Network newbie question

Chris Lingard chris at stockwith.uklinux.net
Mon Oct 1 01:55:14 PDT 2001


Björn Lindberg wrote:

Hello Bjorn,

Set up your firewall running a script like:


bash-2.05$ cat /etc/init.d/masquerade
#!/bin/sh

# activate IP-Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Start from a clean slate so the script can be re-run (otherwise -N block
# fails and every rule gets appended twice), and set the DROP policies
# before any rule is added so there is no window with everything ACCEPTed.
iptables -v -F
iptables -v -t nat -F
iptables -v -X
iptables -v -P INPUT   DROP
iptables -v -P FORWARD DROP
iptables -v -P OUTPUT  DROP

# Allow ssh to access the box (from any interface, including the ppp link)
iptables -v -A INPUT  -p tcp --dport 22                              -j ACCEPT
iptables -v -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Alternatively, if you want to ping your box to ensure it's still alive:
iptables -v -A INPUT  -p icmp -m icmp --icmp-type echo-request       -j ACCEPT
iptables -v -A OUTPUT -p icmp -m icmp --icmp-type echo-reply         -j ACCEPT

# Create chain which blocks new connections, except if coming from inside.
# ppp+ is the outside (dial-up) interface; anything else (eth0, lo) is inside.
# (The 2001 spelling was "-i ! ppp+"; current iptables wants the ! first.)
iptables -v -N block
iptables -v -A block -m state --state ESTABLISHED,RELATED            -j ACCEPT
iptables -v -A block -m state --state NEW ! -i ppp+                  -j ACCEPT
iptables -v -A block                                                 -j DROP

## Jump to that chain from INPUT and FORWARD chains.
# OUTPUT deliberately does not jump here: the firewall itself may only answer
# ssh and ping, anything it initiates (DNS lookups, downloads) is dropped by
# the OUTPUT policy. The LAN boxes are unaffected, their traffic goes through
# FORWARD.
iptables -v -A INPUT                                                 -j block
iptables -v -A FORWARD                                               -j block

# Masquerade everything leaving on the ppp link behind its (dynamic) address
iptables -v -t nat -A POSTROUTING -o ppp+                            -j MASQUERADE

Give this machine a private name/number and make it the default route of
your other boxes.

On my setup my DNS is inside the firewall, as is everything else.

All the machines use private numbers such as 192.168.0.*

Chris

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message
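As an added example, not part of Chris's post: once a script like the one above has run, the quickest way to confirm it did what it claims is to dump the live ruleset with iptables-save and check the invariants that matter (all three filter policies DROP, MASQUERADE only on the ppp link, INPUT and FORWARD funnelled through the block chain, that chain ending in DROP, and nothing explicitly accepted on ppp+). The audit below does that on a constructed iptables-save dump of what the script produces, plus a deliberately weakened copy, so it runs offline without root; ppp+ as the outside interface is taken from the script, everything else (the dump text, the function names) is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump for
# the invariants the masquerading script is supposed to establish.
# On a real firewall run it as root with RULES=$(iptables-save); here a
# constructed dump is embedded so the check works offline.

# Constructed sample: what iptables-save prints after the script has run.
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:block - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j block
-A FORWARD -j block
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block ! -i ppp+ -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT'

# Constructed counter-example: the FORWARD policy was never set and someone
# opened a web server to the world by inserting a rule ahead of the block jump.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | awk '
    /^:FORWARD DROP/ { sub(/DROP/, "ACCEPT") }
    /^-A INPUT -j block$/ { print "-A INPUT -i ppp+ -p tcp -m tcp --dport 80 -j ACCEPT" }
    { print }')

# table NAME DUMP: print only the lines belonging to *NAME (filter or nat).
table() {
    printf '%s\n' "$2" | awk -v want="*$1" '/^\*/ { t = $0 } t == want'
}

# chain_policy CHAIN DUMP: default policy of a filter chain, e.g. DROP.
chain_policy() {
    table filter "$2" | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# exposed_input_rules DUMP: INPUT ACCEPT rules that sit before the jump to
# block and are not restricted to an inside interface, i.e. what the outside
# world can reach on the firewall itself.
exposed_input_rules() {
    table filter "$1" | awk '
        /^-A INPUT -j block$/ { exit }
        /^-A INPUT / && /-j ACCEPT$/ && index($0, "! -i ppp+") == 0 { print }'
}

# audit_ruleset DUMP: print one FAIL line per violated invariant and return 1
# if any failed; exposed services are listed but not failed, since ssh and
# ping are intentional in the script.
audit_ruleset() {
    dump=$1; rc=0
    for chain in INPUT FORWARD OUTPUT; do
        [ "$(chain_policy "$chain" "$dump")" = DROP ] \
            || { echo "FAIL: $chain policy is not DROP"; rc=1; }
    done
    table nat "$dump" | grep -q '^-A POSTROUTING -o ppp+ -j MASQUERADE$' \
        || { echo "FAIL: no MASQUERADE rule on ppp+"; rc=1; }
    for chain in INPUT FORWARD; do
        table filter "$dump" | grep -q "^-A $chain -j block$" \
            || { echo "FAIL: $chain does not jump to block"; rc=1; }
    done
    [ "$(table filter "$dump" | grep '^-A block ' | tail -n 1)" = '-A block -j DROP' ] \
        || { echo "FAIL: block chain does not end in DROP"; rc=1; }
    # Any rule that matches the outside interface positively and ACCEPTs is a hole.
    if table filter "$dump" | grep -v '! -i ppp+' | grep -- '-i ppp+' | grep -q -- '-j ACCEPT$'; then
        echo "FAIL: a rule accepts traffic arriving on ppp+"; rc=1
    fi
    exposed_input_rules "$dump" | sed 's/^/exposed: /'
    return $rc
}

echo "== ruleset from the script =="; audit_ruleset "$GOOD_RULES" && echo "OK"
echo "== weakened ruleset =="; audit_ruleset "$BAD_RULES" || echo "REJECTED"
```

On the live box, `audit_ruleset "$(iptables-save)"` after running /etc/init.d/masquerade should print only the two exposed lines (ssh and echo-request) and exit 0; a FAIL line means the script did not apply cleanly or something was added by hand afterwards.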
