Linuxathome.net - Linux news and help for home broadband internet users
 Home | Files | Case Mods | Reviews | Forum | Search | Links | RDF Feed | Contact
Sections

Installation Guide
Setting Up
Internet Sharing
Port Forwarding
Services Config
Installing Programs
Game Servers
Using IPTables
Useful Commands
Kernel Upgrading
System Recovery
Red Hat 7.2 Setup
OpenBSD Setup
BPA Login Setup
PPPoE Setup
Add New Hardware
Using PPTP VPN
VMware ESX Cmds
Our RC5 Team
Folding@Home
Help Support Us

 
Articles
Linux Security
NetStats FAQ
Linux KIS Trojan
CAT5/LAN Cables
Domain Names
Presario RH Install APC Debian DVD
 
Slashdot.org
  • Python Developer Survey: 55% Use Linux, 6% Use Python 2
  • 'Is It Ethical to Have Children in the Face of Climate Change?'
  • Tech Worker Builds Free AI-Powered Tool For Fighting US Health Insurance Denials
  • Oceanographers Mapping Underwater Mountain Find Flying Spaghetti Monster
  • Washington Post Calls Telegram 'a Haven for Free Speech - and Child Predators'
  • Inside Boeing's Factory Lapses That Led To the Alaska Air Blowout
  • Long Covid Knocked a Million Americans Off Their Career Paths
  • How Not To Hire a North Korean IT Spy
  • How a Group of Teenagers Pranked 'One Million Checkboxes'
  • Woman Mailed Herself an Apple AirTag To Help Catch Mail Thieves
  • Google Play Store Can Finally Update Multiple Apps At Once
  • Scientists Detect Invisible Electric Field Around Earth For First Time
  • US Government Opens Up 31 Million Acres of Federal Lands For Solar
  • Apple Stands By Decision To Terminate Account Belonging To WWDC Student Winner
  • Wells Fargo Worker Dies At Desk, Nobody Notices For Four Days
  •  
    Affiliates

    TweakTown.com
    ZGeek.com
    pebkac-consulting.com.au

      IPTables

      This information is for people using the 2.4.x Linux Kernel (Red Hat 7.2 and all the latest Linux distributions) and thus are using IPTables instead of IPChains. The following information covers how to share your Internet connection as well as to setup up various forwarding rules etc., so that you can setup your server similar to the IPChains information present in the Sharing page found here.
     

      Sharing Instructions

     
    Sharing The Internet

    In order to get Internet Sharing working you will need to have the appropriate modules compiled in your Linux Kernel, this should be the case for most people but for some of you, you will need to do this manual.

    The first thing you need to do is to the following three commands which enable IP forwarding and tell the system which interface (i.e. eth0) to use as the main connection for the outside world.

    modprobe iptable_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    Once you have done the above then you need to tell the system the rules for accepting, rejecting and dropping connections from the outside world to the system behind the network. (NOTE: The following example is setup to be rather aggressive, when people ping your system it will pretend its not even there and thus gives more security)

    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
    /sbin/iptables -A INPUT -j DROP


    This allows the traffic from your machine in and out, but will drop everything else unless you put some more accept lines, it will also logs it with a prefix of ATTACK in the /var/log/messages/.

    The next thing to do is to setup the magic line to share the information to a certain network that the Server is connected to, namely your home LAN.

    /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

    This line is the equivalent of the IPChains: /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

    The above command "tells Linux to append another rule for forwarding that will forward packets to the allowed IP address of client machines. On our example above we have given room for upto 256 computers to be on our network, this is shown by 192.168.0.0/24 which will cover the range of IP address starting at 192.168.0.0 and ending at 192.168.0.255, you can adjust this as you want. The 24 section relates to the 'bits' in the 'network' portion of the subnet mask. A 24 bit subnet mask is 255.255.255.0. This is indicating an entire "C class" network. If you wish to setup a network only having 16 allowable IP address's then you should use 192.168.0.0/28 which actually means 16 IP's and NOT 28. The subnet mask for this block would be 255.255.255.240. It is recommended that unless you want to make a secure network at home that you just stick with the good old 24 bit configuration. But if you wish to allow a specific number of computers on your network, it is recommended you do a search and find/use a IP Address and Subnet Calculator to make sure you setup exactly the right number of allowable address's."

    Now that your Internet Connection Sharing is setup it is recommend that you combine all of the above commands into a script file so that it can be loaded automatically every time your system boots up. To do this simply go to the directory that contains some of the boot up commands, for example cd /etc/rc.d/, in this directory you want to create a file say called rc.firewall, and enter the following into the file:

    #!/bin/sh
    # DHCP Internet and Connection Sharing Script - IPTables Version
    # Coded by Mayhem (C)2002


    # Net Sharing
    modprobe iptable_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
    /sbin/iptables -A INPUT -j DROP
    # Add your additional rules here
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

    Once you have finished you will need to make the file executable by typing chmod u+x rc.firewall. To make the system run this when it boots up simply edit rc.local and add a line at the very bottom that runs your script, i.e. add the line ./rc.firewall, now that your done the system should now load your Internet connection and share it to all your client machines whenever the server is rebooted.

