[plug] masq difficulties
Cameron Patrick
cameron at patrick.wattle.id.au
Tue Dec 16 13:26:33 WST 2003
On Tue, Dec 16, 2003 at 01:08:08PM +0800, Tony Breeds wrote:
| > I include the script here (I tried with a Word doc and it got stopped ... )
I believe that the PLUG list rejects attachments - and as James said,
a Word document is a generally bad way to insert a simple text file.
What you did there was fine :-)
That script looks like it's mostly comments, and the actual rules down
the bottom look like they should work.
| Try the rather simple script at:
| http://www.plug.linux.org.au/~magni/network_talk3/presentation/mgp00026.txt
|
| Then we'll know exactly what is going on, and pinpoint if the problem
| is OS related, script related or general network issues.
|
| If I'm jumping in late and contradicting what others have said then let
| me know and I'll shut up
I suggested looking at the slides from your talk earlier...
And here's a slightly modified (and very much shortened!) excerpt of the
firewall script I use:
#! /bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
LAN_NET=10.0.0.0/255.0.0.0
# current address of the dial-up link (empty if ppp0 has no address yet)
INET_IP="`ip addr show dev ppp0 | grep ' inet ' | awk '{print$2}' | cut -d/ -f1`"
TRUSTED_IFACE="lo eth0"
echo 1 >/proc/sys/net/ipv4/ip_forward
# let masqueraded connections survive a change of the dynamic address
echo 1 >/proc/sys/net/ipv4/ip_dynaddr
# reset everything to the defaults
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# default to reject incoming and forwarding packets
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# accept replies and related packets for connections already tracked
# (this is what lets masqueraded return traffic back in)
for chain in FORWARD INPUT OUTPUT; do
    iptables -A ${chain} -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# reject new incoming connections from the internet
iptables -A INPUT -p TCP -d $INET_IP -j REJECT --reject-with=tcp-reset
iptables -A INPUT -p ICMP -d $INET_IP -j ACCEPT
iptables -A INPUT -d $INET_IP -j DROP
# forward and accept all traffic for the local network
for iface in $TRUSTED_IFACE; do
    iptables -A FORWARD -i $iface -j ACCEPT
    iptables -A INPUT -p ALL -i $iface -j ACCEPT
done
# enable IP masquerading for LAN hosts talking to anything outside the LAN
# (newer iptables versions want the negation written as "! -d $LAN_NET")
iptables -t nat -A POSTROUTING -s $LAN_NET -d ! $LAN_NET -j MASQUERADE
# Allow ICMP traffic
iptables -A INPUT -p ICMP -j ACCEPT
###############
Looking at it, that should be used as an example of superfluous use of
grep (and probably cut). Oh well, it works. :)
Cameron.
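An added example, not part of the list post or Cameron's script, picking up the grep/cut remark: a single awk does the same job, and the wrapper refuses to hand back an empty address, since an empty INET_IP would leave the `-d $INET_IP` rules above with a missing argument when the script runs before ppp0 is up. The `ip addr` output below is constructed sample text; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): derive the external address
# with one awk, and fail closed when the interface has no IPv4 address.

# Extract the first IPv4 address from `ip addr show dev <iface>` output read
# on stdin. Handles both "inet A.B.C.D/8 ..." (ethernet) and
# "inet A.B.C.D peer ..." (ppp) forms; replaces grep | awk | cut.
first_inet_addr() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Same thing on a live interface (assumes the iproute2 `ip` tool).
iface_addr() {
    ip addr show dev "$1" 2>/dev/null | first_inet_addr
}

# Print the address, or return 1 with a message so a firewall script can
# abort before installing rules that would reference an empty address.
require_addr() {
    addr=$(first_inet_addr)
    [ -n "$addr" ] || { echo "no IPv4 address on interface" >&2; return 1; }
    printf '%s\n' "$addr"
}

# Constructed sample: ppp0 with the link up.
SAMPLE_PPP='3: ppp0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0
    inet6 fe80::1/10 scope link'

# Constructed sample: an ethernet interface with a CIDR-style address.
SAMPLE_LAN='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/8 brd 10.255.255.255 scope global eth0'

# Constructed sample: ppp0 before the link has come up.
SAMPLE_DOWN='3: ppp0: <POINTOPOINT,NOARP> mtu 1492 qdisc pfifo_fast state DOWN qlen 3
    link/ppp'
```

In the firewall script itself this would be used as `INET_IP=$(iface_addr ppp0 | require_addr) || exit 1` before any rule that references `$INET_IP`.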