redhat-talk-iptables_examples

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



To: redhat-list@listman.redhat.com
From: Ted Gervais <ve1drg@av.eastlink.ca>
Subject: iptables - examples
Date: Mon, 17 Feb 2003 11:28:57 -0400


I am wondering about whether there are any good examples of various 
configurations for iptables.
In particular the use of NAT and port forwarding etc.

Actually any good examples of general usage of iptables would be 
helpful.  I am changing over (again) from ipchains and while there are good 
tutorials out there, a few good examples now and then sure makes things a 
lot clearer.


===

To: redhat-list@listman.redhat.com
From: gabriel <the.angel.gabriel@rogers.com>
Subject: Re: iptables - examples
Date: Mon, 17 Feb 2003 10:45:54 -0500

On February 17, 2003 10:28 am, Ted Gervais wrote:
> I am wondering about whether there are any good examples of various
> configurations for iptables.
> In particular the use of NAT and port forwarding etc.

i'm always keen on helping a fellow Canadian ;-)  my best suggestion for you 
would be to pick up a good book like "linux firewalls" (new riders):

http://www.amazon.ca/exec/obidos/ASIN/0735710996/qid=1045496600/sr=1-4/ref=sr_1_3_4/702-3288480-0611248

unfortunately, halfpricecomputerbooks.ca doesn't appear to have it in stock.

i read that book from chapter 1 through to chapter 6 and i think i did a 
pretty good job on my custom script.


===

To: redhat-list@listman.redhat.com
From: Gary Stainburn <gary.stainburn@ringways.co.uk>
Subject: Re: iptables - examples
Date: Mon, 17 Feb 2003 16:57:14 +0000

On Monday 17 Feb 2003 3:28 pm, Ted Gervais wrote:
> I am wondering about whether there are any good examples of various
> configurations for iptables.
> In particular the use of NAT and port forwarding etc.
>
> Actually any good examples of general usage of iptables would be
> helpful.  I am changing over (again) from ipchains and while there are good
> tutorials out there, a few good examples now and then sure makes things a
> lot clearer.
>
> Thanks..

Hi Ted,

this is a VERY basic iptables file.  It allows outbound masqueraded 
connections, plus has a single port forward to make a remote host appear to 
be on my local network.

It also stops (most) inbound connections by dropping the SYN packet coming in 
on the public interface.

The file itself was generated by iptables-save which basically dumps the 
current iptables settings created by the iptables command. I then saved the 
file as /etc/sysconfig/iptables so it gets read in automatically at bootup.  
The file can also be read in using the iptables-restore command.

To play with the file, you can simply take a line from the file and prepend 
the iptables command to it, e.g. 

iptables -t nat -A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2

will add the port forward rule directly.

HTH

Gary

# Generated by iptables-save v1.2.5 on Fri Jan 17 14:50:07 2003
# comments added by G.Stainburn
*nat
:PREROUTING ACCEPT [1490:290942]
:POSTROUTING ACCEPT [33:2048]
:OUTPUT ACCEPT [22:1452]
# Make 192.168.1.2 appear as 10.1.0.34
-A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2 
# allow outbound connections
-A POSTROUTING -s 10.1.0.0/255.255.0.0 -j MASQUERADE 
-A POSTROUTING -s 10.2.0.0/255.255.0.0 -j MASQUERADE 
-A POSTROUTING -s 10.3.0.0/255.255.0.0 -j MASQUERADE 
-A POSTROUTING -s 10.4.0.0/255.255.0.0 -j MASQUERADE 
-A POSTROUTING -s 10.5.0.0/255.255.0.0 -j MASQUERADE 
COMMIT
# Completed on Fri Jan 17 14:50:07 2003
# Generated by iptables-save v1.2.5 on Fri Jan 17 14:50:07 2003
*filter
:INPUT ACCEPT [2001:354022]
:FORWARD ACCEPT [879:116086]
:OUTPUT ACCEPT [460:57383]
# disable inbound connections by ignoring SYN packets
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP 
COMMIT
# Completed on Fri Jan 17 14:50:07 2003



===

To: redhat-list@listman.redhat.com
From: Lawrence Houston <houston@greenfield.dyndns.org>
Subject: Re: iptables - examples
Date: Mon, 17 Feb 2003 12:46:04 -0500 (EST)

On Mon, 17 Feb 2003, Ted Gervais wrote:

> I am wondering about whether there are any good examples of various 
> configurations for iptables.
> In particular the use of NAT and port forwarding etc.

   http://www.linuxguruz.org/iptables/

===

To: redhat-list@listman.redhat.com
From: "Jack Byers" <byersj@hotmail.com>
Subject: Re: iptables - examples
Date: Mon, 17 Feb 2003 18:55:38 +0000



Ted Gervais wrote:

>I am wondering about whether there are any good examples of various 
>configurations for iptables.
>In particular the use of NAT and port forwarding etc.

http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/examples/

complete scripts with comments
so you can follow what the iptables cmds are doing

there is both
rc.firewall-2.4
rc.firewall-2.4-strong

  (as well as earlier versions)

I am presently using the strong version
very little editing needed, mainly just the obvious IP nums etc

===

To: redhat-list@listman.redhat.com
From: "Rodolfo J. Paiz" <rpaiz@simpaticus.com>
Subject: Re: iptables - examples
Date: 17 Feb 2003 16:25:13 -0600

On Mon, 2003-02-17 at 11:46, Lawrence Houston wrote:
> On Mon, 17 Feb 2003, Ted Gervais wrote:
> 
> > I am wondering about whether there are any good examples of various 
> > configurations for iptables.
> > In particular the use of NAT and port forwarding etc.
> 
>    http://www.linuxguruz.org/iptables/

I fully endorse the idea that you should learn something about iptables,
and any other subject with which you must work. However, after you have
some understanding about it and how it works, I suggest you try a tool
which will make your life easier, save you time, and reduce the
probability of mistakes and misconfigurations.

One such tool is Firestarter, of which I have heard good reviews.
Another, and the one I use on all my systems, is Shorewall. I suggest
you go look at both (Shorewall is www.shorewall.net) and use one or the
other to set your actual working configurations.

It is one thing to learn, but on a production server I want everything
to work as smoothly as possible with the minimum probability of error.

===

To: redhat-list@listman.redhat.com
From: Gerry Doris <gerry@dorfam.ca>
Subject: Re: Wanted: good iptables script
Date: Mon, 24 Feb 2003 00:40:13 -0500 (EST)

Matthew Simpson wrote:

> Has anyone come across a good iptables script with MASQ ?

Do a google search for Monmotha.  He has an excellent script.


===

To: redhat-list@listman.redhat.com
From: "Rodolfo J. Paiz" <rpaiz@simpaticus.com>
Subject: Re: Wanted: good iptables script
Date: 23 Feb 2003 23:51:52 -0600

On Wed, 1969-12-31 at 19:10, Matthew Simpson wrote:
> Has anyone come across a good iptables script with MASQ ?

Make your own instead. Several good tools exist to help you. Personally,
I use Shorewall (http://www.shorewall.net) which has proven to be
excellent, problem-free (AFAICT and IMHO, so YMMV), and remarkably easy
to use.

Making your own will be a far better solution in the long term.

===

To: redhat-list@listman.redhat.com
From: "Ramesh .T.S" <rameshts@rediff.co.in>
Subject: Re: Wanted: good iptables script
Date: Mon, 24 Feb 2003 12:29:04 +0530

use shorewall

===

To: redhat-list@listman.redhat.com
From: "J. Nyhuis" <cabal@u.washington.edu>
Subject: Re: Wanted: good iptables script
Date: Mon, 24 Feb 2003 10:07:55 -0800 (PST)

On Mon, 24 Feb 2003, Ramesh .T.S wrote:

> use shorewall

Agreed, Shorewall is the best.

===

To: redhat-list@listman.redhat.com
From: tc lewis <tcl@bunzy.net>
Subject: Re: Wanted: good iptables script
Date: Mon, 24 Feb 2003 01:40:38 -0500 (EST)

Matthew Simpson wrote:

> Has anyone come across a good iptables script with MASQ ?

there's a plethora of howtos and suggestions on http://www.netfilter.org/

here's a stripped-down version of a script i wrote for my own home use,
minus a bunch of special forwardings and stuff:

actually, let me explain this a little perhaps.  i flush/zero/remove the 3
default tables (filter, nat, and mangle), then remove any loaded related
kernel modules (total overkill / not necessary).  then i start setting
rules from a clean slate.  first in the filter table, which i use to grant
or revoke access, basically.  eth0 (192.168.22.0/24) is my internal home
network.  ppp0 and a dynamically-assigned ip is my connection to the
outside world.  i set the default policies to DROP for extra security,
then allow only what i need -- the loopback device, the internal network
to/from the masquerading machine, forwarding from my internal net to the
outside, and forwarding from the outside to my internal net only if it's
not a new connection.  i also log any attempts to connect to port 113
(identd), but then reject them anyway (reject is different than drop, see
the netfilter site).

next comes the nat table, where i do nothing (in this example, anyway) but
allow masquerading from my internal net to the outside world.  i let my
default policies be ACCEPT as the filter table controls access already.

i don't add to the mangle table at all as i have no use for it in this
example.

finally, i explicitly load a couple kernel modules that may make using ftp
slightly more convenient sometimes.

and that's it.  after running this, i can:
service iptables save
chkconfig ipchains off
chkconfig iptables on

and redhat will handle adding all these rules (except those 2 module
loadings) on each restart on its own.

this is probably even much more complex than you may need, and i didn't
explain everything in detail, but hey, you caught me in a talkative mood
for 10 minutes, so enjoy.

and whether this helps or not, please PLEASE visit
http://www.netfilter.org/ for the true lowdown on how all this stuff
works.  if you have a different network device setup, or if you have a
static ip, or if you have any number of other needs, you'll want to look
over the howtos on there and adjust your rules accordingly, so you're best
off taking a glance anyway.

good luck.

-tcl.



#!/bin/sh

# flush the rules, zero the counters and delete user-defined chains in all
# three default tables so we start from a clean slate
for i_tbl in filter nat mangle; do
   iptables -t ${i_tbl} -F;
   iptables -t ${i_tbl} -Z;
   iptables -t ${i_tbl} -X;
done;
# unload every ip* kernel module (overkill, not actually necessary)
lsmod | awk '{ print $1; }' | egrep -i '^ip' | xargs rmmod

# filter table: default policy DROP everywhere, then allow only what is needed
iptables -t filter -F
iptables -t filter -Z
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# loopback, and the internal net (eth0) talking to this box (192.168.22.1)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.22.0/24 -d 192.168.22.1 -j ACCEPT
# from the outside (ppp0) only traffic belonging to connections we started
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# log new connections to port 113 (identd), then reject rather than drop them
iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --destination-port 113 --syn -m state --state NEW -j LOG --log-prefix "tcl-ipt-filt-in-auth/ident: "
iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --destination-port 113 --syn -m state --state NEW -j REJECT
# forward internal net -> outside freely; outside -> internal net only for
# connections that already exist
iptables -t filter -A FORWARD -i eth0 -o ppp0 -s 192.168.22.0/24 -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth0 -d 192.168.22.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
# outbound from this box: loopback, to the internal net, and anything out ppp0
iptables -t filter -A OUTPUT -o lo -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -s 192.168.22.1 -d 192.168.22.0/24 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

# nat table: default ACCEPT (the filter table controls access);
# masquerade the internal net out the ppp0 interface
iptables -t nat -F
iptables -t nat -Z
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.22.0/24 -j MASQUERADE

# connection-tracking helpers that make ftp through the masquerade easier
sync
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
sync
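
As an added example (not code from either post), here is a small Python checker that parses both ruleset forms shown in this thread, Gary's iptables-save dump and tcl's script of plain iptables commands, and flags the points a reviewer would raise: filter chains left at ACCEPT, a DNAT rule that forwards every port, and a MASQUERADE rule not tied to an outbound interface. The embedded rulesets are excerpts of the two posted above; the finding texts are my own wording.

```python
import shlex
# Excerpts of the rulesets in the two posts above, cut down to the lines the audit uses.
SAVE_DUMP = """\
*nat
-A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -s 10.1.0.0/255.255.0.0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [2001:354022]
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT"""
SCRIPT = """\
iptables -t filter -P INPUT DROP
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.22.0/24 -j MASQUERADE"""

def parse_rules(text):
    """Parse iptables-save output or plain iptables commands into policies and rules."""
    policies, rules, table = {}, [], "filter"   # {(table, chain): policy}, [(table, chain, opts)]
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):                  # iptables-save table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):                # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith(("-A", "-P", "iptables")):
            argv = shlex.split(line)              # shlex keeps quoted --log-prefix values whole
            opts, key = {}, None                  # option -> the values that followed it
            for tok in (argv[1:] if argv[0] == "iptables" else argv):
                if tok.startswith("-"):
                    key = tok
                    opts.setdefault(key, [])      # bare flags such as --syn map to []
                elif key is not None:
                    opts[key].append(tok)
            tbl = opts.get("-t", [table])[0]
            if "-P" in opts:
                policies[(tbl, opts["-P"][0])] = opts["-P"][1]
            elif "-A" in opts:                    # -F/-Z/-X lines carry no rule
                rules.append((tbl, opts["-A"][0], opts))
    return policies, rules

def audit(text):  # the weak spots a reviewer would raise on a ruleset
    policies, rules = parse_rules(text)
    findings = [f"filter {c}: default policy ACCEPT"
                for (t, c), p in sorted(policies.items()) if t == "filter" and p == "ACCEPT"]
    for table, chain, o in rules:
        if o.get("-j") == ["DNAT"] and "-p" not in o:
            findings.append(f"{table} {chain}: DNAT to {o['--to-destination'][0]} forwards every port")
        elif o.get("-j") == ["MASQUERADE"] and "-o" not in o:
            findings.append(f"{table} {chain}: MASQUERADE from {o['-s'][0]} not tied to an interface")
    return findings
```

Running audit over the full files rather than the excerpts gives the same kinds of findings, one per matching rule.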

===
