[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: more network puzzler now with iptables



>From: Chad and Doria Skinner <cws-dls swbell net>
>Subject: RE: more network puzzler now with iptables
>In-reply-to: <m1elgsrczm fsf reader newsguy com>
>
>Try reading this article I found it helpful.
>(http://www.linuxjournal.com/article.php?sid=4815)
>
>> -----Original Message-----
> >From: redhat-list-admin redhat com
> >[mailto:redhat-list-admin redhat com]On Behalf Of Harry Putnam
> >Sent: Friday, May 03, 2002 7:08 PM
> >To: redhat-list redhat com
> >Subject: more network puzzler now with iptables
>>
>>
> >Posters here got me over the first hurdle of setting up this
> >experimental network within a network.  I can now ping all internal
> >machines and ping anything internal/external from M1
>>
> >         INTERNET
> >           |
> >         dsl modem (Static IP)
> >            |
> >          ROUTER (gateway) NETGEAR FR314 192.168.0.1
> >            |
> >            |--eth0 192.168.0.5
> >            |
> >          --M1--Running Redhat 7.1 [two nics] (with all updates)
> >            |
> >            |--eth1 192.168.1.1
> >            |
> >  -----Simple hub (Netgear DS108)--------
> >            |
> >            |--ed0 192.168.1.4
> >          --M2-- (running Freebsd-4.3)
>>
> >There are actually several machines at the end of this chain, just
> >showing one for simplicity.  Now I've arrived at the problem of getting
> >this forwarded/masqueraded with iptables.
>>
> >That is the weakest link in this scenario.  I have never been able to
> >fathom much about iptables.  If you're thinking of telling me RTFM,
> >forget it... I will NEVER learn how to set up iptables from that
> >source.  I have read it, and it's handy for seeing what different
> >flags mean, but I will not learn to use iptables in this lifetime from
> >the man page.
>


Have you tried a GUI "frontend" for iptables - just to get things secure? I've found them to be useful to "see" what rules are being applied to what. Once you get the hang of it, you can ditch the GUI.
Take a look at Firestarter at http://www.sorceforge.net
It has a Gnome interface, lets you start and stop the firewall, shows graphically what traffic is being allowed and denied from where, and keeps track of "hits" on the firewall. It works with either ipchains or iptables.

---Tom



>> I've tried a couple of sample scripts, neither has worked but I'm not
>> knowledgeable enough to really take them apart.
>>
>> Here are a couple of examples I've tried:
>> (These were wrapped for mail.  No (\) in original.)
>>   iptables -F
>>
>>   echo "1" > /proc/sys/net/ipv4/ip_forward
>>   echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>>
>>   iptables -A FORWARD -i eth1 -o eth0 -m state --state \
>>     ESTABLISHED,RELATED -j ACCEPT
>>   iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>>   iptables -P FORWARD DROP
>>
>>   iptables -t nat -F
>>   iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>>
>> I tried rearranging eth1 and eth0 as well
>>========================================
>>
>> this one liner fails as well:
>>   IFINET=eth0
>>   ADLOCAL=192.168.1
>>   ADINET=192.168.0.1
>>   (Note for ADLOCAL I've used all of these:
>>   192.168.1, 192.168.1.4 and 192.168.1/16 - the actual address is
>>   192.168.1.4)
>>
>> (also wrapped for mail)
>>    iptables -t nat -A POSTROUTING -o $IFINET -s $ADLOCAL\
>>       -j SNAT --to $ADINET
>>
>> Can someone show me a real basic iptables script that will allow
>> M2 (in the ascii art) to get to the internet? Thru M1 and then the
>> hardware router.
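An added example, not code from the original thread or from either poster: a minimal script for M1 that does what the question asks. From the diagram it assumes eth0 (192.168.0.5) is the side facing the NETGEAR router and eth1 (192.168.1.1) the side facing the hub; the post gives no netmask, so the internal subnet 192.168.1.0/24 is also an assumption. Two points the quoted attempts got backwards are arranged correctly here: the MASQUERADE goes on the interface traffic leaves through toward the router (eth0, not eth1), and the stateful ESTABLISHED,RELATED match goes on the return direction (eth0 to eth1), while traffic from the hub toward the router (eth1 to eth0) is accepted outright. The first quoted script, as written, treats eth1 as the external interface. The IPT, FWD_FILE and interface variables are this example's own knobs for dry-running it without root.

```shell
#!/bin/sh
# Basic NAT/forwarding rule set for M1 (Red Hat 7.1, two NICs).
# Added example for this thread, not code posted by Harry or Tom.
# Assumptions taken from the ASCII art (the post names no netmask):
#   EXT_IF  eth0 = 192.168.0.5, faces the NETGEAR router at 192.168.0.1
#   INT_IF  eth1 = 192.168.1.1, faces the hub and M2 (192.168.1.4)
#   INT_NET      = 192.168.1.0/24; iptables wants a full address or a
#                  CIDR prefix here, not a bare "192.168.1"
# All of these can be overridden from the environment.  IPT=echo prints
# the rules instead of loading them, so the script can be checked without
# root or a kernel with netfilter.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"
FWD_FILE="${FWD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Emit the rule set, one command per line, without executing anything.
# Direction matters: packets from the hub come in on INT_IF and go out
# on EXT_IF, so that pair is accepted outright (restricted to the
# internal subnet so nothing else can be relayed).  The reverse pair only
# ever carries replies, so it is limited to ESTABLISHED,RELATED.  The
# masquerade sits on the *outgoing* external interface.  MASQUERADE is
# used rather than SNAT because it picks up eth0's own address itself; a
# SNAT --to-source would have to name M1's 192.168.0.5, not the router's
# 192.168.0.1 as in the quoted one-liner.
nat_rules() {
    cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -P FORWARD DROP
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
EOF
}

# The kernel does not forward between interfaces until this flag is 1.
enable_forwarding() {
    echo 1 > "$FWD_FILE"
}

# Load the rules by feeding them to a shell that stops at the first error,
# so a typo in one rule does not leave a half-loaded policy behind.
apply_rules() {
    nat_rules | sh -e
}

# "sh nat.sh" prints the rules; "sh nat.sh apply" (as root) loads them.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding && apply_rules
else
    nat_rules
fi
```

On Red Hat 7.1 the stock ipchains service is enabled by default and its module prevents ip_tables from loading, so `service ipchains stop; chkconfig ipchains off` has to come before any of this, and `service iptables save` writes the loaded rules to /etc/sysconfig/iptables so they survive a reboot. `ip_dynaddr`, which the quoted script also sets, only matters when the outside address changes underneath open connections, which a statically addressed eth0 behind the router does not do.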
