[dundee] Hardware for a firewall/content filter
Andrew Clayton
andrew at digital-domain.net
Sun Oct 9 12:32:06 UTC 2011
On Thu, 12 May 2011 12:37:03 +0100, Andrew Clayton wrote:
> NAT with a single NIC
>
> Starting from scratch with a machine with a single NIC and two
> networks; 192.168.1.x external and 192.168.10.x internal.
>
> Bring up eth0
>
> # ip link set eth0 up
>
> Assign it some IP addresses
>
> # ip addr add 192.168.1.10/24 brd + dev eth0
> # ip addr add 192.168.10.10/24 brd + dev eth0
>
> Add a default route for the external address
>
> # ip route add default via 192.168.1.254 dev eth0
>
> Clear iptables and set default policies.
>
> # iptables -F
> # iptables -t nat -F
> # iptables -P INPUT ACCEPT
> # iptables -P OUTPUT ACCEPT
> # iptables -P FORWARD DROP
>
> Set up NAT
>
> # iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> # iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
Keeping with the above example IP addresses, a better version of the
above two rules would be:
# iptables -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -j ACCEPT
# iptables -A FORWARD -i eth0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
The first one only forwards anything from the internal network.
The second one only forwards already established connections or
related connections.
> # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.10
>
> Enable IP forwarding
>
> # echo 1 > /proc/sys/net/ipv4/ip_forward
Andrew
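The steps quoted above, assembled into one script with the tightened FORWARD rules from the reply. This is an added example, not code from the original post: the addresses are the ones used in the thread, while the interface name, the gateway, the DRY_RUN switch and the helper function names are assumptions made here. With DRY_RUN=1 (the default) it only prints the commands in the order they must run; with DRY_RUN=0 it executes them, which needs root.

```shell
#!/bin/sh
# Added example (not from the original post): single-NIC NAT with the
# restricted FORWARD rules. Interface, gateway and DRY_RUN are assumptions.
set -eu

IFACE="${IFACE:-eth0}"
EXT_IP="${EXT_IP:-192.168.1.10}"        # address SNAT rewrites sources to
EXT_GW="${EXT_GW:-192.168.1.254}"       # assumed upstream router
INT_IP="${INT_IP:-192.168.10.10}"
INT_NET="${INT_NET:-192.168.10.0/24}"   # only this network may open new flows
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = run them

# Emit the commands in execution order. FORWARD is first-match with a DROP
# policy, so the order of the two ACCEPT rules is what limits new connections
# to the internal network: anything else only passes if conntrack already
# knows the flow (ESTABLISHED) or it belongs to one it knows (RELATED).
nat_commands() {
    cat <<EOF
ip link set $IFACE up
ip addr add $EXT_IP/24 brd + dev $IFACE
ip addr add $INT_IP/24 brd + dev $IFACE
ip route add default via $EXT_GW dev $IFACE
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i $IFACE -o $IFACE -s $INT_NET -j ACCEPT
iptables -A FORWARD -i $IFACE -o $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source $EXT_IP
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Just the FORWARD chain rules, in order, for review before applying.
forward_rules() {
    nat_commands | grep -- '-A FORWARD'
}

# Print or execute each line. Each command is handed to sh -c so the
# redirection in the ip_forward line is honoured when DRY_RUN=0.
run_commands() {
    nat_commands | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

run_commands
```

Review the output of forward_rules before switching DRY_RUN off: the first rule must carry the -s restriction and the second must not list NEW, otherwise the chain is back to accepting new connections from whatever else is on the wire. (`-m state --state` is the older spelling of `-m conntrack --ctstate` and behaves the same here.)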