On Friday 09 January 2004 12:33, Dotan Mazor wrote:
> Hello there,
> You can try and look into my rc.firewall file, that works on 012.net at
> AZTV. Bear in mind that this is a constant connection, due to my (and the
> supporters') lack of success in connecting through VPN:
>
Lack of success connecting through VPN?
I'll just say that I succeeded in connecting to Netvision through PPTP and even
with L2TP.
> ## start of rc.firewall
> ## define IPTABLES for late use
> IPTABLES="/sbin/iptables"
> ##
> ## define the network card used for exit
> EXTIF=eth0
> ##
> #INTIF=eth0
> ## loading modules needed for handling iptables and security
> /sbin/insmod ip_tables
> /sbin/insmod ip_conntrack
> /sbin/insmod ip_conntrack_ftp
> /sbin/insmod ip_conntrack_irc
> /sbin/insmod iptable_nat
> /sbin/insmod ip_nat_ftp
> /sbin/insmod ipt_mark
> /sbin/insmod ipt_tcpmss
> /sbin/insmod ipt_limit
> /sbin/insmod ipt_multiport
> /sbin/insmod ipt_state
> /sbin/insmod ipt_unclean
> /sbin/insmod iptable_filter
> /sbin/insmod iptable_mangle
> ##
> ##sets the forwarding option 'on'
> echo "1">/proc/sys/net/ipv4/ip_forward
> $IPTABLES -t nat -A POSTROUTING -o eth2 -j MASQUERADE
> ##
> ## security definitions, removed by someone who knows more than me...
> #$IPTABLES -P INPUT ACCEPT
> #$IPTABLES -F INPUT
> #$IPTABLES -P OUTPUT ACCEPT
> #$IPTABLES -F OUTPUT
> #$IPTABLES -P FORWARD DROP
> #$IPTABLES -F FORWARD
> #$IPTABLES -t nat -F
> #$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> #$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> #$IPTABLES -A FORWARD -j LOG
> ##
> ## telling IPTABLES to route all incoming traffic to EXTIF (eth2 in my case).
> ## it doesn't matter to this nifty script where the traffic comes from.
> ## cool, ain't it?
> ## I would have given you the name of the one who gave it to me, but if it
> ## won't work, i'd prefer to take the blame myself...
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> ##
> ## the "server" has 3 NIC's: eth0 to the cable modem, and eth1+2 to 2 PC's,
> ## that can't communicate with each other (except ping), without this line:
> ##$IPTABLES -t nat -A POSTROUTING -o eth2 -j MASQUERADE
> ##
> ## oh, for me it worked on RH8 and Debian Sarge, so it should work just as
> ## well on MDK.
> ##
> ## Good luck!
> ## [EMAIL PROTECTED]
> ## end of rc.firewall
>
> On Fri, 9 Jan 2004 04:38:17 +0200, Elad Almadoi - Xtream Internet Services
>
> <[EMAIL PROTECTED]> wrote:
> > Hey,
> > Your default gateway should be your ISP's gateway, not the modem or
> > something like this.
> > When the machine tries to send a packet thru that gateway, it moves the
> > packet to the modem and it allows packets going to the gateway.
> > I used to have cables with Motorola Surfboard 4100 and it was great as
> > long as it held. But if I may give you an advice, you may wish to ask your
> > ISP to connect you thru AZTV's NAT, so THEIR router will dial up and you'll
> > get the real IP (like, 212.143.x.x or something) thru eth0 and won't have
> > to dial and don't need ppp0.
> > Hopefully I helped,
> > Elad
> >
> >>     Hi folks. I have a couple of questions regarding the use of IPTables
> >> alongside with the Israeli way of cables connection (PPTP on top of
> >> DHCP). Now, I'm using Firehol (http://firehol.sourceforge.net) to make
> >> IPTables configuration easier, however, adjusting the resulting script
> >> isn't a problem.
> >>
> >>     My confusion stems mainly from the fact that when establishing the
> >> connection, two interfaces related to the connection are created. eth0
> >> is created when entering AZTV's local loop after getting an IP from the
> >> DHCP server, and afterwards, ppp0 is created after connecting to the
> >> ISP's server inside the local loop. What I wanted to know, when
> >> configuring ppp0, should I tell the firewall to route the packets
> >> through eth0? This is according to the routing configuration, since
> >> packets sent to the ISP's gateway are indeed routed through the local
> >> loop gateway. I tried setting this up ignoring the routing options,
> >> however, communication with the outside world promptly failed upon this.
> >> I am guessing that the packets weren't being routed correctly.
> >>
Your firewall need not tell packets how to be routed; the kernel routing
table will decide how to route them. Your default gateway, not surprisingly,
would be the remote side of your ppp0 connection.
About securing the connection more: I usually don't unconfigure my eth0 every
time I reconnect to the internet, so what you must do in order to prevent
people on your LAN from accessing your computer is add some rules targeted
at eth0.
In my case, connecting to Netvision, these 3 lines are more than enough:
iptables -A INPUT -i eth0 -s 212.143.205.250 -j ACCEPT
iptables -A INPUT -i eth0 -s 212.143.205.251 -j ACCEPT
iptables -A INPUT -i eth0 -s 212.143.205.253 -j ACCEPT
assuming of course that these are your 3 tunnel servers (these are the tunnels
of Netvision) and that eth0 is your cable interface...
It's not the best, and somewhat naive, but I somewhat trust that the malicious
packets won't come from my ISP...

Posted somewhere else, but I'd still want to comment about connecting using
DHCP: ISPs in Israel won't let customers connect anymore without a tunnel,
except for Bezeq Int.
All in all, connection through L2TP is much faster than PPTP; I hope soon
enough I'll have enough time to share my insights on L2TP and Israeli ISPs.
> >> Is anyone here using IPTables with a cables connection? I'd love to see
> >> how.
If you really insist, contact me and I'll drop you my firewalling script; not
a biggie.
> >>
> >> --
> >> Regards, Itamar Ravid.
> >>
> >> =================================================================
> >> To unsubscribe, send mail to [EMAIL PROTECTED] with
> >> the word "unsubscribe" in the message body, e.g., run the command
> >> echo unsubscribe | mail [EMAIL PROTECTED]
> >

-- 
Dan Fruehauf.
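An added example for this thread (not Dotan's rc.firewall and not Dan's script): a default-deny rc.firewall for the cable setup discussed above, where eth0 sits on the provider's local loop (DHCP) and ppp0 is the PPTP/L2TP tunnel to the ISP. It takes Dan's three ACCEPT lines one step further: with the kernel's default INPUT policy of ACCEPT, three ACCEPT rules alone restrict nothing, so the example sets the policy to DROP first, keeps established traffic and DHCP lease renewals working, whitelists the tunnel servers on eth0, logs the rest, and masquerades the LAN out through ppp0 rather than the cable interface. The routing itself is left to the kernel routing table, as Dan says. The interface names and the LAN interface are assumptions; the three 212.143.205.x addresses are the Netvision tunnel servers Dan lists.

```shell
#!/bin/sh
# Added example, not code from the thread: default-deny rc.firewall for a
# cable connection with eth0 on the local loop and ppp0 as the ISP tunnel.
# Interface names are assumptions; the tunnel-server addresses come from
# Dan's message (Netvision).

EXTIF=ppp0          # tunnel to the ISP: carries the real Internet traffic
LOOPIF=eth0         # cable interface on the provider's local loop (DHCP)
LANIF=eth1          # inside LAN interface (assumed name)
TUNNEL_SERVERS="212.143.205.250 212.143.205.251 212.143.205.253"

# build_rules prints the iptables commands instead of executing them, so the
# rule set can be reviewed (or tested) without root; apply_rules runs them.
build_rules() {
    ipt="${IPTABLES:-/sbin/iptables}"
    cat <<EOF
$ipt -F INPUT
$ipt -F FORWARD
$ipt -t nat -F POSTROUTING
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -i $LANIF -j ACCEPT
$ipt -A INPUT -i $LOOPIF -p udp --sport 67 --dport 68 -j ACCEPT
EOF
    # Only the ISP's tunnel endpoints may start conversations on the loop
    # (PPTP control + GRE, or L2TP).  Anything else arriving from the cable
    # segment, e.g. other customers on the same loop, hits the DROP policy.
    for srv in $TUNNEL_SERVERS; do
        echo "$ipt -A INPUT -i $LOOPIF -s $srv -j ACCEPT"
    done
    cat <<EOF
$ipt -A INPUT -i $LOOPIF -m limit --limit 5/min -j LOG --log-prefix "loop-drop: "
$ipt -A FORWARD -i $LANIF -o $EXTIF -j ACCEPT
$ipt -A FORWARD -i $EXTIF -o $LANIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
EOF
}

# Sanity check: how many source-restricted ACCEPT rules exist on the loop
# interface (one per tunnel server).
count_loop_accepts() {
    build_rules | grep -c -- "-i $LOOPIF -s .* -j ACCEPT"
}

# Enable forwarding and load the rules for real (run as root).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | sh
}

case "${1:-}" in
    --dry-run) build_rules ;;
    --apply)   apply_rules ;;
esac
```

Run `sh rc.firewall --dry-run` to review the generated rules before loading them with `--apply`. The DHCP rule matters because the lease on eth0 is renewed by the loop's DHCP server, which conntrack does not always treat as a reply to the client's broadcast; without it a DROP policy can silently lose the lease. The LOG rule is rate-limited so a noisy cable segment cannot fill the syslog.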

