[Gllug] iptables replacement for ipchains

[Bruce Richardson]

On Thu, Sep 20, 2007 at 11:25:16AM +0100, t.clarke wrote:
> I am currently in the process of replacing a Debian box (being used primarily
> as a mail server) with the another debian box running the latest stable release.
> To give is some resilience with adsl connections the box will also run another
> web server (hence the queries the other day about problems with http
> connections) and will need to do some port-forwarding/natting to deal with a
> few direct connections necessary to the outside world including ftp.
> Outgoing http connections will simple be handed by squid.
> 
> I have not used iptables before  (the other old redhat box uses ipchains),
> so I am a bit unsure abopuit the required rules etc.

The major difference is that the NAT rules live in a separate "table"
than the main filter rules, so you will need to specify "-t nat" when
working with NAT chains.

> 
> I assume that:
> modprobe ip_nat_ftp

Shouldn't be necessary.  Iptables should dynamically load modules as
necessary when you add rules.

> and
> echo 1 > /proc/sys/net/ipv4/ip_forward
> will be necessary ?

You can specify that in /etc/network/interfaces or in
/etc/network/options (although the latter file is now deprecated, I
think)

> 
> I note that the old redhat boxes also does:
> echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Same for those, can be specified in the same files.


-- 
Bruce

It is impolite to tell a man who is carrying you on his shoulders that
his head smells.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20070920/938cec5f/attachment.pgp>
-------------- next part --------------
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug