On Sun 23 Nov 2008 07:57:59 NZDT +1300, Jim Cheetham wrote:
> If you want to learn how something works, programming at a low level
> is a great thing to do.
>
> If you want to "be productive", especially in terms of the amount of
> time invested in a project, high-level programming is the way to go.
Yes to both. But if I wanted to learn assembler, I'd look at the output
created by the compiler[1] (apart from of course other programming
examples), and I still would use a compiler to generate the assembler
code, unless I had specific and extremely good reason not to. And I know
Steve doesn't need to learn iptables any more :)
But I just remembered that I was playing once with networks and had to
hook up a box through a spare interface of another box, hence basic
routing was needed. Mind this was for functionality, not to achieve any
security, so the code I saved from that is not firewall-suitable by
itself. One would need to add a third interface, suitable packet paths,
and appropriate rules on each interface for Steve's problem. Keep in
mind that large parts of iptables only work after the appropriate
modules have been loaded. Have fun[2].
Volker
[1] Something I do sometimes to check how good the code is which is
generated by a compiler for an embedded system.
[2]
#!/bin/sh
# Basic two-interface routing with NAT; functionality only, not a firewall.
set -e                        # stop at the first command that fails
INTIF="eth0"                  # inside interface
EXTIF="eth1"                  # outside interface
# Check that both interfaces exist: ifconfig exits != 0 otherwise, and set -e
# then aborts the script.
ifconfig >/dev/null $INTIF
ifconfig >/dev/null $EXTIF
# Load the netfilter modules first; connection tracking, NAT and the protocol
# helpers do nothing until the matching module is present.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_tftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_tftp
# Enable IPv4 forwarding and cope with a dynamic address on the outside.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Accept-by-default policies and empty chains: routing, not filtering.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F
# Forward in both directions. The unconditional ACCEPT rules make the
# stateful ones redundant here.
iptables -A FORWARD -i $EXTIF -o $INTIF \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
# Masquerade on both interfaces, so each side sees the router as the source.
iptables -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
--
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/ Please do not CC list postings to me.
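As an added example (not part of Volker's post or his script), here is the default-deny, stateful counterpart of the routing setup above, i.e. the "appropriate rules on each interface" it says a firewall would need. Interface names, the 192.168.1.0/24 LAN range and the review-before-apply switch are assumptions of this example; commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not Volker's script: default-deny stateful forwarding.
# Assumed: eth0 is the LAN side, eth1 the upstream side, LAN is 192.168.1.0/24.
set -e
INTIF="${INTIF:-eth0}"
EXTIF="${EXTIF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

# Print the command for review; execute it only when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

firewall_rules() {
    run /sbin/modprobe ip_tables
    run /sbin/modprobe ip_conntrack
    run /sbin/modprobe iptable_nat

    # Drop by default, then permit explicitly (the original accepts everything).
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -F INPUT
    run iptables -F FORWARD
    run iptables -t nat -F

    # The router itself: loopback plus replies to connections it opened.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: only LAN source addresses may arrive on the inside.
    run iptables -A FORWARD -i "$INTIF" ! -s "$LAN" -j DROP

    # Inside may open connections outward; outside may only answer them.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade toward upstream only; the original rewrote both directions.
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
}

# Review helper: count rules that admit NEW connections arriving on the
# outside interface. A correct rule set yields 0.
inbound_new_rules() {
    firewall_rules | grep -c -- "-i $EXTIF.*NEW" || true
}

firewall_rules
```

Run it once without APPLY to read the generated rules, then with APPLY=1 as root on the router.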