[Gllug] iptables replacement for ipchains

t.clarke tim at seacon.co.uk
Thu Sep 20 10:25:16 UTC 2007


I am currently in the process of replacing a Debian box (being used primarily
as a mail server) with another Debian box running the latest stable release.
To give it some resilience with adsl connections the box will also run another
web server (hence the queries the other day about problems with http
connections) and will need to do some port-forwarding/natting to deal with a
few direct connections necessary to the outside world including ftp.
Outgoing http connections will simply be handled by squid.

I have not used iptables before (the other old redhat box uses ipchains),
so I am a bit unsure about the required rules etc.

I assume that:
modprobe ip_nat_ftp
and
echo 1 > /proc/sys/net/ipv4/ip_forward
will be necessary ?

I note that the old redhat box also does:
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

- I am not sure if these are now redundant or should be replaced by something
else?


The ipchains rules I need to effectively duplicate are:

#forwarding chain default policy: deny anything not listed below
ipchains -P forward DENY
#deny anything arriving on the external interface that purports to come
#from an internal IP address!
ipchains -A input -i eth1 -s 192.168.0.0/255.255.0.0 -j DENY

#forwarding chain: enable services/connections we /do/ want
#----------------------------------------------------------
#ping from any internal machine
ipchains -A forward -p ICMP -s 192.168.123.0/24 -d 0/0 -j MASQ
#
#from main server to selected destinations:
ipchains -A forward -s 192.168.123.100 -d 99.123.124.125 -j MASQ
ipchains -A forward -s 192.168.123.100 -d 99.145.123.124 -j MASQ
#
#from main server to external ftp servers only
#(need to allow connections to port 21 and replies-only to any port)
ipchains -A forward -p tcp -s 192.168.123.100 -d 0/0 21 -j MASQ
ipchains -A forward -p tcp -s 192.168.123.100 -d 0/0 ! -y -j MASQ
#vpn tunnel
ipchains -A forward -s 192.168.123.107 -d 99.8.159.0/0 -j MASQ


I believe the iptables equivalents should be:-

#iptables has no DENY target; DROP is the equivalent
iptables -A INPUT -i eth1 -s 192.168.0.0/255.255.0.0 -j DROP

iptables -t nat -A POSTROUTING -p ICMP -s 192.168.123.0/24 -d 0/0 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.123.100 -d 99.123.124.125 \
  -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.123.100 -d 99.145.123.124 \
  -j MASQUERADE

iptables -t nat -A POSTROUTING -p tcp -s 192.168.123.100 -d 0/0 --dport 21 \
  -j MASQUERADE

This one I am really baffled about:
ipchains -A forward -p tcp -s 192.168.123.100 -d 0/0 ! -y -j MASQ
I vaguely recall it being to allow outgoing 'reply' packets to incoming
ftp PORT connections. Is an equivalent in iptables necessary, such as:
iptables -t nat -A POSTROUTING -p tcp -s 192.168.123.100 -d 0/0 ! --syn \
  -j MASQUERADE


iptables -t nat -A POSTROUTING -s 192.168.123.107 -d 99.8.159.0/0 \
  -j MASQUERADE



nb: it seems from the iptables man page that if the external interface has
a static address I should specify SNAT nnn.nnn.nnn.nnn instead of masquerade??




Apologies for the long-winded questions !


Tim
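As an added example (not from Tim's post or from any reply to it), here is one complete iptables rule set for the setup described above, written as a script that prints the rules for review and only applies them when run with an explicit "apply" argument. It assumes eth1 is the external ADSL interface and eth0 the LAN side, that the kernel has the conntrack state match (2.4 or later), that the VPN destination was meant to be a /24 (the post's "/0" would match every address), and that squid listens on its default port 3128 and the mail server on port 25; none of those are stated in the post. The main points it shows: the ipchains "! -y" rule is replaced by a single ESTABLISHED,RELATED state rule (the ftp helper module marks data connections as RELATED), the permit/deny decisions live in the filter table's FORWARD chain while the nat table does translation once, and SNAT is substituted for MASQUERADE when a static external address is given.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Assumptions (not in the post):
# eth1 = external ADSL interface, eth0 = LAN, conntrack state match available,
# VPN destination is a /24, squid on 3128 and mail on 25 are the defaults.
EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"
LAN="192.168.123.0/24"
MAIN_SRV="192.168.123.100"      # the "main server" in the post
VPN_HOST="192.168.123.107"
VPN_NET="99.8.159.0/24"         # assumed /24 (the post's /0 would match everything)
EXT_IP="${EXT_IP:-}"            # set to the static external address to get SNAT

# Emit the rule set as commands so it can be read (and tested) before it runs.
gen_rules() {
  cat <<EOF
# Kernel side: ftp connection-tracking helper and forwarding. The module is
# ip_nat_ftp on 2.6.18-era kernels and nf_nat_ftp on newer ones.
modprobe ip_nat_ftp || modprobe nf_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# ip_always_defrag no longer exists: connection tracking defragments by itself.

iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Anti-spoofing: private source addresses never arrive legitimately on the
# external interface, so drop them in both INPUT and FORWARD.
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i $EXT_IF -s 192.168.0.0/16 -j DROP

# Stateful replacement for the ipchains "! -y" rule: replies to connections
# we opened, and helper-tracked ftp data connections, are accepted without
# opening arbitrary ports to new inbound connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services this box offers itself (assumed default ports).
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i $INT_IF -p tcp -s $LAN --dport 3128 -j ACCEPT

# Forwarding policy: one ACCEPT per permitted flow, in the filter table.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p icmp -s $LAN -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $MAIN_SRV -d 99.123.124.125 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $MAIN_SRV -d 99.145.123.124 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $MAIN_SRV --dport 21 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $VPN_HOST -d $VPN_NET -j ACCEPT

# Address translation happens once, for everything leaving the external side.
EOF
  if [ -n "$EXT_IP" ]; then
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $EXT_IP"
  else
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE"
  fi
}

# Default action prints the rules; "apply" runs them (needs root).
case "${1:-}" in
  apply) gen_rules | sh -e ;;
  *)     gen_rules ;;
esac
```

Run it with no arguments to see the rules it would install; run `sh script.sh apply` as root to install them, or `EXT_IP=203.0.113.5 sh script.sh` to see the SNAT variant (203.0.113.5 is a documentation address standing in for the real static address). Keeping the ACCEPT decisions in FORWARD rather than in the nat table matters because the nat table only sees the first packet of a connection; the filter table sees every packet and enforces the default DROP.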


-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug