Well, packet forwarding in itself is a minimum firewall, as it usually shields the identity and type of machine(s) behind it.
My setup sounds like yours (only I don't use dcc or a httpserver).
You should take a look at iptables. It is capable of what you ask and a lot more.
I believe most distros install it automatically.
Iptables needs to be compiled into the kernel, so you might have some work there.
Next, it needs a rule set, which is probably very simple for your setup.
As an idea my firewall script (run at startup) is somewhat like this:
Code:
#!/bin/sh
# Turn on IP forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "************ STARTING ipTABLES config ***************"
#create variables to contain network devices
#private LAN:
PRIVATE_IF=eth0
#Public Internet:
PUBLIC_IF=ppp0
#LAN address space:
PRIVATE_NET=10.0.0.0/16
#Flush and re-fill ip-tables ruleset (policies: nothing is forwarded unless a rule below allows it):
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
#some bastard I don't like was on this IP:
#(the nat table only sees the first packet of each connection, so this drops new connections
# from that range; a filter-table INPUT/FORWARD rule is the usual place for a block)
/sbin/iptables --append PREROUTING -t nat -s 217.155.0.0/16 -j DROP
#enable LAN-to-Internet traffic (masqueraded)
#note: current iptables wants the negation before the option ("! -d"); the old "-d !" form is rejected
/sbin/iptables -t filter -A FORWARD -i $PRIVATE_IF -o $PUBLIC_IF -s $PRIVATE_NET ! -d $PRIVATE_NET -j ACCEPT
#anything from the Internet addressed into the LAN: replies, and the DNAT'd ports below
#(no state match, so any packet that arrives already addressed to a LAN host is admitted too)
/sbin/iptables -t filter -A FORWARD -i $PUBLIC_IF -o $PRIVATE_IF ! -s $PRIVATE_NET -d $PRIVATE_NET -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $PUBLIC_IF ! -d $PRIVATE_NET -s $PRIVATE_NET -j MASQUERADE
echo "iptables enabled"
####### Outside-to-LAN access: ##########
#Dungeon Siege: new connections arriving on the public interface for these ports are
#rewritten to 10.0.0.3 (the FORWARD rule above then lets them through)
/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 6073 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:6073
/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 2302 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:2302
/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 2300 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:2300
/sbin/iptables -t nat -A PREROUTING -p udp --destination-port 6073 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:6073
/sbin/iptables -t nat -A PREROUTING -p udp --destination-port 2302 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:2302
/sbin/iptables -t nat -A PREROUTING -p udp --destination-port 2300 -i $PUBLIC_IF -j DNAT --to-destination 10.0.0.3:2300
The first section above enables masquerading, allowing internet access from within your complete LAN, masked as traffic coming from your gateway only.
The second section (I use mainly for games) allows outsiders to access your internal LAN by addressing the gateway on certain ports.
I hope this helps.
Disclaimer: The above rules don't originate from any howto's I've seen before and may or may not be completely 'right'. They do work fine however in my current setup.
2nd note: If you want all traffic except dc and http forwarded to your internal machine, you would probably replace the second section by more general rules. (hint: port-ranges are allowed if set up right in newer kernels)
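The script below is an added example, not the poster's script, showing a tighter form of the same gateway: the Internet-to-LAN FORWARD rule admits only reply traffic (conntrack state), each DNAT'd port gets its own explicit FORWARD accept, the blocked range moves to the filter table, and the "2nd note" variant (forward everything except the ports the gateway serves itself) is written out with a port range. Interface names, the 10.0.0.3 host, the game ports and the 80,411 "kept on the gateway" ports are assumptions for illustration. Run without arguments it only prints the rules it would apply, so it can be inspected without root.

```shell
#!/bin/sh
# Added example (not the poster's script): a tighter version of the gateway
# ruleset above, written so that the rule list can be printed without root.
# Interface names, addresses and port numbers are assumptions for illustration.
#
#   sh gateway.sh         -> prints the iptables commands it would run
#   sh gateway.sh apply   -> runs them (needs root)

PRIVATE_IF=eth0
PUBLIC_IF=ppp0
PRIVATE_NET=10.0.0.0/16
GAME_HOST=10.0.0.3              # assumed LAN box that receives the game ports
GAME_PORTS=2300:2302,6073       # assumed: a port range plus a single port
GATEWAY_TCP=80,411              # assumed: http and a DC hub served by the gateway itself
BLOCKED_NET=217.155.0.0/16      # the range the post drops

IPT=${IPT:-/sbin/iptables}

# Rules every variant shares: policies, masquerading, and a FORWARD chain that
# only lets reply traffic back in unless a later rule says otherwise.
base_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Blocking belongs in the filter table (nat only sees the first packet of
    # a connection); INPUT covers the gateway itself, FORWARD covers the LAN.
    $IPT -A INPUT   -i "$PUBLIC_IF" -s "$BLOCKED_NET" -j DROP
    $IPT -A FORWARD -i "$PUBLIC_IF" -s "$BLOCKED_NET" -j DROP

    # LAN -> Internet, masqueraded behind the public address
    $IPT -A FORWARD -i "$PRIVATE_IF" -o "$PUBLIC_IF" -s "$PRIVATE_NET" ! -d "$PRIVATE_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$PUBLIC_IF" -s "$PRIVATE_NET" ! -d "$PRIVATE_NET" -j MASQUERADE

    # Internet -> LAN: only packets belonging to a connection the LAN opened
    # (or one that a DNAT rule below explicitly admits as NEW)
    $IPT -A FORWARD -i "$PUBLIC_IF" -o "$PRIVATE_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Variant 1: forward a fixed set of ports (the game case). One DNAT and one
# FORWARD accept per protocol; multiport lets a range and single ports share a rule.
game_port_rules() {
    for proto in tcp udp; do
        $IPT -t nat -A PREROUTING -i "$PUBLIC_IF" -p "$proto" -m multiport --dports "$GAME_PORTS" \
            -j DNAT --to-destination "$GAME_HOST"
        # DNAT only rewrites the address; FORWARD still has to admit the new connection.
        $IPT -A FORWARD -i "$PUBLIC_IF" -o "$PRIVATE_IF" -p "$proto" -d "$GAME_HOST" \
            -m multiport --dports "$GAME_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Variant 2 (the post's "2nd note"): forward every incoming TCP connection to
# the internal host except the ports the gateway serves itself.
forward_all_except_rules() {
    # ACCEPT in the nat table means "do not NAT this one": connections to the
    # gateway's own services stop here and are never rewritten.
    $IPT -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp -m multiport --dports "$GATEWAY_TCP" -j ACCEPT
    # Everything else is rewritten; a plain --dport range covers it.
    $IPT -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --dport 1:65535 -j DNAT --to-destination "$GAME_HOST"
    $IPT -A FORWARD -i "$PUBLIC_IF" -o "$PRIVATE_IF" -p tcp -d "$GAME_HOST" -m conntrack --ctstate NEW -j ACCEPT
}

# Print the rule list for one variant instead of applying it.
dry_run() {
    ( IPT="echo /sbin/iptables"; base_rules; "${1:-game_port_rules}" )
}

if [ "${1:-}" = apply ]; then
    sysctl -w net.ipv4.ip_forward=1
    base_rules
    game_port_rules
else
    dry_run game_port_rules
fi
```

`-m conntrack --ctstate` is the current spelling of what older howtos write as `-m state --state`; both need connection tracking in the kernel. With variant 2 the only things reachable on the gateway from outside are the ports in GATEWAY_TCP; anything else, including any admin service listening on the gateway, ends up on the internal host, so check that list before applying it.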