I tend to agree, I also tried to get a setup similar to what you have
or want up and running. I got about 3/4 of the way there and no further
:( I haven't had a chance to set up my firewall since then but shorewall
is definitely going to be my choice when I get round to it :P Its
interface is a lot easier to use and to understand. Especially when it
comes to forwarding and such.

Cheers
Rav

On 5/30/05, Ow Mun Heng <[EMAIL PROTECTED]> wrote:
> On Sun, 2005-05-29 at 20:03 -0500, Travis Osterman wrote:
> > I've spent the weekend attempting to mold an old p3 400MHz machine
> > into a firewall/router so I can replace my current linksys box.
> > Basically, I read the howtos at netfilter.org and the
> > gentoo-home-router-howto and put together the following script for
> > loading my rules.
> 
> Frankly, I've stopped trying to grok iptables but rather I use a
> frontend like shorewall. It's much simpler than doing it all by
> yourself.
> 
> Perhaps you can take a look, perhaps you will like it?
> 
> > This meets the functionality I need at this point in the project (ssh
> > access from inside and outside, port forwarding, and masquerading),
> > but I'm not well versed on security concerns so I'm hoping a few
> > experienced users could point out redundancies and potential security
> > issues.
> >
> > Thanks in advance for taking the time to help.
> >
> > #!/bin/bash
> > IPT=/sbin/iptables
> > WAN_IFACE=eth0
> > LAN_IFACE=eth1
> > LAN_ADDY=192.168.0.0/24
> >
> > # flush and reset rules
> > $IPT -F
> > $IPT -t nat -F
> > $IPT -t mangle -F
> > $IPT -X
> > $IPT -t nat -X
> > $IPT -t mangle -X
> > $IPT -P INPUT ACCEPT
> > $IPT -P FORWARD ACCEPT
> > $IPT -P OUTPUT ACCEPT
> > $IPT -t nat -P PREROUTING ACCEPT
> > $IPT -t nat -P POSTROUTING ACCEPT
> > $IPT -t nat -P OUTPUT ACCEPT
> > $IPT -t mangle -P PREROUTING ACCEPT
> > $IPT -t mangle -P OUTPUT ACCEPT
> >
> > # begin rules
> > $IPT -I INPUT 1 -i $LAN_IFACE -j ACCEPT
> > $IPT -I INPUT 1 -i lo -j ACCEPT
> > $IPT -A INPUT -p UDP --dport bootps -i ! $LAN_IFACE -j REJECT
> > $IPT -A INPUT -p UDP --dport domain -i ! $LAN_IFACE -j REJECT
> > $IPT -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
> > $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPT -A INPUT --protocol tcp --dport 22 -i $WAN_IFACE -j ACCEPT
> > $IPT -P INPUT DROP
> > $IPT -A INPUT -i ! $LAN_IFACE -j DROP
> >
> > $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 80 \
> >                        -j DNAT --to 192.168.0.20
> > $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 1022 \
> >                        -j DNAT --to 192.168.0.20:22
> >
> > $IPT -I FORWARD -i $LAN_IFACE -d $LAN_ADDY -j DROP
> > $IPT -A FORWARD -i $LAN_IFACE -s $LAN_ADDY -j ACCEPT
> > $IPT -A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT
> > $IPT -P FORWARD DROP
> >
> > $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
> >
> > for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> >     echo 1 > $f
> > done
> > /etc/init.d/iptables save
> >
> > -- Travis Osterman
> >
> 
> --
> Ow Mun Heng
> Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
> 98% Microsoft(tm) Free!!
> Neuromancer 17:18:11 up 2 days, 9:03, 8 users, load average: 0.95, 0.78,
> 1.10

-- 
gentoo-user@gentoo.org mailing list
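As an added example (not posted by anyone in the thread), here is a tightened rewrite of the quoted script that covers the points a reviewer would raise: policies set to DROP before any rule is loaded, the redundant INPUT lines folded into the policy, and the FORWARD chain limited to replies plus the two DNAT targets instead of accepting any WAN packet addressed to the LAN. It assumes the same interface names and the 192.168.0.20 host as the original; the rp_filter loop and the save step are unchanged and omitted here.

```bash
#!/bin/bash
# Added example: tightened rewrite of the quoted rule script (not from the thread).
WAN_IFACE=${WAN_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
LAN_ADDY=${LAN_ADDY:-192.168.0.0/24}
WEB_HOST=${WEB_HOST:-192.168.0.20}   # the box behind the two DNAT rules

# load_rules CMD: runs every rule through CMD, so "load_rules echo" prints
# the rule set for inspection and "load_rules /sbin/iptables" installs it.
load_rules() {
    local IPT=${1:-/sbin/iptables}
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F
    $IPT -X; $IPT -t nat -X; $IPT -t mangle -X
    # Policies go to DROP before any rule is added, so a reload never leaves
    # a window in which INPUT and FORWARD accept everything.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # INPUT: the DROP policy already covers the original's "! LAN -> DROP"
    # and "NEW from ! WAN -> ACCEPT" lines, so they are not repeated.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i $LAN_IFACE -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $WAN_IFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # FORWARD: instead of accepting anything from the WAN addressed to the
    # LAN, accept only replies plus the two services published by DNAT.
    # LAN-to-LAN forwarding is denied by the policy, replacing the old DROP.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -i $LAN_IFACE -s $LAN_ADDY -o $WAN_IFACE -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d $WEB_HOST -p tcp --dport 80 \
         -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d $WEB_HOST -p tcp --dport 22 \
         -m state --state NEW -j ACCEPT
    # NAT: same published ports and masquerading as the original.
    $IPT -t nat -A PREROUTING -i $WAN_IFACE -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST
    $IPT -t nat -A PREROUTING -i $WAN_IFACE -p tcp --dport 1022 -j DNAT --to-destination $WEB_HOST:22
    $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
}

# Dry-run check: succeeds only if every FORWARD rule that takes traffic in
# on the WAN interface is pinned to the published host.
check_forward_rules() {
    local bad
    bad=$(load_rules echo | grep -- "-A FORWARD -i $WAN_IFACE" | grep -v -- "-d $WEB_HOST" || true)
    [ -z "$bad" ]
}

# Default is a dry run that prints the rules; pass --apply to install them.
if [ "${1:-}" = "--apply" ]; then load_rules /sbin/iptables; else load_rules echo; fi
```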