[Cialug] Home/Office Network start script
djweis at sjdjweis.com
Mon Jun 13 23:08:46 CDT 2005
On Tue, 14 Jun 2005, steve.phares at mchsi.com wrote:
> Thank you in advance for your time and concideration.
> I have a new/clean install of RedHat Pro WorkStation (kernel = 2.4.21)
> with two ethetnet NICs to be used primarily as a router/firewall.
> One NIC pointing to the cable/broadband service provider and the second
> pointing to a number of wintel and linux boxes via a small switch on the
> inside VLAN.
> I currently login as root and run, (manually) a very simple seven line script
> that I wrote/borrowed (see below).
You can cut this down quite a bit and use some of the startup things that
are already on your machine.
Edit /etc/sysctl.conf, look for
net.ipv4.ip_forward = 0
and change it to
net.ipv4.ip_forward = 1
Before running your script, run this:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/service iptables save
/sbin/chkconfig --level 345 iptables on
Take the line out of rc.local, your firewall will come up automatically in
any of the appropriate runlevels.
You might also want to edit
Change the line reading
This will make active FTP work correctly.
> Four lines to cleanup/flush iptables and nat, two lines to re-establish
> iptables and nat with the last line to enable packet forwording by the kernel.
> I know the script needs A LOT of firewall TLC/tweeking, but it DOES function
> and allows IP traffic to pass to/from the office network to the real world!
The simpler, the better. Most of the iptables scripts online are verbatim
translations of ipchains scripts that had big holes to begin with. The
single line above is tighter than about anything you would have been able
to do in kernels 2.2 and lower.
> #Flush and delete filters and chains
> iptables --flush
> iptables -table nat flush
> iptables -delete-chain
> iptables --table nat delete-chain
> #Setup Forwarding and Masquerading
> iptables table nat append POSTROUTING out-interface eth1 j
> iptables append FORWARD in-interface eth0 j ACCEPT
> #Enable IP packet forwarding by the kernel
> echo > 1 /proc/sys/net/ipv4/ip_forward
> Cialug mailing list
> Cialug at cialug.org
Dave Weis "I believe there are more instances of the abridgment
djweis at sjdjweis.com of the freedom of the people by gradual and silent
encroachments of those in power than by violent
and sudden usurpations."- James Madison
More information about the Cialug