
RH7.1 and ip-masquerading



Many thanks to B0Ti, Tobias and Scott for 
their advice. Happily, I am ip-masquerading 
away now. 

I decided to uninstall ipchains and work with 
iptables, which is said to be superior. 

I found a couple of scripts for this, two of 
which I will include here for others who might 
eventually search for an answer. 

The first one works for me, the second 
one doesn't... 
One can put them in a file called /etc/rc.d/rc.firewall 
and then have that invoked somehow (not sure how); I put 
them directly in /etc/rc.d/rc.local instead. 

For those people using Red Hat 7.1: 
ipchains is set to run by default. You have to 
put rmmod ipchains somewhere in the script and 
otherwise defuse ipchains (maybe using ntsysv) or 
(as I did) uninstall it. 



both from /etc/rc.d/rc.local
----------------------------------

script one (works)

#adding iptables stuff - T.L. 2001.6.12
# Load connection tracking; ip_conntrack_ftp lets active FTP work through NAT
insmod ip_conntrack
insmod ip_conntrack_ftp
# Turn on routing between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start from empty filter and nat tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
## end of iptables script


-----------------------------------------

script two (doesn't work) 

#adding iptables stuff - T.L. 2001.6.12
## Insert connection-tracking modules (not needed if built into kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp

## Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

## Adding some stuff to put a "1" in these proc files. -T.L. 
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
## end of iptables script
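An added example (editor's code, not from the post above) that merges the two posted scripts into one rc.firewall: script one's POSTROUTING MASQUERADE rule, which script two as posted does not contain (it has no nat-table rule at all), plus script two's stateful "block" chain. The external interface name ppp0 is taken from the post; DRY_RUN=1 and the fw_check gate are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's code: one rc.firewall that does what the
# two posted scripts do separately, i.e. masquerade outbound traffic on the
# external interface AND only let NEW connections in from the inside.
# Assumed (hypothetical) external interface: ppp0. Set DRY_RUN=1 to print
# the rule set instead of applying it.

EXT_IF="${EXT_IF:-ppp0}"

# Print the rule set, one iptables command per line, so it can be reviewed
# before it touches the kernel. "! -i $ext" matches every interface except
# the link to the outside (lo included), the intent of the post's "-i ! ppp0".
fw_rules() {
    ext="$1"
    cat <<EOF
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --policy FORWARD DROP
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i $ext -j ACCEPT
iptables -A block -j DROP
iptables -A INPUT -j block
iptables -A FORWARD -j block
iptables --table nat --append POSTROUTING --out-interface $ext -j MASQUERADE
EOF
}

# Refuse a rule set that forwards but never masquerades (or vice versa):
# forwarding without the POSTROUTING rule sends packets out with private LAN
# source addresses, and masquerading without a FORWARD rule passes nothing.
fw_check() {
    printf '%s\n' "$1" | grep -q 'POSTROUTING.*MASQUERADE' || return 1
    printf '%s\n' "$1" | grep -q -- '-A FORWARD ' || return 1
}

fw_apply() {
    rules=$(fw_rules "$EXT_IF")
    fw_check "$rules" || { echo "rule set incomplete, not applied" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    modprobe ip_conntrack_ftp 2>/dev/null || true  # also pulls in ip_conntrack
    echo 1 > /proc/sys/net/ipv4/ip_forward
    printf '%s\n' "$rules" | sh -e                  # stop at the first failing rule
}
```

Call fw_apply from /etc/rc.d/rc.local (or rc.firewall) once ipchains is no longer loaded; running it with DRY_RUN=1 first shows exactly which rules will be installed.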
