Basic setup for gateway on a private LAN

  • This assumes your LAN uses 192.168.1.x on eth0 with the Internet connection on eth1
  • This is a rough, OK... a VERY rough guide, but it works.

Firstly you should ensure the kernel is told to do forwarding...
Edit /etc/sysctl.conf and make sure you have the line:
net.ipv4.ip_forward = 1
Then run: sysctl -p
(check it took: cat /proc/sys/net/ipv4/ip_forward should print 1)

Now create a file in /etc/rc.d called rc.fw, make it executable (chmod 755 /etc/rc.d/rc.fw) and put in the following. Make sure you personalise it :) and you may also have to give the full path to iptables (/usr/sbin/iptables or /sbin/iptables, depending on your distro)..

#!/bin/sh
# open INPUT while the tables are flushed, so you don't lock yourself out mid-script
iptables -P INPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
# default policy: drop anything not explicitly allowed (OUTPUT is left at ACCEPT)
iptables -P INPUT DROP
iptables -P FORWARD DROP
# let your LAN use the net: replies come back in from eth1, new connections go out from eth0
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT # local
# your LAN (the 192.168.1.x assumed at the top); tying it to eth0 stops a spoofed
# 192.168.1.x source arriving on the Internet side from being accepted
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# need to keep anyone out? put them in here... (rules match in order, so a DROP for a
# LAN host must go ABOVE the LAN ACCEPT rule to have any effect)
#iptables -A INPUT -s -j DROP
# stop the long delay for irc ident :) with a DROP policy the IRC server waits for its
# ident timeout; REJECT answers straight away so it gives up at once
iptables -A INPUT -p tcp --dport 113 -j REJECT

Extras..... To redirect connections from the Internet to an internal machine you need two rules for the SAME port: a DNAT in the nat table that rewrites the destination, and a FORWARD rule in the filter table that lets the rewritten packet through (FORWARD's policy is DROP, so without it the DNAT does nothing). EG: to send mail (port 25) to a mail server on you would add:

# FORWARD rule for the rewritten packet (same port as the DNAT below)
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# DNAT only what arrives on the Internet side, so LAN connections to the gateway's own port 25 are not hijacked
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to

Need priority on getting out those packets? Note that these are OUTPUT rules, so they only mark traffic the gateway itself sends; to mark the LAN's traffic as it passes through, put the same rules in the FORWARD chain of the mangle table instead (-t mangle -A FORWARD ...). The TOS target only sets a hint that your upstream may or may not honour.

# interactive / short transactions: low latency
iptables -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
# bulk transfer: throughput over latency
iptables -t mangle -A OUTPUT -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput
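The rc.fw script above, the port-forwarding extras and the TOS rules, redone as one added example. This is my script, not the page's rc.fw: it prints the whole filter/nat/mangle ruleset in iptables-restore format and loads it in one go, so there is never a moment where INPUT is already DROP but the ACCEPT rules are not in place yet (the sequential script above has that window, and also loses its work if you mistype a rule halfway). It also includes the check I would always run on a gateway: list any DNAT'd port that has no matching FORWARD ACCEPT, the classic slip of forwarding port 80 while DNAT'ing port 25. eth0, eth1 and 192.168.1.0/24 are the page's assumptions; the "25:192.168.1.25" forward spec, the script name gateway-fw.sh and the function names are mine, and iptables-restore --test (a parse-only dry run) assumes a reasonably recent iptables.

```shell
#!/bin/sh
# Added example (not the page's own rc.fw): generate the gateway ruleset as one
# iptables-restore document and load it atomically. Interfaces and LAN range are
# the page's assumptions; forward specs like "25:192.168.1.25" are placeholders.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# One FORWARD ACCEPT per "port:host" spec (filter table), tied to the target host.
forward_filter_rules() {
    for spec in $1; do
        port=${spec%%:*}; host=${spec#*:}
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $host --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
}

# The matching DNAT per spec (nat table), only for packets arriving on the WAN side.
forward_nat_rules() {
    for spec in $1; do
        port=${spec%%:*}; host=${spec#*:}
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $host:$port"
    done
}

# ruleset "<forward specs>" prints the complete ruleset for iptables-restore.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
EOF
    forward_filter_rules "$1"
    cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    forward_nat_rules "$1"
    cat <<EOF
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
-A FORWARD -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
COMMIT
EOF
}

# Sanity check: read a ruleset on stdin and print every DNAT'd port that has no
# FORWARD ACCEPT for the same port (e.g. DNAT on 25 paired with a FORWARD for 80).
dnat_without_forward() {
    awk '
        function port(s) { return match(s, /--dport [0-9]+/) ? substr(s, RSTART + 8, RLENGTH - 8) : "" }
        /-j DNAT/                 { p = port($0); if (p != "") dnat[p] = 1 }
        /^-A FORWARD .*-j ACCEPT/ { p = port($0); if (p != "") fwd[p] = 1 }
        END { for (p in dnat) if (!(p in fwd)) print p }
    '
}

# Parse-only dry run first, then load atomically (needs root and iptables-restore).
load_ruleset() {
    ruleset "$1" | iptables-restore --test && ruleset "$1" | iptables-restore
}

# Usage: sh gateway-fw.sh show|check|load ["25:192.168.1.25 80:192.168.1.80"]
case "${1:-}" in
    show)  ruleset "$2" ;;
    check) ruleset "$2" | dnat_without_forward ;;
    load)  load_ruleset "$2" ;;
esac
```

Run `sh gateway-fw.sh check "25:192.168.1.25"` before `load`; an empty result means every DNAT has its FORWARD partner. Because iptables-restore replaces each table as a unit, a typo fails the whole load and the previous ruleset stays in force, which is the behaviour you want on a box you reach over the network.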

Now to have all this kick in at reboot, add the following into /etc/rc.d/rc.local

if [ -x /etc/rc.d/rc.fw ]; then
    /etc/rc.d/rc.fw ; echo "Firewall started"
fi

