On Fri, Jun 28, 2002 at 03:05:21PM -0700, curtis wrote:
> No, that doesn't work.
>
> Below is a previous post of mine. In response to this, one person said
> to use iptables since I was using 2.4.xx kernel.
Yes, it will work and should not be too difficult.

In 2.0 and earlier we had ipfwadm ... 2.2 brought us ipchains ... 2.4 _strongly_suggests_ iptables.

The idea of each method, for purposes of connecting a LAN to the internet through a 'server' or firewall, is the same. We want to do (at the very least) NAT (Network Address Translation) or IP-Masquerading. Two terms for the same thing: all the traffic coming from our LAN 'looks like' it came from our firewall or NAT box address. The NAT box keeps track of which device on the LAN gets the replies (connection tracking in iptables terminology).

To get iptables to work, you need to enable iptables in your kernel _and_ enable compiling of each of the modules that iptables relies upon and build those too (make modules; make modules_install). Your error message earlier indicates that iptables wants to run for you, but can't find the modules to load for you. I have seen it recommended that you turn on (building of) ALL the modules, since building ones that you do not use will not hurt anything.

That done, keep your old kernel around (you always do that just in case, right; leave it available in lilo or grub) and boot your new one. Try running this very simple script as root to flip on a basic ipmasq configuration for iptables...
--
#!/bin/bash
# iptables - test script

####
# default table :
# setup the default policies -- ACCEPT everything by default,
# the rules below only narrow that down
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

# flush out all the old chains and delete user chains
iptables -F
iptables -X

####
# INPUT chain -- what can come into the system
# allow loopback
iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
# allow replies
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
# take all input from the LAN (assumes addresses are correct)
iptables -A INPUT -i eth0 -j ACCEPT
# allow ping
iptables -A INPUT -p icmp -j ACCEPT

####
# OUTPUT chain -- what is allowed to get out
# allow loopback
iptables -A OUTPUT -o lo -j ACCEPT
# stop all samba stuff going out the DSL line, but tell the host (me)
iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j REJECT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

####
# nat table -- how we translate (masq) stuff
# flush out all the old chains
iptables -t nat -F

####
# POSTROUTING chain
# masquerade stuff from the LAN to the WAN
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# enable forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
## end
--

Once run, your lsmod (modules loaded in RAM) might look a bit like this:

[EMAIL PROTECTED]:~$ su -c "lsmod"
Password:
Module                  Size  Used by    Not tainted
ipt_MASQUERADE          1216   1  (autoclean)
iptable_nat            13236   1  (autoclean) [ipt_MASQUERADE]
ipt_REJECT              2816   1  (autoclean)
ipt_state                608   2  (autoclean)
ip_conntrack           13228   2  (autoclean) [ipt_MASQUERADE iptable_nat ipt_state]
iptable_filter          1760   1  (autoclean)
ip_tables              10592   7  [ipt_MASQUERADE iptable_nat ipt_REJECT ipt_state iptable_filter]
serial_cs               4480   0  (unused)
xirc2ps_cs             11652   1
pcnet_cs               10404   1
8390                    5984   0  [pcnet_cs]
af_packet               8296   1
--

As you can see, most of the modules are iptables related ... you have to have compiled and installed all of them to get this to work. Here are the modules on this system:

[EMAIL PROTECTED]:~$ ls /lib/modules/2.4.18/kernel/net/ipv4/netfilter/
ip_conntrack.o       ipfwadm.o         ipt_ULOG.o       ipt_state.o
ip_conntrack_ftp.o   ipt_LOG.o         ipt_ah.o         ipt_tcpmss.o
ip_conntrack_irc.o   ipt_MARK.o        ipt_esp.o        ipt_tos.o
ip_nat_ftp.o         ipt_MASQUERADE.o  ipt_length.o     ipt_ttl.o
ip_nat_irc.o         ipt_MIRROR.o      ipt_limit.o      ipt_unclean.o
ip_nat_snmp_basic.o  ipt_REDIRECT.o    ipt_mac.o        iptable_filter.o
ip_queue.o           ipt_REJECT.o      ipt_mark.o       iptable_mangle.o
ip_tables.o          ipt_TCPMSS.o      ipt_multiport.o  iptable_nat.o
ipchains.o           ipt_TOS.o         ipt_owner.o

Now, I might get feedback about this being less than perfect. It is, but it will work. (Note the last line about putting a '1' into the proc filesystem to turn on forwarding? All routers need at least that much happening.)

ipchains (and ipfwadm) were _much_ simpler to 'get the basics' out of, but iptables allows 'stateful' packet filtering and is much more flexible and powerful ...

That said, here is how you would do it with ipchains (just basic NAT):

--
(This is /etc/init.d/iptables on a debian potato system of mine)

#! /bin/sh
# Script to control packet filtering.
# by dap ... from ipchains-HOWTO 12/2000 ...
# note: to create /etc/ipchains.rules,
# run "ipchains-save > /etc/ipchains.rules"

# If no rules, do nothing.
[ -f /etc/ipchains.rules ] || exit 0

case "$1" in
start)
    echo -n "Turning on packet filtering:"
    /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "."
    ;;
stop)
    echo -n "Turning off packet filtering:"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -F
    /sbin/ipchains -X
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT
    echo "."
    ;;
*)
    echo "Usage: /etc/init.d/packetfilter {start|stop}"
    exit 1
    ;;
esac

exit 0

# Make sure this is run early in the bootup procedure.
# In my case (Debian 2.1), I make a symbolic
# link called `S39packetfilter' in the `/etc/rcS.d'
# directory (this will be run before S40network).
--

(You need a /etc/ipchains.rules for this one to work though...)

--
dbx:/home/davep# cat /etc/ipchains.rules
:input ACCEPT
:forward DENY
:output ACCEPT
-I input -s 63.225.175.59 -j DENY -l
-I input -s 63.225.165.246 -j DENY -l
-I input -s 63.225.190.28 -j DENY -l
-I input -s 63.225.18.129 -j DENY -l
-I input -s 63.231.54.72 -j DENY -l
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
--

(All those -I input -s .... DENY lines are just idiot hosts with the nimwitda virus who keep trying to probe my apache web server like it was an IIS box; they just get their packets quietly dropped on the doormat. The real work is the first three lines, and the last line.)

Now, this config _is_ incredibly open and most sane people would tell you that I am insane to connect such a firewall to the internet. They are right, except that:

1> it works for my purposes
2> the hosts it protects are pretty well hardened in their own right.

I just want this box to NAT for me ...

I really hope this helps. I should also point to the docs at samba.org which are maintained by the author of the iptables code (rusty). Hard reading, but well worth the effort, especially after you get a basic config running and want to understand how it works.

aloha,
dave
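An added example, not part of dave's post: the same LAN-to-WAN masquerade as his test script, with the parts he calls "less than perfect" tightened up (default DROP on INPUT and FORWARD, RELATED allowed next to ESTABLISHED, NEW connections only from the LAN side, and MASQUERADE restricted to the LAN subnet). The interface names (eth0 = LAN, eth1 = WAN) and the 192.168.1.0/24 subnet are assumptions passed in as arguments; gen_rules only prints the commands so they can be reviewed before apply_rules runs them.

```shell
#!/bin/sh
# Added example: stateful masquerading firewall in the shape of dave's script.
# Assumed layout: $1 = LAN interface, $2 = WAN interface, $3 = LAN subnet.
gen_rules() {
    lan=$1; wan=$2; lannet=$3
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
# default deny for traffic aimed at the box and for forwarded traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and replies; RELATED covers ICMP errors and ftp data (ip_conntrack_ftp)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections to the box only from the LAN side and only from the LAN subnet
iptables -A INPUT -i $lan -s $lannet -m state --state NEW -j ACCEPT
# rate-limited ping from the WAN; everything else from the WAN is logged, then dropped
iptables -A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -i $wan -m limit --limit 10/min -j LOG --log-prefix "fw-drop: "
# forwarding: replies both ways, new sessions LAN->WAN only, samba never leaves
# (the REJECT must come before the general LAN->WAN ACCEPT or it never matches)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -p tcp --dport 137:139 -j REJECT
iptables -A FORWARD -i $lan -o $wan -s $lannet -m state --state NEW -j ACCEPT
# the box's own samba traffic stays off the WAN too
iptables -A OUTPUT -o $wan -p tcp --dport 137:139 -j REJECT
# masquerade only what really comes from the LAN subnet
iptables -t nat -A POSTROUTING -o $wan -s $lannet -j MASQUERADE
# routers need at least this much
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# run as root; "sh -e" stops at the first iptables error (e.g. a module that was not built)
apply_rules() { gen_rules "$@" | sh -e; }

if [ "${1:-}" = "apply" ]; then
    apply_rules eth0 eth1 192.168.1.0/24
else
    gen_rules eth0 eth1 192.168.1.0/24
fi
```

Run it with no arguments to print the rule set for review, and with "apply" as root to load it.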