Clayton's Tech Bits


    Thu, 21 Jul 2011


    /Admin/iptables: Build A Router With iptables

    This[1] is a deeper reference, but it did not quite get the job done for me. (Nor did a lot of the other recipes I looked at, for that matter...) The "Example Scenario: SOHO" here[2] got me a working router.

    First make sure forwarding is enabled in your router OS. The standard way to do this on Debian is to edit /etc/sysctl.conf and set net.ipv4.ip_forward=1. My machine is not a full-time router, so instead I added the line

    up echo 1 > /proc/sys/net/ipv4/ip_forward

    to the /etc/network/interfaces clause that brings up my internal LAN interface, i.e.

    iface static inet static
      address 10.1.1.1
      netmask 255.255.255.0
      network 10.1.1.0
      broadcast 10.1.1.255
      up echo 1 > /proc/sys/net/ipv4/ip_forward

    Then I added these lines to my "basic firewall" (in rules.v4 format the MASQUERADE rule belongs under the *nat table; the four ACCEPT rules belong under *filter):

    -A POSTROUTING -o eth0 -j MASQUERADE
    
    -A INPUT -s 10.1.1.0/24 -i eth4 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.1.1.0/24 -i eth4 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A FORWARD -d 10.1.1.0/24 -i eth0 -m state --state ESTABLISHED -j ACCEPT
    -A OUTPUT -d 10.1.1.0/24 -o eth4 -m state --state NEW,ESTABLISHED -j ACCEPT
    

    where eth0 is the outward/WAN interface, eth4 is the inward/LAN interface, and 10.1.1.0/24 is the IP address block used on the LAN. Note that the only FORWARD rule matching eth0/WAN accepts ESTABLISHED traffic, not NEW: hosts on the LAN can open connections outward, but nothing on the WAN side can open a connection inward.

    To let DHCP[3] through, add this line to rules.v4:

    -A INPUT -i eth4 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

    and install a DHCP server:

    apt-get install dnsmasq

    Just configure the dhcp-range in /etc/dnsmasq.conf, i.e.

    dhcp-range=10.1.1.50,10.1.1.150,12h

    and it should be all ready to go.

    [1] http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Masquerading_.28Many_to_One_NAT.29
    [2] http://fedorasolved.org/Members/kanarip/iptables-howto
    [3] http://www.faqs.org/docs/iptables/lettingdhcprequests.html

    posted at: 03:52 | path: /Admin/iptables

    Tue, 21 Jun 2011


    /Admin/iptables: Build A Basic Firewall with iptables

    This seems like a good starting point[1], blocking everything except SSH, established/related, loopback, and outgoing connections:

    iptables -P INPUT ACCEPT          # open the default policy first, so the flush cannot lock you out
    iptables -F                       # flush all existing rules
    iptables -A INPUT -i lo -j ACCEPT # loopback
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # SSH
    iptables -P INPUT DROP            # now drop everything not matched above
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -L -v                    # review the result
    /etc/init.d/iptables-persistent save

    On my Debian system, the last "save" line puts a reloadable copy of the current running iptables rules in /etc/iptables/rules.v4 & /etc/iptables/rules.v6. Thereafter, it is also possible (advisable?) to edit these files directly to add/modify rules. For instance to open up the http port, add the following line to /etc/iptables/rules.v4:

    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

    Then load the new ruleset using:

    iptables-restore < /etc/iptables/rules.v4

    [1] http://wiki.centos.org/HowTos/Network/IPTables

    posted at: 09:56 | path: /Admin/iptables
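    Combining this basic firewall with the router, NAT and DHCP rules from the previous entry, the following added example script (not from the blog) generates a complete /etc/iptables/rules.v4 with both the *nat and *filter tables, checks the earlier entry's rule that nothing arriving on the WAN may open a NEW connection, and loads the file only after a parse-only pass. Interface names eth0/eth4, the 10.1.1.0/24 block and the file path are taken from the posts; adding RELATED to the WAN forward rule (ICMP errors, FTP data) is my change.

```shell
#!/bin/sh
# Added example, not from the blog: emit the router's rules.v4 (iptables-save
# format) combining the basic firewall with the NAT, LAN and DHCP rules, check
# the post's "no NEW from WAN" invariant, and load it.  Interface names and
# the LAN block are assumptions; RELATED on the WAN forward rule is an addition.
gen_rules() {
  wan=$1 lan=$2 net=$3
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s $net -i $lan -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $lan -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A FORWARD -s $net -i $lan -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -d $net -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $net -o $lan -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
# Returns 1 if any INPUT or FORWARD rule accepts NEW connections arriving on
# the WAN interface, i.e. the invariant the post relies on is broken.
check_wan_no_new() {
  ruleset=$1 wan=$2
  if printf '%s\n' "$ruleset" | grep -E "^-A (INPUT|FORWARD) .*-i $wan " | grep -q NEW; then
    return 1
  fi
  return 0
}
# Write the file, parse it without committing (iptables-restore --test), then
# commit.  Needs root; usage: apply_rules eth0 eth4 10.1.1.0/24
apply_rules() {
  file=${4:-/etc/iptables/rules.v4}
  rules=$(gen_rules "$1" "$2" "$3")
  check_wan_no_new "$rules" "$1" || { echo "refusing: NEW allowed from WAN" >&2; return 1; }
  printf '%s\n' "$rules" > "$file"
  iptables-restore --test < "$file" && iptables-restore < "$file"
}
```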