Hi:
If you just set all your rules to the default, then I don't think iptables will
masquerade correctly. BUT THIS SCRIPT HAS NOT BEEN TESTED FOR SECURITY. If
you choose to use it, use at your own risk. I was just trying to get the
basics working. But there was one problem: I couldn't get the (local) loopback
interface on the masquerade machine to masquerade correctly. But all other
boxes on the subnet worked fine. HTHO
jan
Here is my <snipped> version of my iptables script:
<<BEGIN SCRIPT>>
#!/bin/bash
#
#Point this to your copy of ip_tables
IPT="/usr/local/sbin/iptables"
#Load the module.
modprobe ip_tables
#Flush old rules, delete the firewall chain if it exists
$IPT -F
$IPT -F -t nat
$IPT -X firewall
#Setup Masquerading (source NAT to the fixed external address)
$IPT -A POSTROUTING -t nat -s your.int.net.0/24 -j SNAT --to-source your.ext.ip.addr
#Locally generated packets traverse nat POSTROUTING too, so this catch-all
#also applies to new connections the gateway itself opens, not only forwarded ones
$IPT -A POSTROUTING -t nat -s 0/0 -j DROP
$IPT -P FORWARD ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
#Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
$IPT -A firewall -j DROP
#Accept DNS, 'cause it's warm and friendly
#(this matches any UDP packet with source port 53, not only replies to our queries)
$IPT -A INPUT -p udp --source-port 53 -j ACCEPT
$IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT
#Send everything else to the firewall.
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall
<<END SCRIPT>>
> I'm trying to let a Redhat 7.1 act as a gateway; the following steps are
> what I did on the gateway machine:
> 1. echo 1 > /proc/sys/net/ipv4/ip_forward
> 2. ensure all of iptables's default policies are ACCEPT, such as FORWARD,
> INPUT, OUTPUT, POSTROUTING...
>
> Then in the internal machines, I set the default gateway to be the
> internal ip address of the gateway.
>
> From the internal machines, I can ping the internal ip address of the
> gateway, and the external ip address of the gateway. But when I tried
> to ping some other external ip address, it always failed without any
> response.
>
> Can anybody figure out if I did something wrong? Thanks a lot!
>
> Jimmy