On Sat, May 07, 2005 at 11:09:02AM +0500, varun_saa@xxxxxxxx wrote:
> Hello,
> My server is on Mandrake 10.1
> eth0 is WAN with static IP connected to 512K DSL.
> eth1 is LAN - 192.168.0.0/24 , 192.168.21.0/24
>
> I am doing a NAT on eth0 as follows:
>
> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> What are the first rules that one would
> write. I mean how and where to start.
>
> What are the first rules that one would write.
> Do you start by blocking all? Or allow all?
> I am asking this just from the point of view
> of understanding the basic strategy.
>
> Basically clients will surf the net,
> send/receive mails and MSN/yahoo chat.
> I would be using squid proxy.

opie's 3-line guide to emulating a cisco PIX default config:

#!/bin/sh
INSIDE_IF="eth1"
OUTSIDE_IF="eth0"
# primary IPv4 address of the outside interface, used as the SNAT source
OUTSIDE_IP=`ip -4 -o addr sh $OUTSIDE_IF | awk '{print $4}' | cut -d"/" -f1`

# connection-tracking helpers so FTP data connections work through the NAT
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# default deny for traffic to the box and through the box; the box itself may talk out
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# replies to existing connections, anything new from the inside, and loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INSIDE_IF -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INSIDE_IF -m state --state NEW -j ACCEPT

# source NAT the LAN behind the static outside address
iptables -t nat -A POSTROUTING -o $OUTSIDE_IF \
  -j SNAT --to-source $OUTSIDE_IP

sysctl -w net.ipv4.ip_forward=1

that's where i'd start--it's pretty wide-open, but it's probably better than nothing.

i also recommend reading:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

-j

--
"Stewie: Baby needs to suck ash. Baby needs to suck ash. Not ass, you
pervert. Save it for the interns."
--Family Guy
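Added here, not part of the thread: a small audit over iptables-save output that checks the filter table for the baseline the script above establishes (DROP policies on INPUT and FORWARD, plus an ESTABLISHED,RELATED accept rule in each). Both dumps are constructed samples: one at distribution defaults, one as the script would leave the filter table.

```python
import re
# Constructed samples: a filter table at defaults (everything ACCEPT, no
# state rules) and the filter table opie's script produces on eth1/eth0.
WEAK_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT
"""
HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
COMMIT
"""
STATE_RE = re.compile(r"--state\s+(\S+)")

def parse_tables(dump):
    """Map table name -> {"policy": {chain: policy}, "rules": [append lines]}."""
    tables, cur = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line[0] == ":":
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A "):
            cur["rules"].append(line)
    return tables

def audit(dump):
    """Return findings against the default-deny baseline; [] means it is met."""
    findings = []
    filt = parse_tables(dump).get("filter", {"policy": {}, "rules": []})
    for chain in ("INPUT", "FORWARD"):
        # a chain missing from the dump has the kernel default policy, ACCEPT
        if filt["policy"].get(chain, "ACCEPT") != "DROP":
            findings.append(f"{chain}: policy is not DROP")
        ok = [r for r in filt["rules"] if r.startswith(f"-A {chain} ") and "-j ACCEPT" in r]
        states = [set(m.group(1).split(",")) for m in map(STATE_RE.search, ok) if m]
        if not any({"ESTABLISHED", "RELATED"} <= s for s in states):
            findings.append(f"{chain}: no ESTABLISHED,RELATED accept rule")
    return findings
```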