iptables questions

Tyler Littlefield compgeek13 at gmail.com
Wed Jul 12 11:40:41 EDT 2006


Hello,
I don't understand how the masquerading works.
I currently have a router that is connected to the modem.
Then, I have another 3 computers behind the router, one of which is the
Linux box. What I want to do is DMZ the Linux box so that it acts as a firewall.
Thanks,
~~TheCreator~~
website:
http://tysplace.shaned.net
msn:
compgeek134 at hotmail.com
aim:
st8amnd2005
skype:
st8amnd127
moo coder/wizard and administrator

----- Original Message ----- 
From: "Gregory Nowak" <greg at romuald.net.eu.org>
To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
Sent: Tuesday, July 11, 2006 8:08 PM
Subject: Re: iptables questions


> On Tue, Jul 11, 2006 at 03:04:23PM -0600, Tyler Littlefield wrote:
> > I tried running endoshield, and got a ton of errors.
>
> When I first started using endoshield, I found the errors I got were
> the result of not configuring all the iptables stuff during my kernel
> config. So, your best bet in my humble opinion is to include all the
> iptables, nat, and connection tracking stuff as modules, and trying
> endoshield again. You could also post your errors, so we can see if a
> lack of modules is the case here, or if it's something else.
>
> > So, now I will try to do it manually. I'm going through a tutorial now,
> > and I have a couple questions.
> > I can do the following.
> > iptables -A INPUT -p tcp --dport 2200 -j QUEUE
> > iptables -A INPUT -p tcp --sport 2200 -j QUEUE
> > to allow for the traffic on port 2200 to go through. I think.
>
> I've never used the queue target, so I can't help you here. I can only
> tell you that when I want to open a port, I use the ACCEPT target to
> do so.
>
> > But, let's say I create a rule for each port. The ones I want to allow,
> > and the ones I don't want to allow.
> > I think I can use a -s to make it only local if I want.
> > Then, how would I block the ports that I haven't created rules for?
>
> Off the top of my head, without looking at the iptables docs, or at
> the endoshield script, I believe you use the DROP target on the entire
> input chain, and below that, use the ACCEPT target on the ports you
> want to open. I do however stand to be corrected here.
>
> > next, if I set up the box as a DMZ, in front of the router, is there a
> > way that I can make it manage all traffic coming in and out of the network?
> > Just like the router would?
>
> Yes, this is called ip masquerading, and endoshield is a good example
> of how it's done. Also note that if you intend to share your
> connection with multiple machines, your main machine will need 2
> network cards, one from the router to the pc, and the other from the
> pc to the switch/hub that your other machines are connected to.
>
> Greg
>
>
>
>
> -- 
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
>
> --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
>
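As an added example, not part of either message in this thread, here is a small shell script laying out what Greg describes: DROP as the default policy on the INPUT chain, ACCEPT rules for the chosen ports restricted to the LAN with -s, and masquerading across two network cards. The interface names, LAN range and port list are assumptions; the script only prints the rules unless it is run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny firewall plus
# NAT masquerading for a Linux box with two network cards.
# WAN_IF/LAN_IF/LAN_NET/ALLOW_TCP are assumed values; override via environment.
# Dry run by default: prints the commands. Set APPLY=1 (as root) to load them.
WAN_IF=${WAN_IF:-eth0}               # card toward the router/modem (assumed)
LAN_IF=${LAN_IF:-eth1}               # card toward the switch/hub (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}   # private LAN range (assumed)
ALLOW_TCP=${ALLOW_TCP:-"22 2200"}    # TCP ports the firewall itself accepts

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

build_rules() {
    # Flush old rules, then default-deny everything arriving at or crossing the box.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback and replies to connections we initiated must still get in.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Open chosen ports, but only from the LAN (-s); note the double dash in --dport.
    for p in $ALLOW_TCP; do
        ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    # LAN hosts may go out through the WAN card; only replies come back in.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerading: rewrite LAN source addresses to the WAN card's address.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

enable_forwarding() {
    # Routing between the two cards stays off until the kernel is told to forward.
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

build_rules
enable_forwarding
```

Rule order matters: the ESTABLISHED,RELATED rule and the per-port ACCEPT rules are appended after the DROP policy is set, so anything not matched falls through to DROP.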