On Fri, Apr 26, 2002 at 10:41:41PM -0400, Richard Beri wrote:
| I would like to set up simple IP Masquerading on my machine for another
| machine on my network to connect to the internet via cable modem. In the
| past I used a nifty firewall/masquerade setup utility called PM Firewall, but
| it only works on 2.2 kernels. Is there any simple setup program for
| firewall/masquerade for the kernel 2.4.17?

iptables

Here are selected portions of one of my iptables scripts. This code
resides in /etc/FIREWALL/FIREWALL. (Just an sh script; there are others in
the directory too.) Then I created a symlink
/etc/rcS.d/S38FIREWALL -> /etc/FIREWALL/FIREWALL to have the firewall
brought up at boot time. This script does a bit more than simply MASQing
the connection. (Oh, yeah, eth0 is internal, eth1 is external.)

~~~~~~~~~~~
#!/bin/sh

####
# default table :

# setup the default policies -- DROP everything
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# flush out all the old chains and delete user chains
iptables -F
iptables -X

####
# INPUT chain -- what can come into the system

# allow loopback
iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT

# allow replies
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT

# take all input from the LAN (assumes addresses are correct)
iptables -A INPUT -i eth0 -j ACCEPT

# allow ping
iptables -A INPUT -p icmp -j ACCEPT

####
# OUTPUT chain -- what is allowed to get out

# allow loopback
iptables -A OUTPUT -o lo -j ACCEPT

# stop all samba stuff going out the DSL line, but tell the host (me)
iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT

iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

####
# FORWARD chain -- what may pass between the LAN and the WAN
# (the FORWARD policy above is DROP, so without these two rules no LAN
# packet is ever forwarded and the MASQUERADE rule below never fires)

# let the LAN out, and let only replies to its connections back in
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

####
# nat table -- how we translate (masq) stuff

# flush out all the old chains
iptables -t nat -F

####
# POSTROUTING chain

# masquerade stuff from the LAN to the WAN
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# enable forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
~~~~~~~~~~

HTH,
-D

-- 
"He is no fool who gives up what he cannot keep to gain what he cannot lose."
    --Jim Elliot
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
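A complete, stand-alone version of the same kind of setup, added here as an example and not taken from dman's script. It keeps his eth0 (LAN) / eth1 (cable modem) layout and default-DROP policies, assumes a constructed LAN range of 192.168.1.0/24, and adds the parts a masquerading box needs to actually pass and police traffic: FORWARD rules, the UDP half of the NetBIOS block, a crude anti-spoofing rule, and rp_filter. The IPTABLES variable gives it a dry-run mode (IPTABLES=echo) so the rule list can be read before it is loaded as root.

```shell
#!/bin/sh
# Added example (not from the original message). Assumptions: LAN on eth0
# using 192.168.1.0/24 (constructed), cable modem on eth1, 2.4 kernel with
# iptables and the state match. Run "./fw.sh apply" as root to load it, or
# "./fw.sh dry-run" to print the rules instead.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24
IPTABLES="${IPTABLES:-iptables}"

# every rule goes through $IPTABLES, so setting IPTABLES=echo prints the
# rule list instead of loading it
ipt() { "$IPTABLES" "$@"; }

apply_rules() {
    # default-deny on every chain, then flush whatever was loaded before
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -F
    ipt -X
    ipt -t nat -F

    # INPUT: loopback, replies to the box's own connections, and the LAN
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # packets on the WAN side claiming a LAN source address are spoofed
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # OUTPUT: everything, except NetBIOS/SMB toward the WAN (tcp and udp)
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 137:139 -j REJECT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 137:139 -j REJECT
    ipt -A OUTPUT -j ACCEPT

    # FORWARD: this is what lets LAN hosts through the box. With the
    # policy at DROP and no rules here, MASQUERADE never sees a packet.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # nat: rewrite LAN source addresses to the WAN address on the way out
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # reverse-path filter: drop packets arriving on an interface that has
    # no route back to their claimed source
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
}

# number of FORWARD rules a dry run would load (sanity check for the script)
forward_rule_count() {
    ( IPTABLES=echo; apply_rules ) | grep -c -- '-A FORWARD '
}

case "${1:-}" in
    apply)   apply_rules && enable_forwarding ;;
    dry-run) ( IPTABLES=echo; apply_rules ) ;;
esac
```

The dry-run output is also the quickest way to review the order of the rules: because both the INPUT and FORWARD chains end in a DROP policy, anything not explicitly listed (new inbound connections from the cable side, LAN-addressed packets arriving on eth1) falls through and is discarded.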