eth1 ! -s $LAN -d $LAN -j ACCEPT
iptables -A FORWARD -i ppp0 ! -s $LAN -d $LAN -j ACCEPT
iptables -A FORWARD -i ppp0 -s $LAN ! -d $LAN -j ACCEPT
# MASQUERADE reads the source address from the outgoing interface at
# packet time, so no fixed IP is needed and nothing has to be re-run
# when the DHCP lease changes.
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# StarCraft (Battle.net port 6112 forwarded to one LAN host)
iptables -t nat -A PREROUTING -p tcp --dport 6112 -i eth1 -j DNAT --to 192.168.0.187
iptables -t nat -A PREROUTING -p udp --dport 6112 -i eth1 -j DNAT --to 192.168.0.187
# X window forwarding. This publishes the X server on 192.168.0.1 to
# everything reachable via eth1; X11 listens on TCP, so the UDP rule
# forwards nothing useful.
iptables -t nat -A PREROUTING -p tcp --dport 6000 -i eth1 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -p udp --dport 6000 -i eth1 -j DNAT --to 192.168.0.1
# Speed up those connections! (TOS on replies from interactive services)
iptables -A PREROUTING -t mangle -p tcp --sport telnet -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
# Transparent SQUID: LAN web traffic bound for the outside goes to the proxy.
iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d $LAN --dport 80 -j REDIRECT --to-port 3128
# Fix up that connection tracking (the FTP NAT helper pulls in the
# conntrack modules it depends on; on current kernels the modules are
# named nf_nat_ftp and nf_conntrack_ftp).
modprobe ip_nat_ftp
#modprobe ip_conntrack_ftp
#modprobe ip_conntrack
[happy@gw happy]$
Some other configs are in this file, but I think you'll get the point;
it's documented pretty well :).
BK
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 12/7/01, 4:43:08 AM, Sean Quinlan <smq@gmx.co.uk> wrote regarding Re: IPTABLES and DHCP:
> --- Randolph S. Kahle <RandyKahle@KahleAssociates.com> (2001-12-07 04:45):
> > I am configuring a firewall that will run dhcpcd on eth0 (it is
> > connected to a cable modem).
> >
> > I have a firewall rule set (for IPTABLES) that is working on another
> > machine with a fixed IP for eth0
> >
> > In the rule set I have statements such as
> >
> > IF_INTERNET="eth0"
> > IP_INTERNET="24.27.45.111"
> >
> >
> > I use the $IP_INTERNET value in
> >
> > $IPTABLES -t nat -A POSTROUTING -o $IF_INTERNET -j SNAT --to-source
> > $IP_INTERNET
> >
> > to give me my NAT translation.
> >
> > My question is this --> How do I synchronize the IP address for eth0
> > that dhcpcd secures with the rule in iptables?
> >
> > It seems to me that I need to run some script or take some action each
> > time dhcpcd secures a new IP address.
> I'd suggest using -j MASQUERADE instead of SNAT in this instance. The
> MASQUERADE target is generally used for dynamic ip address connections
> (such as yours), whereas SNAT is for static ip addresses. I too have a
> cable modem which gets its address via dhcp and I've been using
> MASQUERADE for many months now with no problems.
> The line from my iptables script is this:
> ${iptables} -t nat -A POSTROUTING -o ${inet_iface} -j MASQUERADE
> Cheers,
> Sean
> --
> Sean Quinlan (smq@gmx.co.uk)
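For the case Randolph describes, where a fixed-address SNAT rule really is wanted rather than MASQUERADE, the lease change has to be pushed into the nat table by the DHCP client. The hook below is an added example, not code from any poster in this thread. It assumes the ISC dhclient exit-hook convention (the script is dropped into /etc/dhcp/dhclient-exit-hooks.d/ and sees $reason, $interface and $new_ip_address in its environment; dhcpcd uses different hook paths, so check your client's manual), that the main firewall script has already created a dedicated nat chain named dhcp-snat and added one jump to it from POSTROUTING on eth0, and the helper names valid_ipv4, set_snat, clear_snat and handle_lease are its own.

```sh
#!/bin/sh
# Added example, not from the thread: keep an explicit SNAT rule in step
# with a DHCP lease for the case where MASQUERADE is not wanted.
# Assumed environment: ISC dhclient runs this from
# /etc/dhcp/dhclient-exit-hooks.d/ with $reason, $interface and
# $new_ip_address exported (assumption; check your client's manual), and
# the main firewall script has already run
#   iptables -t nat -N dhcp-snat
#   iptables -t nat -A POSTROUTING -o eth0 -j dhcp-snat
# so this hook only ever touches its own chain.

IPTABLES="${IPTABLES:-iptables}"   # point at a shell function to dry-run
IF_INTERNET="${IF_INTERNET:-eth0}"
CHAIN="dhcp-snat"

# Accept only a dotted-quad IPv4 address. The value comes from the DHCP
# server, so it must not reach the iptables command line unchecked.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    rest="$1."; n=0
    while [ -n "$rest" ]; do
        o="${rest%%.*}"; rest="${rest#*.}"
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Insert the new rule first, then drop the previous one (now rule 2), so
# there is never a moment with no SNAT rule in the chain.
set_snat() {
    valid_ipv4 "$1" || { echo "dhcp-snat: refusing address '$1'" >&2; return 1; }
    $IPTABLES -t nat -I "$CHAIN" 1 -j SNAT --to-source "$1" || return 1
    $IPTABLES -t nat -D "$CHAIN" 2 2>/dev/null || true
}

clear_snat() {
    $IPTABLES -t nat -F "$CHAIN"
}

# handle_lease REASON IFACE NEW_IP: prints the action taken, returns
# non-zero if the address was rejected. Events on other interfaces and
# unknown reasons are ignored.
handle_lease() {
    [ "$2" = "$IF_INTERNET" ] || { echo ignore; return 0; }
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) set_snat "$3" && echo "snat $3" ;;
        EXPIRE|FAIL|RELEASE|STOP)  clear_snat && echo clear ;;
        *)                         echo ignore ;;
    esac
}

# When invoked by the DHCP client the variables are already in the environment.
if [ -n "$reason" ]; then
    handle_lease "$reason" "$interface" "$new_ip_address"
fi
```

Two caveats apply to the SNAT route that Sean's MASQUERADE one-liner avoids. Flows that were translated to the old address keep their conntrack entries after the lease changes, whereas MASQUERADE forgets them when the interface goes down; if that matters, flush the table with the conntrack tool (conntrack -F), at the cost of every tracked flow. And the hook runs with root privileges on input supplied by the network, which is why the address is validated before it is handed to iptables.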