Quoting Paulo Jorge de Oliveira Cantante de Matos from Mar 6

> Hi all,
> 
> I'm using the latest gentoo kernel sources and I have iptables 1.2.7a. I've
> run the commands:
> localhost root # iptables -t nat -F
> localhost root # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> 
> where eth1 is my external interface (to the internet). Anyway, I'm still
> not able to share internet to users attached to network interface eth0.
> This is strange because on an older PC running an older kernel and older
> iptables with the same network configuration (and same iptables commands)
> running slackware everything was just fine.
> 
> I've sent below my kernel config file. If anyone is able to help me out
> please do since I'm getting desperate. Has anyone experienced the same
> problems?

I post my own masquerading script; this works.
It is, I think, the simplest possible.
It allows everything from the inside, and only ssh from the outside...
Adapt it for your needs.


Comments on security issues with this are welcome!


#!/bin/sh
#
#

INTIF=eth1 # internal (LAN) NIC
EXTIF=eth0 # external (Internet) NIC

## these are the service ports available to the OUTSIDE world (Internet)
#TCP_SERVICES="22,80,110"
TCP_SERVICES="22"
## we log connects from outside to these ports:
LOG_PORTS="21,22,23,25,80,8080,3128,137,138,139"

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F POSTROUTING

# Kernel guard against SYN flooding
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# enable ip forwarding (!! crucial for masquerading !!)
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new inbound TCP from the Internet is allowed only to the listed service ports
iptables -A INPUT -i $EXTIF -p tcp -m state --state NEW -m multiport --dports $TCP_SERVICES -j ACCEPT
iptables -A INPUT -i $EXTIF -p icmp -j ACCEPT 
iptables -A INPUT -i $INTIF -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
# anything not accepted above that targets an interesting port gets logged before the DROP policy
iptables -A INPUT -p tcp -m multiport --dports $LOG_PORTS -j LOG --log-prefix "FW_INPUT "

iptables -P FORWARD DROP
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FW_FORWARD  "

iptables -P OUTPUT ACCEPT

## masquerading is so easy it's scary
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

## end of script

-- 
"The Empire never ended."
        Tractates: Cryptica Scriptura, no. 6
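As an added example (not the poster's script and not part of the original thread), here is a small POSIX sh helper for a ruleset like the one above. It validates the port-list variables before they are spliced into iptables commands (a stray character there makes one rule fail silently halfway through, after the DROP policies are already set), checks that ip_forward is actually on (the usual reason masquerading "does nothing", and the first thing to check in the original poster's situation), and renders the rules as text for review instead of executing them. The function names, the file-path parameter, and the extra `-o $intif` on the FORWARD return rule are my own additions.

```shell
#!/bin/sh
# Added example: dry-run builder and pre-flight checks for a masquerading
# ruleset. Nothing here touches the live firewall; it only prints commands.

# valid_port_list "22,80,110": digits and commas only, each port 1..65535,
# no empty entries, at most 15 ports (the limit of the multiport match).
valid_port_list() {
    list=$1
    case "$list" in
        ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;   # reject empty list, odd characters, empty entries
    esac
    n=0
    old_ifs=$IFS
    IFS=,
    for p in $list; do
        n=$((n + 1))
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -le 15 ]
}

# forwarding_enabled PATH: true when the sysctl file holds "1".
# The path is a parameter (normally /proc/sys/net/ipv4/ip_forward) so the
# check can be exercised against a constructed file without root.
forwarding_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# render_rules INTIF EXTIF TCP_SERVICES LOG_PORTS: print the ruleset.
# Refuses to emit anything if either port list is malformed, so a typo in a
# variable cannot produce a half-applied firewall.
render_rules() {
    intif=$1 extif=$2 tcp_services=$3 log_ports=$4
    valid_port_list "$tcp_services" || { echo "bad TCP_SERVICES: $tcp_services" >&2; return 1; }
    valid_port_list "$log_ports"    || { echo "bad LOG_PORTS: $log_ports" >&2; return 1; }
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $extif -p tcp -m state --state NEW -m multiport --dports $tcp_services -j ACCEPT
iptables -A INPUT -i $extif -p icmp -j ACCEPT
iptables -A INPUT -i $intif -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports $log_ports -j LOG --log-prefix "FW_INPUT "
iptables -P FORWARD DROP
iptables -A FORWARD -i $intif -o $extif -j ACCEPT
iptables -A FORWARD -i $extif -o $intif -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FW_FORWARD "
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -o $extif -j MASQUERADE
EOF
}

# Usage: sh fwcheck.sh eth1 eth0 22 21,22,23,25,80 > rules.sh
if [ $# -eq 4 ]; then
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || echo "warning: ip_forward is 0, masquerading will not work" >&2
    render_rules "$@"
fi
```

Reviewing the printed rules before running them is the point: `iptables -L -v -n` after the fact only shows what was accepted, not the rule that failed to load.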
