iptables

Labitt, Bruce labittb1 at tycoelectronics.com
Mon Sep 22 15:56:48 EDT 2008


Thanks, Ben.  

Now I have some more reading to do :) .  I will go through the list below
to make sure there aren't any stupid bugs (tm).  I do have a firewall on
the corporate side AND obviously, corporate has their own.  I've been
warned...

If I already have an iptables file, how do I go about editing it?  Is
there some special way to do this, similar to visudo?  
Or just $ sudo favorite-editor iptables?

-Bruce

back to your previously scheduled Comcast discussions ;)

-----Original Message-----
From: gnhlug-discuss-bounces at mail.gnhlug.org
[mailto:gnhlug-discuss-bounces at mail.gnhlug.org] On Behalf Of Ben Scott
Sent: Monday, September 22, 2008 2:45 PM
To: Greater NH Linux User Group
Subject: Re: iptables

On Mon, Sep 22, 2008 at 11:27 AM, Labitt, Bruce
<labittb1 at tycoelectronics.com> wrote:
>> Are you still running Sci Linux 5, or have
>> you changed to something else by now?
>
> Not yet.

  Okay, I think RHEL/CentOS/SL have a GUI for this, but I think the
following should work for you, if run as root:

	# turn on IP tables service
	service iptables start
	chkconfig iptables on
	# let the kernel route between the two interfaces; without this the
	# FORWARD/MASQUERADE rules below never see any packets
	# (put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it across reboots)
	sysctl -w net.ipv4.ip_forward=1
	# clear all existing rules and chains in both "nat" and "filter" tables
	iptables -t filter -F
	iptables -t filter -X
	iptables -t nat -F
	iptables -t nat -X
	# allow all traffic to/from this host
	iptables -t filter -A INPUT -j ACCEPT
	iptables -t filter -A OUTPUT -j ACCEPT
	# masquerade traffic from lab to corporate
	# (POSTROUTING only knows the outgoing interface; iptables rejects -i here)
	iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
	# allow traffic from lab to corporate
	iptables -t filter -A FORWARD -i eth0 -o eth1 -j ACCEPT
	# use connection tracking to let the replies to masqueraded traffic back in
	iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	# save for use in future (writes /etc/sysconfig/iptables on RHEL/CentOS/SL)
	service iptables save

  That assumes eth0 is your local/lab network, and eth1 is your
corporate/upstream network.

  I haven't tested the above.  Stupid bugs may be present. :)

  The above has absolutely no access control -- this assumes you
already have a firewall somewhere, protecting you.  If you use the
above config on a public network connection, you're a sitting duck.
You have been warned.

-- Ben
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss at mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
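Added example, not code from the thread and not Ben's or Bruce's: the same lab-to-corporate NAT setup built as an iptables-save style file and loaded with iptables-restore. That is also the closest thing to a visudo-style workflow for the "I already have an iptables file" question: `service iptables save` on RHEL/CentOS/SL writes /etc/sysconfig/iptables in exactly this format, and iptables-restore parses the whole file first and only replaces a table at its COMMIT line, so a typo leaves the old rules in place instead of half of a new set. The `check_rules` lint is my own addition and only catches one class of mistake (an interface match a chain cannot have, the bug in the original POSTROUTING rule); newer iptables-restore builds also have a `--test` option that parses without committing, which is worth using where it exists. Interface names eth0/eth1, the lab subnet 192.168.1.0/24 and the `service iptables save` persistence step are assumptions; the MASQUERADE rule additionally matches on the lab source subnet, which the thread's rule did not.

```shell
#!/bin/sh
# Added example, not code from the thread: build the lab-to-corporate NAT
# ruleset in iptables-save format, lint it, and load it in one transaction
# with iptables-restore. Interface names, the lab subnet and the RHEL/SL-style
# "service iptables save" persistence are assumptions; adjust to taste.
set -u

# gen_rules LAN_IF WAN_IF LAN_NET
# Prints the ruleset. Same wide-open policy as the thread's script (no access
# control at all), but the MASQUERADE rule matches on source subnet and -o
# only, because POSTROUTING has no input interface and iptables rejects -i there.
gen_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# check_rules < ruleset
# Returns 0 if clean, 1 if a line uses a match its chain cannot have:
# -i in POSTROUTING, or -o in PREROUTING/INPUT. (A hypothetical lint of my own;
# it only catches this one class of mistake, not syntax errors in general.)
check_rules() {
    bad=0
    while IFS= read -r line; do
        case $line in
            "-A POSTROUTING "*"-i "*)
                echo "check_rules: -i is not valid in POSTROUTING: $line" >&2; bad=1 ;;
            "-A PREROUTING "*"-o "*|"-A INPUT "*"-o "*)
                echo "check_rules: -o is not valid in PREROUTING/INPUT: $line" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# apply_rules LAN_IF WAN_IF LAN_NET
# Enables routing, lints, then replaces the nat and filter tables: iptables-restore
# flushes each table named in its input and swaps in the new rules at COMMIT, so a
# parse error leaves the old rules in place. Finally persists them RHEL/SL style.
apply_rules() {
    rules=$(gen_rules "$@")
    printf '%s\n' "$rules" | check_rules || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    printf '%s\n' "$rules" | iptables-restore || return 1
    service iptables save
}

# Only touch the live firewall when invoked as root with "apply".
if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    apply_rules "${LAN_IF:-eth0}" "${WAN_IF:-eth1}" "${LAN_NET:-192.168.1.0/24}"
fi
```

Saved as, say, nat-gw.sh, `sh nat-gw.sh` just defines the functions (handy for `gen_rules eth0 eth1 10.1.0.0/16 > /tmp/rules` followed by a diff against /etc/sysconfig/iptables), while `sudo sh nat-gw.sh apply` or `LAN_NET=10.1.0.0/16 sudo -E sh nat-gw.sh apply` lints and loads. To hand-edit an existing /etc/sysconfig/iptables instead, the same pattern applies: edit a copy, run it through `check_rules` (and `iptables-restore --test` where available), then `iptables-restore < copy` and `service iptables save`.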