> One last question for today:
>
> How can I make the commands:
> echo "1" >/proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> permanent, meaning executed at boot time?

Copy one of the /etc/init.d scripts and make it your own.  For example (here's 
a quick example):
=====================================================
#!/sbin/runscript

# Shell assignments take no spaces around "=", and IPTABLES has to be
# set here before $IPTABLES can be used in start() and stop().
INTERNAL=eth0
EXTERNAL=ppp0
IPTABLES=/sbin/iptables

start() {
        ebegin "Starting simple firewall"
        # This line I think only needs to be done once
        # in the entire life of the system, well, until a "0"
        # has been echoed (which we'll do to stop)
        echo "1" > /proc/sys/net/ipv4/ip_forward
        # Firewall code
        # Clear all previous rules
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -F INPUT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -F OUTPUT
        $IPTABLES -P FORWARD DROP
        $IPTABLES -F FORWARD
        $IPTABLES -t nat -F
        # Allow only masq'ing on the IN and RELATED and
        # ESTABLISHED from the OUT
        $IPTABLES -A FORWARD -i $EXTERNAL -o $INTERNAL \
                -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT
        $IPTABLES -A FORWARD -j LOG
        # Enable MASQ'ing
        $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
        # Done firewall code
        eend $? "Failed to start simple firewall"
}

stop() {
        ebegin "Stopping simple firewall"
        # Just a "0" to forwarding should do it, but we'll go a step further and go
        # just to default rules
        echo "0" > /proc/sys/net/ipv4/ip_forward
        # Clear all previous rules
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -F INPUT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -F OUTPUT
        $IPTABLES -P FORWARD DROP
        $IPTABLES -F FORWARD
        $IPTABLES -t nat -F
        eend $? "Failed to stop simple firewall"
}
=====================================================
A couple of things about this script:
1) Save it in /etc/init.d/ and chmod +x it.  Then use rc-update to add it to 
the default runlevel (or whichever runlevel you want to run it in)
2) I'm unsure about variables in Gentoo scripts, so I don't know if this will 
work without some hacking of INTERNAL and EXTERNAL.
3) This is the firewall I'm currently using.  It looks alright, though I may 
want to change the default of the internet to DROP ... how do I do that?

MIKE
-- 
Beware the JabberOrk
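The same masquerading rule set as a plain POSIX sh script, added here as an example; it is not part of Mike's message or of Gentoo's own init scripts. It keeps his rule order but wraps every iptables call so the first failing rule aborts the start instead of leaving a half-applied rule set reported as "started", and it turns on ip_forward only after the rules are loaded. The interface names, the iptables path, the IP_FORWARD path and the IPTABLES=echo dry-run switch are assumptions, all overridable from the environment.

```shell
#!/bin/sh
# Added example (not from the original post): masquerading rule set with
# fail-fast rule loading and a dry-run mode.  Interface names, paths and
# the dry-run switch below are assumptions; override them from the environment.
INTERNAL="${INTERNAL:-eth0}"
EXTERNAL="${EXTERNAL:-ppp0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"        # IPTABLES=echo prints the rules instead
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

# Run one iptables command; return non-zero on the first failure so the
# caller can stop rather than continue with a partial rule set.
ipt() {
    "$IPTABLES" "$@" || { echo "rule failed: $*" >&2; return 1; }
}

# Safe baseline: flush everything and default FORWARD to DROP, so nothing is
# routed between the interfaces until an explicit ACCEPT rule allows it.
reset_rules() {
    ipt -F INPUT   && ipt -P INPUT ACCEPT   &&
    ipt -F OUTPUT  && ipt -P OUTPUT ACCEPT  &&
    ipt -F FORWARD && ipt -P FORWARD DROP   &&
    ipt -t nat -F
}

firewall_start() {
    reset_rules || return 1
    # Only replies to connections the LAN opened may come back in.
    ipt -A FORWARD -i "$EXTERNAL" -o "$INTERNAL" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # LAN hosts may open anything outbound.
    ipt -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -j ACCEPT || return 1
    # Anything that falls through is logged, then dropped by the policy.
    ipt -A FORWARD -j LOG --log-prefix "FORWARD-DROP: " || return 1
    ipt -t nat -A POSTROUTING -o "$EXTERNAL" -j MASQUERADE || return 1
    # Enable routing only once the rules above are in place.
    echo 1 > "$IP_FORWARD"
}

firewall_stop() {
    echo 0 > "$IP_FORWARD"
    reset_rules
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
esac
```

Run it as `IPTABLES=echo sh firewall.sh start` to see the exact rules it would load without touching the kernel; the real init script would call `firewall_start` from start() and pass its return value to `eend`.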
