
BLU Discuss list archive



iptables and dhcp



On Tue, Feb 25, 2003 at 05:44:54PM -0800, Abhishake Pathak wrote:
> I had a couple of questions regarding iptables, dhcp
> and redhat 8.
> I'm running redhat 8.  I want to use my linux box as a
> firewall/router.  I have two other computers that will
> be connected to it.  Can someone please tell me how I
> would be able to set up iptables to do this? Also I
> wanted to know how I would do this if I had dhcp.

If you have dhcp where?  You'll need to choose between using your
multi-homed linux box as a transparent bridge or using its NAT
capabilities to masquerade a private network.  If you take the
transparent bridge route, you'll need to patch your kernel if you want
to run iptables rules over the bridge.  I'd suggest ip masquerading, and
running dhcpd on the masquerading NAT box.  The following script sets up
masquerading (the last line) and also disallows any traffic not
associated with connections established by masqueraded hosts.

#!/bin/bash

IPTABLES="/sbin/iptables"
EXTIF="eth0"    # outside (Internet-facing) interface
INTIF="eth1"    # inside (private network) interface

# turn on routing between the two interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop everything else arriving from outside, including packets the connection
# tracker marks INVALID (matching only "--state NEW" would let those fall
# through to the ACCEPT policy)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j DROP
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

If you do this, you'll likely want to run a dhcp server for your
masqueraded hosts as well.  Something like the following /etc/dhcpd.conf:

option domain-name "mydomain.com";
option domain-name-servers a.nameserver.com, b.nameserver.com;
option subnet-mask 255.255.0.0;

default-lease-time 600;
max-lease-time 7200;
# do this while setting up so you don't mess things up.
# default-lease-time 120;
# max-lease-time 120;

shared-network MY-PRIVATE {
  subnet 172.17.0.0 netmask 255.255.0.0 {
    # addresses handed out to the masqueraded hosts
    range dynamic-bootp 172.17.1.1 172.17.1.255;
    # broadcast address of the /16, not its network address
    option broadcast-address 172.17.255.255;
    # address of private interface on masquerading NAT box
    option routers 172.17.0.1;
  }
}

Make sure to tell dhcpd the proper interface!

I use debian.  I don't know if RH 8.0 has any peculiar
peccadilloes.

-- 
Ron Peterson                   -o)
87 Taylor Street               /\\
Granby, MA  01033             _\_v
https://www.yellowbank.com/   ---- 
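A stateful variant of the script above, added here as an example and not part of Ron's message: it keeps the masquerading and the outbound-only forwarding, but also closes the NAT box's own INPUT chain (the original leaves it at ACCEPT) and admits the dhcpd he recommends running on it. Interface names and the 172.17.0.0/16 network are assumed from the reply; DRYRUN is a hypothetical switch that only prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not Ron's script: a stateful variant of the masquerading
# firewall that also locks down the NAT box's own INPUT chain and admits
# the dhcpd it runs for the private LAN.  Interface names and the
# 172.17.0.0/16 LAN are assumed from the reply; adjust to your own setup.
# Usage: sh fw.sh eth0 eth1 172.17.0.0/16   (DRYRUN=1 only prints the rules)
IPTABLES="${IPTABLES:-/sbin/iptables}"
# Execute a command, or just print it when DRYRUN is set, so the rule set
# can be reviewed before it touches a live box.
run() {
    if [ -n "${DRYRUN:-}" ]; then echo "$*"; else "$@"; fi
}

# apply_firewall EXTIF INTIF LAN_CIDR
apply_firewall() {
    extif="$1"; intif="$2"; lan="$3"
    [ -n "${DRYRUN:-}" ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # Flush, then default-deny what reaches the box and what it forwards.
    for chain in INPUT OUTPUT FORWARD; do run "$IPTABLES" -F "$chain"; done
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT

    # The box itself: loopback, replies to its own connections, and from
    # the LAN only DHCP, DNS and ssh.  Nothing new is accepted from outside.
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state INVALID -j DROP
    # DHCP requests arrive from 0.0.0.0, so no source-address match here.
    run "$IPTABLES" -A INPUT -i "$intif" -p udp --dport 67 -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$intif" -s "$lan" -p udp --dport 53 -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$intif" -s "$lan" -p tcp --dport 22 -j ACCEPT

    # Forwarding: LAN out, only replies back in, and refuse packets that
    # claim a LAN source address but arrive on the outside interface.
    run "$IPTABLES" -A FORWARD -i "$extif" -s "$lan" -j DROP
    run "$IPTABLES" -A FORWARD -i "$intif" -o "$extif" -s "$lan" -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$extif" -o "$intif" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade the LAN behind the outside address.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$extif" -s "$lan" -j MASQUERADE
}

if [ $# -eq 3 ]; then apply_firewall "$@"; fi
```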



