iptables
Labitt, Bruce
labittb1 at tycoelectronics.com
Mon Sep 22 15:56:48 EDT 2008
Thanks Ben.
Now I have some more reading to do :) . I will go through the list below
to make sure there aren't any stupid bugs (tm). I do have a firewall on
the corporate side AND obviously, corporate has their own. I've been
warned...
If I already have an iptables file, how do I go about editing it? Is
there some special way to do this, similar to visudo?
Or just $ sudo favorite-editor iptables?
-Bruce
back to your previously scheduled Comcast discussions ;)
-----Original Message-----
From: gnhlug-discuss-bounces at mail.gnhlug.org
[mailto:gnhlug-discuss-bounces at mail.gnhlug.org] On Behalf Of Ben Scott
Sent: Monday, September 22, 2008 2:45 PM
To: Greater NH Linux User Group
Subject: Re: iptables
On Mon, Sep 22, 2008 at 11:27 AM, Labitt, Bruce
<labittb1 at tycoelectronics.com> wrote:
>> Are you still running Sci Linux 5, or have
>> you changed to something else by now?
>
> Not yet.
Okay, I think RHEL/CentOS/SL have a GUI for this, but I think the
following should work for you, if run as root:
# turn on IP tables service
service iptables start
chkconfig iptables on
# let the kernel forward packets between interfaces; without this the
# FORWARD rules below never see any traffic (set net.ipv4.ip_forward = 1
# in /etc/sysctl.conf to make it survive a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
# clear all existing rules and chains in both "nat" and "filter" tables
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
# allow all traffic to/from this host
iptables -t filter -A INPUT -j ACCEPT
iptables -t filter -A OUTPUT -j ACCEPT
# masquerade traffic from lab to corporate (POSTROUTING runs after
# routing, so it has no input interface: -i is rejected there, only -o
# is valid; restrict by source address with -s if you need to)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# allow traffic from lab to corporate
iptables -t filter -A FORWARD -i eth0 -o eth1 -j ACCEPT
# use connection tracking to let replies to masqueraded traffic back in
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# save for use in future (writes /etc/sysconfig/iptables)
service iptables save
That assumes eth0 is your local/lab network, and eth1 is your
corporate/upstream network.
I haven't tested the above. Stupid bugs may be present. :)
The above has absolutely no access control -- this assumes you
already have a firewall somewhere, protecting you. If you use the
above config on a public network connection, you're a sitting duck.
You have been warned.
-- Ben
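There is no visudo-style syntax check for a hand-edited /etc/sysconfig/iptables, so here is a small lint, added as an example and not code from the thread, that reads an iptables-save style file and flags two mistakes that are easy to make when copying rules like the ones above into it: an input-interface match (-i) in a chain that has no input interface (POSTROUTING, OUTPUT), and a one-way FORWARD ACCEPT under a DROP policy with no ESTABLISHED,RELATED rule for the return traffic. The sample file is constructed; the interface names eth0/eth1 are the ones assumed in the thread.

```python
import shlex

# Constructed sample in iptables-save format, as a hand-edited
# /etc/sysconfig/iptables might look after pasting in the list's rules.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -i eth0 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
"""

NO_IN_IFACE = {"POSTROUTING", "OUTPUT"}   # after routing: no -i possible
NO_OUT_IFACE = {"PREROUTING", "INPUT"}    # before routing: no -o possible

def lint_rules(text):
    # Returns a list of (table, chain, message) findings.
    findings, table, policy = [], None, {}
    fwd_accept = fwd_state = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":                  # table header, e.g. *nat
            table = line[1:]
            continue
        if line[0] == ":":                  # chain policy, e.g. :FORWARD DROP [0:0]
            name, pol = line[1:].split()[:2]
            policy[(table, name)] = pol
            continue
        args = shlex.split(line)
        if "-A" not in args:
            continue
        chain = args[args.index("-A") + 1]
        if "-i" in args and chain in NO_IN_IFACE:
            findings.append((table, chain, "-i is rejected here; use -o or -s"))
        if "-o" in args and chain in NO_OUT_IFACE:
            findings.append((table, chain, "-o is rejected here"))
        if (table, chain) == ("filter", "FORWARD"):
            if "--state" in args or "--ctstate" in args:
                fwd_state = True
            elif "-j" in args and args[args.index("-j") + 1] == "ACCEPT":
                fwd_accept = True
    if fwd_accept and not fwd_state and policy.get(("filter", "FORWARD")) != "ACCEPT":
        findings.append(("filter", "FORWARD", "no ESTABLISHED,RELATED rule; replies will be dropped"))
    return findings
```

Newer iptables releases can also parse a saved file without committing it via iptables-restore --test, which catches the chain/interface errors but not the missing conntrack rule.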
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss at mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/