Ranjeet Walunj wrote:
> Rony wrote:
>   
>> Finally I was able to code the firewall exactly as it is intended to 
>> operate. It was tough and I even tried to cheat by using Firestarter on 
>> a live session and copy the resulting codes, but they turned out to be 
>> even more complex than what I wanted. Even tried Shorewall but it did 
>> not suit my purpose. I was almost giving up but finally got the wall up. 
>> Now I have understood the main concepts and what goes to which table/chain.
>>   
>>     
> Congratulations rony :-)
>
> If you can, please put up detailed instructions/guidelines for other 
> people.
> Maybe you can provide them with just your example.
>   
For iptables there are many factors and combinations to consider so 
explaining it won't be easy. There are many websites explaining it much 
better and in detail. However there is one thing I want to share with 
those who have always wondered how internet connection sharing is done 
in Linux. In doze, we simply right click on the internet interface and 
enable sharing. Then it asks which interface will be connected to the 
local network. In Linux too it is the same thing but in command line in 
3 simple steps.

We assume 2 devices eth0 connected to the internet router and eth1 
connected to the local LAN. The local LAN interface forwards all packets 
to the internet interface and the internet interface masquerades them to 
NAT them to the internet.

1.) The interface connected to the internet device is given instructions 
to masquerade all outgoing local ip address requests going out to the 
internet, in order to enable NAT. This is done because packets from 
private IP addresses cannot be directly routed to Public IP addresses. 
The command to do this is

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Here iptables is told to add/append a rule in the POSTROUTING chain of 
the nat table to MASQUERADE all outgoing requests from the interface 
connected to the net (eth0). The same as right clicking on the interface 
in doze to enable sharing.

2.) The interface connected to the local LAN is now instructed to 
forward all packets it receives from the LAN, via input device eth1. The 
same as doze asking which is the interface connected to the LAN.

iptables -A FORWARD -i eth1 -j ACCEPT

That's it, except that there is a local 'havaldaar' between the 2 
interfaces, who will not allow forwarding without a permit. To get this 
permit, one has to enable ip_forwarding in the system. This is done by 
editing the /etc/sysctl.conf file to enable ( un-comment ) the relevant 
entry in the script.

According to your distro, save your iptables rules and enable them to 
start every time the system boots.
>> In this setup, there are 15 machines in a LAN and except 4 senior users, 
>> no one had internet access. However the company decided to get a remote 
>> office setup at their website and everyone would pass on memos, to-dos, 
>> jobs etc through it. Therefore net access had to be enabled but only to 
>> that website. The 4 main users would still have to be allowed to go 
>> anywhere on the net.
>>   
>>     
>
> Just a thought: If that was the only requirement could it have been 
> solved by proxy (e.g. squid) ?
>
>   
Proxy servers only work on web surfing. I wanted pop3, smtp and other 
such services too. I went through write ups on squid etc but they did 
not have proper pop3, smtp support. BTW, those who want to set up a 
transparent proxy where the LAN machines do not use any special proxy 
settings, have to simply use port forwarding in iptables to forward 
requests from the regular ports in the LAN to the proxy ports in the 
server. Squid is happy and clients are happy too.

-- 
Regards,

Rony.

GNU/Linux !
No Viruses
No Spyware
Only Freedom.

-- 
http://mm.glug-bom.org/mailman/listinfo/linuxers
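The three sharing steps above, the "only the remote office site, except for the four senior users" requirement, and the transparent-proxy redirect, pulled together into one added example. This script is not from Rony or the thread; it emits a ruleset in iptables-save format and loads it with iptables-restore instead of appending rules one by one. The interface names, the 192.168.1.0/24 subnet, the four host addresses, the remote office address (an RFC 5737 documentation address) and the squid port are constructed placeholders. One caveat the example addresses: the post's single `-A FORWARD -i eth1 -j ACCEPT` rule only covers the LAN-to-internet direction, and replies get through only because the FORWARD chain's default policy is ACCEPT; once the policy is set to DROP, as here, an explicit RELATED,ESTABLISHED rule is needed for the return traffic.

```shell
#!/bin/sh
# Added example (not from the original post): generate and optionally load
# the iptables rules for sharing an internet connection from a Linux gateway.
#   step 1: masquerade on the internet interface (nat/POSTROUTING)
#   step 2: forward LAN traffic, restricted to an allowed site except for
#           the hosts that may go anywhere
#   step 3: enable ip_forward in the kernel
# All addresses, interface names and the proxy port are constructed placeholders.

WAN=${WAN:-eth0}                            # interface towards the internet router
LAN=${LAN:-eth1}                            # interface towards the local LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}          # constructed LAN subnet
OFFICE_HOST=${OFFICE_HOST:-203.0.113.10}    # constructed: the remote office site
FULL_ACCESS=${FULL_ACCESS:-"192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14"}  # constructed: the 4 unrestricted hosts
PROXY_PORT=${PROXY_PORT:-3128}              # squid's default listening port

# Print a complete ruleset in iptables-save format. iptables-restore reads
# lines starting with '#' as comments, so the annotations can stay in.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# transparent proxy: LAN web traffic is redirected to squid on this gateway
-A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# step 1: NAT everything that leaves on the internet interface
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the LAN opened are allowed back in
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
    # step 2, unrestricted part: the senior users' hosts may reach any site
    for host in $FULL_ACCESS; do
        echo "-A FORWARD -i $LAN -o $WAN -s $host -j ACCEPT"
    done
    cat <<EOF
# step 2, restricted part: everyone else on the LAN reaches only the office site
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -d $OFFICE_HOST -j ACCEPT
# anything else from the LAN is logged and then dropped by the chain policy
-A FORWARD -i $LAN -o $WAN -j LOG --log-prefix "fwd-denied: "
COMMIT
EOF
}

# step 3: the kernel must be permitted to forward at all. The persistent
# form is net.ipv4.ip_forward=1 in /etc/sysctl.conf; this sets it immediately.
enable_forwarding() { sysctl -w net.ipv4.ip_forward=1; }

# Count the FORWARD rules that ACCEPT traffic in the generated set, so the
# result can be checked without loading it into a kernel.
count_accept_rules() { gen_rules | grep -c -- '-A FORWARD .* -j ACCEPT'; }

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    gen_rules | iptables-restore     # replaces the nat and filter tables atomically
else
    gen_rules                        # dry run: print the ruleset for review
fi
```

Run it without arguments to review the generated ruleset, and as `sh share.sh apply` (as root) to load it. Because the filter policy is DROP, the LOG rule at the end of FORWARD is what tells you, in the kernel log, which LAN host tried to reach something outside the allowed list.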
