On Sat, Sep 27, 2003 at 07:28:23AM -0500, Mojo B. Nichols wrote:
> I'm not sure I know what your problem is, but this may help.
>
> # basic nat on extrenal device.
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I've already got this rule in my firewall
> This should get your nating working. I highly recommend using LOG to
> determine and trouble shoot what is going on in your firewall. If you
> have a rule that you don't know what it is doing copy the rule and
> replace the -J ACCEPT (whatever) with -j LOG --prefix "TESTING RULE
> 3" in the first copy of the rule, or even comment out the old one
> until LOG is LOGING the rule you want.
Logging info regarding the NAT line doesn't show anything in the system
logs?
Cheers
Adam
#!/sbin/runscript
IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
opts="${opts} showstatus panic save restore showoptions"
depend() {
need net
}
rules() {
stop
# insert connection tracking modules
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
modprobe iptable_nat
# allow local-only connections
${IPTABLES} -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service
${IPTABLES} -A OUTPUT -j ACCEPT
# permit answers on already established connections
# and permit new connections related to established ones
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow incomg ssh connections
${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT
# NAT
${IPTABLES} -t nat -A POSTROUTING -o eth0 -j LOG --log-prefix "Nat rule"
# log everything else
#${IPTABLES} -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# everything not accepted > /dev/null
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT DROP
# be verbose on dynamic ip-addresses
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable ExplicitCongestionNotification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
eend $?
}
start() {
ebegin "Starting firewall"
if [ -e "${FIREWALL}" ]; then
restore
else
einfo "${FIREWALL} does not exists. Using default rules."
rules
fi
eend $?
}
stop() {
ebegin "Stopping firewall"
${IPTABLES} -F
${IPTABLES} -t nat -F
${IPTABLES} -X
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
eend $?
}
showstatus() {
ebegin "Status"
${IPTABLES} -L -n -v --line-numbers
einfo "NAT status"
${IPTABLES} -L -n -v --line-numbers -t nat
eend $?
}
panic() {
ebegin "Setting panic rules"
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -t nat -F
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P INPUT DROP
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT
eend $?
}
save() {
ebegin "Saving Firewall rules"
${IPTABLESSAVE} > ${FIREWALL}
eend $?
}
restore() {
ebegin "Restoring Firewall rules"
${IPTABLESRESTORE} < ${FIREWALL}
eend $?
}
restart() {
svc_stop; svc_start
}
showoptions() {
echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}"
echo "start) will restore setting if exists else force rule settings"
echo "stop) delete all rules and set all to accept"
echo "rules) force settings of new rules"
echo "save) will store settings in ${FIREWALL}"
echo "restore) will restore settings from ${FIREWALL}"
echo "showstatus) Shows the status"
}
--
[EMAIL PROTECTED] mailing list
