Gentoo Forums
Too Simple Firewall + NAT sharing
Forum Index: Documentation, Tips & Tricks

opentaka
l33t
Joined: 18 Feb 2005
Posts: 840
Location: Japan

Posted: Wed Mar 23, 2005 3:06 pm    Post subject: Too Simple Firewall + NAT sharing

ok, what you want to do is "just have a firewall and protect me!!", something like that.

1st,
emerge iptables

that installs iptables into your box.

then, as root, create a file, let's say iptables.sh

then copy

Code:

#!/bin/sh
IPTABLES=/sbin/iptables

#change eth0 to the interface that is connected to the internet

#start from an empty INPUT chain, so running the script twice does not duplicate the rules
$IPTABLES -F INPUT

#allowing replies to outgoing ICMP (RELATED also lets in ICMP errors such as "fragmentation needed")
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p icmp
#allowing replies to outgoing tcp/udp connections
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p udp

#log what is about to be dropped, at most 10 lines per second with a burst of 15
#(the LOG rule has to come before the DROP rule, otherwise it never sees a packet)
$IPTABLES -A INPUT ! -i lo -m limit --limit 10/second --limit-burst 15 -j LOG --log-prefix "fw-drop: "
#Dropping everything else, instead of rejecting it.
$IPTABLES -A INPUT ! -i lo -j DROP

#just returning something so when you put it into /etc/conf.d/local.start the boot process won't freeze
echo "firewall started"


there you go. chmod +x iptables.sh and run it.
this is a BASIC firewall. by default iptables blocks everything unless you manually set it to "ACCEPT"

then, let's add something more fun.

NAT routing

add
Code:

#clean any existing nat setting
$IPTABLES -F -t nat

#turn on NAT routing. change eth0 to the device that is connected to the net
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

#Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#returning something for something :P
echo "now set your client's DNS to:"
cat /etc/resolv.conf



done. it should work perfectly.


PORTFORWARDING


looks like this
Code:

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 123 -j DNAT --to 192.168.0.2:123


change:
eth0 - your internet-facing interface
--dport 123 - the port on your box
192.168.0.2:123 - your client's IP:port


oki, that's all...

this can be improved with several options, but I'll just leave it in a "simple" state with just a few lines.
_________________
"Being defeated is often a temporary condition. Giving up is what makes it permanent" - Marilyn vos Savant
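The three steps above (stateful INPUT filter, MASQUERADE, DNAT) combined into one script, as an added example that is not part of the original post. It keeps the ESTABLISHED match on INPUT (that match only admits packets belonging to a connection conntrack has already seen, so it does not open inbound ports) and adds RELATED for ICMP errors, puts the LOG rule ahead of the catch-all DROP so it actually fires, and gives the FORWARD chain a DROP policy with explicit LAN-to-internet and port-forward rules, because once FORWARD is closed the DNAT rule alone does not let the forwarded packets through. The interface names eth0/eth1, the subnet 192.168.0.0/24 and the port-forward target 192.168.0.2:123 are assumptions (the last one taken from the post); the `rules`, `log_before_drop` and `apply` functions are this example's own, not anything from iptables or Gentoo.

```shell
#!/bin/sh
# Added example, not code from the original post.  A small stateful
# firewall plus NAT and one port forward for a two-interface Gentoo box,
# written so the whole rule set can be printed and checked before it is
# applied.  Interface names, the LAN subnet and the forwarded port are
# assumptions; adjust them to your box.
WAN=${WAN:-eth0}                     # interface facing the internet (assumed)
LAN=${LAN:-eth1}                     # interface facing your clients (assumed)
LAN_NET=${LAN_NET:-192.168.0.0/24}   # client subnet (assumed)
FWD_PORT=${FWD_PORT:-123}            # TCP port forwarded to one LAN host
FWD_TO=${FWD_TO:-192.168.0.2}        # the LAN host that receives it
IPTABLES=${IPTABLES:-/sbin/iptables}

# The rule set, one iptables argument list per line, in the order the
# kernel must see them:
#  - flush, then default-DROP for INPUT and FORWARD, so anything not
#    explicitly accepted is dropped;
#  - INPUT: loopback, replies to our own connections (ESTABLISHED plus
#    RELATED, which also covers ICMP errors), LAN clients talking to the
#    router itself, then LOG *before* the catch-all DROP;
#  - FORWARD: replies, LAN -> internet, and the one DNATed port; with a
#    DROP policy the DNAT rule alone does not let those packets through;
#  - nat: masquerade on the WAN side and the port forward.
rules() {
    cat <<EOF
-F INPUT
-F FORWARD
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m limit --limit 10/second --limit-burst 15 -j LOG --log-prefix fw-drop:
-A INPUT -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp -d $FWD_TO --dport $FWD_PORT -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-t nat -A POSTROUTING -o $WAN -j MASQUERADE
-t nat -A PREROUTING -i $WAN -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_TO:$FWD_PORT
EOF
}

# Sanity check on the generated set: the LOG rule must precede the
# catch-all DROP in INPUT, otherwise it never sees a packet.  Returns 0
# when the order is right.
log_before_drop() {
    log=$(rules | grep -n -- '^-A INPUT .*-j LOG' | cut -d: -f1)
    drop=$(rules | grep -n -- '^-A INPUT -j DROP$' | cut -d: -f1)
    [ -n "$log" ] && [ -n "$drop" ] && [ "$log" -lt "$drop" ]
}

# Feed every line to iptables (needs root), stop at the first failure,
# then turn on forwarding and reverse-path filtering.
apply() {
    rules | while IFS= read -r rule; do
        # $rule is split into words on purpose
        $IPTABLES $rule || { echo "failed: $IPTABLES $rule" >&2; exit 1; }
    done || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
}

case "${1:-print}" in
    print) rules ;;
    check) log_before_drop && echo "rule order ok" ;;
    apply) log_before_drop || { echo "refusing to apply: LOG after DROP" >&2; exit 1; }
           apply ;;
    *)     echo "usage: $0 print|check|apply" >&2; exit 2 ;;
esac
```

Run it as `sh fw.sh print` to see the rule set, `sh fw.sh check` to confirm the LOG/DROP order, and `sh fw.sh apply` as root to load it; `WAN=ppp0 sh fw.sh apply` overrides an interface name without editing the file. The `-A INPUT -i $LAN -s $LAN_NET -j ACCEPT` line is a policy choice that lets clients reach services on the router itself; delete it if the box should offer them nothing.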
niolou
n00b
Joined: 06 Jul 2004
Posts: 42
Location: Clermont Fd (63) - Choisy le Roi (94) / France

Posted: Thu Mar 24, 2005 9:56 pm    Post subject: Re: Too Simple Firewall + NAT sharing

I'm not sure it's the right code:
Code:

#allowing outgoing ICMP
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
#allowing outgoing tcp/udp connections
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp


Because like that you accept everything incoming...

You should replace INPUT by OUTPUT if you want to allow outgoing connections. Or maybe your comments are wrong.

I'm not sure, waiting for an answer.
opentaka
l33t
Joined: 18 Feb 2005
Posts: 840
Location: Japan

Posted: Fri Mar 25, 2005 8:12 am

>niolou
yeah, you're right. thx for the info. I'm currently writing another iptables shell script, which will be handy to modify etc.


#anyone is welcome to introduce your shell script because I'm not an expert at iptables.


>teamraster.co.nr

Hai teamraster.co.nr :wink:

check out https://forums.gentoo.org/search.php?search_author=teamraster.co.nr

Bye teamraster.co.nr :wink:

mod edit: split off the spam post by teamraster.
amne

_________________
"Being defeated is often a temporary condition. Giving up is what makes it permanent" - Marilyn vos Savant