On 09.05, Jan Ciger wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> J.A. Magallon wrote:
> |>I guess it depends upon what you're doing.  In my case, the default
> |>settings blocked traffic to my gateway, both in and out, and effectively
> |>shut down the network.
> |>
> |
> |
> | I really find a combination of a 5-line iptables script to do plain
> | forwarding and portsentry more useful. I do not know why portsentry
> | was dropped from the distro.
> |
> | So you could separate 'security' from 'internet sharing'.
> 
> This has nothing to do with internet sharing,

Yes, it has. The problem is that I just wanted to share my internet
connection, but the tool used for that is Shorewall. So you have to
configure a full firewall just for sharing a network connection.

Suppose you just have two separate subnets at work, and just
want to forward things from one to the other. Or the most famous
case: you have your desktop box at home, with two network cards,
one to the cable modem and one to plug in your laptop.

Say, 'I just want my laptop to access the internet.
God damn security. My OS X has its own firewall'. That is done with
a simple /etc/sysconfig/iptables, and then starting iptables:

/etc/sysconfig/iptables:

# Generated by iptables-save v1.2.8 on Thu Aug 21 18:43:21 2003
*filter
:INPUT ACCEPT [124:41052]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [43:3397]
[5:420] -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
[5:420] -A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Thu Aug 21 18:43:21 2003
# Generated by iptables-save v1.2.8 on Thu Aug 21 18:43:21 2003
*nat
:PREROUTING ACCEPT [13:1696]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [17:1648]
[22:2068] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 21 18:43:21 2003

This could even be shipped with the distro, and then something like
sed -e 's/XXXXXX/eth2/' -e 's/YYYYYY/eth7/' would do.
How did I generate that? With the IPTABLES-HOWTO and a simple script: do a
one-time hack with iptables (see m-on below, m for masquerading), and save
the state with 'service iptables save'. Then 'chkconfig iptables on'.
You can even have m-on and m-off to start/stop IC sharing by hand.
Or save the state and do 'service iptables start/stop'.

m-on:

#!/bin/sh
#
# m-on: turn on Internet connection sharing (masquerading) by hand.
# Filtering on the gateway itself is deliberately left wide open
# (INPUT/OUTPUT ACCEPT); only the FORWARD chain is restricted.

EXTIF="eth0"    # interface towards the cable modem / Internet
INTIF="eth1"    # interface towards the laptop / internal network

IPTABLES="/sbin/iptables -v"
INSMOD=/sbin/insmod

# Load netfilter, connection tracking and NAT. The 2.4-era modutils
# insmod takes bare module names; order matters because of dependencies
# (modprobe would resolve them by itself).
$INSMOD ip_tables
$INSMOD ip_conntrack
$INSMOD iptable_nat
# Enable routing between the interfaces; ip_dynaddr helps when the
# external address changes (dynamic IP) while connections are open.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "Clearing rules"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP   # nothing is forwarded unless a rule below allows it
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo "Enabling FORWARD"
# Internet -> LAN: only replies to connections the LAN side started.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet: anything.
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
echo "Enabling MASQUERADE"
# Rewrite the source of outgoing packets to the external interface's address.
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

m-off:

#!/bin/sh
#
# m-off: turn off Internet connection sharing and unload the modules.

IPTABLES=/sbin/iptables
RMMOD=/sbin/rmmod

# Reset every chain to its default state: open policies on the
# gateway itself, nothing forwarded, NAT table emptied.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Stop routing between the interfaces.
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/ip_dynaddr

# Unload in reverse dependency order: targets and matches first,
# then the tables, then connection tracking and the core.
$RMMOD ipt_MASQUERADE
$RMMOD ipt_state
$RMMOD iptable_filter
$RMMOD iptable_nat
$RMMOD ip_conntrack
$RMMOD ip_tables


-- 
J.A. Magallon <[EMAIL PROTECTED]>      \                 Software is like sex:
werewolf.able.es                         \           It's better when it's free
Mandrake Linux release 9.2 (Cooker) for i586
Linux 2.4.23-pre2-jam1m (gcc 3.3.1 (Mandrake Linux 9.2 3.3.1-1mdk))
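The message above proposes shipping the /etc/sysconfig/iptables template with the distro and sed-ing the interface names in. The script below, an added example and not the author's code or anything from the Mandrake packages, generates that same iptables-restore ruleset (stateful reply forwarding plus MASQUERADE) from interface names instead, and adds two things a practitioner would want that the posted file does not have: the interface names are checked before being written into the ruleset, and an optional third argument restricts the LAN-to-Internet rule to a source subnet so a box on the internal side cannot push spoofed source addresses through the gateway. The interface names, the 192.168.1.0/24 subnet in the usage notes and the zeroed counters are assumptions for illustration. Note that, as in the original file, INPUT and OUTPUT on the gateway itself stay ACCEPT; that is the author's stated intent, not a hardened host firewall.

```shell
#!/bin/sh
# gen_nat_rules EXTIF INTIF [INTNET]
# Print an iptables-restore ruleset for plain Internet connection sharing
# for the given interface names, so they are not hand-edited into
# /etc/sysconfig/iptables. INTNET (e.g. 192.168.1.0/24) is an addition to
# the posted ruleset: when given, only packets whose source is in that
# subnet are forwarded out, which blocks source spoofing from the LAN side.
gen_nat_rules() {
    ext=$1
    int=$2
    intnet=$3
    # Refuse names that are empty or contain anything a Linux interface
    # name cannot; the values end up in a file fed to iptables-restore,
    # so no whitespace or shell metacharacters may get through.
    for name in "$ext" "$int"; do
        case $name in
            ""|*[!A-Za-z0-9_.:-]*) return 1 ;;
        esac
    done
    # Both sides on one interface is a configuration error, not a ruleset.
    [ "$ext" != "$int" ] || return 1
    # The subnet, if any, must look like dotted-quad CIDR (digits, dots, slash).
    case $intnet in
        *[!0-9./]*) return 1 ;;
    esac
    src=""
    [ -z "$intnet" ] || src=" -s $intnet"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $ext -o $int -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $int -o $ext$src -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
EOF
}

# forward_rule_count EXTIF INTIF [INTNET]
# Number of FORWARD rules in the generated set: a cheap sanity check
# before writing the output over /etc/sysconfig/iptables.
forward_rule_count() {
    gen_nat_rules "$@" | grep -c '^-A FORWARD '
}

# When run as a script, print the ruleset for the given interfaces
# (defaults eth0/eth1). To apply it on the gateway (as root):
#   gen_nat_rules eth0 eth1 192.168.1.0/24 | iptables-restore
#   echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables-restore cannot turn on forwarding; /proc (or sysctl) must
# still be set separately, exactly as m-on does.
gen_nat_rules "${1:-eth0}" "${2:-eth1}" "${3:-}"
```

The generated file is what 'service iptables save' would write (minus the counters), so it can be dropped into /etc/sysconfig/iptables and managed with chkconfig as the message describes; the difference is that the interface names and the optional source restriction are parameters instead of something to patch with sed.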
