On Tue, Feb 25, 2003 at 05:44:54PM -0800, Abhishake Pathak wrote:
> I had a couple of questions regarding iptables, dhcp
> and redhat 8.
> I'm running redhat 8. I want to use my linux box as a
> firewall/router. I have two other computers that will
> be connected to it. Can someone please tell me how i
> would be able to setup iptables to do this? Also i
> wanted to know how i would do this if i had dhcp.

If you have dhcp where?

You'll need to choose between using your multi-homed linux box as a transparent bridge or using its NAT capabilities to masquerade a private network. If you take the transparent bridge route, you'll need to patch your kernel if you want to run iptables rules over the bridge.

I'd suggest ip masquerading, and running dhcpd on the masquerading NAT box. The following script sets up masquerading (the last line) and also disallows any traffic not associated with connections established by masqueraded hosts.

#!/bin/bash
IPTABLES="/sbin/iptables"
EXTIF="eth0"    # external (Internet-facing) interface
INTIF="eth1"    # internal (private LAN) interface

# turn on routing between the two interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop NEW and INVALID packets coming in from outside; with the FORWARD
# policy left at ACCEPT, dropping only NEW would let INVALID packets through
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

If you do this, you'll likely want to run a dhcp server for your masqueraded hosts as well. Something like the following /etc/dhcpd.conf:

option domain-name "mydomain.com";
option domain-name-servers a.nameserver.com, b.nameserver.com;
option subnet-mask 255.255.0.0;
default-lease-time 600;
max-lease-time 7200;
# do this while setting up so you don't mess things up.
# default-lease-time 120;
# max-lease-time 120;

shared-network MY-PRIVATE {
  subnet 172.17.0.0 netmask 255.255.0.0 {
    range dynamic-bootp 172.17.1.1 172.17.1.255;
    # broadcast address for 172.17.0.0/16 (172.17.0.0 is the network address itself)
    option broadcast-address 172.17.255.255;
    # address of private interface on masquerading NAT box
    option routers 172.17.0.1;
  }
}

Make sure to tell dhcpd the proper interface!

I use debian. I don't know if RH 8.0 has any peculiar peccadilloes.

-- 
Ron Peterson                     -o)
87 Taylor Street                 /\\
Granby, MA  01033               _\_v
https://www.yellowbank.com/    ----
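As an added example, not part of Ron's post or anything from the BLU archive, here is the same masquerading-router idea written with default-DROP policies on INPUT and FORWARD, an explicit rule so the internal hosts can reach dhcpd on the NAT box, anti-spoofing on the internal side, and a dry-run mode that prints the rule set so it can be reviewed (or tested) without root. The interface names eth0/eth1 and the 172.17.0.0/16 range are assumptions taken from the post; the DNS and SSH rules assume the NAT box also runs those services for the LAN, and should be dropped if it does not.

```shell
#!/bin/bash
# Added example, not from the original post. Assumptions: eth0 faces the
# Internet, eth1 faces the private LAN 172.17.0.0/16, and the NAT box runs
# dhcpd (and optionally DNS and sshd) for the LAN. Adjust the variables.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
LAN="${LAN:-172.17.0.0/16}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# fw_rules prints one iptables invocation per line instead of running it.
# That lets the rule set be diffed, reviewed, or tested as a normal user;
# apply_rules pipes the same output into a shell as root.
fw_rules() {
    cat <<EOF
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $LAN -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $LAN -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $LAN -j MASQUERADE
EOF
}

# Enable routing, then execute the printed rules; sh -e stops on the first
# iptables error so a typo does not leave a half-applied rule set.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;   # run as root: ./fw.sh apply
    *)     fw_rules ;;      # default: dry run, print the rules for review
esac
```

Two details worth noticing when reviewing the output. The DHCP rule on the internal interface deliberately has no `-s $LAN` match: a client's DHCPDISCOVER is sent from 0.0.0.0 to the broadcast address before it has a lease, so filtering port 67 by LAN source would break address assignment. And the `-s $LAN` on the internal FORWARD and POSTROUTING rules means a host on the private side cannot push packets with a foreign source address out through the masquerade.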