[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ipf ipnat iptables
Hmmm this is interesting, thanks steve for the link, also another good
link for this is http://www.linuxguruz.org/iptables/
But they all seem to ignore one important piece of information which if
you used ipchains you already knew, if you are a user of ipf/ipnat you
know that you write the general rule first and then start writing the
specific rules, hmm why am I writing rules to allow with iptables and
nothings getting through, well it seems as if it's because someone
decided that it all needs to be done backwards, so if anyone out there
is looking at this before you start banging your head against the wall
remember the first match wins (reading through the ipchains section of
an older book the author made this clear for users of the older ipfw),
so now it seems to make a little more sense, just got to get used to the
idea of chains and the natting and filtering being done in the same app
and I should be good
Thanks again
Bob T. Kat
"We demand rigidly defined areas of doubt and uncertainty."
- Douglas Adams -
-----Original Message-----
From: silug-discuss-owner@silug.org
[mailto:silug-discuss-owner@silug.org] On Behalf Of Steven Pritchard
Sent: Wednesday, October 30, 2002 9:39 PM
To: silug-discuss@silug.org
Subject: Re: ipf ipnat iptables
On Wed, Oct 30, 2002 at 04:21:47PM -0600, Bob T. Kat wrote:
> does anyone know of a good document on the web that explains the
> conversion from ipf/ipnat line of thinking to iptables line of
> thinking
I don't know about that, but there is a ton of documentation here:
http://www.netfilter.org/documentation/
Specifically, when I was moving from ipchains to iptables, I found
this explanation of how packets are handled by the various chains
helpful:
http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-6.ht
ml
The basic idea is that the INPUT chain filters packets destined for
the local box, the OUPUT chain filters everything leaving from the
local box, and the FORWARD chain handles everything being routed
otherwise. (Those are all in the filter table. Other tables, such as
the nat table, are used to do packet mangling.)
Since you know the input and output interfaces in the FORWARD chain,
you want to filter by pairs of interfaces. For example, you might
want to allow anything from the internal network to the outside world,
but most likely you want to block anything going the other direction
(other than established connections, of course). The rules to get
that effect look something like this (assuming eth0 is inside and eth1
is out):
iptables -P FORWARD DROP # Default action is to drop everything.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 \
-m state --state 'ESTABLISHED,RELATED' -j ACCEPT
Of course, there's a bunch of junk that you'll want to include to make
everything happy, which is why I wrote my genfw script. It will
either generate a shell script to do all your rules, or just run
iptables and apply all the rules. If you run it with no options, it
will generate the shell script, so it should be nice for learning
purposes. (Create the config file, run genfw, look at the output.)
Steve
--
steve@silug.org | Southern Illinois Linux Users Group
(618)398-7360 | See web site for meeting details.
Steven Pritchard | http://www.silug.org/
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.