Network newbie queston

Chris Lingard chris at
Mon Oct 1 01:55:14 PDT 2001

Björn Lindberg wrote:

Hello Bjorn,

Set up you fire wall running a scripts like:

bash-2.05$ cat /etc/init.d/masquerade

# activate IP-Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# be verbose on dynamic ip-adresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still 
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Allow ssh to access the box
iptables -v -A INPUT  -p tcp --dport 22                              -j 
iptables -v -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j 

#Alternativly, if you want to ping your box to ensure it's still alive:
iptables -v -A INPUT  -p icmp -m icmp --icmp-type echo-request       -j 
iptables -v -A OUTPUT -p icmp -m icmp --icmp-type echo-reply         -j 

# Create chain which blocks new connections, except if coming from inside.
iptables -v -N block
iptables -v -A block -m state --state ESTABLISHED,RELATED            -j 
iptables -v -A block -m state --state NEW -i ! ppp+                  -j 
iptables -v -A block                                                -j DROP

## Jump to that chain from INPUT and FORWARD chains.
iptables -v -A INPUT                                                 -j 
iptables -v -A FORWARD                                               -j 

#  Turn on IP forwarding
iptables -v  -t  nat -A POSTROUTING  -o ppp+                         -j  

# set a sane policy
iptables -v -P INPUT       DROP
iptables -v -P FORWARD     DROP
iptables -v -P OUTPUT      DROP

Give this machine a private name/number and make it the default route of 
you other boxes.

On my setup my DNS is inside the fire wall, as is everthing else.

All the machines use private numbers such as 192.168.0.*


