On Thu, 1 Jan 1970, Matthew Simpson wrote:
> Has anyone come across a good iptables script with MASQ ?
>
there's a plethora of howtos and suggestions on http://www.netfilter.org/

here's a stripped-down version of a script i wrote for my own home use, minus a bunch of special forwardings and stuff:

actually, let me explain this a little perhaps. i flush/zero/remove the 3 default tables (filter, nat, and mangle), then remove any loaded related kernel modules (total overkill / not necessary). then i start setting rules from a clean slate.

first in the filter table, which i use to grant or revoke access, basically. eth0 (192.168.22.0/24) is my internal home network. ppp0 and a dynamically-assigned ip is my connection to the outside world. i set the default policies to DROP for extra security, then allow only what i need -- the loopback device, the internal network to/from the masquerading machine, forwarding from my internal net to the outside, and forwarding from the outside to my internal net only if it's not a new connection. i also log any attempts to connect to port 113 (identd), but then reject them anyway (reject is different than drop, see the netfilter site).

next comes the nat table, where i do nothing (in this example, anyway) but allow masquerading from my internal net to the outside world. i let my default policies be ACCEPT as the filter table controls access already.

i don't add to the mangle table at all as i have no use for it in this example.

finally, i explicitly load a couple kernel modules that may make using ftp slightly more convenient sometimes. and that's it.

after running this, i can:

    service iptables save
    chkconfig ipchains off
    chkconfig iptables on

and redhat will handle adding all these rules (except those 2 module loadings) on each restart on its own.

this is probably even much more complex than you may need, and i didn't explain everything in detail, but hey, you caught me in a talkative mood for 10 minutes, so enjoy.
and whether this helps or not, please PLEASE visit http://www.netfilter.org/ for the true lowdown on how all this stuff works. if you have a different network device setup, or if you have a static ip, or if you have any number of other needs, you'll want to look over the howtos on there and adjust your rules accordingly, so you're best off taking a glance anyway. good luck.

-tcl.

#!/bin/sh

# flush rules, zero counters and delete user-defined chains in all 3 default tables
for i_tbl in filter nat mangle; do
    iptables -t ${i_tbl} -F
    iptables -t ${i_tbl} -Z
    iptables -t ${i_tbl} -X
done

# unload every loaded ip* module (overkill; rmmod simply reports an error for
# any module that is still in use or still needed by another loaded module)
lsmod | awk '{ print $1; }' | egrep -i '^ip' | xargs rmmod

# ---- filter table: decides what may come in, go out, or pass through ----
iptables -t filter -F
iptables -t filter -Z
iptables -t filter -X

# default to DROP; every rule below is an explicit exception
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# loopback, and the internal net (eth0) talking to this box (192.168.22.1)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.22.0/24 -d 192.168.22.1 -j ACCEPT

# from the outside (ppp0): only traffic belonging to connections we started
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# log new ident (113/tcp) connection attempts from outside, then REJECT them
iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --destination-port 113 --syn -m state --state NEW -j LOG --log-prefix "tcl-ipt-filt-in-auth/ident: "
iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --destination-port 113 --syn -m state --state NEW -j REJECT

# forwarding: internal net out to the world freely; world back in only for existing connections
iptables -t filter -A FORWARD -i eth0 -o ppp0 -s 192.168.22.0/24 -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth0 -d 192.168.22.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# this box may talk to loopback, to the internal net, and out to the world
iptables -t filter -A OUTPUT -o lo -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -s 192.168.22.1 -d 192.168.22.0/24 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

# ---- nat table: masquerade the internal net behind ppp0's dynamic address ----
iptables -t nat -F
iptables -t nat -Z
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.22.0/24 -j MASQUERADE

sync

# ftp connection-tracking / nat helpers (not restored by "service iptables save")
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

sync

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
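As an added example that is not part of tcl's post or script: a small POSIX sh audit that reads an iptables-save style dump and checks the three properties the message relies on (filter chains default to DROP, forwarding in from the dial-up side is limited to ESTABLISHED,RELATED, and MASQUERADE is restricted to the internal net by -s). The function names are my own; the interface and network names (ppp0, 192.168.22.0/24) follow the post, and both dumps are constructed by hand in iptables-save syntax, abridged, rather than captured from a live system.

```shell
#!/bin/sh
# Added example (not from the post): audit an iptables-save style dump for the
# properties the message relies on. Both dumps are constructed, not captured.

LAN=192.168.22.0/24   # internal home network (from the post)
WAN=ppp0              # dial-up interface facing the outside world (from the post)

# Print the default policy of chain $2 in table $1 from a dump read on stdin.
policy_of() {
    awk -v tbl="*$1" -v chain=":$2" '
        $1 == tbl             { in_tbl = 1; next }
        $1 == "COMMIT"        { in_tbl = 0 }
        in_tbl && $1 == chain { print $2; exit }'
}

# 0 when INPUT, FORWARD and OUTPUT in the filter table all default to DROP.
default_policies_drop() {
    for chain in INPUT FORWARD OUTPUT; do
        [ "$(printf '%s\n' "$1" | policy_of filter "$chain")" = "DROP" ] || return 1
    done
    return 0
}

# 0 when no FORWARD ACCEPT rule arriving on $WAN admits NEW or stateless traffic.
inbound_forward_stateful() {
    printf '%s\n' "$1" | awk -v wan="$WAN" '
        BEGIN { bad = 0 }
        $1 == "-A" && $2 == "FORWARD" {
            inif = ""; target = ""; states = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i")      inif   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
                if ($i == "--state") states = $(i + 1)
            }
            if (inif == wan && target == "ACCEPT" && (states == "" || states ~ /NEW/)) bad++
        }
        END { exit (bad > 0) }'
}

# 0 when every MASQUERADE rule carries -s $LAN, so only the home net gets NATed.
masquerade_scoped() {
    printf '%s\n' "$1" | awk -v lan="$LAN" '
        BEGIN { bad = 0 }
        $1 == "-A" {
            src = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src    = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "MASQUERADE" && src != lan) bad++
        }
        END { exit (bad > 0) }'
}

# Run all checks on dump $1, print a verdict per check, return the failure count.
audit_ruleset() {
    fails=0
    if default_policies_drop "$1"; then echo "ok   filter chains default to DROP"
    else echo "FAIL a filter chain defaults to ACCEPT"; fails=$((fails + 1)); fi
    if inbound_forward_stateful "$1"; then echo "ok   inbound forwarding limited to ESTABLISHED,RELATED"
    else echo "FAIL inbound forwarding admits NEW connections"; fails=$((fails + 1)); fi
    if masquerade_scoped "$1"; then echo "ok   MASQUERADE restricted to $LAN"
    else echo "FAIL a MASQUERADE rule is not restricted by -s"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed dump: the post's ruleset as iptables-save would print it (abridged).
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.22.0/24 -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -d 192.168.22.0/24 -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.22.0/24 -o ppp0 -j MASQUERADE
COMMIT'

# Constructed dump: a permissive variant that fails every check.
WEAK_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

echo "== ruleset from the post =="
rc=0; audit_ruleset "$GOOD_DUMP" || rc=$?
echo "failures: $rc"
echo "== permissive variant =="
rc=0; audit_ruleset "$WEAK_DUMP" || rc=$?
echo "failures: $rc"
```

On a real box the same functions can be pointed at the live ruleset with `audit_ruleset "$(iptables-save)"` (as root), which is a quick way to confirm that what `service iptables save` wrote back is still the DROP-by-default, stateful set described above rather than something looser left behind by a later edit.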