Fons Adriaensen:
... And if it's a public server, I'd rather not have anybody logging in
through ssh who is not capable of dealing with key logins. I disabled
password logins through ssh on my public machines.

That seems to be the best way to deal with it.
A weakly related OT question:
I need to set up a machine as a router. One side is
a fixed public IP address, the other side is a local
net using 192.168.1.x. I want to give internet access
to the machines on the local net, so this requires
(AFAIK) NAT. Does anyone have a pointer to a good tutorial
about how to do this?

I once put the lines below into an init file to do this.
I don't know what happens, I just copied from a post
found on the internet, one like this. :-)
In case there is a security problem with this method,
someone will hopefully write a comment about it. I think
eth0 is connected to the world, and eth1 is connected to
the local network, but it could have been the other way too.

/sbin/rmmod ipchains
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/iptables -F -t filter
/sbin/iptables -Z -t filter
/sbin/iptables -X -t filter
/sbin/iptables -F -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -X -t nat
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# drop spoof packets
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
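
For comparison with the script above, an added example (not part of the original post) of the same NAT setup with default-deny policies: the posted rules leave the INPUT policy at ACCEPT with no INPUT rules, so every service listening on the router itself is reachable from eth0. It assumes eth0 is the public side, eth1 the local net 192.168.1.0/24, and ssh administration from the local net only; the IPT dry-run variable and the function name are made up for the example.

```sh
#!/bin/sh
# Added example, not from the original post: default-deny NAT router rules.
# Assumed: eth0 = public side, eth1 = local net 192.168.1.0/24.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
# Hypothetical dry-run switch: by default the commands are only printed.
# Run with IPT=/sbin/iptables (as root) to apply them.
IPT=${IPT:-echo /sbin/iptables}

nat_router_rules() {
    # Start from empty chains, as the original script does.
    $IPT -F -t filter
    $IPT -F -t nat

    # Drop by default, both to the router itself and through it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Router itself: loopback, replies to its own traffic, ssh from the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Forwarding: LAN may open connections outward, WAN may only answer.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite the source address of LAN traffic leaving on the public side.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

nat_router_rules
```

The module loading and the two /proc settings from the posted script still apply unchanged. Any other service the router offers to the local net needs its own INPUT rule.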