Gentoo Forums
Making a firewall/router... help!
Forum: Networking & Security (all times are GMT)
aNtHrAx323
n00b
Joined: 03 Dec 2002
Posts: 48
Location: San Antonio, TX
Posted: Mon May 05, 2003 10:37 pm    Post subject: Making a firewall/router... help!

I finally finished emerging Gentoo on my router (P3 500, Intel 440BX chipset, two 3Com 3C905 NICs), and have both interfaces set up properly (eth0 being the local network with static IP 192.168.0.1, eth1 being the Internet with a dynamic IP). Now, I've emerged iptables, and compiled every networking option I could think of that would be necessary (namely under Netfilter Configuration) directly into the kernel.

What's the best way to go about setting up a flexible router/firewall? At the moment, all I need is for NAT to work (so my computers can get on the 'net). Also, information regarding configuring DHCP would be useful (I emerged DHCP, but for some reason, there's no /etc/init.d/dhcpd, just /etc/init.d/dhcp... is this the same thing?). Here's the command I just used to get this to work for right now:
Code:
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source [IP obtained via DHCP]

Is there anything wrong with this command, other than the fact that it's tailored specifically for my current IP? Please guide me in the right direction... And, if it's not too much to ask, try to explain a little of the logic involved in using the IPTABLES command. Thanks so, so much in advance!
_________________
-Campbell "aNtHrAx323" Krueger
http://www.flargen.com/
http://www.h2overclocking.com/
christsong84
Veteran
Joined: 06 Apr 2003
Posts: 1003
Location: GMT-8 (Spokane)
Posted: Mon May 05, 2003 11:10 pm

I use shorewall and webmin set up so that only localhost can access it (or a specified IP). It was the easiest way for me to set one up... I did a security scan with nessus and some other tools and I'm quite happy with the security. NAT is easy following the directions on http://shorewall.sourceforge.net

I've heard that some people don't like shorewall all that much but it's a way to get started and get up and running for me at least.

*hides behind flame shield*
aNtHrAx323
n00b
Joined: 03 Dec 2002
Posts: 48
Location: San Antonio, TX
Posted: Mon May 05, 2003 11:59 pm

Thanks for the tip. However, I'd like to avoid software packages like that... Not only because of how much of a neat freak I am, but also because I'd like to learn a few things about iptables so I can apply my knowledge in other ways in the future (should those situations happen to present themselves).

Still up for tips using the iptables command :)
Qubax
Guru
Joined: 19 Jul 2002
Posts: 451
Location: Tirol, Austria
Posted: Tue May 06, 2003 8:36 am

you may have a look at http://projectfiles.com/firewall thats a firewall script using iptables
aNtHrAx323
n00b
Joined: 03 Dec 2002
Posts: 48
Location: San Antonio, TX
Posted: Tue May 06, 2003 4:11 pm

Thanks man. Does anyone know of any good tutorials, though? I'd like to actually learn what's behind iptables, if at all possible.
aNtHrAx323
n00b
Joined: 03 Dec 2002
Posts: 48
Location: San Antonio, TX
Posted: Tue May 06, 2003 4:37 pm

Oh yeah... And where does Gentoo look for startup scripts? Is it /etc/rc.d, or something else? I need to know where to put the rc.firewall file... Also, for my own references :)
grooveman
Veteran
Joined: 24 Feb 2003
Posts: 1217
Posted: Tue May 06, 2003 4:55 pm

I should think that /etc/init.d would be the most appropriate place for your rc.firewall. That is where gentoo stores its init scripts, and then links from there with rc-update.

BTW, I found Oskar Andreasson's tutorial tremendously helpful. You can find it here:
http://iptables-tutorial.frozentux.net/


Good luck with your project!


Chris
_________________
To look without without looking within is like looking without without looking at all.
splooge
l33t
Joined: 30 Aug 2002
Posts: 636
Posted: Tue May 06, 2003 5:52 pm

I remember when learning iptables and it just 'clicked' like a light switch. It's very readable when you think about it, almost like spoken english:

We'll use your little one liner as an example:

iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source [IP obtained via DHCP]

Can be read like this:

hey iptables, in the nat table, add a rule to the postrouting chain saying that anything that matches source address 192.168.0.0 and is going out eth1, it's the router's -job (or is it -jump?) to source nat it with this IP address.

iptables [optional table] [add/delete] [chain] [match criteria] [job]

iptables -A INPUT -s 10.1.1.1 -j DROP

Would add a rule to the input chain that anything matching source address 10.1.1.1 should be dropped.

Likewise we could add more info to the match criteria:

iptables -A INPUT -s 10.1.1.1 -i eth0 -j DROP

Would add a rule to the input chain that anything matching source address arriving on eth0 should be dropped.

Going further:

iptables -A INPUT -s 10.1.1.1 -d 216.239.53.99 -i eth0 -j DROP

Would add a rule to the input chain that anything matching source address 10.1.1.1 going to destination 216.239.53.99 (google) arriving on eth0 should be dropped.

This starting to make sense? ;p

Also for your firewall script... since you're getting a DHCPd address it's recommended you use MASQUERADE instead of SNAT:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
_________________
http://get.a.clue.de
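Putting the original question and splooge's reading of the rule syntax together, here is an added example (not code from the thread or from any poster): a complete ruleset for the layout aNtHrAx323 described, with eth0 the LAN (192.168.0.0/24, router at 192.168.0.1) and eth1 the WAN holding a DHCP lease. It uses MASQUERADE in place of SNAT --to-source, as splooge suggests, so nothing has to be rewritten when the lease changes, and adds what the NAT one-liner leaves out: DROP policies on INPUT and FORWARD, ESTABLISHED,RELATED matching so only replies come back in, an anti-spoofing rule on the WAN side, and rate-limited logging of what gets dropped. The interface names, the network and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not code from the thread): a stateful NAT router ruleset for
# the layout in the original post. Assumptions: eth0 is the LAN side
# (192.168.0.0/24, router at 192.168.0.1), eth1 is the WAN side with a
# DHCP-assigned address; DRY_RUN=1 prints the rules instead of loading them.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# ipt: run iptables, or in dry-run mode just print the command.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# load_rules: flush everything and install the ruleset from scratch, so the
# script can be re-run without accumulating duplicate rules.
load_rules() {
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X
    ipt -t mangle -F

    # Default-deny for traffic to and through the router; the router's own
    # outbound traffic is allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and replies to connections the router itself opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets claiming a LAN source must never arrive on eth1.
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Services the router offers to the LAN only: ssh and the DHCP server.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    # The router's own DHCP client needs the ISP's replies on the WAN side.
    ipt -A INPUT -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT

    # Forwarding: LAN hosts out to the Internet, and only reply traffic back.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log (rate-limited) what the DROP policies are about to discard.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "

    # MASQUERADE rather than SNAT --to-source: it reads eth1's current address
    # for every packet, so a new DHCP lease needs no rule change.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Finally turn on routing between the interfaces.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Usage: DRY_RUN=1 ./rc.firewall start  (review)   ./rc.firewall start  (load, as root)
if [ "${1:-}" = start ]; then
    load_rules
fi
```

With DRY_RUN=1 the script only prints the rules, so the ruleset can be read through (or compared with iptables-save output) before it touches the kernel. On Gentoo, scripts in /etc/init.d are runscripts (#!/sbin/runscript) that define start() and stop(); to have this load at boot, call load_rules from a start() function in such a script rather than dropping a plain bash file into the directory, and register it with rc-update add <name> default.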
aNtHrAx323
n00b
Joined: 03 Dec 2002
Posts: 48
Location: San Antonio, TX
Posted: Tue May 06, 2003 9:56 pm

splooge wrote:
Also for your firewall script... since you're getting a DHCPd address it's recommended you use MASQUERADE instead of SNAT:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Thanks for the help, guys. However, splooge... I tried using the MASQUERADE command first (almost that exact line you typed there), but it didn't work. Upon closer inspection, I realized I don't have a /proc/net/ip_masquerade file, despite specifying every possible option under netfilter config (while configuring my kernel). I'm using vanilla-sources, and actually saw no mention of masquerading anywhere (just one option under netfilter that said "MASQ" in it, can't remember it all). Should I try using gentoo-sources? I remember seeing it in there...
geek
n00b
Joined: 23 Nov 2002
Posts: 51
Location: Ellendale, ND
Posted: Thu Sep 18, 2003 2:03 pm

Here's a tutorial that I found very helpful with iptables. It's by Gentoo president Daniel Robbins. Free registration is required. Hope it helps.

http://www-106.ibm.com/developerworks/edu/l-dw-linuxfw-i.html
dontgetit
n00b
Joined: 18 Dec 2003
Posts: 1
Posted: Thu Dec 18, 2003 5:57 pm

I have the same problem.
I can get my gentoo router up with NAT; my router script looks like this:

#!/bin/bash

ext_ip=**.***.***.***
iptables=/sbin/iptables

# Flush the filter table and the nat table, so re-running the script
# does not append a second POSTROUTING rule.
$iptables -F
$iptables -t nat -F
$iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $ext_ip
echo 1 > /proc/sys/net/ipv4/ip_forward

But when I try to get my router up with masquerade it fails; I can't give a rule like this:

$iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I don't have ip_masquerade in /proc/net/, and I don't know how to get it there.

Thanks...
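The missing file that both aNtHrAx323 and dontgetit went looking for is a red herring: /proc/net/ip_masquerade is the interface of the 2.2 kernel's ipchains-era masquerading code, and a 2.4 netfilter kernel never creates it. Under netfilter, MASQUERADE is an ordinary iptables target (kernel option CONFIG_IP_NF_TARGET_MASQUERADE, module ipt_MASQUERADE), and "iptables: No chain/target/match by that name" is what iptables prints when that target is not registered. The check below is an added example, not from the thread: it reads the list of registered targets that netfilter exposes in /proc/net/ip_tables_targets. The TARGETS_FILE override is an assumption made so the functions can be exercised against a constructed file instead of the live kernel.

```shell
#!/bin/bash
# Added example, not from the thread. On a 2.4 netfilter kernel there is no
# /proc/net/ip_masquerade (that file belongs to the 2.2 ipchains masquerading
# code). The MASQUERADE target is registered, like every other target, in
# /proc/net/ip_tables_targets once it is built in or its module is loaded.

# TARGETS_FILE is an assumption for this example: it lets the check run
# against a constructed file instead of the live kernel.
TARGETS_FILE="${TARGETS_FILE:-/proc/net/ip_tables_targets}"

# has_target NAME: succeed if the netfilter target NAME is registered.
has_target() {
    [ -r "$TARGETS_FILE" ] && grep -qx -- "$1" "$TARGETS_FILE"
}

# check_nat_targets: report which NAT targets the kernel can use right now.
# Prints one line per target; returns 1 if MASQUERADE is unavailable or the
# kernel has no iptables support at all.
check_nat_targets() {
    local rc=0 t
    if [ ! -r "$TARGETS_FILE" ]; then
        echo "$TARGETS_FILE not found: no netfilter/iptables support in this kernel"
        return 1
    fi
    for t in MASQUERADE SNAT DNAT REDIRECT; do
        if has_target "$t"; then
            echo "$t: available"
        else
            echo "$t: not registered"
            if [ "$t" = MASQUERADE ]; then
                rc=1
            fi
        fi
    done
    if [ "$rc" -ne 0 ]; then
        echo "MASQUERADE needs CONFIG_IP_NF_TARGET_MASQUERADE; if built as a module, try: modprobe ipt_MASQUERADE"
    fi
    return "$rc"
}
```

Run check_nat_targets as root on the router before loading a ruleset; a kernel that lists SNAT and DNAT but not MASQUERADE has CONFIG_IP_NF_NAT but lacks the MASQUERADE target option, which is exactly the combination that makes the SNAT script above work while the MASQUERADE rule is refused.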