From: Mick
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] iptables script tips for ppp0
Date: Wed, 22 Feb 2006 23:40:47 +0000

Hi All,

Thanks to Daniel Robbins
and his articles I've got the following basic script working on one of my boxes:

========================
#!/bin/sh

#(connection to the Internet)
UPLINK="eth0"

#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"
ROUTER="no"

#change this next line to the static IP of your uplink interface for static SNAT, or
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to "" to
#disable it.
NAT=""

#change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth0 ppp0"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    iptables -P INPUT DROP
    iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -i ${UPLINK} -j DROP  #for testing use: REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${UPLINK} -j DROP  #for testing use: REJECT --reject-with icmp-port-unreachable

#   #explicitly disable ECN
#   if [ -e /proc/sys/net/ipv4/tcp_ecn ]
#   then
#       echo 0 > /proc/sys/net/ipv4/tcp_ecn
#   fi

#   #disable spoofing on all interfaces
#   for x in ${INTERFACES}
#   do
#       echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
#   done

    if [ "$ROUTER" = "yes" ]
    then
        #we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            #dynamic IP address, use masquerading
            echo "Enabling masquerading (dynamic ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            #static IP, use SNAT; the address to rewrite to is the one stored in NAT
            echo "Enabling SNAT (static ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
        fi
    fi
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
fi
========================

nmap shows me that it works okay, but of course that's only on eth0, which is the only NIC on this box and connects to an ADSL hardware router.
No matter what I tried I have not managed to make the script work for the ppp0 interface. Am I supposed to duplicate all the iptables lines and define ppp0 instead of eth0? Is there a clever modification I could use on the above script to get the same result?

On a different but broadly relevant topic - are there any specific sysctl and iptables settings I need to get google talk/gaim/kopete working?

--
Regards,
Mick

--
gentoo-user@gentoo.org mailing list
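An added example, not Mick's script or Daniel Robbins' code: the rule `iptables -A INPUT -i ! ${UPLINK} -j ACCEPT` accepts every packet that does not arrive on eth0, so once ppp0 is a second Internet-facing interface that single rule admits all of its traffic. The version below keeps one rule set and loops over a list of uplinks, accepting only explicitly trusted interfaces; the interface names are assumed, and setting DRY_RUN=1 prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names are assumed.
# DRY_RUN=1 prints the rules instead of calling iptables, so it can be
# reviewed without root.

UPLINKS="eth0 ppp0"   # every interface that faces the Internet
TRUSTED="lo"          # interfaces whose traffic is accepted unconditionally

# Run iptables, or print the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Same policy for each uplink. Nothing is accepted merely for not being
# eth0: only TRUSTED interfaces and replies to connections this host
# opened get through; each uplink gets its own explicit drops, which can
# be swapped for REJECT while testing, as in the original script.
firewall_start() {
    ipt -P INPUT DROP
    for ifc in $TRUSTED; do
        ipt -A INPUT -i "$ifc" -j ACCEPT
    done
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for up in $UPLINKS; do
        ipt -A INPUT -p tcp -i "$up" -j DROP
        ipt -A INPUT -p udp -i "$up" -j DROP
    done
}

firewall_stop() {
    ipt -F INPUT
    ipt -P INPUT ACCEPT
}

case "$1" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
esac
```

Run as root with `start` or `stop`; a LAN-side NIC belongs in TRUSTED rather than being trusted implicitly for not being the uplink.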