Alcatel Speedtouch under Gentoo linux


Internet for everybody

We now need to activate forwarding and masquerading.

I’ll show the basic setup, which simply activates it, and also my own script, which is a little more complex but provides more options.

The basic masquerading setup

These are the basics from the Masquerading How-To, which are also covered in the Dialup Connection How-To. Although this is functional, I have my own script, which you can find in the next section.

Anyway, use the following commands (or put them in a script) to start the internet routing and close the ports towards the outside world:


iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -P INPUT DROP


This is the HowTo I referred to: HOWTO setup a home-server on Gentoo Wiki

The ‘better’ masquerading setup

This is my own custom script. It handles the masquerading, checks whether the internet interface is up (otherwise inserting rules would be pointless) and shows how to forward a port to an internal machine.

Note that I designed this with the main goal of being able to (re)start the firewall from a remote ssh login. Therefore it first resets the chain policies to ACCEPT, to make sure we don’t get locked out while the firewall comes up (and, worse, that it never finishes coming up because the script is killed together with the ssh connection).

I smacked this one in /usr/sbin so I can simply enter ‘internet’ and the routing starts.

File: /usr/sbin/internet

#!/bin/bash
# Written by Berend Dekens
#
# Masquerading for server and port forwarding to internal servers
echo "Setting free policy on default chains"

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

echo "Flushing iptables"
iptables -F
iptables -X

# Detect the external address on ppp0 (iproute2 'ip'; an 'ifconfig | awk'
# pipeline depends on the net-tools output format and breaks on newer versions)
EXT_IP=$(ip -4 addr show dev ppp0 2>/dev/null | awk '/inet /{ split($2, a, "/"); print a[1]; exit }')

if [ -z "$EXT_IP" ]
then
    echo "Error while detecting external ip address. Please make sure you are connected"
    exit 1
else
    echo "Auto detection found your internet address: $EXT_IP"
fi


# Reset to accept-all policy (this is a safeguard: if one of the next rules fails we do not lose ssh access)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

# Allow existing connections on all interfaces
iptables -A INPUT -d "$EXT_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Filter on ppp0 - Drop new connection requests from internet
iptables -A INPUT -d "$EXT_IP" -m state --state NEW -i ppp0 -j DROP
# Allow traffic from other interfaces than ppp0 (the '!' goes before the option in current iptables)
iptables -A INPUT ! -i ppp0 -j ACCEPT
# All other traffic is illegal - drop it
iptables -P INPUT DROP

# Forwarding: let replies and LAN-originated traffic through. Anything else
# arriving on ppp0 is rejected by the final FORWARD rule at the end of this
# script, so a port forward needs its own ACCEPT rule placed before that one
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i ppp0 -j ACCEPT

# Clear the NAT table
iptables -F -t nat

# Turn on NAT for ppp0
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

# Forward port 25 (SMTP) to internal mailserver, 192.168.0.151
# Uncomment the next 2 lines to enable port forwarding of port 25 to the internal mail server
#iptables -A PREROUTING -t nat -p tcp -i ppp0 -d "$EXT_IP" --dport 25 -j DNAT --to 192.168.0.151:25
#iptables -A FORWARD -p tcp -i ppp0 -d 192.168.0.151 --dport 25 -j ACCEPT

# We won't forward anything else that comes in on ppp0
iptables -A FORWARD -i ppp0 -j REJECT

# Enable IP forwarding in general
echo 1 > /proc/sys/net/ipv4/ip_forward
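The lock-out risk described above (restarting the firewall over ssh) can be checked before a ruleset is loaded. The following is an added example, not the post's own code: it reads an iptables-save dump on stdin and refuses it when the INPUT chain would cut off LAN-side sessions. It assumes the WAN interface is ppp0 (override with WAN_IF) and uses two constructed sample dumps.

```shell
#!/bin/sh
# Added example (not the post's code): pre-flight "will this lock me out?" check
# for restarting the firewall over ssh. Reads an iptables-save dump on stdin and
# fails when INPUT would cut off LAN sessions. Assumes WAN interface ppp0.
WAN_IF="${WAN_IF:-ppp0}"
# Exit 0 if INPUT is safe for LAN admins: policy ACCEPT, or policy DROP with an
# ESTABLISHED,RELATED accept, an accept for "! -i $WAN_IF", and no catch-all
# DROP/REJECT placed before that accept. Exit 1 otherwise.
ruleset_is_lockout_safe() {
  awk -v wan="$WAN_IF" '
    /^:INPUT /   { policy = $2 }
    /^-A INPUT / {
      wan_only = ($0 ~ ("(^|[^!]) -i " wan "( |$)"))
      accepts  = ($0 ~ / -j ACCEPT$/)
      drops    = ($0 ~ / -j (DROP|REJECT)( |$)/)
      if (accepts && $0 ~ ("! -i " wan "( |$)")) lan_ok = 1
      if (accepts && /--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)/) est_ok = 1
      # a terminating rule that does not single out the WAN side also hits LAN
      # traffic, unless a rule above it already accepted LAN traffic
      if (drops && !wan_only && !lan_ok) bad = 1
    }
    END {
      if (policy == "ACCEPT") exit 0
      exit ((lan_ok && est_ok && !bad) ? 0 : 1)
    }'
}
# Constructed sample: iptables-save output after the post's /usr/sbin/internet
# script ran with external address 203.0.113.7 (a documentation address).
SAFE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 203.0.113.7/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.0.113.7/32 -i ppp0 -m state --state NEW -j DROP
-A INPUT ! -i ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o ppp0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
# Constructed failure case: a catch-all "drop NEW" rule placed before the LAN
# accept, so every new LAN connection (the next ssh login included) is dropped.
UNSAFE_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j DROP
-A INPUT ! -i ppp0 -j ACCEPT
COMMIT'
report() { if ruleset_is_lockout_safe; then echo "$1: safe to load"; else echo "$1: would lock out LAN sessions"; fi; }
printf '%s\n' "$SAFE_DUMP"   | report "post's ruleset"
printf '%s\n' "$UNSAFE_DUMP" | report "catch-all NEW drop before the LAN accept"
```

On a live box, feed it `iptables-save` output (or the file you are about to hand to iptables-restore) with `ruleset_is_lockout_safe < rules.txt`.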

