[gentoo-user] iptables script tips for ppp0

[gentoo-user] iptables script tips for ppp0

[Mick]

Hi All,

Thanks to Daniel Robbins and his articles I've got the following basic
script working on one of my boxes:
========================
#(connection to the Internet)

UPLINK="eth0"

#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"

ROUTER="no"

#change this next line to the static IP of your uplink interface for static
SNAT, or
#"dynamic" if you have a dynamic IP.  If you don't need any NAT, set NAT to
"" to
#disable it.

NAT=""
#change this next line so it lists all your network interfaces, including lo

INTERFACES="lo eth0 ppp0"

if [ "$1" = "start" ]
then
        echo "Starting firewall..."
        iptables -P INPUT DROP
        iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -p tcp -i ${UPLINK} -j DROP
#for testing use:       REJECT --reject-with tcp-reset
        iptables -A INPUT -p udp -i ${UPLINK} -j DROP
#for testing use:       REJECT --reject-with icmp-port-unreachable

#       #explicitly disable ECN
#       if [ -e /proc/sys/net/ipv4/tcp_ecn ]
#       then
#               echo 0 > /proc/sys/net/ipv4/tcp_ecn
#       fi   

#       #disable spoofing on all interfaces
#       for x in ${INTERFACES} 
#       do      
#               echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter     
#       done

        if [ "$ROUTER" = "yes" ]
        then
                #we're a router of some kind, enable IP forwarding
                echo 1 > /proc/sys/net/ipv4/ip_forward
                if [ "$NAT" = "dynamic" ]
                then
                        #dynamic IP address, use masquerading   
                        echo "Enabling masquerading (dynamic ip)..."
                        iptables -t nat -A POSTROUTING -o ${UPLINK} -j
MASQUERADE
                elif [ "$NAT" != "" ]
                then
                        #static IP, use SNAT
                        echo "Enabling SNAT (static ip)..."
                        iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT
--to ${UPIP}
                fi
        fi


elif [ "$1" = "stop" ]
then
        echo "Stopping firewall..."
        iptables -F INPUT
        iptables -P INPUT ACCEPT
        #turn off NAT/masquerading, if any
        iptables -t nat -F POSTROUTING
fi 
========================

nmap shows me that it works okay, but of course that's only on eth0, which
is the only NIC on this box and connects to an ADSL hardware router.

No matter what I tried I have not managed to make the script work for the
ppp0 interface.  Am I supposed to duplicate all the iptables lines and
define ppp0 instead of eth0?  Is there a clever modification I could used
on the above script to get the same result?

On a different but broadly relevant topic - are there any specific sysctl
and iptables settings I need to get google talk/gaim/kopete working?
-- 
Regards,
Mick

-- 
gentoo-user@gentoo.org mailing list