* [gentoo-dev] NAT iptables info
From: Donny Davies @ 2001-10-01 15:02 UTC
To: gentoo-dev
Please search freshmeat for iptables scripts. Please understand that they're mostly just that-- scripts. Mostly they work top-down, with a few variables you can edit applicable to your setup. It's easy enough to understand. There are a zillion things you can do with the netfilter framework, it's very robust.

To provide some kind of gentoo firewall is, hmm, well silly. It's 100% configuration. This is not the domain of a 'package', 'rpm' or ebuild. It is the domain of a system administrator. If you are operating a Linux box then you are automatically a system administrator. Cool huh!? :-)

This list is not the place for this type of stuff IMHO. This is not a howto-list. I mean no disrespect. Please don't take any offense.

What gentoo provides is a nice framework for inserting your firewall script into the init system. At least on rc5 there was an initfile specifically for that purpose. Actually we needn't provide any more than just that! I.e.: provide a slot for a firewall script to run. I think the rc5 one ran after all non-local interfaces were brought up; it's been so long since I changed my firewall box that I can't remember anymore :) The nice thing about that approach is that you could always just source it, and run the function it was enclosed in if you needed to run it again. Simple, slick, sufficient.

Please read up on packet filtering. Microsoft Internet Connection Sharing is not a simple hack. It's a lot of work to provide a simple, robust interface to newbies who want to share an internet connection. I would remind you that they basically *didn't* even write it. They bought out the company that *did* write it. It used to be a product called NAT1000 for Windows NT, and sure enough, it started to sell like hotcakes. Naturally, Micro$loth being the anti-competitive juggernaut that it is, swallowed them up, and started tossing it in with Windows 98 Second Edition.

There are simply sooo many different variants of these 'firewall scripts' on freshmeat that it would be silly to try to come up with a 'here, this does it for everybody'. It is the obligation of the system administrator. Again, like I said, it is 100% configuration, with many pieces in the *kernel*. This is not the domain of a 'package'. If it helps you, I'm personally using a modified version of something I grabbed from freshmeat. Good Luck. Of course I'd be willing to send you a copy if you wish.

Cheers
--
Donny
* AW: [gentoo-dev] NAT iptables info
From: Sebastian Werner @ 2001-10-01 17:01 UTC
To: gentoo-dev
Wow, what a mail. Great stuff - people. I will try the attachment of Gontran, thanks thanks thanks.

Sebastian

P.S. I know that this is not really the right place for this, thanks, Donny. Sometimes I think it's more than a developer list of one product. I search for good people in mailing lists. This is a list with some really cool guys who understand their favourite parts very well. Yes, I think I needn't know all administration facilities, so to ask is sometimes much faster than to search. ;-))
* Re: [gentoo-dev] NAT iptables info
From: Chad Huneycutt @ 2001-10-01 20:29 UTC
To: gentoo-dev
Donny Davies wrote:
> To provide some kind of gentoo firewall is, hmm, well silly. It's 100%
> configuration. This is not the domain of a 'package', 'rpm' or ebuild.
>
I don't completely agree with this. While questions like "How do I set up a firewall?" are not completely germane to this mailing list, the above statement is your opinion and open for discussion here. I think that it is a very good idea to provide several basic scripts for common configurations. If they are already out there, then great! We should include them in an ebuild. It is a much better policy to have the network default to a secure state (such as Rusty's script that allows no incoming connections) than to leave it wide open, and let the potentially newbie sysadmin get hacked.

It would be nice to bring up a semi-secure, masquerading (or whatever they are calling it these days) firewall box with little effort. From there, one can learn about iptables and such things to customize it further.

Just some thoughts from someone who hasn't delved into iptables yet,
Chad
* Re: [gentoo-dev] NAT iptables info
From: Djamil ESSAISSI @ 2001-10-02 4:13 UTC
To: gentoo-dev
I fortunately know what you mean, so I give you as an example my little farm at home...:

First you have to know:
eth0 is hooked up to the DSL modem
eth1 is hooked up to the LAN
ppp0 is the outside link (can be DSL, dial-up or even a VPN!)

adsl-start    # the stuff of rp-dsl that comes with gentoo...
# Open tha door
route add -net 0.0.0.0 gw 62.4.19.XXX    # the IP on the PPP connection; in my case it is static ;)
# Open sesame!
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE    # masquerade the bloody LAN thru ppp0
iptables -A FORWARD -i eth1 -j ACCEPT    # and do me some forwarding too coming from eth1 [remember eth1 is the LAN side]
# Get me FTP
iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 21 -j DNAT --to 192.168.0.2:21    # this is how I use a PIII500/512M as a web
iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 20 -j DNAT --to 192.168.0.2:20    # ftp server behind a good old P100.
# Get me HTTP/S
iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 80 -j DNAT --to 192.168.0.2:80
iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 443 -j DNAT --to 192.168.0.2:443
# Get me ssh
iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 24 -j DNAT --to 192.168.0.2:22    # or even use another port to open another ssh on the inside machine.

NOTE: there is no firewalling involved here!!! This makes it work only; it doesn't protect any machine. For example: if you've got SUB7 on a Win98 machine the lamer can get to your machine. But this setup is sweet when I run a CS/HL server on an inside machine... hard to believe! It WORKS!
BUT you still can protect it by blocking ports/IPs... good luck and be careful.
NOTE also that this runs on gentoo so maybe I passed over some steps as they may have been already set up by default...

grutz.
Djamil-
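As an added example (not Djamil's script, nor anything shipped by Gentoo), here is the same masquerade plus port-forward setup with the firewalling the note above says is missing: DROP default policies, stateful return traffic, anti-spoofing on the LAN side, and a FORWARD rule paired with each DNAT so only the forwarded ports reach the inside host. The interface names, the 192.168.0.0/24 LAN, the 192.168.0.2 server and the DRY_RUN/FW_APPLY switches are assumptions; the forwards match on the WAN interface instead of a fixed public IP so a dynamic PPP address works too.

```shell
#!/bin/sh
# Assumed layout (taken from the thread's example, not a real deployment):
# ppp0 faces the internet, eth1 the LAN, 192.168.0.2 serves HTTP/HTTPS.
WAN=${WAN:-ppp0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
SRV=${SRV:-192.168.0.2}

# ipt: apply a rule, or with DRY_RUN=1 just print the iptables command line.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

fw_rules() {
    # Flush, then deny by default: nothing reaches or crosses the box
    # unless a rule below allows it. Traffic from the box itself stays open.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback and LAN-side hosts may talk to the box (ssh, DNS, ...).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # Replies to connections started from inside come back via conntrack.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN -> internet, but only for genuine LAN source addresses.
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT
    # Masquerade behind whatever address the PPP link currently has.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Port forwards: match the WAN interface instead of a fixed public IP,
    # and pair each DNAT with a FORWARD rule, because the DROP policy would
    # otherwise discard the rewritten packet. Only these ports reach $SRV.
    for p in 80 443; do
        ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$p" \
            -j DNAT --to-destination "$SRV:$p"
        ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$SRV" --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
}

# Apply only when asked; DRY_RUN=1 FW_APPLY=1 shows what would be done.
if [ "${FW_APPLY:-0}" = 1 ]; then fw_rules; fi
```

Run it as root with FW_APPLY=1 to load the rules, or with DRY_RUN=1 as well to review the exact iptables invocations first.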