Ralf, et al --

...and then Ralf Spenneberg said...
%
% On Tue, 2003-05-20 at 12:29, David T-G wrote:
...
% > Lifting directly from the "Made Simple" HOWTO, I tried
% >
% >   modprobe ipt_MASQUERADE    # If this fails, try continuing anyway
% >   iptables -F; iptables -t nat -F; iptables -t mangle -F
% >   iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to my.ip.add.ress
% >   echo 1 > /proc/sys/net/ipv4/ip_forward
% >   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
% >   iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
% >   iptables -P INPUT DROP    # only if the first two are successful
% >   iptables -A FORWARD -i eth1 -o eth1 -j REJECT
% What are you trying to achieve?
% These rules do not allow any traffic through your firewall (Forward
% REJECT).

As I said, I was lifting from the HOWTO :-)  I thought that that rule
rejected anything coming in on eth1 (external interface) that was due to
go back out on eth1.

The interesting thing is that traffic *did* go through the firewall,
since the network is the only way I can access it.  I ran that script and
was not locked out.  Again, I don't understand!

%
% > So I went to Rusty's NAT HOWTO and built up some commands from it:
% >
% >   Goal 1: NAT from eth1 (LAN) to and through eth0 (WAN) for client
% >
% OK, let's see.  You have got 3 tables: filter, nat, and mangle.
% NAT is quite easy to set up:
%
% # Flush all
% iptables -F
% iptables -t nat -F
% iptables -t mangle -F
% # configure NAT
% iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
% # Turn on routing
% echo 1 > /proc/sys/net/ipv4/ip_forward

I tried that, too, and couldn't get in from the outside any more.
Perhaps at that point I didn't need to, though.

I can follow the flushes easily enough.  I'm not sure why I want to do
postrouting going out the LAN interface; I thought that NAT was for
internal machines trying to get out.

I *think* that what I want is SNAT == source translation, and the NAT
HOWTO doesn't talk about DNAT == destination translation, so I don't know
that it's needed -- but, of course, I also don't really know about what
I'm speaking.

[Oh, phooey -- I just realized that I had a typo, and you're obviously
going from what I wrote!  eth0 is the LAN and eth1 is the WAN; sorry!]

%
% You should be able to ping now from an internal client to an external IP
% address.  Note that DNS resolution might not work yet.

This is one test case that I didn't try, since the firewall was otherwise
locked up.

% > Goal 2: Allow various connections and confirm that they work
% Now you are trying to filter.  The filter table has three chains, each
% chain with a specific task:
% INPUT only filters packets with the local machine as destination

Oh, INPUT from any interface; OK.

% OUTPUT only filters packets originating on the local machine
% FORWARD only sees those packets not covered by INPUT and OUTPUT being
% forwarded by the firewall.

OK.  But this FORWARD is different from the NAT forward, right?

% If you want to allow new connections from the inside you need the
% following rules:
% # Deny everything through the machine
% iptables -P FORWARD DROP
% # Allow new connections from the inside
% iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
% # Allow established connections
% iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
%
% Your firewall is still accessible, because when the firewall takes part
% in the communication only INPUT and OUTPUT are used.

Ahhh...  OK.

% >
% > Goal 3: Disallow Bad Stuff from WAN
% >
% > Goal 4: Disallow Bad Stuff from LAN
% >
% > is a good step-by-step approach but I can't even get past #1 :-(
% Tell me if you know what I am talking about and if it helps you to get
% past #1.

I'm close, I think.

I'd start with

  # flush everything
  iptables -t filter -F ; iptables -t mangle -F ; iptables -t nat -F
  # allow masquerading
  iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

to just forward packets from inside clients, and then perhaps add

  # outbound connections through
  iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
  # returning connections through
  iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

to allow things like pings to go out and in.  Then I'd need

  # incoming to
  iptables -t filter -A INPUT -j ACCEPT

to just let everything going to the box -- like my ssh -- get there.
Not yet secure, but a start, right?

% Cheers,
%
% Ralf

Thanks *so* much! & HAND

:-D
-- 
David T-G                      * There is too much animal courage in
(play) davidtg@xxxxxxxxxxxxxxx * society and not sufficient moral courage.
(work) davidtgwork@xxxxxxxxxxxxxxx  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
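The ruleset the thread converges on (masquerade LAN traffic leaving the WAN side, default-deny FORWARD with NEW allowed only from the LAN, and the firewall itself reached through INPUT), as an added example that is not part of either poster's mail. It uses the corrected interface assignment from the thread (eth0 = LAN, eth1 = WAN); the LAN range 192.168.1.0/24, the `run` dry-run helper and the `apply|show` entry point are assumptions made for this example. The `-m state --state` match is the one used in the thread; current iptables treats it as an alias of `-m conntrack --ctstate`.

```shell
#!/bin/sh
# Added example: minimal NAT + filter ruleset for eth0 = LAN, eth1 = WAN.
# Not the original poster's script. LAN_NET is an assumed value.
set -eu

WAN=${WAN:-eth1}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed LAN range; adjust for your site
DRY_RUN=${DRY_RUN:-}

# run: execute the command, or just print it when DRY_RUN is set, so the
# ruleset can be reviewed (and tested) without root or iptables present.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    # Start from a clean slate in all three tables
    for t in filter nat mangle; do run iptables -t "$t" -F; done

    # Goal 1: NAT. Rewrite the source of LAN traffic as it leaves the WAN side.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # FORWARD (traffic *through* the box): replies to tracked connections,
    # and NEW connections only when they arrive from the LAN bound for the WAN.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Anti-spoofing: a packet claiming a LAN source must not arrive on the WAN
    run iptables -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # INPUT (traffic *to* the box): loopback, replies, ssh and ping from the LAN only.
    # The admin's own ssh session is what the ESTABLISHED rule keeps alive.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT

    # Policies go in after the ACCEPT rules exist, so a remote admin session
    # is matched by a rule rather than hitting DROP in between.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Routing is enabled last, once FORWARD already defaults to DROP
    run sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) firewall_rules ;;
    show)  DRY_RUN=1; firewall_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run `sh fw.sh show` first to read the exact commands that would be issued, then `sh fw.sh apply` as root from the LAN side (or from the console): the script never opens INPUT on the WAN interface, so applying it over an ssh session that came in via eth1 will end that session as soon as the policy flips.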