[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: OT: Network setup - NAT



On Mon, 2009-03-30 at 10:52 +0400, Hiisi wrote:
> Here's what I have now:
> I assigned F10 eth1 an address 192.168.2.1/24
> and done some additional iptables commands on F10:
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -o eth1 -j ACCEPT
> iptables -t nat -A POSTROUTING
> Also enabled stack forwarding with this command
> on F10:
> echo 1 > /proc/sys/net/ipv4/ip_forward
> Assigned for F9 laptop IP 192.168.2.2
> Setted  laptop' route table so it's default gateway is 192.168.2.1
>
> IT ALL DOESN'T WORK.

Back when I used dial-up, and had one PC sharing the internet to the
rest, I used a script to set up my networking.  The following script was
run any time I changed firewall rules (they were written into it).
Nothing was done to the clients, other than see that they had an IP
address and netmask applicable to the LAN, DNS server address, and the
gateway IP.  Either via manual configuration per PC, or letting DHCP set
up each client.

I always used the long form of the commands, I could never remember what
half the abbreviations stood for.  Either method works, though I can
always understand what this script does by reading it.  I don't have to
refer back to the manuals.

#!/bin/bash

## Turn off IP forwarding while altering configuration:
##
## (Educated guess:  To stop things sneaking through, while your
##  firewall isn't operating.)

echo 0 > /proc/sys/net/ipv4/ip_forward


## Flush any pre-existing rules:

iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD

iptables --flush
iptables --table nat --flush

iptables --delete-chain
iptables --table nat --delete-chain


## Set default (policy) rules:

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

## Custom firewall rules went here:
##
## (For allowing outside connections, appropriately, into local services.  No
## special rules were needed to allow LAN PCs to reach the outside world.)

# e.g. iptables --append INPUT --jump ACCEPT --in-interface ppp+ --protocol tcp --destination-port 80

##  Guard against IP spoofing:
##
## (Refuse outside connections pretending to have inside addresses, and refuse
## inside connections with outside addresses.)

iptables --append INPUT --jump DROP --in-interface eth+ \! --source 192.168.0.0/16
iptables --append INPUT --jump DROP \! --in-interface eth+ --source 192.168.0.0/16
iptables --append INPUT --jump DROP --in-interface \! lo --source 127.0.0.1/255.0.0.0


## Set up masquerading to allow internal machines access to outside network:
##
## (sharing the ppp connection, change to suit your outside interface)

iptables --table nat --append POSTROUTING --out-interface ppp+ --jump MASQUERADE


## Turn on IP forwarding, now:

echo 1 > /proc/sys/net/ipv4/ip_forward


## Save iptables rules to the default iptables rules file (used at boot-up):
##
## (Red Hat's own /etc/init.d/iptables script looks here.  Rules you set, above
## will be automatically applied when booting normally, you don't need to change
## how your system boots.)

iptables-save > /etc/sysconfig/iptables

-- 
[tim localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]