Iptables
From Wsms
Iptables is the built-in firewall/netfilter functionality of current linux systems.
simple usage
Get rid of the current rules:

iptables --flush

--flush (short form -F) only empties the chains of the filter table; the nat and mangle tables keep their rules until you run iptables -t nat -F and iptables -t mangle -F. It also leaves the chain policies untouched, so if INPUT has a DROP policy you end up with an empty chain that drops everything, which over an ssh session means you have locked yourself out. Set the policies back to ACCEPT first, or do this from the console.
make your notebook act as a wireless bridge/gateway
Modify this script to reflect the names of your notebook's wired and wireless adapters (probably eth0 and eth1; the script as written uses eth1 for the wired LAN side and eth3 for the wireless WAN side), then execute it as root. Despite the heading, this is routing with NAT (masquerading), not a layer-2 bridge: the wired client gets a private address and its traffic appears on the wireless network as coming from your notebook, which is also why the INPUT and FORWARD chains below get a DROP policy and only locally initiated sessions are let back in.
#!/bin/sh
##GGG 20080908
##Adapted from Linux Network Cookbook, page 52
#iptables firewall script for sharing
#broadband Internet, with no public services
#This is for when your wireless works, but your friend's does not.
#At Panera (or sdcoe or home; this doesn't work at the San Diego City Library because they filter NAT'ed packets)
# connect to the wireless in the usual way from the working laptop.
#The wireless interface will be the WAN_IFACE.
#Set up the wired ethernet adapter with a static IP such as 192.168.0.1, netmask 255.255.255.0, gateway 0.0.0.0
#When both interfaces are up, you see something like this:
# ggeller@roosevelt:~$ route -n
# Kernel IP routing table
# Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
# 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
# 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
# 0.0.0.0         192.168.2.1     0.0.0.0         UG    100    0        0 eth3
# In this case, the working notebook is accessing the wireless on eth3 and the wired ethernet is on eth1.
#Connect the working laptop to the non-working one with a crossover cable or through a hub.
#Set the non-working laptop's ethernet adapter, probably eth0, to a static IP such as 192.168.0.2, netmask 255.255.255.0,
# gateway 192.168.0.1, and specify a DNS server manually.

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth1"
WAN_IFACE="eth3"

#basic set of kernel modules
#(these are the 2.6-era names; on current kernels they are called nf_conntrack,
# nf_conntrack_ftp, xt_state, etc., and iptables loads what it needs by itself,
# so a "module not found" from modprobe here is harmless)
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE
#add these for IRC and FTP (connection-tracking helpers for multi-connection protocols)
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#Set default policies: nothing comes in or through unless a rule below allows it
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#make sure that ip_forwarding is turned on
#(done after the DROP policies are in place so there is no moment in which the
# box forwards with an empty, accept-everything FORWARD chain; this setting
# does not survive a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

#Enable IP masquerading (source NAT to whatever address the WAN interface has;
# use SNAT instead if the WAN address is static)
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

#Reject connection attempts not initiated from inside the LAN
#(redundant with the INPUT DROP policy, but keeps new TCP connections out
# even if somebody later sets the policy back to ACCEPT)
$ipt -A INPUT -p tcp --syn -j DROP
port forwarding
You can use iptables to forward ports with the DNAT target. See Linux Server Hacks, page 94. $INT_IFACE stands for the internal (LAN) interface, so "! -i $INT_IFACE" matches packets that arrive on any other interface, i.e. from the outside:

# Use DNAT to port forward http
iptables -t nat -A PREROUTING ! -i $INT_IFACE -p tcp --destination-port 80 -j DNAT --to 10.0.0.3:80

DNAT only rewrites the destination address in the nat table; the translated packet then has to pass the FORWARD chain like any other. With a DROP policy on FORWARD, as in the gateway script above, you also need a FORWARD rule that accepts tcp to 10.0.0.3 port 80 coming in on the outside interface, otherwise the forwarded connections are silently dropped and the only symptom is a timeout on the client.
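The following helper is an added example, not from the wiki page or from Linux Server Hacks. It generates the DNAT rule above together with the matching FORWARD rule that the DROP forward policy in the gateway script requires, validates the address and port before touching the firewall, and can be dry-run without root. The interface names (eth3) and the destination 10.0.0.3 are assumptions for illustration.

```shell
#!/bin/sh
# Port-forwarding helper (added example, not the page's own code).
# DRY_RUN=1 (the default) prints the iptables commands instead of running
# them, so the rules can be inspected or tested without root.

DRY_RUN="${DRY_RUN:-1}"

# Run one iptables command, or print it in dry-run mode.
apply_rule() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Accept a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Accept a TCP/UDP port number in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_port WAN_IFACE PROTO PUBLIC_PORT DEST_IP [DEST_PORT]
# Rewrites packets arriving on WAN_IFACE for PUBLIC_PORT to DEST_IP:DEST_PORT
# and lets the rewritten packets through the FORWARD chain. Only new
# connections from the WAN side are accepted here; the reply direction is
# covered by the gateway script's ESTABLISHED,RELATED rule.
forward_port() {
  wan="$1"; proto="$2"; port="$3"; dest="$4"; dport="${5:-$3}"
  case "$proto" in
    tcp|udp) ;;
    *) echo "forward_port: protocol must be tcp or udp, got '$proto'" >&2; return 2 ;;
  esac
  if ! valid_port "$port" || ! valid_port "$dport"; then
    echo "forward_port: bad port '$port' or '$dport'" >&2; return 2
  fi
  if ! valid_ipv4 "$dest"; then
    echo "forward_port: bad destination address '$dest'" >&2; return 2
  fi
  # Match the WAN interface explicitly rather than "! -i $INT_IFACE", so that
  # packets from lo or from an extra interface added later are not rewritten.
  apply_rule -t nat -A PREROUTING -i "$wan" -p "$proto" --dport "$port" \
    -j DNAT --to-destination "$dest:$dport" || return 1
  # DNAT happens before routing, so the FORWARD rule must match the
  # post-translation destination address and port.
  apply_rule -A FORWARD -i "$wan" -p "$proto" -d "$dest" --dport "$dport" \
    -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT || return 1
}

# Example: expose a web server at 10.0.0.3 on the wireless (WAN) interface
# eth3 used by the gateway script above. Assumed values for illustration.
forward_port eth3 tcp 80 10.0.0.3
```

Run it as is to see the two rules it would add; run it with DRY_RUN=0 as root to install them. The FORWARD rule is placed with -A, so on the gateway script it lands after the existing state rules, which is fine because those rules never match a NEW packet coming in on the WAN interface.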
See also
20061108
Shorewall
Eola
http://www.linuxjournal.com/article/5660 Netfilter 2: in the POM of Your Hands
http://iptables-tutorial.frozentux.net/iptables-tutorial.html Iptables Tutorial 1.2.2
