Hi All,

Thanks to Daniel Robbins and his articles I've got the following basic script working on one of my boxes:

========================
#!/bin/sh
#(connection to the Internet)
UPLINK="eth0"

#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"
ROUTER="no"

#change this next line to the static IP of your uplink interface for static SNAT, or
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to "" to
#disable it.
NAT=""

#change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth0 ppp0"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    iptables -P INPUT DROP
    #accept everything that does not arrive on the uplink (lo, LAN side);
    #older iptables spelled this "-i ! ${UPLINK}", current releases want "! -i"
    iptables -A INPUT ! -i ${UPLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -i ${UPLINK} -j DROP #for testing use: REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${UPLINK} -j DROP #for testing use: REJECT --reject-with icmp-port-unreachable

    # #explicitly disable ECN
    # if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    # then
    #     echo 0 > /proc/sys/net/ipv4/tcp_ecn
    # fi

    # #disable spoofing on all interfaces
    # for x in ${INTERFACES}
    # do
    #     echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    # done

    if [ "$ROUTER" = "yes" ]
    then
        #we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            #dynamic IP address, use masquerading
            echo "Enabling masquerading (dynamic ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            #static IP, use SNAT with the address stored in NAT
            echo "Enabling SNAT (static ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
        fi
    fi
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
fi
========================

nmap shows me that it works okay, but of course that's only on eth0, which is the only NIC on this box and connects to an ADSL hardware router. No matter what I tried I have not managed to make the script work for the ppp0 interface.
Am I supposed to duplicate all the iptables lines and define ppp0 instead of eth0? Is there a clever modification I could use on the above script to get the same result?

On a different but broadly relevant topic - are there any specific sysctl and iptables settings I need to get google talk/gaim/kopete working?

--
Regards,
Mick
--
gentoo-user@gentoo.org mailing list
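One way to cover eth0 and ppp0 with a single set of rules, as an added example that is not part of the original post and not taken from Daniel Robbins' articles: the uplink becomes a list, and because "! -i" can only name one interface, the accept rule is written per trusted (non-uplink) interface instead. UPLINKS, INTERFACES and the IPT dry-run variable are assumptions for the illustration.

```shell
#!/bin/sh
# Stateful INPUT policy for several Internet-facing interfaces (example).
UPLINKS="${UPLINKS:-eth0 ppp0}"          # assumed: every untrusted interface
INTERFACES="${INTERFACES:-lo eth0 ppp0}" # assumed: every interface on the box
IPT="${IPT:-iptables}"                   # IPT=echo prints the rules instead of loading them

# Return 0 if interface $1 is listed in UPLINKS.
is_uplink() {
    for u in $UPLINKS; do
        [ "$1" = "$u" ] && return 0
    done
    return 1
}

fw_start() {
    $IPT -P INPUT DROP
    # Accept new connections only on interfaces that are not uplinks (lo, LAN).
    for i in $INTERFACES; do
        is_uplink "$i" || $IPT -A INPUT -i "$i" -j ACCEPT
    done
    # Replies to connections this box opened, on any interface.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Explicit per-uplink drops (swap DROP for REJECT while testing). iptables
    # accepts a rule naming ppp0 before pppd has brought the link up, so the
    # rule is already in place when the interface appears.
    for u in $UPLINKS; do
        $IPT -A INPUT -p tcp -i "$u" -j DROP
        $IPT -A INPUT -p udp -i "$u" -j DROP
    done
}

fw_stop() {
    $IPT -F INPUT
    $IPT -P INPUT ACCEPT
}

case "${1:-}" in
    start) echo "Starting firewall..."; fw_start ;;
    stop)  echo "Stopping firewall..."; fw_stop ;;
esac
```

Run it with IPT=echo first to review the generated rules before loading them.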