iptables questions

Alex Snow alex_snow at gmx.net
Wed Jul 12 12:44:07 EDT 2006


What exactly are you trying to do? From your message it seems like you 
want to do 1 of 2 things:
1.  Have the Linux machine DMZ'ed so services running on it can be 
accessed from the outside world.  For this you just need to set up 
iptables to block incoming connections on ports you don't want people 
to be able to connect to.
2.  Have your Linux box as a firewall for your entire LAN.  For this 
you need 2 interfaces in your box, one from the modem and one to your 
existing router/switch.  Then you would set up iptables to NAT, and 
add the proper firewall rules for your network.
On Wed, Jul 12, 2006 at 09:40:41AM -0600, Tyler Littlefield wrote:
> Hello,
> I don't understand how the masquerading works.
> I currently have a router, that is connected to the modem.
> Then, I have another 3 computers behind the router, one of which is the
> Linux. What I want to do is DMZ Linux so that it acts as a firewall.
> Thanks,
> ~~TheCreator~~
> website:
> http://tysplace.shaned.net
> msn:
> compgeek134 at hotmail.com
> aim:
> st8amnd2005
> skype:
> st8amnd127
> moo coder/wizard and administrator
> 
> ----- Original Message ----- 
> From: "Gregory Nowak" <greg at romuald.net.eu.org>
> To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
> Sent: Tuesday, July 11, 2006 8:08 PM
> Subject: Re: iptables questions
> 
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Tue, Jul 11, 2006 at 03:04:23PM -0600, Tyler Littlefield wrote:
> > > I tried running endoshield, and got a ton of errors.
> >
> > When I first started using endoshield, I found the errors I got were
> > the result of not configuring all the iptables stuff during my kernel
> > config. So, your best bet in my humble opinion is to include all the
> > iptables, nat, and connection tracking stuff as modules, and trying
> > endoshield again. You could also post your errors, so we can see if a
> > lack of modules is the case here, or if it's something else.
> >
> > > So, now I will try to do it manually. I'm going through a tutorial now,
> > > and I have a couple questions.
> > > I can do the following.
> > > iptables -A INPUT -p tcp --dport 2200 -j QUEUE
> > > iptables -A INPUT -p tcp --sport 2200 -j QUEUE
> > > to allow for the traffic on port 2200 to go through. I think.
> >
> > I've never used the queue target, so I can't help you here. I can only
> > tell you that when I want to open a port, I use the ACCEPT target to
> > do so.
> >
> > > But, let's say I create a rule for each port. The ones I want to allow,
> > > and the ones I don't want to allow.
> > > I think I can use a -s to make it only local if I want.
> > > Then, how would I block the ports that I haven't created rules for?
> >
> > Off the top of my head, without looking at the iptables docs, or at
> > the endoshield script, I believe you use the DROP target on the entire
> > input chain, and below that, use the ACCEPT target on the ports you
> > want to open. I do however stand to be corrected here.
> >
> > > Next, if I set up the box as a DMZ, in front of the router, is there a
> > > way that I can make it manage all traffic coming in and out of the
> > > network? Just like the router would?
> >
> > Yes, this is called ip masquerading, and endoshield is a good example
> > of how it's done. Also note that if you intend to share your
> > connection with multiple machines, your main machine will need 2
> > network cards, one from the router to the pc, and the other from the
> > pc to the switch/hub that your other machines are connected to.
> >
> > Greg
> >
> >
> >
> >
> > - -- 
> > web site: http://www.romuald.net.eu.org
> > gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> > skype: gregn1
> > (authorization required, add me to your contacts list first)
> >
> > - --
> > Free domains: http://www.eu.org/ or mail dns-manager at EU.org
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.3 (GNU/Linux)
> >
> > iD8DBQFEtFmy7s9z/XlyUyARAsrtAKDBUJ2A64LR4gOHroSFnORWAoSmvwCcC2En
> > 78FEqOYvuvSIEOYuM8Ic3M4=
> > =MPIm
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Speakup mailing list
> > Speakup at braille.uwo.ca
> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> 
> 
> 

-- 
...Unix, MS-DOS, and Windows NT (also known as the Good, the Bad, and
the Ugly).
	-- Matt Welsh
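Both replies above describe the two-interface masquerading setup in words. The script below is an added example written for this archive page; it is not code from any of the posters, nor from endoshield. It assumes the NIC toward the modem/router is eth0, the NIC toward the internal switch is eth1, the LAN is 192.168.1.0/24, and that the service Tyler wants reachable is on TCP 2200; those names and the DRY_RUN switch are assumptions. It also settles the two points the thread leaves open: iptables is first-match, so "DROP on the entire input chain" has to be the chain policy (-P INPUT DROP) rather than a DROP rule placed above the ACCEPTs (a rule above would shadow them, which fw_shadowed detects), and with connection tracking loaded one ESTABLISHED,RELATED rule covers return traffic, so no --sport rule per service is needed.

```shell
#!/bin/sh
# Added example for this archive page; not code from the thread or from
# endoshield. Interface names, LAN range and the DRY_RUN switch are
# assumptions made for illustration.
WAN=${WAN:-eth0}                    # NIC toward the modem/router (assumed)
LAN=${LAN:-eth1}                    # NIC toward the internal switch (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}  # internal network (assumed)
SSH_PORT=${SSH_PORT:-2200}          # the port Tyler's rules refer to

# Print one INPUT rule opening TCP port $2 on interface $1, optionally
# limited to source $3 (the "-s to make it only local" idea). Prints
# nothing and returns 1 if the port is not a number in 1..65535.
fw_open_tcp() {
    iface=$1; port=$2; src=$3
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    if [ -n "$src" ]; then
        echo "iptables -A INPUT -i $iface -s $src -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    else
        echo "iptables -A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    fi
}

# Print the whole rule set, one command per line, in load order.
# iptables is first-match: a blanket "-A INPUT -j DROP" at the top would
# shadow every ACCEPT below it, so "block ports with no rule" is done by
# the chain policy (-P INPUT DROP), and return traffic is covered once
# by the ESTABLISHED,RELATED rule instead of a --sport rule per service.
fw_rules() {
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Services on the firewall itself: ssh on 2200, from the LAN side only.
    fw_open_tcp "$LAN" "$SSH_PORT" "$LAN_NET"
    cat <<EOF
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Read a rule list on stdin and report any INPUT ACCEPT that sits below a
# blanket INPUT DROP rule (exit 0 if something is shadowed, 1 otherwise).
fw_shadowed() {
    awk '/^iptables -A INPUT -j DROP$/ { drop = NR }
         drop && /^iptables -A INPUT .* -j ACCEPT$/ {
             print "line " NR " is never reached: line " drop " drops everything first"
             found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Apply as root; DRY_RUN=1 only prints. Usage: sh fw.sh apply
fw_apply() {
    if [ "${DRY_RUN:-0}" = 1 ]; then fw_rules; else fw_rules | sh -e; fi
}

if [ "${1:-}" = apply ]; then
    fw_rules | fw_shadowed && exit 1   # refuse a rule set that shadows itself
    fw_apply
fi
```

Run `DRY_RUN=1 sh fw.sh apply` first to read the generated rules; `fw_rules | fw_shadowed` on a hand-written list shows why a DROP rule at the top of INPUT (instead of the policy) silently kills every ACCEPT after it.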



