[nSLUG] Easy ICS for Linux
dteed at artistic.ca
Sat Jul 26 23:38:21 ADT 2003
If you look at the information Michael Taylor provided to the list on July 16th,
I think that provides a good baseline to get basic NAT up.
If you run through the commands and find it is working well,
then save the results with iptables-save. With redhat that should
be saved in a file under /etc/sysconfig/iptables
Mandrake might be the same - check what is referenced

State level packet inspection rules are difficult to understand
without knowing quite a bit about TCP/IP networking. This is
where the iptables how-tos fall apart for the average Linux user.
Most people know about IPs, inbound, outbound, NAT and port
numbers, but references to ICMP, UDP, SYN, ACK, etc., are
going into details they don't know about. Following some
simple examples is probably the best place to start, and then
add on more as you learn of more useful examples.

As for knowing what it is doing, you have two basic types of
tests. First is whether you can do everything you want even
with the firewall rules up. Second is whether your firewall passes
the basic probe tests. You can visit websites such as the
shields up website and it will probe the most common ports
for you from the outside. If you have access to a *nix machine
somewhere outside your LAN you can probe it with a run of nmap.
These are the basics from my knowledge, others may have more to
add to that.

Redhat's network scripts automatically handle opening ports
for DHCP, so that shouldn't be required. You can verify what
is open by running iptables -L and iptables -t nat -L.

One thing I found in Redhat 7.2 is that the networking scripts
were clobbering my /etc/resolv.conf on connection, assuming
I wanted the ISP's DNS. I run my own (full) DNS server for
my home LAN so I adjusted the offending script:
Your locations and names may be different under Mandrake.

For incoming SMTP on the firewall itself you'd need this:
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

If SMTP is on a machine behind the firewall it is a different story.
If SMTP is on the firewall just for outbound, then you should
be OK without more rules, except that you'll need
to configure the mail server to relay through eastlink
and masquerade (not same as iptables masquerade) as if
it were part of the eastlink domain. It will work without
doing this, but a good percentage of your outbound email
will bounce as anti-spam email server measures are growing in use.
On Sat, 26 Jul 2003, Soren Aalto wrote:
> Michelle and George wrote:
> >You may remember I had asked for help sharing my net connection
> >(eastlink) using my Redhat 9 box as a gateway. The advice I received was
> >good, but I was convinced that there must be a GUI tool out there to do
> >the work for me. There is, and it uses a very simple wizard interface.
> >It took about four mouse clicks to get her XP laptop chugging away
> >happily. If you use Apt-get try Firestarter. I was amazed, it's even
> >easier than Windows ICS wizard.
> Grrrr...I'm busy trying to do the same thing with Mandrake 9.1
> and an eastlink setup. I got eastlink connectivity easily enough,
> once I realised that the shorewall firewall was eating every
> packet in and stopped it.
> So I figured that the Mandrake ICS-ish wizard would be a lot
> easier than trying to roll my own iptables stuff.
> Not so...but feel free to tell me what I missed here. NAT works
> just fine, but I don't seem to be able to get DHCP addresses from
> the box because shorewall eats the DHCP queries. OK, so I
> put a static IP on the laptop...well, shorewall eats the DNS queries
> too...I'm running a caching DNS on the Mandrake box & SMTP
> as well. And shorewall generates a monster sized list of iptables
> rules, has a zillion config files & I won't be the first to complain
> about the documentation.
> Basically, I'm going to sit down and bash out my own set of iptables
> stuff -- I worry about making mistakes (both from carelessness and
> ignorance) when doing my own firewalling, but there's no way I
> can feel safe running something I just don't understand at all.
> Soren Aalto
> nSLUG mailing list
> nSLUG at nslug.ns.ca