iptables, masquerading & forwarding
Hi,

I am going to set up my own firewall script on my SuSE 7.3 box using iptables in order to get familiar with iptables. I have two NICs set up:

eth0: 192.168.0.0/24, connected to my private LAN, with 192.168.0.250 assigned to eth0
eth1: 192.168.1.0/24, connected to my DSL modem, with 192.168.1.250 assigned to eth1

At the beginning I would like to achieve the following:

1. blocking all incoming requests to ports 0-1023
2. masquerading, so all clients on my network can talk to the net via eth1

The first point can be done with

    iptables -A INPUT -p tcp --dport 1:1023 -j DROP

the second with

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE

right?

What I don't understand is how to "route" packets between eth0 & eth1, so packets from/to the internet are routed via eth1 *WITHOUT* bypassing my firewall. Is "echo 1 > /proc/sys/net/ipv4/ip_forward" the right choice?

Regards,
Jens
Jens Georg wrote (on 23 Jan 2002 at 10:25):
> At the beginning I would like to achieve the following:
>
> 1. blocking all incoming requests to ports 0-1023
> 2. masquerading, so all clients on my network can talk to the net via eth1
>
> The first point can be done with
>
>     iptables -A INPUT -p tcp --dport 1:1023 -j DROP
>
> the second with
>
>     iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
>
> right?
Almost! You want to make sure internal traffic is not masqueraded, so you want your MASQ rule to trigger on the output interface:

    iptables -t nat -I POSTROUTING -o ppp+ -j MASQUERADE
> What I don't understand is how to "route" packets between eth0 & eth1, so packets from/to the internet are routed via eth1 *WITHOUT* bypassing my firewall. Is "echo 1 > /proc/sys/net/ipv4/ip_forward" the right choice?
    iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
    iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT

Or change the -I to -A and wedge these in where you want them.

--
-- Tony Crawford -- tc@crawfords.de -- +49-3341-30 99 99 --
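The pieces from both posts, put together as an added example that is not part of either message. Enabling ip_forward is what makes the box route at all; routed packets never touch INPUT or OUTPUT but always traverse the FORWARD chain, so the firewall is not bypassed as long as FORWARD has a DROP policy and only the wanted directions are accepted. The script goes one step beyond Tony's two FORWARD rules: Internet-to-LAN traffic is only accepted as replies to connections the LAN opened (ESTABLISHED,RELATED), which is the usual practice on a masquerading gateway. It assumes eth1 is the uplink interface, as in Jens's setup; if the box itself dials the DSL line with PPPoE, set WAN_IF=ppp0 (Tony's ppp+ match). Interface and network names are taken from the thread, everything else is the example's own. The ruleset is emitted in iptables-restore format so it can be inspected before it is loaded.

```shell
#!/bin/sh
# gateway.sh - added example, not code from the thread.
# Generates (and optionally applies) a ruleset for a two-NIC masquerading gateway.
# Inspect with:  sh gateway.sh | less      (prints nothing when sourced)
# Apply as root: . ./gateway.sh && apply_ruleset

LAN_IF="${LAN_IF:-eth0}"               # private LAN side (Jens: eth0, 192.168.0.250)
WAN_IF="${WAN_IF:-eth1}"               # towards the DSL modem; ppp0 if the box runs PPPoE
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # the only source we masquerade

# Print the complete ruleset in iptables-restore syntax.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the gateway itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# hosts on the LAN may talk to the gateway
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# from the uplink, explicitly drop the privileged ports (policy drops the rest)
-A INPUT -i $WAN_IF -p tcp --dport 1:1023 -j DROP
-A INPUT -i $WAN_IF -p udp --dport 1:1023 -j DROP
# forwarding: LAN -> Internet freely, Internet -> LAN only as replies
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# match on the output interface so LAN <-> gateway traffic is never masqueraded
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Count rules in the generated set (lines starting with -A); handy for sanity checks.
rule_count() {
    gen_ruleset | grep -c '^-A '
}

# Turn on routing between the interfaces; without this nothing is forwarded at all.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Load the ruleset atomically, then enable forwarding (so no packet is routed unfiltered).
apply_ruleset() {
    gen_ruleset | iptables-restore && enable_forwarding
}

# Executed directly (not sourced): print the ruleset for review.
case "$0" in
    *gateway.sh) gen_ruleset ;;
esac
```

Loading the rules before flipping ip_forward matters: the other order opens a short window in which the box forwards everything with empty chains. After applying, `iptables -L FORWARD -v -n` and `cat /proc/sys/net/ipv4/ip_forward` confirm both halves are in place.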