Linux ipmasq and firewall
Posted on 2004-09-08
Here is my sample of rc.ipmasq
#!/bin/sh
#Path to the iptables binary (this line is not in the original post; /sbin/iptables is the usual location)
IPTABLES=/sbin/iptables
#All the lines below are NAT routing
# flush any old rules in the nat table
$IPTABLES -F -t nat
# turn on NAT (IP masquerading for outgoing packets on the external interface)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward
And here is my sample of rc.firewall
#!/bin/sh
#Change the part after the = to where IPTABLES is on your system
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
#This allows all data that has been sent out from the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#are using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
#Allow incoming FTP requests
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
#Allow incoming SSH requests
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#Allow incoming HTTP requests (to Web server)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT
#Drop and log all other data
#The logging is rate limited: after an initial burst of 5 entries, at most
#3 dropped packets per second are logged and the rest are dropped silently.
#This helps to prevent a DOS attack filling the log and
#crashing the computer the firewall is running on
#("! -i lo" is the negation form current iptables accepts without a warning)
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 ! -i lo -j LOG
$IPTABLES -A INPUT ! -i lo -j DROP
#The logs from the firewall are put into your system log file, which can be found at
#/var/log/syslog
I have 3 NICs. eth0 is connected to my modem using a static IP.
I'm getting confused...
1) rc.ipmasq is to share the internet from eth0 to eth1 and eth2... [is this correct?]
2) Is my rc.firewall secure? Am I doing the correct thing? Is the port forwarding good?...
I have an FTP server running on my Linux router itself for now. What if I want to make another PC act as the FTP server, connected to eth1? Is my rc.firewall script correct then? Every FTP connection request from outside has to be directed to my eth1 and on to the FTP server PC.
external FTP request -> [eth0] Linux router -> [eth1] direct to the PC which is only linked to eth1, or to the PC's IP
external www request -> [eth0] Linux router -> [eth2] direct to the PC which is only linked to eth2, or to the PC's IP
Please I need help.
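The forwarding sketched in the two arrow lines above (external FTP to a host behind eth1, external www to a host behind eth2) is a DNAT job, and neither posted script touches the FORWARD chain, so with ip_forward on, everything the router sees is routed between interfaces by default. The script below is an added example, not part of the original post, that does the DNAT and locks FORWARD down to those two services; the 192.168.x.10 addresses and the rc script name are constructed placeholders.

```shell
#!/bin/sh
# Added example: DNAT port forwarding through the router plus a default-deny
# FORWARD chain. Addresses are constructed placeholders; change them to yours.
WAN_IF=eth0
FTP_IF=eth1; FTP_HOST=192.168.1.10    # placeholder: FTP server behind eth1
WWW_IF=eth2; WWW_HOST=192.168.2.10    # placeholder: web server behind eth2
IPTABLES=${IPTABLES:-/sbin/iptables}

# Emit the rule set one argument list per line without running anything,
# so it can be read or diffed before it is applied.
fw_rules() {
    cat <<EOF
-t nat -A PREROUTING -i $WAN_IF -p tcp --dport 21 -j DNAT --to-destination $FTP_HOST:21
-t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WWW_HOST:80
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $FTP_IF -d $FTP_HOST -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $WWW_IF -d $WWW_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $FTP_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WWW_IF -o $WAN_IF -j ACCEPT
-A FORWARD -j DROP
EOF
}

# Apply the rules: load the FTP connection-tracking and NAT helpers so each
# session's data connection is matched as RELATED (and PORT/PASV addresses are
# rewritten), set FORWARD to drop by default, then add the rules in order.
apply_rules() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP
    fw_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        $IPTABLES $rule
    done
}

# How many rules mention a given host (a quick self-check before applying).
rules_for_host() {
    fw_rules | grep -c -- "$1"
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it with no argument to print nothing and just define the functions, or `sh rc.forward apply` as root to load the rules; `fw_rules` alone prints the rule list for review.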