[ale] ipchains in 2.4.13

Stuffed Crust pizza at shaftnet.org
Fri Jan 25 18:44:17 EST 2002


On Fri, Jan 25, 2002 at 06:19:38PM -0500, Chris Fowler wrote:
> I've made the change to iptables.  Can someone be so kind and tell me how to
> convert this to iptables?
> 
> /sbin/ipchains  -N user_msq
> /sbin/ipchains  -A user_msq -s 0/0 -d 0/0 -j MASQ
> 
> #forward packets
> /sbin/ipchains  -A forward -s 192.168.1.0/24 -d 0/0 -i eth1 -j user_msq

Here's what you need for iptables masquerading:

modprobe iptable_nat
# eth_external is a placeholder for your outside-facing interface
iptables -t nat -A POSTROUTING -o eth_external -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

And that's it.  Of course, you may want to firewall off your router, but
that's another matter entirely:

# -A appends, so the catch-all REJECT/DROP has to come last or nothing
# below it is ever reached.  eth_internal is a placeholder for your LAN side.
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth_internal -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth_internal -j ACCEPT
iptables -A FORWARD -j DROP

This rejects all incoming connections except for ssh.  You'll also need
to poke in a hole for your external name server, or more holes if you
want to run a nameserver locally.

And then on to the packet forwarding.  It allows all established
connections to be forwarded, and anything coming from your internal
network.  It rejects everything else.

 - Pizza
-- 
Solomon Peachy                                    pizzaATfucktheusers.org
I ain't broke, but I'm badly bent.                           ICQ# 1318344
Patience comes to those who wait.
    ...It's not "Beanbag Love", it's a "Transanimate Relationship"...
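Added example for this thread (not code from either poster): a small POSIX sh script that prints the iptables equivalent of each ipchains rule quoted in the question, so the result can be reviewed before it is loaded. It assumes only the rule shapes in the question (-N, -A with -s/-d/-i/-j, and the MASQ target) and that every rule is part of masquerading, which is what puts them in the nat table.

```shell
#!/bin/sh
# Translate the ipchains masquerading rules from the question into iptables.
# Two things change: masquerading moves from the ipchains "forward" chain to
# the nat table's POSTROUTING chain, and "-i" on an ipchains forward rule
# (which names the OUTGOING interface) becomes "-o" in iptables.

convert_rule() {
    case $1 in */ipchains|ipchains) shift ;; esac
    op=$1 chain=$2; shift 2
    src= dst= iface= target=
    while [ $# -gt 0 ]; do
        case $1 in
            -s) src=$2; shift 2 ;;
            -d) dst=$2; shift 2 ;;
            -i) iface=$2; shift 2 ;;
            -j) target=$2; shift 2 ;;
            *)  echo "unsupported ipchains option: $1" >&2; return 1 ;;
        esac
    done
    # Assumption: all rules here masquerade, so they live in the nat table.
    out="iptables -t nat $op"
    case $chain in
        forward) out="$out POSTROUTING" ;;   # output-side NAT hook
        *)       out="$out $chain" ;;        # user-defined chain keeps its name
    esac
    # 0/0 means "any" and is already the iptables default, so drop it.
    [ -n "$src" ] && [ "$src" != 0/0 ] && out="$out -s $src"
    [ -n "$dst" ] && [ "$dst" != 0/0 ] && out="$out -d $dst"
    [ -n "$iface" ] && out="$out -o $iface"
    case $target in
        "")   ;;
        MASQ) out="$out -j MASQUERADE" ;;
        *)    out="$out -j $target" ;;
    esac
    echo "$out"
}

# Constructed input: the three rules from the question, in their original order.
convert_question_rules() {
    convert_rule /sbin/ipchains -N user_msq &&
    convert_rule /sbin/ipchains -A user_msq -s 0/0 -d 0/0 -j MASQ &&
    convert_rule /sbin/ipchains -A forward -s 192.168.1.0/24 -d 0/0 -i eth1 -j user_msq
}

convert_question_rules
```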
