
Re: iptables line?



On Sun, Jun 30, 2002 at 01:43:30PM -0400, Rohan Deshpande wrote:
> Hey Dave,
> 
> Sorry to bother you again, but could you possibly show me your IP Tables line for IP Masq?  The ones I am using contain interfaces in them and don't masquerade by IP, and I'm a newbie in this area.
> 
I stand corrected, my iptables system _does_ use eth0, eth1 notations,
not addresses.  I have used aliasing with ipchains (still do) but my
iptables 'practice' system actually has two NICs.  Here is the script;
since eth1 is the output, and eth0 the input, just substitute eth0:1 for
eth1 if eth0:1 is your 'public' interface (or vice-versa).

Should work, but untested.

aloha,
dave


#!/bin/sh
####
# default table :

    # flush out all the old chains and delete user chains
    iptables -F
    iptables -X

    # setup the default policies -- DROP everything not allowed below
    iptables -P INPUT   DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT  DROP

    ####
    # INPUT chain -- what can come into the system

        # allow loopback
        iptables -A INPUT -i lo -j ACCEPT
        #iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT

        # allow replies (and related traffic such as ICMP errors)
        iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

        # take all input from the LAN (assumes addresses are correct)
        iptables -A INPUT -i eth0 -j ACCEPT

        # allow ping
        iptables -A INPUT -p icmp -j ACCEPT

    ####
    # OUTPUT chain -- what is allowed to get out

        # allow loopback
        iptables -A OUTPUT -o lo -j ACCEPT

        # stop all samba stuff (tcp and udp) going out the DSL line, but
        # tell the host (me)
        iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT
        iptables -A OUTPUT -o eth1 -p udp --dport 137:139 -j REJECT

        iptables -A OUTPUT -o eth0 -j ACCEPT
        iptables -A OUTPUT -o eth1 -j ACCEPT

    ####
    # FORWARD chain -- what the LAN may send through to the WAN

        # LAN hosts may open connections out; only replies come back in
        iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
        iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

####
# nat table -- how we translate (masq) stuff

    # flush out all the old chains
    iptables -t nat -F

    ####
    # POSTROUTING chain

        # masquerade stuff from the LAN to the WAN
        iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    # enable forwarding in the kernel
    echo "1" > /proc/sys/net/ipv4/ip_forward
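An added example, not the script from the post above: the same masquerading
router written to identify the LAN by its address range rather than by
interface, which is what the original question asked for. Netfilter's -i/-o
matches see the real device, so an alias such as eth0:1 is just another
address on eth0 and cannot be told apart from it; matching on addresses is
the way to do this on a single NIC. The example also keeps LAN-to-LAN traffic
out of MASQUERADE (a plain "-o eth0" rule would rewrite it too) and, when a
separate LAN interface is given, drops packets that arrive on the public side
carrying a LAN source address. LAN_NET, WAN_IF and LAN_IF, the 192.168.1.0/24
range, and the helper names are all assumptions; edit them for your network.
Without APPLY=1 it only prints the rules so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not the script from the original post.  Masquerade by
# address range instead of by interface, for a router whose public and
# private addresses share one NIC (eth0 plus an eth0:1 alias).  All
# addresses and interface names are assumptions: edit them for your LAN.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private range behind the router
WAN_IF="${WAN_IF:-eth0}"               # assumed NIC that carries the public address
LAN_IF="${LAN_IF:-$WAN_IF}"            # same NIC by default (aliased setup)

# Every rule goes through IPT so the whole set can be printed for review
# (DRYRUN=1) instead of being applied.
IPT() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

enable_forwarding() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

apply_rules() {
    IPT -F
    IPT -X
    IPT -t nat -F

    # default deny for traffic to and through the router
    IPT -P INPUT   DROP
    IPT -P FORWARD DROP
    IPT -P OUTPUT  ACCEPT

    if [ "$LAN_IF" != "$WAN_IF" ]; then
        # two real NICs: a LAN source address must never arrive on the public side
        IPT -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j DROP
        IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    fi

    # loopback, replies to the router's own connections, the LAN, and ping
    IPT -A INPUT -i lo -j ACCEPT
    IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    IPT -A INPUT -s "$LAN_NET" -j ACCEPT
    IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # keep NetBIOS/SMB (tcp and udp) off the public link, both from the
    # router itself and from LAN hosts; must precede the FORWARD accept
    for proto in tcp udp; do
        IPT -A OUTPUT  -o "$WAN_IF" -p "$proto" --dport 137:139 -j REJECT
        IPT -A FORWARD -o "$WAN_IF" -p "$proto" --dport 137:139 -j REJECT
    done

    # LAN hosts may open connections out; only replies may come back in
    IPT -A FORWARD -s "$LAN_NET" -j ACCEPT
    IPT -A FORWARD -d "$LAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # masquerade LAN traffic, but not LAN-to-LAN, which keeps its real source
    IPT -t nat -A POSTROUTING -s "$LAN_NET" ! -d "$LAN_NET" -j MASQUERADE

    enable_forwarding
}

# Print the rule set without applying it (review it before APPLY=1).
dump_rules() {
    ( DRYRUN=1; apply_rules )
}

# Number of generated rule lines containing a pattern: a quick sanity check.
count_rules() {
    dump_rules | grep -c -- "$1" || true
}

# Line number of the first generated rule matching a pattern: checks ordering.
first_line_of() {
    dump_rules | grep -n -- "$1" | head -1 | cut -d: -f1
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    dump_rules
fi
```

Run it as is to see the rules; run with APPLY=1 as root to load them. With
LAN_IF set to a second real NIC the anti-spoofing rules are emitted as well,
so the same script covers the two-NIC layout from the post above.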

