
Re: diald and ip masquerading



Andrew M Lindley said:

> However I'm unsure which package to  use for IP masquerading (ipmasq
> broke the link), and where I find the dynamic  IP setting than was an
> environment variable in a setup file with SuSE.
>

Assuming you have iptables compiled into the kernel, the little script
I've attached should enable IP masquerading.


#!/bin/sh

# PATH and modules 
PATH=/sbin:$PATH; export PATH

# Necessary modules (2.4-era names; on later kernels the conntrack modules
# are called nf_conntrack and nf_conntrack_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat

# Not referenced by any rule below
hostname=enterprise
any="0.0.0.0/0.0.0.0"

#Flush things
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

# Default policies: forwarded and locally generated packets pass; anything
# arriving for this host is dropped unless the block chain accepts it
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP


## Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -N DLOG

# Packets the connection tracker cannot classify (bad TCP flags, out-of-window
# data, stray replies) are logged and dropped
iptables -A block -m state --state INVALID -j DLOG

#Continuations
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow services on lo in entirety
iptables -A block -s 127.0.0.1/32 -i lo -j ACCEPT

#Allow LAN on eth0 in entirety
iptables -A block -s 192.168.0.0/16 -i eth0 -j ACCEPT

# The port rules below carry no -i or -s match, so they admit new connections
# on every interface, ppp0 included, and, via FORWARD, forwarded packets too.

#Open ssh port
iptables -A block -p tcp --destination-port 22 -j ACCEPT

#Open httpd port
iptables -A block -p tcp --destination-port 80 -j ACCEPT

#Open imapd port
iptables -A block -p tcp --destination-port 143 -j ACCEPT

#Open dhis port
iptables -A block -p udp --destination-port 58800 -j ACCEPT

#Catch-all
iptables -A block -j DLOG

#The DLOG (drop+log) chain
iptables -A DLOG -j LOG --log-prefix="catch-all " --log-tcp-options \
         --log-ip-options 
iptables -A DLOG -j DROP

## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

## Set up masquerading on the dial-up link. MASQUERADE looks up the interface's
## current address for each packet, so a dynamic PPP address needs no variable
## in a config file (SNAT --to-source is only for a fixed address).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## Turn on IP forwarding, last, so no packet is routed before the rules exist
echo 1 > /proc/sys/net/ipv4/ip_forward
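The script above leaves the question of what it actually exposes on ppp0 to be answered by reading the rules by hand. The following is an added example, not part of the original mail, that audits an `iptables-save` dump offline: it lists the `block`-chain ACCEPT rules that carry no interface or source restriction (and so admit new connections from the dial-up side), confirms which chains route into `block`, confirms the INVALID-state drop, and reports which interface is masqueraded. The dump embedded in it is constructed to match what `iptables-save` would print for the script; the interface names eth0 and ppp0 come from the script.

```python
"""Offline audit of an iptables-save dump for the masquerading ruleset above."""
import shlex

# Constructed sample of `iptables-save` output for the script above (iptables-save
# spells --destination-port as --dport and inserts the implicit -m tcp/-m udp).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DLOG - [0:0]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state INVALID -j DLOG
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -s 127.0.0.1/32 -i lo -j ACCEPT
-A block -s 192.168.0.0/16 -i eth0 -j ACCEPT
-A block -p tcp -m tcp --dport 22 -j ACCEPT
-A block -p tcp -m tcp --dport 80 -j ACCEPT
-A block -p tcp -m tcp --dport 143 -j ACCEPT
-A block -p udp -m udp --dport 58800 -j ACCEPT
-A block -j DLOG
-A DLOG -j LOG --log-prefix "catch-all " --log-tcp-options --log-ip-options
-A DLOG -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

FLAG_OPTS = {"--log-tcp-options", "--log-ip-options"}  # options that take no value


def parse_rules(dump):
    """Return one dict per -A line: table, chain, and opts (option -> list of values)."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        if not line.startswith("-A "):    # skip chain declarations and COMMIT
            continue
        tokens = shlex.split(line)
        opts, i = {}, 2
        while i < len(tokens):
            tok = tokens[i]
            if tok in FLAG_OPTS or i + 1 >= len(tokens):
                opts.setdefault(tok, []).append(True)
                i += 1
            else:
                opts.setdefault(tok, []).append(tokens[i + 1])
                i += 2
        rules.append({"table": table, "chain": tokens[1], "opts": opts})
    return rules


def chains_jumping_to(rules, target, table="filter"):
    """Built-in chains whose traffic reaches `target` (here: INPUT and FORWARD)."""
    return sorted({r["chain"] for r in rules
                   if r["table"] == table and r["opts"].get("-j") == [target]})


def exposed_ports(rules, chain="block"):
    """(proto, port) of ACCEPT rules with no -i/-s match: they match on every interface."""
    found = []
    for r in rules:
        o = r["opts"]
        if r["table"] != "filter" or r["chain"] != chain or o.get("-j") != ["ACCEPT"]:
            continue
        if "-i" in o or "-s" in o or "--state" in o:
            continue
        port = o.get("--dport") or o.get("--destination-port")
        if port:
            found.append((o["-p"][0], port[0]))
    return found


def masquerade_interfaces(rules):
    """Output interfaces masqueraded in nat/POSTROUTING (the dynamic-IP side)."""
    return sorted({r["opts"]["-o"][0] for r in rules
                   if r["table"] == "nat" and r["chain"] == "POSTROUTING"
                   and r["opts"].get("-j") == ["MASQUERADE"] and "-o" in r["opts"]})


def drops_invalid(rules, chain="block"):
    """True if `chain` sends INVALID packets to DROP or to a chain that ends in DROP."""
    drop_chains = {r["chain"] for r in rules
                   if r["table"] == "filter" and r["opts"].get("-j") == ["DROP"]}
    return any(r["table"] == "filter" and r["chain"] == chain
               and r["opts"].get("--state") == ["INVALID"]
               and r["opts"].get("-j", [None])[0] in drop_chains | {"DROP"}
               for r in rules)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_DUMP)
    print("block is reached from:", chains_jumping_to(rules, "block"))
    print("ports open on every interface:", exposed_ports(rules))
    print("masqueraded on:", masquerade_interfaces(rules))
    print("INVALID dropped:", drops_invalid(rules))
```

Run it against a live box with `iptables-save | python3 audit.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`; for the ruleset above it reports that ports 22, 80, 143 and 58800 are reachable from ppp0 because the matching rules name no interface.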


