On 1/31/18 12:28 PM, Jacques Rodary wrote:
Hi
Many things happened since my first message: I first had to get rid of connman
(connection manager), which insisted on presetting iptables rules without any
notice. My Debian box is used as a DNS chrooted server (also I had to modify
bind9.service behaviour), and I use iptables to do NAT, since I have one
routable address for several clients. With Jessie I managed to have all this
working. When upgrading to stretch, because of a stupid error with grub on my
RAID system, and of an insufficient backup, I lost most of my config. Thanks
for your help. When everything is OK, I surely will have the use for your
answers.
Jacques

Have you looked at shorewall? I use it on all my debian linux installs.
Basically it's a front end to the kernel iptables network filters. It sets up
the iptables entries and then goes away so that there is no additional program
running after it does its job. It starts up on boot after you have set up the
rules the way you want. You have to set a parameter in the
/etc/default/shorewall file to have it start since you don't want to lose
connection to your machine if you are logging in through a network port. That
way you can test it before you actually use it. It is driven by several text
config files in /etc/shorewall. For instance NAT is set up easily by this
command in the snat file (my internet connection is on eth1 and local 172 net
is on eth0):
MASQUERADE 172.16.0.1/16 eth1
I redirect all the dns and time requests to my router machine even if the client
has requested these services from an outside address. I use opendns for its
malware filters so bind is set to forward all non local dns queries to opendns
servers. I also use dnscrypt-proxy to get a secure connection to opendns so
that I can be assured that the data coming back from opendns hasn't been
tampered with. These 2 lines in the rules file accomplish the redirection:
REDIRECT Loc 53 tcp,udp 53 -
REDIRECT Loc 123 tcp,udp 123 -
There is plenty of documentation and examples for simple setups available on the
shorewall web site.
--
*...Bob*
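To make clear what the snat and rules lines in Bob's message actually do at the iptables level, here is an added example (not Bob's code and not anything Shorewall ships) that translates those three lines into the equivalent iptables commands; it only prints them, never applies them. It assumes the "Loc" zone is eth0 and the outside interface is eth1, as described in the message.

```shell
#!/bin/sh
# Translate Shorewall snat/rules lines into the iptables commands they stand
# for. Zone "Loc" -> eth0 is an assumption taken from the message ("local 172
# net is on eth0"); Shorewall itself derives it from /etc/shorewall/interfaces.
LOC_IF="eth0"

# shorewall_to_iptables LINE : print one iptables command per protocol.
shorewall_to_iptables() {
    set -- $1   # split the line into its columns
    case "$1" in
        MASQUERADE)
            # snat file: ACTION SOURCE DEST(interface) -> POSTROUTING masquerade.
            # Only packets from SOURCE leaving via DEST get their source rewritten.
            printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$2" "$3"
            ;;
        REDIRECT)
            # rules file: ACTION SOURCE DEST(port) PROTO DPORT SPORT -> PREROUTING
            # redirect. DEST is the local port the traffic is redirected to, so
            # clients pointing at any outside resolver still hit the router's bind.
            [ "$2" = "Loc" ] || { echo "unsupported source zone: $2" >&2; return 1; }
            protos=$(printf '%s' "$4" | tr ',' ' ')
            for p in $protos; do
                printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j REDIRECT --to-ports %s\n' \
                    "$LOC_IF" "$p" "$5" "$3"
            done
            ;;
        *)
            echo "unsupported action: $1" >&2
            return 1
            ;;
    esac
}

# Constructed sample: the three config lines quoted in the message.
for line in "MASQUERADE 172.16.0.1/16 eth1" \
            "REDIRECT Loc 53 tcp,udp 53 -" \
            "REDIRECT Loc 123 tcp,udp 123 -"; do
    shorewall_to_iptables "$line"
done
```

Because the REDIRECT rules match on `-i eth0`, traffic arriving from the internet side is not affected by them; only the local clients are forced onto the router's DNS and NTP.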