
Re: ipf ipnat iptables



On Wed, Oct 30, 2002 at 04:21:47PM -0600, Bob T. Kat wrote:
> does anyone know of a good document on the web that explains the
> conversion from ipf/ipnat line of thinking to iptables line of
> thinking

I don't know about that, but there is a ton of documentation here:

    http://www.netfilter.org/documentation/

Specifically, when I was moving from ipchains to iptables, I found
this explanation of how packets are handled by the various chains
helpful:

    http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-6.html

The basic idea is that the INPUT chain filters packets destined for
the local box, the OUTPUT chain filters everything leaving from the
local box, and the FORWARD chain handles everything being routed
otherwise.  (Those are all in the filter table.  Other tables, such as
the nat table, are used to do packet mangling.)

Since you know the input and output interfaces in the FORWARD chain,
you want to filter by pairs of interfaces.  For example, you might
want to allow anything from the internal network to the outside world,
but most likely you want to block anything going the other direction
(other than established connections, of course).  The rules to get
that effect look something like this (assuming eth0 is inside and eth1
is out):

    iptables -P FORWARD DROP # Default action is to drop everything.
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 \
        -m state --state 'ESTABLISHED,RELATED' -j ACCEPT

Of course, there's a bunch of junk that you'll want to include to make
everything happy, which is why I wrote my genfw script.  It will
either generate a shell script to do all your rules, or just run
iptables and apply all the rules.  If you run it with no options, it
will generate the shell script, so it should be nice for learning
purposes.  (Create the config file, run genfw, look at the output.)

Steve
-- 
steve@silug.org           | Southern Illinois Linux Users Group
(618)398-7360             | See web site for meeting details.
Steven Pritchard          | http://www.silug.org/
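
A fuller version of the same idea, as an added example that is not the
rules from the post above and not Steve's genfw: a small shell script
that, like genfw, prints the rule set when run with no argument and
applies it when run with "apply". The interface names (eth0 inside,
eth1 outside), the 192.168.1.0/24 internal prefix and the iptables path
are assumptions set at the top and can be overridden from the
environment. The ipf/ipnat lines in the comments are the rough
equivalents each block replaces, for orientation when converting; the
NAT rule goes in the nat table, separate from the filter rules.

```shell
#!/bin/sh
# Added example, not the original post's rules and not genfw: a minimal
# two-interface forwarding firewall built around INPUT/FORWARD/nat.
# Interface names, the LAN prefix and the IPT path are assumptions;
# override them in the environment, e.g. LAN=10.0.0.0/8 ./fw.sh apply

IPT="${IPT:-iptables}"          # iptables binary
INSIDE="${INSIDE:-eth0}"        # interface facing the internal network
OUTSIDE="${OUTSIDE:-eth1}"      # interface facing the outside world
LAN="${LAN:-192.168.1.0/24}"    # assumed internal prefix (RFC 1918)

# Print every rule as an iptables command line, one per line.
# With no argument the script prints this list (like genfw);
# "apply" pipes it into sh.
gen_rules() {
    # Start from a clean slate, then default to DROP on the two chains
    # that matter for a router; OUTPUT from the box itself stays open.
    # ipf:  block in all
    cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
EOF
    # Traffic to the box itself (INPUT): loopback, replies, and the LAN.
    # ipf:  pass in quick on lo0 all
    #       pass in quick on $INSIDE from $LAN to any keep state
    cat <<EOF
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $INSIDE -s $LAN -j ACCEPT
EOF
    # Routed traffic (FORWARD): filter on the interface pair. Drop
    # packets arriving on the outside that claim a LAN source before
    # anything else, then inside->outside, then only replies back in.
    # ipf:  block in quick on $OUTSIDE from $LAN to any
    #       pass in quick on $INSIDE from $LAN to any keep state
    #       pass out quick on $OUTSIDE from $LAN to any keep state
    cat <<EOF
$IPT -A FORWARD -i $OUTSIDE -s $LAN -j DROP
$IPT -A FORWARD -i $INSIDE -o $OUTSIDE -s $LAN -j ACCEPT
$IPT -A FORWARD -i $OUTSIDE -o $INSIDE -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Address translation lives in the nat table, not in the filter rules.
    # ipnat:  map $OUTSIDE $LAN -> 0/32 portmap tcp/udp 10000:60000
    #         map $OUTSIDE $LAN -> 0/32
    cat <<EOF
$IPT -t nat -A POSTROUTING -o $OUTSIDE -s $LAN -j MASQUERADE
EOF
}

# Number of iptables command lines emitted; a quick sanity check
# before applying (13 with the rules above).
rule_count() {
    gen_rules | grep -c "^$IPT "
}

case "${1:-print}" in
    print) gen_rules ;;
    apply) gen_rules | sh ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Read the printed list first and compare it against the ipf/ipnat
rules you are replacing; the anti-spoof DROP on the outside interface
has to come before the ESTABLISHED,RELATED accept, since rules in a
chain are matched in order.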
