[Gllug] iptables and flaky ssh, ftp, vnc

Ian Norton-Badrul bredroll at darkspace.org.uk
Tue Jun 21 23:03:41 UTC 2005


On Tue, Jun 21, 2005 at 09:54:02PM +0100, Tom Schutzer-Weissmann wrote:
> On Tue, 2005-06-21 at 16:37 +0100, Peter Grandi wrote:
> 
> > There is probably something wrong with the 'iptables' rules too, they are
> > very very difficult to get right (and, as usual, very easy to get
> > wrong but ''working''). I usually recommend using a rule set
> > generator... But even that does not avoid the need for clear
> > thinking.
> 
> I'll stick my neck out. This is a semi-theoretical question. Given that
> I wanted as transparent a link as possible, isn't this the minimal
> ruleset I could have?
> 
> regards,
> Tom Weissmann
> 
> ----------------------------------------
> world=0.0.0.0/0.0.0.0
> dest=192.168.200.0/24
> dev=$1
> # current address of $dev, scraped from ifconfig output
> dynip=`/sbin/ifconfig | grep -A 4 $dev | awk '/inet/ { print $2 } ' | sed -e s/addr://`
> 
> iptables -I OUTPUT 1 -s $world -d $dest -j ACCEPT -o $dev
> iptables -I INPUT 1 -s $dest -d $world -j ACCEPT -i $dev
> iptables -I FORWARD 1 -s $world -d $dest -j ACCEPT -o $dev
> iptables -I FORWARD 1 -s $dest -d $world -j ACCEPT -i $dev
> # rewrite everything leaving via $dev to the dynamic address
> iptables -t nat -A POSTROUTING -o $dev -j SNAT --to $dynip
> 
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> echo 1 > /proc/sys/net/ipv4/ip_forward

The simplest transparent link possible:

# where eth1 is the device connected to your route to the outside world
iptables -F
iptables -F -t nat
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 >/proc/sys/net/ipv4/ip_forward

Ian
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
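As an added example (not code from the thread or any of its posters), here is the "working but open" flush-and-MASQUERADE link from Ian's reply placed beside a stateful version of the same masquerade, the distinction Peter's "wrong but working" remark is about. The script emits an iptables-restore ruleset instead of applying it, so it can be reviewed before loading; eth0 as the LAN-facing interface is an assumption, eth1 and 192.168.200.0/24 are taken from the thread.

```shell
#!/bin/sh
# gen_rules prints an iptables-restore ruleset for a masquerading gateway
# rather than applying it; load it with: gen_rules ... | iptables-restore
#   open      the flush-and-MASQUERADE link: on a fresh boot every policy is
#             ACCEPT, so FORWARD passes anything in either direction
#   stateful  same MASQUERADE, but FORWARD drops by default and only admits
#             flows the LAN opened, plus their replies (RELATED also covers the
#             ftp data channel once the ip_conntrack_ftp helper is loaded)
# Interface names are assumptions: eth0 faces the LAN, eth1 the outside.
gen_rules() {
    mode=$1 lan_if=$2 wan_if=$3 lan_net=$4
    case "$mode" in
    open)
        printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
            ':OUTPUT ACCEPT [0:0]' 'COMMIT'
        ;;
    stateful)
        printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
            ':OUTPUT ACCEPT [0:0]'
        # replies and related flows for anything already in the conntrack table
        printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
        # new flows only when they come from the LAN and head outside
        printf '%s\n' "-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT"
        printf '%s\n' 'COMMIT'
        ;;
    *)
        echo "usage: gen_rules open|stateful LAN_IF WAN_IF LAN_NET" >&2
        return 1
        ;;
    esac
    # NAT is identical in both modes; the -s match keeps packets with spoofed
    # sources from being masqueraded as the gateway's own address
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE" 'COMMIT'
}

# forwarding still has to be switched on separately:
#   echo 1 >/proc/sys/net/ipv4/ip_forward
gen_rules stateful eth0 eth1 192.168.200.0/24
```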