[ale] 2.4 Masq script?

Stephen Pellicer spellicer at 8thlayer.net
Sun Oct 15 10:58:03 EDT 2000


On Sun, Oct 15, 2000 at 08:46:56AM -0600, Robert L. Harris wrote:
> If anyone is running a 2.4 firewall that is masqing some boxes, blocking
> ports and the whole deal, can I get a copy?  I found some examples, but
> when I do a "ipchains -L" it's not showing my rules so something is
> definitely wrong.

I do mine in a pretty weird way, but it might still be helpful. Keep
in mind that iptables does things differently. 2.4 is only emulating
ipchains, and I'm running native iptables, so I don't know if it will
be helpful to you. iptables is _significantly_ different from
ipchains. It's a lot more modular and a lot more functional. You'll
see I'm using the optional REJECT and LOG targets. Plus I'm using the
stateful modules to understand ESTABLISHED, RELATED, and NEW states.
Finally, I use nat and the MASQUERADE target at the very end. Lemme
know if you have questions.

################# iptables sample ############################
# first chain is for allowing established and related connections
# (replies to connections already accepted, and helper-tracked ones
# like FTP data channels)
/usr/bin/iptables -N first
/usr/bin/iptables -A first -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# this is a rule to let all my local traffic through
# ("-i ! ppp0" is the old negation syntax: any interface except the
# dial-up link to the outside; newer iptables writes it "! -i ppp0")
/usr/bin/iptables -N local
/usr/bin/iptables -A local -m state --state NEW -i ! ppp0 -j ACCEPT

# I'm using logging and reject with my cleanup rule, these are both
# optional modules (LOG writes the packet headers to the kernel log
# with the "Firewall " prefix, REJECT sends an error back instead of
# silently dropping)
/usr/bin/iptables -N cleanup
/usr/bin/iptables -A cleanup -j LOG --log-prefix "Firewall " \
--log-level debug
/usr/bin/iptables -A cleanup -j REJECT

# INPUT chain only allows ssh and local traffic; anything that falls
# through to the cleanup chain is logged and rejected, and the DROP
# policy catches whatever is left
/usr/bin/iptables -A INPUT -j first
/usr/bin/iptables -A INPUT --proto tcp --destination-port 22 -m state \
--state NEW -j ACCEPT
/usr/bin/iptables -A INPUT -j local
/usr/bin/iptables -A INPUT -j cleanup
/usr/bin/iptables -P INPUT DROP

# FORWARD chain only allows local traffic
/usr/bin/iptables -A FORWARD -j first
/usr/bin/iptables -A FORWARD -j local
/usr/bin/iptables -A FORWARD -j cleanup
/usr/bin/iptables -P FORWARD DROP

# This is my nat rule for masquerading. Notice the new table -t nat
/usr/bin/iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

##################### Done with iptables ###################
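As an added example that is not part of Stephen's post: a POSIX shell script that summarises the kernel log lines the cleanup chain's LOG rule writes with its "Firewall " prefix, so you can see what the firewall is rejecting and from where. The log lines, addresses and host name in it are constructed, not a real capture.

```shell
#!/bin/sh
# Added example: summarise syslog lines written by the cleanup chain's
# LOG rule (--log-prefix "Firewall "). The netfilter LOG target emits
# KEY=VALUE fields (IN=, SRC=, DST=, PROTO=, DPT=, ...), which awk can
# pick out by name. Usage: fw_ports_per_source < /var/log/messages

# Constructed sample lines (not a real capture); addresses are from the
# documentation ranges and the host name "gw" is a placeholder.
FW_LOG_SAMPLE='Oct 15 10:58:03 gw kernel: Firewall IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 15 10:58:05 gw kernel: Firewall IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1235 DF PROTO=TCP SPT=40124 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 15 10:58:09 gw kernel: Firewall IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=7 PROTO=UDP SPT=1026 DPT=137 LEN=20
Oct 15 10:58:11 gw sshd[123]: Accepted publickey for alice from 10.0.0.5'

# One record per rejected packet, read from stdin: "src proto dport".
# Lines without the Firewall prefix (e.g. the sshd line) are ignored.
fw_rejects() {
    awk '/Firewall / {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") print src, proto, dpt
    }'
}

# Number of distinct destination ports each source was rejected on,
# busiest source first: "ports src". One source hitting many ports in
# a short window is the usual shape of a port sweep against the box.
fw_ports_per_source() {
    fw_rejects | awk '
        { seen[$1 " " $3] = 1 }
        END {
            for (k in seen) { split(k, p, " "); n[p[1]]++ }
            for (s in n) print n[s], s
        }' | sort -rn
}
```

Run it against the sample with `printf '%s\n' "$FW_LOG_SAMPLE" | fw_ports_per_source`; the same functions work on a real /var/log/messages as long as the LOG rule keeps the "Firewall " prefix.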