I tend to agree, I also tried to get a setup similar to what you have or want up and running. I got about 3/4 of the way there and no further :( I haven't had a chance to set up my firewall since then but shorewall is definitely going to be my choice when I get round to it :P Its interface is a lot easier to use and to understand, especially when it comes to forwarding and such.
Cheers
Rav

On 5/30/05, Ow Mun Heng <[EMAIL PROTECTED]> wrote:
> On Sun, 2005-05-29 at 20:03 -0500, Travis Osterman wrote:
> > I've spent the weekend attempting to mold an old p3 400MHz machine
> > into a firewall/router so I can replace my current linksys box.
> > Basically, I read the howtos at netfilter.org and the
> > gentoo-home-router-howto and put together the following script for
> > loading my rules.
>
> Frankly, I've stopped trying to grok iptables but rather I use a
> frontend like shorewall. It's much simpler than doing it all by
> yourself.
>
> Perhaps you can take a look, perhaps you will like it?
>
> > This meets the functionality I need at this point in the project (ssh
> > access from inside and outside, port forwarding, and masquerading),
> > but I'm not well versed on security concerns so I'm hoping a few
> > experienced users could point out redundancies and potential security
> > issues.
> >
> > Thanks in advance for taking the time to help.
> >
> > #!/bin/bash
> > IPT=/sbin/iptables
> > WAN_IFACE=eth0
> > LAN_IFACE=eth1
> > LAN_ADDY=192.168.0.0/24
> >
> > # flush and reset rules
> > $IPT -F
> > $IPT -t nat -F
> > $IPT -t mangle -F
> > $IPT -X
> > $IPT -t nat -X
> > $IPT -t mangle -X
> > $IPT -P INPUT ACCEPT
> > $IPT -P FORWARD ACCEPT
> > $IPT -P OUTPUT ACCEPT
> > $IPT -t nat -P PREROUTING ACCEPT
> > $IPT -t nat -P POSTROUTING ACCEPT
> > $IPT -t nat -P OUTPUT ACCEPT
> > $IPT -t mangle -P PREROUTING ACCEPT
> > $IPT -t mangle -P OUTPUT ACCEPT
> >
> > # begin rules
> > $IPT -I INPUT 1 -i $LAN_IFACE -j ACCEPT
> > $IPT -I INPUT 1 -i lo -j ACCEPT
> > $IPT -A INPUT -p UDP --dport bootps -i ! $LAN_IFACE -j REJECT
> > $IPT -A INPUT -p UDP --dport domain -i ! $LAN_IFACE -j REJECT
> > $IPT -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
> > $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPT -A INPUT --protocol tcp --dport 22 -i $WAN_IFACE -j ACCEPT
> > $IPT -P INPUT DROP
> > $IPT -A INPUT -i ! $LAN_IFACE -j DROP
> >
> > $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 80 \
> >   -j DNAT --to 192.168.0.20
> > $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 1022 \
> >   -j DNAT --to 192.168.0.20:22
> >
> > $IPT -I FORWARD -i $LAN_IFACE -d $LAN_ADDY -j DROP
> > $IPT -A FORWARD -i $LAN_IFACE -s $LAN_ADDY -j ACCEPT
> > $IPT -A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT
> > $IPT -P FORWARD DROP
> >
> > $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
> >
> > for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> >   echo 1 > $f
> > done
> > /etc/init.d/iptables save
> >
> > --
> > Travis Osterman
> >
>
> --
> Ow Mun Heng
> Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
> 98% Microsoft(tm) Free!!
> Neuromancer 17:18:11 up 2 days, 9:03, 8 users, load average: 0.95, 0.78, 1.10
>
>
> --
> gentoo-user@gentoo.org mailing list
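The FORWARD chain in Travis's script accepts any packet arriving on the WAN interface that is addressed into the LAN, whether or not a LAN host asked for it. As an added example (not code from the thread), the script below prints that rule next to a tighter set that only admits replies to LAN-initiated connections and the two DNAT'd services; it echoes the iptables commands instead of running them, and WEB_HOST and SSH_FWD_HOST are assumed names for the 192.168.0.20 targets the original DNAT rules already use.

```shell
#!/bin/sh
# Dry run: every rule is printed, not applied. Set IPT=/sbin/iptables to apply.
IPT="echo /sbin/iptables"
WAN_IFACE=eth0
LAN_IFACE=eth1
LAN_ADDY=192.168.0.0/24
WEB_HOST=192.168.0.20       # DNAT target for --dport 80 in the original script
SSH_FWD_HOST=192.168.0.20   # DNAT target for --dport 1022 -> :22

# Rule as posted: everything from the WAN that is addressed into the LAN is
# forwarded, with no port or connection-state match.
loose_forward() {
    $IPT -A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT
}

# Tightened set: default-drop, allow replies, allow LAN out, and admit new
# WAN connections only to the two services the nat PREROUTING rules DNAT.
# The filter table sees the post-DNAT destination, so port 1022 shows up as 22.
tight_forward() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_ADDY -j ACCEPT
    $IPT -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -p tcp -d $WEB_HOST --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -p tcp -d $SSH_FWD_HOST --dport 22 \
        -m state --state NEW -j ACCEPT
}

# Count emitted ACCEPT rules matching on the WAN interface that carry neither a
# --state nor a --dport match: 1 for the posted rule set, 0 for the tight one.
count_unrestricted_wan_accepts() {
    "$1" | grep -- "-i $WAN_IFACE" | grep -- "-j ACCEPT" \
         | grep -v -e "--state" -e "--dport" | wc -l | tr -d ' '
}

tight_forward
```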