Slackware Knowledge Base
 
 
iptables
Basic setup for gateway on a private LAN

  • This assumes your LAN uses 192.168.1.x on eth0 with the Internet connection on eth1
  • This is a rough, OK... a VERY rough guide, but it works.

Firstly you should ensure the kernel is told to do forwarding...
Edit /etc/sysctl.conf and make sure you have the line:
net.ipv4.ip_forward = 1
Then run: sysctl -p

Now create a file in /etc/rc.d called rc.fw and put in the following. Make sure you personalise it :) You may also have to add the full path to iptables..


#!/bin/sh
# open INPUT before flushing so you are not locked out of a remote box while
# the rules are rebuilt, then wipe all three tables and set the default policies
iptables -P INPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT DROP      # nothing reaches the gateway itself unless allowed below
iptables -P FORWARD DROP    # nothing crosses the gateway unless allowed below
iptables -P OUTPUT ACCEPT   # the gateway may talk out freely
#
# let your LAN use the net
# replies from the Internet are only forwarded for connections the LAN opened
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# rewrite the LAN's private source addresses to the eth1 address on the way out
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
#
# traffic to the gateway itself: replies, loopback and the LAN are fine
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT # local
# bind the LAN rule to eth0 so a packet on eth1 with a forged 192.168.1.x source is not let in
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
#
# need to keep anyone out? put them in here...
#iptables -A INPUT -s 1.2.3.4 -j DROP
#
# stop the 20 hour delay for irc ident :)
# (REJECT answers at once; under the DROP policy the IRC server would sit waiting for a timeout)
iptables -A INPUT -s 0/0 -p tcp --destination-port 113 -j REJECT
#


Extras..... To redirect Internet connections to an internal machine, add a DNAT rule and a matching FORWARD rule (the FORWARD policy above is DROP, so the DNAT on its own is not enough).
EG: to send mail (port 25) to a mail server on 192.168.1.2 you would add:


# the packet reaches FORWARD after DNAT, so match the internal address and the same port
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.2 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# only rewrite connections arriving on eth1; with -d 0/0 and no -i, outbound SMTP from the LAN would be sent to 192.168.1.2 too
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.1.2:25
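The two rules have to agree on protocol, host and port, and the FORWARD rule is easy to forget once the DNAT appears to "work" from a quick test. As an added example (not from the original page or from Slackware), the following script generates both rules from one function and refuses targets outside the LAN or nonsense ports. It assumes the same layout as the guide (LAN on eth0, 192.168.1.0/24; Internet on eth1); the second mapping (public port 2222 to SSH on 192.168.1.10) is a constructed value for illustration. IPT defaults to echo, i.e. a dry run that prints the rules; run it with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original page: build the DNAT rule and its
# matching FORWARD rule from one function so the two can never disagree on
# the port or host. Interface and LAN names are assumed as in the guide
# (LAN on eth0, 192.168.1.0/24; Internet on eth1). IPT defaults to "echo",
# a dry run that prints the rules; run with IPT=iptables (as root) to apply.

IPT="${IPT:-echo}"
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# in_lan IP: succeed only for a well-formed dotted quad inside LAN_NET.
# Only a /24 is handled, which is all this guide uses.
in_lan() {
    ip="$1"
    lan_prefix="${LAN_NET%.*}"          # 192.168.1.0/24 -> 192.168.1
    case "$ip" in
        "$lan_prefix".*) ;;
        *) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1          # rejects 192.168.1.2.3
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;    # rejects 192.168.1.x
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# port_forward PROTO PUBLIC_PORT INTERNAL_IP [INTERNAL_PORT]
# Emits the nat PREROUTING DNAT rule and the filter FORWARD rule that lets
# the redirected connection through the DROP policy. Applies nothing and
# returns 1 if the target is off the LAN or a port/protocol is invalid.
port_forward() {
    proto="$1"; pub_port="$2"; int_ip="$3"; int_port="${4:-$2}"
    case "$proto" in
        tcp|udp) ;;
        *) echo "port_forward: protocol must be tcp or udp, not '$proto'" >&2; return 1 ;;
    esac
    for p in "$pub_port" "$int_port"; do
        case "$p" in
            ''|*[!0-9]*) echo "port_forward: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port_forward: port $p out of range" >&2; return 1
        fi
    done
    if ! in_lan "$int_ip"; then
        echo "port_forward: $int_ip is not inside $LAN_NET" >&2; return 1
    fi
    # Rewrite the destination only for connections arriving on the Internet
    # interface; without -i the LAN's own outbound traffic on this port would
    # be redirected to the internal host as well.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$pub_port" \
        -j DNAT --to-destination "$int_ip:$int_port" || return 1
    # FORWARD sees the packet after DNAT, so match the internal address and port.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$int_ip" --dport "$int_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run demonstration: the mail server from the guide, plus SSH on a
# non-standard public port mapped to port 22 on a LAN host (constructed values).
port_forward tcp 25 192.168.1.2
port_forward tcp 2222 192.168.1.10 22
```

Because the FORWARD rule is derived from the same variables as the DNAT rule, a typo in one cannot silently leave the other pointing at a different port, which is exactly the kind of mismatch that makes a redirect fail under a DROP policy while looking correct in the nat table.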


Need priority on getting out those packets?

iptables -A OUTPUT -t mangle -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
iptables -A OUTPUT -t mangle -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput

Now to have all this kick in at reboot, make sure rc.fw is executable (chmod +x /etc/rc.d/rc.fw, otherwise the -x test below will quietly skip it) and add the following into /etc/rc.d/rc.local


if [ -x /etc/rc.d/rc.fw ]; then
  /etc/rc.d/rc.fw ; echo "Firewall started"
fi

8:02 PM - Tuesday Dec 12, 2017                        

     Copyright © Noel Butler 2001-2017. All rights Reserved.