     

    Setting Up Client Computers To Use The Internet

    Setting up your client machines to access the Internet is rather easy and can be done by following the instructions on the Sharing page, unless of course you have setup DHCPD which in that case you simply need to set your client machines to access the Internet from the LAN (Local Area Network).

     

    Port Forwarding Rules (IRC, ICQ, FTP etc)

    In order to get some programs working on your client machine you will have to load additional modes and setup certain ports to be forwarded to your client machines, with the following information you should be able to setup IRC (for DCC sends etc) and various other programs as well as gaining enough basic information to work out how to do other various port forwarding that you may require.

    IRC
    You simply need to compile the modules with your kernel and then modprobe or insmod the two modules adding the ports directive to the conntrack module to tell it which ports to watch (these modules should be compiled by default installed). The standard IRC ones should do:

    /sbin/modprobe ip_conntrack_irc / ports=6667,6668,6669,7000,7001,7002
    /sbin/modprobe ip_nat_irc

    With the above you should have no more problems with IRC, Fserv's or DCC sending etc.

    ICQ
    Coming soon...

    FTP
    Once again simply add the following lines to your script to allow more detailing FTP tracking and forwarding, (these modules should be compiled by default installed).

    /sbin/modprobe ip_conntrack_ftp / ports=21,22
    /sbin/modprobe ip_nat_ftp

     

    More Secure IPTables Script

    For those of you who wish to have a bit more of an advanced and complete script then this might be for you:

    #!/bin/sh
    # DHCP Internet and Connection Sharing Script - IPTables Secure Version
    # Coded by Mayhem (C)2002

    # Create a clean new IPTABLES ruleset
    /sbin/iptables --flush

    # Load the appropriate modules
    /sbin/depmod -a
    /sbin/insmod ip_tables
    /sbin/insmod ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_conntrack_irc / ports=6667,6668,6669,7000,7001,7002
    /sbin/modprobe ip_nat_irc
    #/sbin/modprobe ip_masq_quake
    #/sbin/modprobe ip_masq_raudio

    # Set up the Ports for the main servers: FTP, HTTP etc
    /sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT ## FTP - Data Transfer
    /sbin/iptables -A INPUT -p udp --dport 20 -j ACCEPT ## FTP - Data Transfer
    /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT ## FTP - Connection
    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT ## HTTP

    # Net Sharing
    /sbin/modprobe iptable_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
    /sbin/iptables -A INPUT -j DROP
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

    Proudly Hosted By:
    Hosted by PEBKAC Consulting

    Please read our Legal Notice for information concerning our site and its content.
    All logos and trademarks in this site are property of their respective owner. All the rest © 2000 - 2016 by Linuxathome.net

    Reviews

    D-Link DI-704P
    VIA EPIA-M 9000
    Tux Applique
    Ricoh MP5125A
    AMD XP 2600+
    3DProphet 9000Pro
    Radeon 9700 Pro
    XTNDAccess IrDA
    Netgear FS-524s
    DSR2161 KVM
    Game TheaterXP & XPS-510 Speakers
    3D Prophet 4000XT
    AutoView 400
    Back-UPS CS 350
    Dual Neon Kit
    SwitchView KVM
    20x4 LCD Kit
    Window Kit

     
    LinuxSecurity
  • 5 Open-Source Blockchain Technologies That Linux Users Need to Know About
  • The Three Best Tools You Need to Scan Your Linux System for Malware
  • Navigating the Linux Kernel's Latest DMA Security Vulnerability
  • Staying a Step Ahead of Adversaries: Mitigating Chromium's Security Flaws on Linux
  • Slackware: 2024-244-01: libpcap Security Advisory Update
  • Fedora 40: microcode_ctl 2024-5c5c384fa7 Security Advisory Updates
  • Fedora 40: python3.11 2024-985017d277 Security Advisory Updates
  • Fedora 40: xen 2024-91ddad6c8b Security Advisory Updates
  • Fedora 39: xen 2024-ed546e3543 Security Advisory Updates
  • Debian: DSA-5762-1: webkit2gtk Security Advisory Updates
  •  
    Google Search
    Enter Keywords:

     
    Bash Jokes

    % make war

    Make: Don't know how to make war. Stop.

     
    Virtualization, Virtual Machine & Virtual Server Consolidation - VMware

    The Community ENTerprise Operating System

    Get Slackware Linux

    Use OpenOffice.org

    Use Asterisk