On Fri, Apr 26, 2002 at 10:41:41PM -0400, Richard Beri wrote:
| I would like to set up simple IP Masquerading on my machine for another
| machine on my network to connect to the internet via cable modem. In the
| past I used a nifty firewall/masquerade setup utility called PM Firewall, but
| it only works on 2.2 kernels. Is there any simple setup program for
| firewall/masquerade for the kernel 2.4.17?
iptables
Here are selected portions of one of my iptables scripts. This code
resides in /etc/FIREWALL/FIREWALL. (just an sh script, there are others
in the directory too)
Then I created a symlink /etc/rcS.d/S38FIREWALL -> /etc/FIREWALL/FIREWALL
to have the firewall brought up at boot time. This script does a bit
more than simply MASQing the connection. (oh, yeah, eth0 is internal,
eth1 is external)
~~~~~~~~~~~
#!/bin/sh
####
# default table :
# setup the default policies -- DROP everything
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# (no FORWARD rules appear in this excerpt; forwarded LAN->WAN packets
#  need an ACCEPT in FORWARD, otherwise the DROP policy stops them before
#  the nat POSTROUTING MASQUERADE rule below ever sees them)
# flush out all the old chains and delete user chains
iptables -F
iptables -X
####
# INPUT chain -- what can come into the system
# allow loopback
iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
# allow replies
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
# take all input from the LAN (assumes addresses are correct)
iptables -A INPUT -i eth0 -j ACCEPT
# allow ping
iptables -A INPUT -p icmp -j ACCEPT
####
# OUTPUT chain -- what is allowed to get out
# allow loopback
iptables -A OUTPUT -o lo -j ACCEPT
# stop all samba stuff going out the DSL line, but tell the host (me)
iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
####
# nat table -- how we translate (masq) stuff
# flush out all the old chains
iptables -t nat -F
####
# POSTROUTING chain
# (this loopback rule is a repeat of the OUTPUT rule above; it is harmless
#  but redundant -- note it goes into the filter OUTPUT chain, not nat)
iptables -A OUTPUT -o lo -j ACCEPT
# masquerade stuff from the LAN to the WAN
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# enable forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
~~~~~~~~~~
HTH,
-D
--
"He is no fool who gives up what he cannot keep to gain what he cannot lose."
--Jim Elliot
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
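As an added example (not the script from this message), here is a complete masquerading ruleset in the same style that also opens the FORWARD chain, which the excerpt above leaves at its DROP policy, and admits RELATED traffic (ICMP errors, FTP data connections) alongside ESTABLISHED. It prints the iptables commands so they can be reviewed first and piped to sh as root when wanted; eth0/eth1 as internal/external follow the reply, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not the original poster's /etc/FIREWALL/FIREWALL script.
# LAN_IF / WAN_IF are assumed names: internal and external interfaces.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Emit the ruleset as iptables commands, one per line.
# Review with: sh firewall.sh        Apply with: sh firewall.sh apply (as root)
masq_rules() {
    lan="$1"; wan="$2"
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $wan -p tcp --dport 137:139 -j REJECT
iptables -A OUTPUT -o $wan -p udp --dport 137:139 -j REJECT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Number of iptables commands in the generated list (a sanity check
# that nothing was dropped from the heredoc when editing).
masq_rule_count() {
    masq_rules "$1" "$2" | grep -c '^iptables '
}

# Only the FORWARD lines: these are what the quoted excerpt lacks.
masq_forward_rules() {
    masq_rules "$1" "$2" | grep '^iptables -A FORWARD '
}

if [ "${1:-}" = "apply" ]; then
    masq_rules "$LAN_IF" "$WAN_IF" | sh
else
    masq_rules "$LAN_IF" "$WAN_IF"
fi
```

The two FORWARD rules are the minimum for masquerading to carry traffic: LAN-to-WAN is allowed outright, WAN-to-LAN only for replies to connections the LAN started, so the external side still cannot reach internal hosts. Blocking UDP 137:139 as well as TCP keeps NetBIOS name-service chatter off the external link, which the TCP-only rule in the excerpt does not.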