      IPTables

      This information is for people using the 2.4.x Linux kernel (Red Hat 7.2 and all the latest Linux distributions) and therefore IPTables instead of IPChains. It covers how to share your Internet connection and how to set up various forwarding rules, so that you can set up your server in the same way as the IPChains instructions on the Sharing page.
     

      Sharing Instructions

     
    Sharing The Internet

    In order to get Internet sharing working you will need to have the appropriate modules compiled into your Linux kernel. This should already be the case for most people, but some of you will need to do this manually.

    The first thing you need to do is run the following three commands, which enable IP forwarding and tell the system which interface (e.g. eth0) is the main connection to the outside world:

    modprobe iptable_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    Once you have done the above you need to tell the system the rules for accepting, rejecting and dropping connections from the outside world to the systems behind the gateway. (NOTE: the following example is set up to be rather aggressive: when people ping your system it will pretend it's not even there, which gives a little more security.)

    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
    /sbin/iptables -A INPUT -j DROP


    This allows traffic belonging to connections your machine started in and out (plus anything on the loopback interface), but drops everything else unless you add more ACCEPT lines. Because iptables uses the first rule that matches, any extra ACCEPT lines must be placed above the LOG and DROP lines, not appended after them. Everything dropped is also logged with the prefix ATTACK in /var/log/messages.
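    Once the LOG rule above is in place, /var/log/messages fills with lines tagged ATTACK, and the useful next step is to summarise them rather than read them one by one. The following shell functions are an added example (not from the original page) that do exactly that: count dropped packets per source address and per destination port, and flag sources that probed several ports. The log lines are constructed to mimic what a 2.4 kernel LOG target writes; they are not real logs. Note that the page's rule gives no trailing space after ATTACK, so the prefix runs straight into IN=, which the patterns below tolerate.

```shell
#!/bin/sh
# Summarise iptables LOG entries carrying the "ATTACK" prefix.
# Added example; the sample log is constructed, not captured from a real host.

SAMPLE_LOG='Jul 28 10:15:02 gw kernel: ATTACKIN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4432 DPT=23 WINDOW=0 RES=0x00 SYN URGP=0
Jul 28 10:15:03 gw kernel: ATTACKIN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4433 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0
Jul 28 10:15:09 gw kernel: ATTACKIN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=28 TOS=0x00 PREC=0x00 TTL=115 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jul 28 10:16:00 gw kernel: ATTACKIN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4434 DPT=445 WINDOW=0 RES=0x00 SYN URGP=0
Jul 28 10:16:30 gw sshd[1234]: Accepted publickey for alice from 192.168.0.10'

# Dropped packets per source address, busiest first.
# Usage: attack_by_src < /var/log/messages
attack_by_src() {
    grep 'kernel: ATTACK' |
    sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $2, $1 }'
}

# Dropped packets per protocol/destination port (ICMP has no DPT= and is skipped).
attack_by_dport() {
    grep 'kernel: ATTACK' |
    sed -n 's/.* PROTO=\([A-Z]*\) .* DPT=\([0-9]*\) .*/\1\/\2/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $2, $1 }'
}

# Sources that touched more than N distinct destination ports: a crude
# port-scan heuristic.  Usage: scanners N < /var/log/messages
scanners() {
    grep 'kernel: ATTACK' |
    sed -n 's/.* SRC=\([0-9.]*\) .* DPT=\([0-9]*\) .*/\1 \2/p' |
    sort -u |
    awk -v n="$1" '{ c[$1]++ } END { for (s in c) if (c[s] > n) print s }'
}

printf '%s\n' "$SAMPLE_LOG" | attack_by_src
printf '%s\n' "$SAMPLE_LOG" | attack_by_dport
printf '%s\n' "$SAMPLE_LOG" | scanners 2
```

    Two practical points follow from this: give the prefix a trailing space ("ATTACK ") so the fields stay separated, and consider adding -m limit to the LOG rule, because an unlimited LOG rule lets anyone who floods the box fill /var/log/messages.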

    The next thing to do is to set up the magic line that shares the connection with a particular network the server is connected to, namely your home LAN.

    /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

    This line is the equivalent of the IPChains command: /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

    The above command "tells Linux to append another rule for forwarding that will forward packets to the allowed IP addresses of client machines. In our example above we have given room for up to 256 computers to be on our network, this is shown by 192.168.0.0/24 which will cover the range of IP addresses starting at 192.168.0.0 and ending at 192.168.0.255, you can adjust this as you want. The 24 section relates to the 'bits' in the 'network' portion of the subnet mask. A 24 bit subnet mask is 255.255.255.0. This is indicating an entire "C class" network. If you wish to set up a network only having 16 allowable IP addresses then you should use 192.168.0.0/28 which actually means 16 IPs and NOT 28. The subnet mask for this block would be 255.255.255.240. It is recommended that unless you want to make a secure network at home that you just stick with the good old 24 bit configuration. But if you wish to allow a specific number of computers on your network, it is recommended you do a search and find/use an IP Address and Subnet Calculator to make sure you set up exactly the right number of allowable addresses."
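    The paragraph above recommends finding a subnet calculator; the functions below are an added example (not part of the original page) that do the calculation in plain POSIX shell arithmetic, so you can check what a prefix length such as /24 or /28 covers before you put it in the MASQUERADE rule. They also answer the question that matters for sharing: whether a given client address actually falls inside the block you wrote, since a client outside it is simply not masqueraded. The addresses used are the page's own examples.

```shell
#!/bin/sh
# CIDR helper functions: netmask, address range and membership test.
# Added example; uses only POSIX sh arithmetic (no bash arrays, no external tools).

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0..32) -> netmask as a 32-bit integer.
prefix2mask() {
    if [ "$1" -lt 0 ] || [ "$1" -gt 32 ]; then
        echo "prefix length must be 0..32" >&2
        return 1
    fi
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Usage: cidr_info 192.168.0.0/28
# Prints the mask, first and last address and address count of the block.
# If the address given is not the block's base, the base is reported on stderr.
cidr_info() {
    net=${1%/*}
    plen=${1#*/}
    mask=$(prefix2mask "$plen") || return 1
    base=$(( $(ip2int "$net") & $mask ))
    count=$(( 1 << (32 - $plen) ))
    last=$(( $base + $count - 1 ))
    if [ "$(ip2int "$net")" -ne "$base" ]; then
        echo "note: $net is not the network address; the block starts at $(int2ip "$base")" >&2
    fi
    echo "mask=$(int2ip "$mask") first=$(int2ip "$base") last=$(int2ip "$last") count=$count"
}

# Does address $1 fall inside block $2?  Exit status 0 means yes.
# Usage: cidr_contains 192.168.0.20 192.168.0.0/28
cidr_contains() {
    net=${2%/*}
    plen=${2#*/}
    mask=$(prefix2mask "$plen") || return 1
    [ $(( $(ip2int "$1") & $mask )) -eq $(( $(ip2int "$net") & $mask )) ]
}

cidr_info 192.168.0.0/24
cidr_info 192.168.0.0/28
if cidr_contains 192.168.0.20 192.168.0.0/28; then
    echo "192.168.0.20 is masqueraded by a /28 rule"
else
    echo "192.168.0.20 is NOT covered by 192.168.0.0/28; use /24 or renumber the client"
fi
```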

    Now that your Internet connection sharing is set up, it is recommended that you combine all of the above commands into a script file so that it is loaded automatically every time your system boots. To do this, go to the directory that contains some of the boot-up commands, for example cd /etc/rc.d/, create a file there called, say, rc.firewall, and enter the following into it:

    #!/bin/sh
    # DHCP Internet and Connection Sharing Script - IPTables Version
    # Coded by Mayhem (C)2002


    # Net Sharing
    modprobe iptable_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    # Add your additional ACCEPT rules here, above the LOG and DROP lines:
    # a rule appended after the DROP below would never be reached
    /sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
    /sbin/iptables -A INPUT -j DROP
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

    Once you have finished you will need to make the file executable by typing chmod u+x rc.firewall. To make the system run it when it boots, edit rc.local and add a line at the very bottom that runs your script, i.e. add the line ./rc.firewall. Now that you're done, the system should load your Internet connection and share it with all your client machines whenever the server is rebooted.

     

    Setting Up Client Computers To Use The Internet

    Setting up your client machines to access the Internet is rather easy and can be done by following the instructions on the Sharing page, unless of course you have set up DHCPD, in which case you simply need to set your client machines to access the Internet via the LAN (Local Area Network).

     

    Port Forwarding Rules (IRC, ICQ, FTP etc)

    In order to get some programs working on your client machines you will have to load additional modules and set up certain ports to be forwarded to your client machines. With the following information you should be able to set up IRC (for DCC sends etc.) and various other programs, as well as gaining enough basic information to work out any other port forwarding you may require.

    IRC
    You simply need to compile the modules with your kernel and then modprobe or insmod the two modules, adding the ports directive to the conntrack module to tell it which ports to watch (these modules should be compiled and installed by default). The standard IRC ports should do:

    /sbin/modprobe ip_conntrack_irc ports=6667,6668,6669,7000,7001,7002
    /sbin/modprobe ip_nat_irc

    With the above you should have no more problems with IRC, Fservs, DCC sends etc.

    ICQ
    Coming soon...

    FTP
    Once again, simply add the following lines to your script to allow more detailed FTP tracking and forwarding (these modules should be compiled and installed by default).

    /sbin/modprobe ip_conntrack_ftp ports=21,22
    /sbin/modprobe ip_nat_ftp

     

    More Secure IPTables Script

    For those of you who want a somewhat more advanced and complete script, this might be for you:

    #!/bin/sh
    # DHCP Internet and Connection Sharing Script - IPTables Secure Version
    # Coded by Mayhem (C)2002

    # Create a clean new IPTABLES ruleset (the nat table must be flushed
    # separately, otherwise re-running the script stacks duplicate MASQUERADE rules)
    /sbin/iptables --flush
    /sbin/iptables -t nat --flush

    # Load the appropriate modules
    /sbin/depmod -a
    /sbin/insmod ip_tables
    /sbin/insmod ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_conntrack_irc ports=6667,6668,6669,7000,7001,7002
    /sbin/modprobe ip_nat_irc
    #/sbin/modprobe ip_masq_quake
    #/sbin/modprobe ip_masq_raudio

    # Set up the Ports for the main servers: FTP, HTTP etc
    /sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT ## FTP - Data Transfer
    /sbin/iptables -A INPUT -p udp --dport 20 -j ACCEPT ## FTP - Data Transfer
    /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT ## FTP - Connection
    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT ## HTTP

    # Net Sharing
    /sbin/modprobe iptable_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
    /sbin/iptables -A INPUT -j DROP
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
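    As an added example (not the page's own script, and not the work of its author), here is the rc.firewall from the sharing section and the secure script above reworked the way a practitioner would write it today for a 2.4 kernel: both tables are flushed, default policies are set before any rule is loaded, every ACCEPT sits above the final LOG/DROP, the FORWARD chain only passes traffic that really comes from the LAN, and the ATTACK log line is rate-limited. The interface names (eth0 outside, eth1 inside) and the LAN block are assumptions; the -m state and -m limit matches and the conntrack helper modules are the ones the page already uses. The script also carries a small lint, check_order, that reads a rule listing and reports any rule appended to a chain after that chain's unconditional DROP, which is exactly the mistake the "add your rules here" comment invites.

```shell
#!/bin/sh
# rc.firewall, added example for a 2.4 kernel gateway.  Not the page's script.
# Usage:  ./rc.firewall --load      load the rules (run from rc.local, as root)
#         ./rc.firewall --dry-run   print the iptables commands instead
#         ./rc.firewall --check     print the commands and lint the rule order
# WAN, LAN and LAN_NET below are assumptions; adjust them for your box.

WAN=${WAN:-eth0}                   # interface to the outside world
LAN=${LAN:-eth1}                   # interface to the home network
LAN_NET=${LAN_NET:-192.168.0.0/24} # block handed out to the clients
IPT=${IPT:-/sbin/iptables}         # set to "echo /sbin/iptables" for a dry run

load_modules() {
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_conntrack_irc ports=6667,6668,6669,7000,7001,7002
    /sbin/modprobe ip_nat_irc
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

build_rules() {
    # Flush BOTH tables; "--flush" alone only touches the filter table.
    $IPT --flush
    $IPT -t nat --flush
    # Default to drop, so nothing slips through while rules are (re)loaded.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Replies to connections this host started, and the loopback interface.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # The LAN may talk to the gateway itself.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Services exposed to the outside.  Add further ACCEPT lines HERE,
    # above the LOG/DROP pair: iptables stops at the first matching rule.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 21 -j ACCEPT   ## FTP control
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -j ACCEPT   ## HTTP

    # Everything else: log at most 5 lines a minute, then drop silently.
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-level 4 --log-prefix "ATTACK "
    $IPT -A INPUT -j DROP

    # Sharing: only packets that enter on the LAN from the LAN block go out,
    # and their replies come back via connection tracking.
    $IPT -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# Print the commands build_rules would run, without running them.
dry_run() {
    ( IPT="echo /sbin/iptables"; build_rules )
}

# Lint: read a rule listing on stdin and flag any rule appended to a chain
# after that chain's unconditional "-j DROP".  Exit status 1 if one is found.
check_order() {
    awk '
        BEGIN { bad = 0 }
        {
            chain = ""
            for (i = 1; i <= NF; i++) if ($i == "-A") chain = $(i + 1)
            if (chain == "") next
            if (dead[chain]) { print "unreachable: " $0; bad = 1; next }
            if ($0 ~ /-A [A-Z]+ -j DROP$/) dead[chain] = 1
        }
        END { exit bad }
    '
}

case "${1:-}" in
    --load)    load_modules; build_rules ;;
    --dry-run) dry_run ;;
    --check)   dry_run | check_order && echo "rule order OK" ;;
    *)         echo "usage: $0 --load | --dry-run | --check" >&2 ;;
esac
```

    Call it from rc.local as /etc/rc.d/rc.firewall --load; running --check first is a cheap way to catch an ACCEPT line that ended up below the DROP after an edit.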

    All logos and trademarks in this site are property of their respective owner. All the rest © 2000 - 2016 by Linuxathome.net