This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: redhat-list@listman.redhat.com
From: Ted Gervais <ve1drg@av.eastlink.ca>
Subject: iptables - examples
Date: Mon, 17 Feb 2003 11:28:57 -0400

I am wondering about whether there are any good examples of various configurations for iptables. In particular the use of NAT and port forwarding etc.

Actually any good examples of general usage of iptables would be helpful. I am changing over (again) from ipchains and while there are good tutorials out there, a few good examples now and then sure make things a lot clearer..

===

To: redhat-list@listman.redhat.com
From: gabriel <the.angel.gabriel@rogers.com>
Subject: Re: iptables - examples
Date: Mon, 17 Feb 2003 10:45:54 -0500

On February 17, 2003 10:28 am, Ted Gervais wrote:
> I am wondering about whether there are any good examples of various
> configurations for iptables.
> In particular the use of NAT and port forwarding etc.

i'm always keen on helping a fellow Canadian ;-)

my best suggestion for you would be to pick up a good book like "linux firewalls" (new riders):
http://www.amazon.ca/exec/obidos/ASIN/0735710996/qid=1045496600/sr=1-4/ref=sr_1_3_4/702-3288480-0611248

unfortunately, halfpricecomputerbooks.ca doesn't appear to have it in stock.

i read that book from chapter 1 through to chapter 6 and i think i did a pretty good job on my custom script.

===

To: redhat-list@listman.redhat.com
From: Gary Stainburn <gary.stainburn@ringways.co.uk>
Subject: Re: iptables - examples
Date: Mon, 17 Feb 2003 16:57:14 +0000

On Monday 17 Feb 2003 3:28 pm, Ted Gervais wrote:
> I am wondering about whether there are any good examples of various
> configurations for iptables.
> In particular the use of NAT and port forwarding etc.
>
> Actually any good examples of general usage of iptables would be
> helpful. I am changing over (again) from ipchains and while there are good
> tutorials out there, a few good examples now and then sure make things a
> lot clearer..
>
> Thanks..

Hi Ted,

this is a VERY basic iptables file. It allows outbound masqueraded connections, plus has a single port forward to make a remote host appear to be on my local network. It also stops (most) inbound connections by dropping the SYN packet coming in on the public interface.

The file itself was generated by iptables-save, which basically dumps the current iptables settings created by the iptables command. I then saved the file as /etc/sysconfig/iptables so it gets read in automatically at bootup. The file can also be read in using the iptables-restore command.

To play with the file, you can simply take a line from the file and prepend the iptables command to it, e.g.

iptables -t nat -A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2

will add the port forward rule directly. (The PREROUTING chain lives in the nat table, so the command needs -t nat; the table is implied by the *nat line in the file but not by the rule line itself.)

HTH

Gary

# Generated by iptables-save v1.2.5 on Fri Jan 17 14:50:07 2003
# comments added by G.Stainburn
*nat
:PREROUTING ACCEPT [1490:290942]
:POSTROUTING ACCEPT [33:2048]
:OUTPUT ACCEPT [22:1452]
# Make 192.168.1.2 appear as 10.1.0.34
-A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2
# allow outbound connections
-A POSTROUTING -s 10.1.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.2.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.3.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.4.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.5.0.0/255.255.0.0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 17 14:50:07 2003
# Generated by iptables-save v1.2.5 on Fri Jan 17 14:50:07 2003
*filter
:INPUT ACCEPT [2001:354022]
:FORWARD ACCEPT [879:116086]
:OUTPUT ACCEPT [460:57383]
# disable inbound connections by ignoring SYN packets
# (only FORWARD gets a rule, and only for eth1; INPUT and OUTPUT keep the ACCEPT policy)
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Fri Jan 17 14:50:07 2003

===

To: redhat-list@listman.redhat.com
From: Lawrence Houston <houston@greenfield.dyndns.org>
Subject: Re: iptables - examples
Date: Mon, 17 Feb 2003 12:46:04 -0500 (EST)

On Mon, 17 Feb 2003, Ted Gervais wrote:
> I am wondering about whether there are any good examples of various
> configurations for iptables.
> In particular the use of NAT and port forwarding etc.

http://www.linuxguruz.org/iptables/

===

To: redhat-list@listman.redhat.com
From: "Jack Byers" <byersj@hotmail.com>
Subject: Re: iptables - examples
Date: Mon, 17 Feb 2003 18:55:38 +0000

Ted Gervais wrote:
> I am wondering about whether there are any good examples of various
> configurations for iptables.
> In particular the use of NAT and port forwarding etc.

http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/examples/

complete scripts with comments so you can follow what the iptables cmds are doing

there are both rc.firewall-2.4 and rc.firewall-2.4-strong (as well as earlier versions)

I am presently using the strong version; very little editing needed, mainly just the obvious IP nums etc

===

To: redhat-list@listman.redhat.com
From: "Rodolfo J. Paiz" <rpaiz@simpaticus.com>
Subject: Re: iptables - examples
Date: 17 Feb 2003 16:25:13 -0600

On Mon, 2003-02-17 at 11:46, Lawrence Houston wrote:
> On Mon, 17 Feb 2003, Ted Gervais wrote:
>
> > I am wondering about whether there are any good examples of various
> > configurations for iptables.
> > In particular the use of NAT and port forwarding etc.
>
> http://www.linuxguruz.org/iptables/

I fully endorse the idea that you should learn something about iptables, and any other subject with which you must work. However, after you have some understanding about it and how it works, I suggest you try a tool which will make your life easier, save you time, and reduce the probability of mistakes and misconfigurations.

One such tool is Firestarter, of which I have heard good reviews. Another, and the one I use on all my systems, is Shorewall. I suggest you go look at both (Shorewall is www.shorewall.net) and use one or the other to set your actual working configurations.

It is one thing to learn, but on a production server I want everything to work as smoothly as possible with the minimum probability of error.
===

To: redhat-list@listman.redhat.com
From: Gerry Doris <gerry@dorfam.ca>
Subject: Re: Wanted: good iptables script
Date: Mon, 24 Feb 2003 00:40:13 -0500 (EST)

Matthew Simpson wrote:
> Has anyone come across a good iptables script with MASQ ?

Do a google search for Monmotha. He has an excellent script.

===

To: redhat-list@listman.redhat.com
From: "Rodolfo J. Paiz" <rpaiz@simpaticus.com>
Subject: Re: Wanted: good iptables script
Date: 23 Feb 2003 23:51:52 -0600

On Wed, 1969-12-31 at 19:10, Matthew Simpson wrote:
> Has anyone come across a good iptables script with MASQ ?

Make your own instead. Several good tools exist to help you. Personally, I use Shorewall (http://www.shorewall.net) which has proven to be excellent, problem-free (AFAICT and IMHO, so YMMV), and remarkably easy to use.

Making your own will be a far better solution in the long term.

===

To: redhat-list@listman.redhat.com
From: "Ramesh .T.S" <rameshts@rediff.co.in>
Subject: Re: Wanted: good iptables script
Date: Mon, 24 Feb 2003 12:29:04 +0530

use shorewall

===

To: redhat-list@listman.redhat.com
From: "J. Nyhuis" <cabal@u.washington.edu>
Subject: Re: Wanted: good iptables script
Date: Mon, 24 Feb 2003 10:07:55 -0800 (PST)

On Mon, 24 Feb 2003, Ramesh .T.S wrote:
> use shorewall

Agreed, Shorewall is the best.

===

To: redhat-list@listman.redhat.com
From: tc lewis <tcl@bunzy.net>
Subject: Re: Wanted: good iptables script
Date: Mon, 24 Feb 2003 01:40:38 -0500 (EST)

Matthew Simpson wrote:
> Has anyone come across a good iptables script with MASQ ?

there's a plethora of howtos and suggestions on http://www.netfilter.org/

here's a stripped-down version of a script i wrote for my own home use, minus a bunch of special forwardings and stuff:

actually, let me explain this a little perhaps.

i flush/zero/remove the 3 default tables (filter, nat, and mangle), then remove any loaded related kernel modules (total overkill / not necessary). then i start setting rules from a clean slate.

first in the filter table, which i use to grant or revoke access, basically. eth0 (192.168.22.0/24) is my internal home network. ppp0 and a dynamically-assigned ip is my connection to the outside world. i set the default policies to DROP for extra security, then allow only what i need -- the loopback device, the internal network to/from the masquerading machine, forwarding from my internal net to the outside, and forwarding from the outside to my internal net only if it's not a new connection. i also log any attempts to connect to port 113 (identd), but then reject them anyway (reject is different from drop, see the netfilter site).

next comes the nat table, where i do nothing (in this example, anyway) but allow masquerading from my internal net to the outside world. i let my default policies be ACCEPT as the filter table controls access already.

i don't add to the mangle table at all as i have no use for it in this example.

finally, i explicitly load a couple of kernel modules that may make using ftp slightly more convenient sometimes.

and that's it. after running this, i can:

service iptables save
chkconfig ipchains off
chkconfig iptables on

and redhat will handle adding all these rules (except those 2 module loadings) on each restart on its own.

this is probably even much more complex than you may need, and i didn't explain everything in detail, but hey, you caught me in a talkative mood for 10 minutes, so enjoy. and whether this helps or not, please PLEASE visit http://www.netfilter.org/ for the true lowdown on how all this stuff works. if you have a different network device setup, or if you have a static ip, or if you have any number of other needs, you'll want to look over the howtos on there and adjust your rules accordingly, so you're best off taking a glance anyway.

good luck.

-tcl.
#!/bin/sh

# Flush all rules, zero the counters and delete any user-defined chains in the
# filter, nat and mangle tables, so the rules below start from a clean slate.
for i_tbl in filter nat mangle; do
    iptables -t ${i_tbl} -F
    iptables -t ${i_tbl} -Z
    iptables -t ${i_tbl} -X
done

# Unload every loaded kernel module whose name starts with "ip" (netfilter,
# conntrack, nat helpers). As noted above this is overkill and not necessary;
# the pattern also matches unrelated modules such as ipv6.
lsmod | awk '{ print $1; }' | egrep -i '^ip' | xargs rmmod

# --- filter table: grants or revokes access ---
iptables -t filter -F
iptables -t filter -Z
iptables -t filter -X

# Default-deny on all three built-in chains; everything below is an exception.
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# INPUT: loopback, the internal LAN (eth0, 192.168.22.0/24) talking to this
# box (192.168.22.1), and replies/related traffic coming back in on ppp0.
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.22.0/24 -d 192.168.22.1 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# New connections from the outside to port 113 (auth/ident): log, then REJECT.
# Unlike DROP, REJECT answers (by default with an ICMP port-unreachable), so
# the remote server does not sit waiting for an ident reply that never comes.
iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --destination-port 113 --syn -m state --state NEW -j LOG --log-prefix "tcl-ipt-filt-in-auth/ident: "
iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --destination-port 113 --syn -m state --state NEW -j REJECT

# FORWARD: LAN -> internet freely; internet -> LAN only for existing connections.
iptables -t filter -A FORWARD -i eth0 -o ppp0 -s 192.168.22.0/24 -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth0 -d 192.168.22.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT: loopback, this box to the LAN, and anything out over ppp0.
iptables -t filter -A OUTPUT -o lo -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -s 192.168.22.1 -d 192.168.22.0/24 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

# --- nat table: masquerade the LAN behind ppp0's dynamically-assigned address ---
# Policies stay ACCEPT here; the filter table above already controls access.
iptables -t nat -F
iptables -t nat -Z
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.22.0/24 -j MASQUERADE

sync

# Connection-tracking helpers so FTP data connections are seen as RELATED
# and pass the state rules above (not saved by "service iptables save").
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

sync

===
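The thread shows the same rules in two forms: Gary's post is an iptables-save dump (the /etc/sysconfig/iptables format, with *table, :CHAIN POLICY [pkts:bytes], -A rule lines and COMMIT), while tcl's post is a shell script of iptables commands that "service iptables save" later turns into that same format. The following Python is an added example, not code from either post or from the iptables project: it loads both forms into one model, writes the model back out in iptables-save format, and applies the check tcl's text argues for, flagging filter chains whose default policy is still ACCEPT. Assumptions: the built-in chain set is the 2.4-era one the posts use (no raw table); only -P, -A and -F are modelled (-Z, -X, -I and -N are ignored, which is harmless for these two rulesets); the function names are mine; shlex.join needs Python 3.8 or later. The sample inputs are copied, abridged, from the two posts above.

```python
"""Added example, not code from the thread: both iptables rule forms posted above, one model."""
import shlex

BUILTIN = {"filter": ("INPUT", "FORWARD", "OUTPUT"),  # 2.4-era tables (assumption: no raw table)
           "nat": ("PREROUTING", "POSTROUTING", "OUTPUT"), "mangle": ("PREROUTING", "OUTPUT")}

def empty_ruleset():
    """Kernel defaults: every built-in chain present, empty, with policy ACCEPT."""
    return {t: {"policy": {c: "ACCEPT" for c in cs}, "rules": {c: [] for c in cs}}
            for t, cs in BUILTIN.items()}

def apply_args(rs, table, args):
    """One argument vector: an iptables command minus `iptables [-t table]`, or one save-file `-A` line."""
    tbl = rs.setdefault(table, {"policy": {}, "rules": {}})
    op, rest = args[0], args[1:]
    if op == "-P" and len(rest) == 2:            # -P CHAIN POLICY
        tbl["policy"][rest[0]] = rest[1]
    elif op == "-A" and rest:                     # -A CHAIN rule-spec, kept as a token list
        tbl["rules"].setdefault(rest[0], []).append(rest[1:])
    elif op == "-F":                              # -F [CHAIN]: flush rules, policies stay; -Z/-X are no-ops here
        for c in rest or list(tbl["rules"]):
            tbl["rules"][c] = []

def parse_commands(script):
    """tcl's form: `iptables ...` shell lines. Other commands and shell constructs are skipped, never run."""
    rs = empty_ruleset()
    for line in script.splitlines():
        toks = shlex.split(line, comments=True)
        if not toks or toks[0].split("/")[-1] != "iptables":
            continue
        table, toks = "filter", toks[1:]
        if len(toks) > 2 and toks[0] == "-t":
            table, toks = toks[1], toks[2:]
        if toks:
            apply_args(rs, table, toks)
    return rs

def parse_save(dump):
    """Gary's form: iptables-save output. `#` comments, `*table`, `:CHAIN POLICY [pkts:bytes]` ("-" = user chain), `-A` rules, `COMMIT`."""
    rs, table = empty_ruleset(), None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            rs.setdefault(table, {"policy": {}, "rules": {}})
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            rs[table]["rules"].setdefault(name, [])
            if policy != "-":
                rs[table]["policy"][name] = policy
        else:
            apply_args(rs, table, shlex.split(line))
    return rs

def emit_save(rs):
    """iptables-save format: what `service iptables save` writes and iptables-restore reads back."""
    out = []
    for table, tbl in rs.items():
        out.append(f"*{table}")
        out += [f":{c} {tbl['policy'].get(c, '-')} [0:0]" for c in tbl["rules"]]
        out += [f"-A {c} {shlex.join(s)}" for c, specs in tbl["rules"].items() for s in specs]
        out.append("COMMIT")
    return "\n".join(out) + "\n"

def audit(rs):
    """Flag filter chains with policy ACCEPT: whatever no rule matches is let through."""
    f = rs["filter"]
    return [f"filter {c}: policy ACCEPT, {len(f['rules'].get(c, []))} rule(s), unmatched traffic allowed"
            for c, p in f["policy"].items() if p == "ACCEPT"]

# Sample inputs copied (abridged) from the two posts above.
GARY_SAVE = """\
*nat
:PREROUTING ACCEPT [1490:290942]
:POSTROUTING ACCEPT [33:2048]
-A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -s 10.1.0.0/255.255.0.0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [2001:354022]
:FORWARD ACCEPT [879:116086]
:OUTPUT ACCEPT [460:57383]
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
"""
TCL_SCRIPT = """\
for i_tbl in filter nat mangle; do iptables -t ${i_tbl} -F; iptables -t ${i_tbl} -Z; done;
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --destination-port 113 --syn -m state --state NEW -j LOG --log-prefix "tcl-ipt-filt-in-auth/ident: "
iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --destination-port 113 --syn -m state --state NEW -j REJECT
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.22.0/24 -j MASQUERADE
"""
```

Calling print(emit_save(parse_commands(TCL_SCRIPT))) gives the file that "service iptables save" would have produced from tcl's commands, which can then be fed to iptables-restore; the round trip parse_save(emit_save(rs)) == rs holds for both inputs, including the quoted --log-prefix value. audit() on Gary's dump lists all three filter chains (INPUT and OUTPUT with no rules, FORWARD with one), because the ruleset relies on that single eth1 SYN-drop rule rather than a DROP policy; on tcl's script, where every filter policy is DROP, it lists nothing.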