>>>>> "rlc" == Robert L Cochran <Robert> writes:

rlc> Now let's change the subject to the iptables rules. Can you post the
rlc> forwarding and NAT rules you added to your iptables?

Here are excerpts from my iptables setup. I only added the FORWARD rules
that are listed under "Various precautions" and I removed the comments
that prevented ICMP packets from being dropped. Many thanks to Tim Morizot
and his Easy Firewall Generator.

--- Vladimir
------------------------------------------------------------------------
Vladimir G. Ivanovic                          http://leonora.org/~vladimir
2770 Cowper St.                               vladimir@xxxxxxx
Palo Alto, CA 94306-2447                      +1 650 678 8014


IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth0"
INET_ADDRESS="64.166.134.117"

# Local Interface 2 Information
LOCAL2_IFACE="eth01"     # matches eth0:1
# NOTE: iptables -i/-o match kernel device names. An IP alias label such
# as eth0:1 is not a separate device (its traffic is seen on eth0), and
# "eth01" names no device at all, so no rule using $LOCAL2_IFACE below
# can ever match.
LOCAL2_IP="192.168.10.1"
LOCAL2_NET="192.168.10.0/24"
LOCAL2_BCAST="192.168.10.255"

# Echo - uncomment to allow your system to be pinged.
$IPT -A icmp_pkts -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# Time Exceeded
$IPT -A icmp_pkts -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched: dropped here, rather than returning to the calling chain
# where it would be logged
$IPT -A icmp_pkts -p ICMP -j DROP

###############################################################################
#
# FORWARD Chain
#

echo "Process FORWARD chain ..."

# Used if forwarding for a private network

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_pkts

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL0_IFACE -j tcp_out
$IPT -A FORWARD -p tcp -i $LOCAL1_IFACE -j tcp_out
$IPT -A FORWARD -p tcp -i $LOCAL2_IFACE -j tcp_out

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL0_IFACE -j udp_out
$IPT -A FORWARD -p udp -i $LOCAL1_IFACE -j udp_out
$IPT -A FORWARD -p udp -i $LOCAL2_IFACE -j udp_out

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL0_IFACE -j ACCEPT
$IPT -A FORWARD -p ALL -i $LOCAL1_IFACE -j ACCEPT
$IPT -A FORWARD -p ALL -i $LOCAL2_IFACE -j ACCEPT

# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Various precautions
# These three rules are not restricted to an input interface, so they also
# ACCEPT (rate-limited) new TCP SYNs, RSTs and echo-requests that arrive on
# $INET_IFACE and are being forwarded; only packets over the limit fall
# through to the LOG rule and the chain policy.
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \
    --limit 1/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit \
    --limit 1/s -j ACCEPT

# Log packets that still don't match
$IPT -A FORWARD -m limit --limit 3/minute -j LOG \
    --log-tcp-options --log-ip-options --log-prefix "FORWARD packet died: "

###############################################################################
#
# nat table
#
###############################################################################

# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, snat is used. If the gateway has a dynamic address,
# masquerade must be used instead. There is more overhead associated
# with masquerade, so snat is better when it can be used.

# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.

echo "Load rules for nat table ..."

# Turn on IP forwarding

###############################################################################
#
# PREROUTING chain
#

###############################################################################
#
# POSTROUTING chain
#

$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS

-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
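Two things a reader would want to check before loading a script like the one above: that every interface named with -i/-o is a real kernel device (an alias label like eth0:1 is not), and that the POSTROUTING rule uses SNAT only when the gateway address is static, MASQUERADE otherwise. The dry-run helper below is an added example, not part of Vladimir's script or the Easy Firewall Generator; it reuses the variable names from the post and assumes a hypothetical SYSNET_DIR override of /sys/class/net so it can be exercised without real interfaces.

```shell
#!/bin/sh
# Added example: dry-run checks for an iptables NAT gateway script.
# Nothing here calls iptables; the functions only inspect names and
# print the rule that should be used.

# Values copied from the post (constructed defaults for the demo).
INET_IFACE="eth0"
INET_ADDRESS="64.166.134.117"
LOCAL2_IFACE="eth01"          # the alias-style name from the post

# Hypothetical override so the check can run against a fake sysfs tree.
SYSNET_DIR="${SYSNET_DIR:-/sys/class/net}"

# iface_exists NAME -> 0 if the kernel exposes NAME as a network device.
# Alias labels (eth0:1) and typos (eth01) are not devices, so netfilter
# -i/-o matches on them never fire; alias traffic shows up on eth0.
iface_exists() {
    [ -n "$1" ] && [ -e "$SYSNET_DIR/$1" ]
}

# check_ifaces NAME... -> reports every missing name on stderr, returns 1
# if any rule referencing them would be dead.
check_ifaces() {
    rc=0
    for name in "$@"; do
        if ! iface_exists "$name"; then
            echo "no such device: $name (-i/-o rules using it never match)" >&2
            rc=1
        fi
    done
    return $rc
}

# nat_rule IFACE [STATIC_IP] -> prints the POSTROUTING rule to use:
# SNAT when a static address is known (cheaper, as the post says),
# MASQUERADE when the address is dynamic and must be looked up per packet.
nat_rule() {
    iface="$1"; addr="$2"
    if [ -n "$addr" ]; then
        echo "iptables -t nat -A POSTROUTING -o $iface -j SNAT --to-source $addr"
    else
        echo "iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE"
    fi
}

# Dry run against the values from the post.
check_ifaces "$INET_IFACE" "$LOCAL2_IFACE" || echo "fix interface names first" >&2
nat_rule "$INET_IFACE" "$INET_ADDRESS"
```

On the poster's box this flags eth01 as a non-existent device and prints the same SNAT rule the script loads; with INET_ADDRESS empty it prints the MASQUERADE form instead.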