When I was writing my script I decided to look at lots of examples. I would highly recommend http://monmotha.mplug.org/firewall/index.php; it's very complete, and is always getting better. It protects against floods and bad packets, and has configuration options for just about everything IPTables offers. The only thing that you may have to do (I see that you used ip_forward already) is load certain features automatically so you don't have to re-run the script after each boot.
In my /etc/rc.d/rc.local I added:

/etc/sysconfig/firewall_scripts/./rc.firewall
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/eth1/accept_source_route
/sbin/depmod -a
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

Once you are happy with the script, remember to:

/etc/rc.d/init.d/iptables save

- - -
Greg Horne

> -----Original Message-----
> From: Lee Leahu [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 27, 2002 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Linux hardware firewall question
>
> Hi.
>
> I have at home a small network of 4 computers hooked up to an 8 port
> netgear 10/100 switch, which then feeds into my Linux router / firewall,
> which feeds into my 3com cable modem, which feeds into at&t's cable modem
> network.
>
> My linux firewall/router is basically a Pentium 233 MMX with 64 Megs of
> ram and 8Gb hard drive.
>
> I wrote a script called 'firewall' and chmod +x 'd it.
>
> <snip>
> # allow packet forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # flush tables
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -t nat -F PREROUTING
> iptables -t nat -F POSTROUTING
> iptables -t nat -F OUTPUT
>
> # allow packets from my work
> iptables -A INPUT -i eth0 -s 64.244.234.0/23 -j ACCEPT
>
> # log and drop everything else connecting TO my firewall
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j LOG --log-prefix " input-drop "
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
>
> # allow certain packets through to internal computers
> iptables -A FORWARD -i eth0 -p tcp --dport 4000 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --sport 5190 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 1214 -j ACCEPT
>
> # log and drop everything else
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j LOG --log-prefix " forward-drop "
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> # setup masquerading for outgoing traffic
> iptables -t nat -A POSTROUTING -j MASQUERADE
> </snip>
>
> This setup has basically worked fine so far. If anyone has any suggestions
> on my setup, I am open to suggestions.
>
> At 02:53 2002-02-26, you wrote:
> >I operate a small network of about 5 computers and am considering setting up
> >a pc to operate as a firewall/router for the network. The network does not
> >receive much traffic at all, and I am trying to figure out hardware-wise what I
> >need. The topology I have decided to go with is that each box on the network
> >will have its own nic on the pc. Additionally, if anyone can suggest
> >documentation on how to set this up software-wise I would appreciate it.
> >
> >I have some experience with iptables, but am unsure exactly how I would set
> >this up. Again any help would be appreciated.
> >
> >Thank you.
> >
> >J. Ferguson
>
> Lee
> [EMAIL PROTECTED]
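The scripts in this thread lean on the chains' default ACCEPT policy and accept forwarded packets without any state match. The block below is an added example, not code from Greg, Lee or the MonMotha script, showing the same two-NIC cable-modem router written as a default-deny, stateful ruleset that is loaded atomically with iptables-restore, together with the sysctl settings that belong with it. The interface names eth0 (cable modem) and eth1 (LAN), the 64.244.234.0/23 admin network taken from Lee's rule, and the 192.168.1.10 port-forward target are assumptions for illustration; the sysctl values are the usual hardening choices (syncookies on, source routing off), which differ from the rc.local values above.

```shell
#!/bin/sh
# Added example, not code from any message in this thread: a stateful
# two-NIC router ruleset in iptables-restore format, plus the sysctl
# hardening that belongs with it.  Interface names (eth0 = cable modem,
# eth1 = LAN), the 64.244.234.0/23 admin network and the 192.168.1.10
# forwarding target are assumptions for illustration.

# gen_rules WAN LAN ADMIN_NET FWD_HOST -> iptables-restore ruleset on stdout
gen_rules() {
    wan=$1; lan=$2; admin=$3; fwd=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# a FORWARD ACCEPT alone never delivers a port to an internal host;
# the packet has to be DNATed first (assumed target: $fwd)
-A PREROUTING -i $wan -p tcp --dport 4000 -j DNAT --to-destination $fwd:4000
# masquerade only traffic leaving through the WAN side
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
# default-deny for packets to and through the router
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections the router or the LAN opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify are dropped before any NEW is accepted
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# admin access to the router itself, from the admin network only
-A INPUT -i $wan -s $admin -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# the LAN may talk to the router and out to the Internet
-A INPUT -i $lan -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
# the one published service, matching the DNAT above
-A FORWARD -i $wan -o $lan -d $fwd -p tcp --dport 4000 -m conntrack --ctstate NEW -j ACCEPT
# log what falls through, rate-limited so a scan cannot fill the disk;
# the chain policy then drops it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix " input-drop "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix " forward-drop "
COMMIT
EOF
}

# sysctl_lines -> sysctl.conf-style settings for the router
sysctl_lines() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
EOF
}

# apply_rules WAN LAN ADMIN_NET FWD_HOST: load everything atomically (root only)
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    # modern names of the ip_conntrack_ftp / ip_nat_ftp helpers loaded in the rc.local above
    for m in nf_conntrack_ftp nf_nat_ftp; do modprobe "$m" 2>/dev/null || true; done
    sysctl_lines | while IFS= read -r line; do sysctl -w "$(echo "$line" | tr -d ' ')"; done
    gen_rules "$@" | iptables-restore
    # persist with: iptables-save > /etc/sysconfig/iptables (or the distro's save hook)
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules eth0 eth1 64.244.234.0/23 192.168.1.10
else
    gen_rules eth0 eth1 64.244.234.0/23 192.168.1.10   # print the ruleset for review
fi
```

Run it without APPLY to read the generated ruleset, then APPLY=1 as root to load it; iptables-restore commits each table as a unit, so a typo leaves the old rules in place instead of a half-built table the way a failing `iptables -A` sequence does. Two things it does that the thread's scripts do not: the PREROUTING DNAT is what actually makes the port 4000 forward reach an internal machine when the router is masquerading, and putting the ESTABLISHED,RELATED and INVALID rules first means no NEW rule later in the chain can be hit by replies or out-of-state packets.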