Andrew Critchlow <[EMAIL PROTECTED]> wrote:
Hello everyone,
 
I am trying to set up a debian proxy such as this:
 
USER--------DEBIAN--------INTERNET
 
The debian box will have two network cards.
 
How can I set up the debian box to forward packets between the two networks? Do 
I have to set up packet forwarding by adding:
net.ipv4.ip_forward=1
into /etc/sysctl.conf?
Many thanks
 
andrew.

You can use something like the below script to accomplish what you want. This
script assumes that you have dhcp3-server installed and configured to give your
internal systems a private IP address and DNS routing information. You can
also configure them manually. I usually name this script "local" and add it to
init.d.
   
#!/bin/sh
# Setting up IP forwarding, firewall rules, and starting the DHCP server.
# eth0 = external (Internet) interface, eth1 = internal network.
# Flush chains in both the filter and nat tables, so re-running the script
# does not leave duplicate rules behind
iptables -F
iptables -t nat -F
# Enable masquerade and forwarding
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
# For dynamic IP on the external interface
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Denial of service protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Turn on source address verification on the external interface
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
# Add route for DHCP clients (broadcast replies go out the internal interface)
/sbin/route add -host 255.255.255.255 dev eth1
# Firewall rules
# Allow self access via the loopback interface
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Allow internal network
#iptables -A INPUT -i eth1 -p all -j ACCEPT
# Allow established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reset TCP packets on eth0 that carry no MSS option (TCP option 2), i.e.
# mid-stream segments that are not part of a tracked connection
iptables -A INPUT -i eth0 -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
# Allow web
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
# Allow DHCP
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
# Drop all other connections by default policy (-P sets the policy)
#iptables -P INPUT DROP
# or firewall rules
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 0:1023 --syn -j REJECT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 2049 --syn -j REJECT
iptables -A INPUT -i eth0 -p udp -m udp --dport 0:1023 -j REJECT
iptables -A INPUT -i eth0 -p udp -m udp --dport 2049 -j REJECT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 7100 --syn -j REJECT
# Turn on DHCP for the internal net
/usr/sbin/dhcpd3 eth1
exit 0
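As an added example (not part of either message above), here is a second way to lay out the same two-NIC gateway: a generator that emits an iptables-restore(8) file with default-deny INPUT and FORWARD policies, where only replies to connections opened from the LAN are forwarded back in, plus a checker that confirms `net.ipv4.ip_forward=1` is actually present in a sysctl.conf-style file, which is the persistence question in Andrew's mail. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24 and the function names are assumptions of this example; `apply_gateway` needs root on the gateway and a kernel with conntrack, and nothing is executed unless the script is called with `show` or `apply`.

```shell
#!/bin/sh
# Added example, not the script from the reply above. Assumed: eth0 faces the
# Internet, eth1 faces the LAN, and the LAN uses 192.168.1.0/24.

# Print an iptables-restore(8) ruleset for a two-NIC NAT gateway.
# Usage: gen_rules EXT_IF INT_IF LAN_CIDR
gen_rules() {
    ext_if="$1"; int_if="$2"; lan="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only traffic that really came from the LAN prefix
-A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Packets claiming a LAN source address but arriving from the Internet are spoofed
-A INPUT -i $ext_if -s $lan -j DROP
-A FORWARD -i $ext_if -s $lan -j DROP
# LAN clients may reach the gateway's DHCP server and SSH; everything else is dropped
-A INPUT -i $int_if -p udp --dport 67 -j ACCEPT
-A INPUT -i $int_if -p tcp --dport 22 -j ACCEPT
# Forward LAN -> Internet, and only replies to those connections back in
-A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Return 0 if KEY is set to 1 in FILE (sysctl.conf syntax: "key = value",
# '#' or ';' comment lines, last assignment wins), else return 1.
# Usage: sysctl_enabled FILE KEY
sysctl_enabled() {
    awk -v key="$2" -F= '
        /^[[:space:]]*[#;]/ { next }
        NF == 2 {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key) last = v
        }
        END { if (last == "1") exit 0; exit 1 }
    ' "$1"
}

# Load the ruleset atomically, enable forwarding now, and persist it for the
# next boot. Must run as root on the gateway.
apply_gateway() {
    gen_rules "$@" | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
    if ! sysctl_enabled /etc/sysctl.conf net.ipv4.ip_forward; then
        echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    fi
}

case "${1:-}" in
    show)  shift; gen_rules "$@" ;;
    apply) shift; apply_gateway "$@" ;;
esac
```

Run `sh gateway.sh show eth0 eth1 192.168.1.0/24` to inspect the ruleset and `sh gateway.sh apply eth0 eth1 192.168.1.0/24` as root to load it. Because iptables-restore replaces each table in one step, a re-run does not pile up duplicate MASQUERADE rules the way repeated `-A` calls do. The checker reads the file rather than the running kernel, so it tells you whether forwarding will survive a reboot; for the current state, `cat /proc/sys/net/ipv4/ip_forward` is the answer.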
