* ready to cry over NATting!
From: David T-G @ 2003-05-20 10:29 UTC
To: NetFilter Users' List
Hi, all --
I've found and read more HOWTOs and have tried my hand at some iptables
scripts, including the incredibly simple, but still am not getting
anywhere.
I started out with SuSEfirewall2 settings. As far as I can tell, I ended
up with a wide-open firewall that didn't NAT. Phooey. So I gave up on
that and tried iptables commands directly.
Lifting directly from the "Made Simple" HOWTO, I tried
modprobe ipt_MASQUERADE # If this fails, try continuing anyway
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to my.ip.add.ress
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -P INPUT DROP #only if the first two are successful
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
to no avail. Just doing the first 4 commands left me with a server that
wouldn't talk. Adding the INPUT chains in the next two commands let me
talk again but didn't change anything else. Adding
iptables -P INPUT ACCEPT
still changed nothing. Adding
iptables -A FORWARD -i eth1 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
(the former out of desperation and the latter figuring that incoming on
the LAN and outgoing on the WAN would be a Good Thing) also changed
nothing.
Somewhere in here I was at least able to see packets counting up when
checking
iptables -t nat -vL
as a client on the inside was pinging an outside address.
So I went to Rusty's NAT HOWTO and built up some commands from it:
# load module
modprobe ipt_MASQUERADE # If this fails, try continuing anyway
# flush everything
iptables -F; iptables -t nat -F; iptables -t mangle -F
# turn on NATting & forwarding
#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 65.69.195.178
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# accept returning ext packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept anything originating inside ("not ext")
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
# allow ssh & telnet
iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 23 -j ACCEPT
# talk to web server
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT
# talk to mysql server
iptables -A input --protocol tcp --dport 3306 -j ACCEPT
# drop everything else
## iptables -P INPUT DROP #only if the first two are successful
# reject anything bound for a MASQed client
## iptables -A FORWARD -i eth1 -o eth0 -j REJECT
# what do we have?
echo "---"
iptables -L
echo "---"
iptables -t nat -L
echo "---"
[I also tried the 'abbreviated version', going only as far as the "echo"
line, but that was a bust.] Running this script as
linux:/tmp # nohup ./script
gave me
+ modprobe ipt_MASQUERADE
+ iptables -F
+ iptables -t nat -F
+ iptables -t mangle -F
+ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
+ echo 1
+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -m state --state NEW -i '!' eth1 -j ACCEPT
+ iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT
+ iptables -A INPUT --protocol tcp --dport 23 -j ACCEPT
+ iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
+ iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT
+ iptables -A input --protocol tcp --dport 3306 -j ACCEPT
iptables: No chain/target/match by that name
+ echo ---
---
+ iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain input_ext (0 references)
target prot opt source destination
Chain reject_func (0 references)
target prot opt source destination
+ echo ---
---
+ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
+ echo ---
---
[yes, I now see the typo on the mysql protocol line]. I figured I would
get a wide-open firewall -- which nonetheless also accepted ssh, telnet,
web, mysql -- which did NATting for me, but it didn't. As I look at the
-L output I realize that I don't see any rules for anything except INPUT
and POSTROUTING, so I probably need more pieces, no?
I'm trying to get a good foundation in the terms and ideas, but I confess
that I still don't really know what a table is or how a chain works.
I don't know what or how to debug because I'm still coming up to speed,
but it seems that I can't even find a working example that I can then
flesh out! I would think that
Goal 1: NAT from eth1 (LAN) to and through eth0 (WAN) for client
Goal 2: Allow various connections and confirm that they work
Goal 3: Disallow Bad Stuff from WAN
Goal 4: Disallow Bad Stuff from LAN
is a good step-by-step approach but I can't even get past #1 :-(
TIA again & HAND
:-D
--
David T-G * There is too much animal courage in
(play) davidtg@justpickone.org * society and not sufficient moral courage.
(work) davidtgwork@justpickone.org -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
* Re: ready to cry over NATting!
From: Ralf Spenneberg @ 2003-05-20 14:19 UTC
To: David T-G; +Cc: NetFilter Users' List
On Tue, 2003-05-20 at 12:29, David T-G wrote:
> Hi, all --
Dear David,
> Lifting directly from the "Made Simple" HOWTO, I tried
>
> modprobe ipt_MASQUERADE # If this fails, try continuing anyway
> iptables -F; iptables -t nat -F; iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to my.ip.add.ress
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
> iptables -P INPUT DROP #only if the first two are successful
> iptables -A FORWARD -i eth1 -o eth1 -j REJECT
What are you trying to achieve?
These rules do not allow any traffic through your firewall (Forward
REJECT).
> So I went to Rusty's NAT HOWTO and built up some commands from it:
>
> Goal 1: NAT from eth1 (LAN) to and through eth0 (WAN) for client
>
OK, let's see. You have got 3 tables: filter, nat, and mangle.
NAT is quite easy to set up:
# Flush all
iptables -F
iptables -t nat -F
iptables -t mangle -F
# configure NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Turn on routing
echo 1 > /proc/sys/net/ipv4/ip_forward
You should be able to ping now from an internal client to an external IP
address. Note that DNS resolution might not work yet.
> Goal 2: Allow various connections and confirm that they work
Now you are trying to filter. The filter table has three chains. Each
chain has a specific task:
INPUT only filters packets with the local machine as destination
OUTPUT only filters packets originating on the local machine
FORWARD only sees those packets not covered by INPUT and OUTPUT being
forwarded by the firewall.
If you want to allow new connections from the inside you need the
following rules:
# Deny everything through the machine
iptables -P FORWARD DROP
# Allow new connections from the inside
iptables -A FORWARD -i eth1 -o eth0 -m match --match NEW -j ACCEPT
# Allow established connections
iptables -A FORWARD -m match --match RELATED,ESTABLISHED -j ACCEPT
Your firewall is still accessible, because when the firewall takes part
in the communication only INPUT and OUTPUT are used.
>
> Goal 3: Disallow Bad Stuff from WAN
>
> Goal 4: Disallow Bad Stuff from LAN
>
> is a good step-by-step approach but I can't even get past #1 :-(
Tell me if you know what I am talking about and if it helps you to get
past #1.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror:
http://honeynet.spenneberg.org
* Re: ready to cry over NATting!
From: David T-G @ 2003-05-20 15:58 UTC
To: NetFilter Users' List; +Cc: Ralf Spenneberg
Ralf, et al --
...and then Ralf Spenneberg said...
%
% On Tue, 2003-05-20 at 12:29, David T-G wrote:
...
% > Lifting directly from the "Made Simple" HOWTO, I tried
% >
% > modprobe ipt_MASQUERADE # If this fails, try continuing anyway
% > iptables -F; iptables -t nat -F; iptables -t mangle -F
% > iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to my.ip.add.ress
% > echo 1 > /proc/sys/net/ipv4/ip_forward
% > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
% > iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
% > iptables -P INPUT DROP #only if the first two are successful
% > iptables -A FORWARD -i eth1 -o eth1 -j REJECT
% What are you trying to achieve?
% These rules do not allow any traffic through your firewall (Forward
% REJECT).
As I said, I was lifting from the HOWTO :-) I thought that that rule
rejected anything coming in on eth1 (external interface) that was due to
go back out on eth1.
The interesting thing is that traffic *did* go through the firewall,
since network is the only way I can access it. I ran that script and was
not locked out.
Again I don't understand!
%
% > So I went to Rusty's NAT HOWTO and built up some commands from it:
% >
% > Goal 1: NAT from eth1 (LAN) to and through eth0 (WAN) for client
% >
% Ok. lets see. You have got 3 tables: filter, nat, and mangle.
% NAT is quite easy to setup:
%
% # Flush all
% iptables -F
% iptables -t nat -F
% iptables -t mangle -F
% # configure NAT
% iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
% # Turn on routing
% echo 1 > /proc/sys/net/ipv4/ip_forward
I tried that, too, and couldn't get in from the outside any more.
Perhaps at that point I didn't need to, though.
I can follow the flushes easily enough.
I'm not sure why I want to do postrouting going out the LAN interface; I
thought that NAT was for internal machines trying to get out. I *think*
that what I want is SNAT == source translation, and the NAT HOWTO doesn't
talk about DNAT == destination translation so I don't know that it's
needed -- but, of course, also don't really know about what I'm speaking.
[Oh, phooey -- I just realized that I had a typo, and you're obviously
going from what I wrote! eth0 is the LAN and eth1 is the WAN; sorry!]
%
% You should be able to ping now from a internal client to an external IP
% address. Note, that dns resolution might not work yet.
This is one test case that I didn't try since the firewall was otherwise
locked up.
% > Goal 2: Allow various connections and confirm that they work
% Now you are trying to filter. The filter table has three chains. Each
% chain with a specific task:
% INPUT only filters packets with the local machine as destination
Oh, INPUT from any interface; OK.
% OUTPUT only filters packets originating on the local machine
% FORWARD only sees those packets not covered by INPUT and OUTPUT being
% forwarded by the firewall.
OK. But this FORWARD is different from the NAT forward, right?
% If you want to allow new connections from the inside you need the
% following rules:
% # Deny everything through the machine
% iptables -P FORWARD DROP
% # Allow new connections from the inside
% iptables -A FORWARD -i eth1 -o eth0 -m match --match NEW -j ACCEPT
% # Allow established connections
% iptables -A FORWARD -m match --match RELATED,ESTABLISHED -j ACCEPT
%
% Your firewall is still accessable, because when the firewall takes part
% in the communication only INPUT and OUTPUT are used.
Ahhh... OK.
% >
% > Goal 3: Disallow Bad Stuff from WAN
% >
% > Goal 4: Disallow Bad Stuff from LAN
% >
% > is a good step-by-step approach but I can't even get past #1 :-(
% Tell me if you know what I am talking about and if it helps you to get
% past #1.
I'm close, I think. I'd start with
# flush everything
iptables -t filter -F ; iptables -t mangle -F ; iptables -t nat -F
# allow masquerading
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
to just forward packets from inside clients and then perhaps add
# outbound connections through
iptables -t filter -A FORWARD -i eth0 -o eth1 -m match --match NEW -j ACCEPT
# returning connections through
iptables -t filter -A FORWARD -m match --match RELATED,ESTABLISHED -j ACCEPT
to allow things like pings to go out and in. Then I'd need
# incoming to
iptables -t filter -A INPUT -j ACCEPT
to just let everything going to the box -- like my ssh -- get there. Not
yet secure, but a start, right?
% Cheers,
%
% Ralf
Thanks *so* much! & HAND
:-D
--
David T-G * There is too much animal courage in
(play) davidtg@justpickone.org * society and not sufficient moral courage.
(work) davidtgwork@justpickone.org -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
* Re: ready to cry over NATting!
From: Ralf Spenneberg @ 2003-05-20 17:18 UTC
To: David T-G; +Cc: NetFilter Users' List
Dear David,
> % > iptables -A FORWARD -i eth1 -o eth1 -j REJECT
> % What are you trying to achieve?
> % These rules do not allow any traffic through your firewall (Forward
> % REJECT).
>
> As I said, I was lifting from the HOWTO :-) I thought that that rule
> rejected anything coming in on eth1 (external interface) that was due to
> go back out on eth1.
Sorry, my mistake. You are right. I apparently assumed you meant -i eth1
-o eth0.
> I'm not sure why I want to do postrouting going out the LAN interface; I
> thought that NAT was for internal machines trying to get out. I *think*
> that what I want is SNAT == source translation, and the NAT HOWTO doesn't
> talk about DNAT == destination translation so I don't know that it's
> needed -- but, of course, also don't really know about what I'm speaking.
>
> [Oh, phooey -- I just realized that I had a typo, and you're obviously
> going from what I wrote! eth0 is the LAN and eth1 is the WAN; sorry!]
OK, let's get this straight. You are protecting internal clients which
want to access the internet. You need Source NAT and the NAT rules are
applied in the Postrouting chain on the external interface:
EXTIF=eth1
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> This is one test case that I didn't try since the firewall was otherwise
> locked up.
What do you mean by locked up?
>
>
> % > Goal 2: Allow various connections and confirm that they work
> % Now you are trying to filter. The filter table has three chains. Each
> % chain with a specific task:
> % INPUT only filters packets with the local machine as destination
>
> Oh, INPUT from any interface; OK.
>
>
> % OUTPUT only filters packets originating on the local machine
> % FORWARD only sees those packets not covered by INPUT and OUTPUT being
> % forwarded by the firewall.
>
> OK. But this FORWARD is different from the NAT forward, right?
There is no nat FORWARD chain. The nat table only has: PREROUTING and
OUTPUT for Destination NAT and POSTROUTING for Source NAT.
Defining a rule in POSTROUTING only defines the NAT, not the filter rules.
>
> I'm close, I think. I'd start with
>
> # flush everything
> iptables -t filter -F ; iptables -t mangle -F ; iptables -t nat -F
> # allow masquerading
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> to just forward packets from inside clients and then perhaps add
>
> # outbound connections through
> iptables -t filter -A FORWARD -i eth0 -o eth1 -m match --match NEW -j ACCEPT
> # returning connections through
> iptables -t filter -A FORWARD -m match --match RELATED,ESTABLISHED -j ACCEPT
Do not forget to turn routing on:
echo 1 > ...
>
> to allow things like pings to go out and in. Then I'd need
>
> # incoming to
> iptables -t filter -A INPUT -j ACCEPT
>
> to just let everything going to the box -- like my ssh -- get there. Not
> yet secure, but a start, right?
Yes. But if you just want to allow ssh and web, do the following:
# Allow ssh and web access to the firewall box
iptables -t filter -A INPUT -i $EXTIF -m match NEW,RELATED,ESTABLISHED -j ACCEPT
# Allow the firewallbox to answer
iptables -t filter -A OUTPUT -o $EXTIF -m match RELATED,ESTABLISHED -j ACCEPT
# Block everything else
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror:
http://honeynet.spenneberg.org
* Re: ready to cry over NATting!
From: David T-G @ 2003-05-20 19:35 UTC
To: NetFilter Users' List; +Cc: Ralf Spenneberg
Ralf, et al --
...and then Ralf Spenneberg said...
%
% Dear David,
%
% > % > iptables -A FORWARD -i eth1 -o eth1 -j REJECT
% > % What are you trying to achieve?
% > % These rules do not allow any traffic through your firewall (Forward
% > % REJECT).
% >
% > As I said, I was lifting from the HOWTO :-) I thought that that rule
% > rejected anything coming in on eth1 (external interface) that was due to
% > go back out on eth1.
% Sorry my mistake. You are right. I apparently assumed you meant -i eth1
% -o eth0.
Well, either that or you believed what I wrote :-)
%
% > I'm not sure why I want to do postrouting going out the LAN interface; I
% > thought that NAT was for internal machines trying to get out. I *think*
% > that what I want is SNAT == source translation, and the NAT HOWTO doesn't
% > talk about DNAT == destination translation so I don't know that it's
% > needed -- but, of course, also don't really know about what I'm speaking.
%
% >
% > [Oh, phooey -- I just realized that I had a typo, and you're obviously
% > going from what I wrote! eth0 is the LAN and eth1 is the WAN; sorry!]
% Ok. lets get this straight. You are protecting internal clients which
% want to access the internet. You need Source NAT and the NAT rules are
Yep.
% applied in the Postrouting chain on the external interface:
OK...
%
% EXTIF=eth1
Quite helpful :-)
% iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
OK. So this is stuff going out on the external interface that needs to
be readdressed. And I turn on forwarding in the kernel, and packets come
to the internal interface bound for something on the external side, and
so the kernel knows to just forward them, right?
%
% > This is one test case that I didn't try since the firewall was otherwise
% > locked up.
% What do you mean be locked up?
I couldn't connect to it at all. Upon reflection I realize that that is
a lousy term, since it was probably running happily even if without any
network access.
% >
% > % OUTPUT only filters packets originating on the local machine
% > % FORWARD only sees those packets not covered by INPUT and OUTPUT being
% > % forwarded by the firewall.
% >
% > OK. But this FORWARD is different from the NAT forward, right?
% There is no nat FORWARD chain. The nat table only has: PREROUTING and
% OUTPUT for Destination NAT and POSTROUTING for Source NAT.
Ahhh...
% Defining a rule in POSTROUTING only defines the NAT not the filterrules
OK. So do we need filter table rules to allow packets through, then?
Just turning on NAT isn't enough, right? Or is the default policy to
accept everything and so it's allowed?
% >
% > I'm close, I think. I'd start with
% >
...
% > # returning connections through
% > iptables -t filter -A FORWARD -m match --match RELATED,ESTABLISHED -j ACCEPT
% Do not forget to turn routing on:
% echo 1 > ...
Oops. Thanks :-)
% >
% > to allow things like pings to go out and in. Then I'd need
% >
% > # incoming to
% > iptables -t filter -A INPUT -j ACCEPT
% >
% > to just let everything going to the box -- like my ssh -- get there. Not
% > yet secure, but a start, right?
% Yes. But if you just want to allow ssh and web do the following:
Well, so far it's ssh, telnet, web, mysql, and maybe ftp. It's a pretty
short list, though. Hmmm... Maybe DNS queries out, and ping bouncing
both from the box and through the box.
% # Allow ssh and web access to the firewall box
% iptables -t filter -A INPUT -i $EXTIF -m match NEW,RELATED,ESTABLISHED
% -j ACCEPT
% # Allow the firewallbox to answer
% iptables -t filter -A OUTPUT -o $EXTIF -m match RELATED,ESTABLISHED -j
% ACCEPT
I don't get it... How does this allow only those few? It seems as
though the lack of a dport specifier would allow anything inbound (but
not through bound 'cuz that's rule FORWARD) on the external interface...
%
% # Block everything else
% iptables -t filter -P INPUT DROP
% iptables -t filter -P OUTPUT DROP
% iptables -t filter -P FORWARD DROP
That's the last thing to add :-)
So the current attempt is attached; please take a peek at it.
%
%
% Cheers,
Thanks again & HAND
:-D
--
David T-G * There is too much animal courage in
(play) davidtg@justpickone.org * society and not sufficient moral courage.
(work) davidtgwork@justpickone.org -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
[-- Attachment #1.2: script --]
#!/bin/sh
EXTIF=eth1
INTIF=eth0
# load module
modprobe ipt_MASQUERADE
# flush everything
iptables -F; iptables -t nat -F; iptables -t mangle -F
# turn on NATting & forwarding
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# accept returning ext packets
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept anything originating inside ("not ext")
iptables -t filter -A INPUT -m state --state NEW -i ! $EXTIF -j ACCEPT
# allow ssh & telnet
### and web and mysql? and anything?
### EXTIF plus INTIF 'cuz we might connect from inside... so skip the -i/-o?
iptables -t filter -A INPUT -i $EXTIF -m match NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o $EXTIF -m match RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i $INTIF -m match NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o $INTIF -m match RELATED,ESTABLISHED -j ACCEPT
# drop everything else
## iptables -t filter -P INPUT DROP
## iptables -t filter -P OUTPUT DROP
## iptables -t filter -P FORWARD DROP
# what do we have?
echo "---"
iptables -L
echo "---"
iptables -t nat -L
echo "---"
* tears of joy! (was "Re: ready to cry over NATting!")
From: David T-G @ 2003-05-21 1:11 UTC
To: NetFilter Users' List
Hi, all --
I am thrilled to say that I FINALLY had my first successful test tonight:
linux:/tmp # iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 567 packets, 47480 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 527 packets, 32365 bytes)
pkts bytes target prot opt in out source destination
20 1118 MASQUERADE all -- any eth1 anywhere anywhere
Chain OUTPUT (policy ACCEPT 307 packets, 18553 bytes)
pkts bytes target prot opt in out source destination
Woo hoo! Thanks to the invaluable help of Ralf and Julian and Guillermo,
in particular, as well as the other notes and tips that rolled in.
Now to 1) make it a boot script so that it will run all of the time and 2)
make it a wee bit more secure (though it's not as loose as it could be)
and then post a summary :-)
Thanks again & HAND & stay tuned
:-D
--
David T-G * There is too much animal courage in
(play) davidtg@justpickone.org * society and not sufficient moral courage.
(work) davidtgwork@justpickone.org -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
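The counters in the listing above are the quickest confirmation that Goal 1 works: the pkts column of the MASQUERADE rule rises while an inside client pings, and the "policy DROP N packets" figure in a chain header of "iptables -vL" shows how many packets fell through to the policy, which is where a missing FORWARD rule shows up. As an added example (not a script from the thread), here are two small POSIX sh functions, masq_pkts and policy_drops, that pull those numbers out of a listing; they are run over the nat listing posted above and over a constructed "before" nat listing and a constructed filter listing in the same format.

```shell
#!/bin/sh
# Added example (not from the thread): read the counters out of
# "iptables -t nat -vL" / "iptables -vL" listings to confirm that
# masquerading actually happens and to spot packets hitting a DROP policy.

# Sum the pkts column of every MASQUERADE rule in a nat listing read on stdin.
# Column layout: pkts bytes target prot opt in out source destination
masq_pkts() {
    awk '$3 == "MASQUERADE" { n += $1 } END { print n + 0 }'
}

# Packets that reached the named chain's DROP policy, read from the chain
# header, e.g. "Chain FORWARD (policy DROP 12 packets, 720 bytes)".
# Non-verbose listings ("policy DROP)") carry no counters and yield 0,
# as does a chain whose policy is ACCEPT.
policy_drops() {
    awk -v chain="$1" '
        $1 == "Chain" && $2 == chain {
            if ($4 == "DROP" && $5 ~ /^[0-9]+$/) print $5; else print 0
            exit
        }'
}

# Masqueraded packets between two listings, i.e. before and after a test ping.
masq_delta() {
    before=$(printf '%s\n' "$1" | masq_pkts)
    after=$(printf '%s\n' "$2" | masq_pkts)
    echo $((after - before))
}

# Constructed "before" listing: same format as the thread's, zero counters.
NAT_BEFORE='Chain PREROUTING (policy ACCEPT 540 packets, 45120 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 520 packets, 32000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth1    anywhere             anywhere
Chain OUTPUT (policy ACCEPT 300 packets, 18000 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# The nat listing David posted after the successful test.
NAT_AFTER='Chain PREROUTING (policy ACCEPT 567 packets, 47480 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 527 packets, 32365 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1118 MASQUERADE  all  --  any    eth1    anywhere             anywhere
Chain OUTPUT (policy ACCEPT 307 packets, 18553 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed filter listing: 12 packets fell through to FORWARD's DROP policy.
FILTER_SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   45  3210 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 307 packets, 18553 bytes)
 pkts bytes target     prot opt in     out     source               destination'

echo "masqueraded during the test ping: $(masq_delta "$NAT_BEFORE" "$NAT_AFTER") packets"
echo "packets hitting FORWARD's DROP policy: $(printf '%s\n' "$FILTER_SAMPLE" | policy_drops FORWARD)"
```

On a live box the listings come from "iptables -t nat -vL" and "iptables -vL" instead of the embedded strings; a rising MASQUERADE count with a rising FORWARD policy-DROP count is the signature of NAT being configured but the filter table not letting the packets through.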
* Re: ready to cry over NATting!
From: Thorsten Scherf @ 2003-05-21 23:38 UTC
To: Ralf Spenneberg; +Cc: David T-G, NetFilter Users' List
> Yes. But if you just want to allow ssh and web do the following:
> # Allow ssh and web access to the firewall box
> iptables -t filter -A INPUT -i $EXTIF -m match NEW,RELATED,ESTABLISHED
> -j ACCEPT
> # Allow the firewallbox to answer
> iptables -t filter -A OUTPUT -o $EXTIF -m match RELATED,ESTABLISHED -j
> ACCEPT
For allowing only ssh and web, the incoming rule should be:
iptables -t filter -A INPUT -i $EXTIF -p tcp -m multiport --dport 80,443,22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Greetings,
Thorsten
--
Thorsten Scherf,
RHCE, RHCX
GPG-Key 1024D/FFD73659
Fingerprint: 6ADE D9C6 CB90 958F BDBE 8D2E EAE8 4FE6 FFD7 3659
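Putting Ralf's two replies and Thorsten's correction together, here is an added example script (not code from the thread or from any of its authors) that builds the whole rule set the thread arrives at: masquerading in the nat table's POSTROUTING chain, the FORWARD rules that let LAN clients out and their replies back, and a port-restricted INPUT rule for the firewall box itself. It uses "-m state --state" throughout, as Thorsten's rule does (iptables has no "match" module, so "-m match --match NEW" cannot load), and "-j ACCEPT" on every rule. Interface roles follow David's correction (eth0 = LAN, eth1 = WAN). The run/FW_APPLY dry-run wrapper, the FW_PORTS list, the loopback rules, the OUTPUT rule that lets the box itself open connections (DNS lookups, for instance) and the rule_count helper are assumptions made here, not anything from the thread. By default it only prints the commands; run it as root with FW_APPLY=1 to apply them.

```shell
#!/bin/sh
# Added example, not a script from the thread: the NAT + filter rule set
# that Ralf's and Thorsten's replies arrive at, assembled in one place.
# Interface roles follow David's correction (eth0 = LAN, eth1 = WAN).
# Dry run by default: the commands are printed, not executed. Set
# FW_APPLY=1 and run as root to apply them.
EXTIF=${EXTIF:-eth1}            # WAN
INTIF=${INTIF:-eth0}            # LAN
FW_PORTS=${FW_PORTS:-22,80,443} # TCP services the box itself offers to the WAN (assumed list)

# Execute a command, or print it when dry-running.
run() {
    if [ "${FW_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Without ip_forward the kernel never hands LAN packets to FORWARD at all.
enable_forwarding() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

fw_rules() {
    run iptables -t filter -F
    run iptables -t nat -F
    run iptables -t mangle -F

    # nat table: address rewriting only. POSTROUTING changes the source of
    # packets leaving via the WAN; it does not decide whether they may pass.
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    # filter table, FORWARD: packets going *through* the box (the LAN clients).
    run iptables -t filter -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j ACCEPT
    run iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # filter table, INPUT/OUTPUT: packets to and from the box itself.
    run iptables -t filter -A INPUT -i lo -j ACCEPT
    run iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -t filter -A INPUT -i "$INTIF" -m state --state NEW -j ACCEPT
    run iptables -t filter -A INPUT -i "$EXTIF" -p tcp -m multiport --dports "$FW_PORTS" \
        -m state --state NEW -j ACCEPT
    run iptables -t filter -A OUTPUT -o lo -j ACCEPT
    run iptables -t filter -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    # Block everything else, added last so the ACCEPT rules are already in place.
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -P OUTPUT DROP
    run iptables -t filter -P FORWARD DROP
}

# Number of rules a dry run would append: a quick sanity check before applying.
rule_count() {
    FW_APPLY=0 fw_rules | grep -c '^iptables -t [a-z]* -A '
}

fw_rules
enable_forwarding
[ "${FW_APPLY:-0}" = 1 ] || echo "# dry run: $(rule_count) rules would be added; set FW_APPLY=1 to apply" >&2
```

Read the dry-run output before applying it: the RELATED,ESTABLISHED rules go in before the DROP policies, so an existing ssh session from the WAN survives as long as 22 is in FW_PORTS. Once the set is stable, save it with iptables-save and load it with iptables-restore, which replaces the whole table in one step instead of re-running the commands one by one.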