[dundee] Hardware for a firewall/content filter
Andrew Clayton
andrew at digital-domain.net
Sat Oct 15 12:14:38 UTC 2011
On Sun, 9 Oct 2011 13:32:01 +0100, Andrew Clayton wrote:
> On Thu, 12 May 2011 12:37:03 +0100, Andrew Clayton wrote:
>
> > NAT with a single NIC
> >
> > Starting from scratch with a machine with a single NIC and two
> > networks; 192.168.1.x external and 192.168.10.x internal.
> >
> > Bring up eth0
> >
> > # ip link set eth0 up
> >
> > Assign it some IP addresses
> >
> > # ip addr add 192.168.1.10/24 brd + dev eth0
> > # ip addr add 192.168.10.10/24 brd + dev eth0
> >
> > Add a default route for the external address
> >
> > # ip route add default via 192.168.1.254 dev eth0
> >
> > Clear iptables and set default policies.
> >
> > # iptables -F
> > # iptables -t nat -F
> > # iptables -P INPUT ACCEPT
> > # iptables -P OUTPUT ACCEPT
> > # iptables -P FORWARD DROP
> >
> > Set up NAT
> >
> > # iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > # iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
>
> Keeping with the above example IP addresses, a better version of the
> above two rules would be:
>
> # iptables -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -j ACCEPT
> # iptables -A FORWARD -i eth0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> The first one only forwards anything from the internal network.
> The second one only forwards already established connections or
> related connections.
>
> > # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.10
> >
> > Enable IP forwarding
> >
> > # echo 1 > /proc/sys/net/ipv4/ip_forward

One final thing. You'll want to disable ICMP redirects, or you'll see
some weird network behaviour.

# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

Andrew
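The two pitfalls this thread walks through, the over-broad hairpin FORWARD rules on a single NIC (the May rules let anything arriving on eth0 be forwarded back out, so the external network could reach the internal one) and ICMP redirects left enabled, as an added audit script that is not part of the original post. It reads an `iptables -S FORWARD` listing on stdin and the kernel's redirect sysctls from a directory with the layout of /proc/sys/net/ipv4/conf, and flags the weak configuration while passing the corrected one. The function names (`audit_forward_rules`, `check_redirects`) and the embedded sample listings are this example's own constructions; the rules in them are copied from the thread.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Audits the two single-NIC NAT pitfalls discussed in the thread:
#   1. FORWARD ACCEPT rules that match the same input and output interface
#      without restricting the source to the internal network or the state
#      to ESTABLISHED,RELATED.
#   2. ICMP redirect sysctls left at 1.
# Function and variable names are assumptions made for this example.

# audit_forward_rules IFACE   (reads `iptables -S FORWARD` output on stdin)
# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
audit_forward_rules() {
    findings=$(awk -v iface="$1" '
        # The chain policy must be DROP so only explicit rules forward.
        $1 == "-P" && $2 == "FORWARD" && $3 != "DROP" {
            print "FINDING: FORWARD policy is " $3 ", expected DROP"
            next
        }
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; out_if = ""; src = ""; state = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-o") out_if = $(i + 1)
                else if ($i == "-s") src = $(i + 1)
                else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            # Only hairpin ACCEPT rules on the NAT interface matter here.
            if (target != "ACCEPT" || in_if != iface || out_if != iface) next
            if (src == "" && state == "")
                print "FINDING: forwards everything on " iface ": " $0
            else if (src == "" && state ~ /NEW/)
                print "FINDING: accepts NEW connections from any source: " $0
        }')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# check_redirects CONF_DIR IFACE
# CONF_DIR is /proc/sys/net/ipv4/conf on a live system; a scratch directory
# with the same all/ and <iface>/ layout exercises the logic without root.
check_redirects() {
    dir=$1; iface=$2; rc=0
    for scope in all "$iface"; do
        for knob in accept_redirects send_redirects; do
            f="$dir/$scope/$knob"
            if [ ! -r "$f" ]; then
                echo "FINDING: $f is not readable"; rc=1; continue
            fi
            v=$(cat "$f")
            if [ "$v" != "0" ]; then
                echo "FINDING: $f is $v, expected 0"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample listings in `iptables -S` form: the original pair of
# rules from the May post and the corrected pair from the October follow-up.
BEFORE_RULES='-P FORWARD DROP
-A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT'
AFTER_RULES='-P FORWARD DROP
-A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

echo "== original rules =="
printf '%s\n' "$BEFORE_RULES" | audit_forward_rules eth0 || echo "(not clean)"
echo "== corrected rules =="
printf '%s\n' "$AFTER_RULES" | audit_forward_rules eth0 && echo "(clean)"
```

On a live box the same functions are driven with `iptables -S FORWARD | audit_forward_rules eth0` and `check_redirects /proc/sys/net/ipv4/conf eth0`; both return non-zero when something is flagged, so they drop straight into a cron job or a post-boot check. The audit reasons about intent rather than exact text: a hairpin ACCEPT is fine when it is pinned to the internal source network or to ESTABLISHED,RELATED state, and flagged when it admits NEW connections from any source, which is exactly what distinguishes the corrected pair from the original one.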