From: Donny Davies <woodchip@gentoo.org>
To: gentoo-dev@cvs.gentoo.org
Subject: [gentoo-dev] NAT iptables info
Date: Mon Oct 1 15:02:01 2001
Message-ID: <3BB8D91C.C52CDE0C@gentoo.org>

Please search freshmeat for iptables scripts. Please understand that they're
mostly just that-- scripts. Mostly they work top-down, with a few variables
you can edit applicable to your setup. It's easy enough to understand. There
are a zillion things you can do with the netfilter framework, it's very robust.

To provide some kind of gentoo firewall is, hmm, well silly. It's 100%
configuration. This is not the domain of a 'package', 'rpm' or ebuild. It is the
domain of a system administrator. If you are operating a Linux box then you
are automatically a system administrator. Cool huh!? :-)

This list is not the place for this type of stuff IMHO. This is not a howto-list.
I mean no disrespect. Please don't take any offense.

What gentoo provides is a nice framework for inserting your firewall script
into the init system. At least on rc5 there was an initfile specifically for that
purpose. Actually we needn't provide any more than just that! I.e.: provide
a slot for a firewall script to run. I think the rc5 one ran after all non-local
interfaces were brought up, it's been so long since I changed my firewall
box that I can't remember anymore :) The nice thing about that approach
is that you could always just source it, and run the function it was enclosed
in if you needed to run it again. Simple, slick, sufficient.

Please read up on packet filtering. Microsoft Internet Connection Sharing
is not a simple hack. It's a lot of work to provide a simple, robust interface
to newbies who want to share an internet connection. I would remind you
that they basically *didn't* even write it. They bought out the company that
*did* write it. It used to be a product called NAT1000 for Windows NT,
and sure enough, it started to sell like hotcakes. Naturally, Micro$loth
being the anti-competitive juggernaut that it is, swallowed them up, and
started tossing it in with Windows 98 Second Edition.

There are simply sooo many different variants of these 'firewall scripts' on
freshmeat that it would be silly to try to come up with a 'here, this does it
for everybody'. It is the obligation of the system administrator. Again, like
I said, it is 100% configuration, with many pieces in the *kernel*. This is
not the domain of a 'package'. If it helps you, I'm personally using a
modified version of something I grabbed from freshmeat. Good Luck.

Of course I'd be willing to send you a copy if you wish.

Cheers
--
Donny