[plug] NAT on a linux box
Brad Campbell
brad at seme.com.au
Tue Feb 18 13:55:44 WST 2003
Daniel Pearson wrote:
> Ok, this is what I want to ultimately achieve: a NAT/Firewall script that
> can be controlled through /etc/init.d/ (debian)
> No services other than ppp, ssh, postfix, qpopper, mutt, fetchmail
> Very simple dial out get the mail and distribute it to mailboxes and to
> allow workstations to browse the internet
>
> Note: IPTables, not IPChains
>
> Any ideas at all?
Set up a pair of box*ES*, grab one of Rusty's unreliable guides to
iptables and experiment until you get the desired result.
I wanted a firewall for the office, asked the list, got some great
advice, BUT found I had learned nothing about how iptables actually
worked and really did not understand what I was typing in.
So I grabbed the above-mentioned document and went at it. A couple of
hours later I emerged knowing slightly more than enough to be dangerous
and actually understanding how it all worked.
Now I can make it do what I want whenever I change some network
infrastructure here and I'm pretty confident that it works the way I
want it to.
An external host and nmap help a lot here. At a pinch the scanner at
www.grc.com will give you a very brief rundown.
In this case, the *fine* manual is begging to be read and will help you
far more than any of us can over such a limiting medium.
Here is where I'd normally post my firewall script, but without me
explaining the various VPNs and redirects to you, it would make no
sense and probably confuse you further.
Start with a basic set of rules. Do something like a ping and watch the
counters with a watch -n 1 iptables -L -v.
Then you can actually see where the packets go in real time.
Even set up individual rules for things that are implicitly allowed, and
you can count the packets to see what is going on and how the firewall
works.
I ended up with a stack of rules that are redundant as they match the
default rule anyway, but my default rule packet counters stay at zero
and I can account for every single packet crossing the network. If the
default counters are > 0 then there is something going on I don't know
about and I need to figure out what it is.
Brad
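A small check in the spirit of Brad's counter-watching advice, added here as an example and not part of the original post or of any project's code: it parses the output of iptables -L -v -n (a constructed sample is embedded; the hypothetical --live switch, which needs root, reads the real tables instead) and flags any chain whose default-policy counter is above zero, the condition Brad describes as traffic he cannot account for.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -v -n` output (not captured from a real box).
# Counter-driven accounting in the spirit of the post: every expected flow has its
# own rule, so a default-policy counter above zero means unexplained traffic.
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3528 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  120  9600 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5000 4000000 ACCEPT     all  --  eth0   ppp0    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Print "CHAIN TARGET PKTS" for every rule line, so each flow can be accounted for.
rule_hits() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }
        $1 ~ /^[0-9]+$/ { printf "%s %s %s\n", chain, $3, $1 }'
}

# Report chains whose default policy was hit; exit status 1 if any was.
check_policy_counters() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            # header looks like: Chain FORWARD (policy DROP 3 packets, 180 bytes)
            if (match($0, /\(policy [A-Z]+ [0-9]+ packets, [0-9]+ bytes\)/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")
                if (f[3] + 0 > 0) {
                    printf "%s policy %s hit by %s packets\n", $2, f[2], f[3]
                    bad = 1
                }
            }
        }
        END { if (bad) exit 1 }'
}

# Use the embedded sample by default; --live (hypothetical switch, needs root) reads the real tables.
if [ "$1" = "--live" ]; then
    TABLES=$(iptables -L -v -n)
else
    TABLES=$SAMPLE
fi
rule_hits "$TABLES"
check_policy_counters "$TABLES" || echo "investigate: packets hit a default policy"
```

Run it under watch -n 1 with --live and the policy line only appears when something unexplained crosses the box.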