[Cialug] Home/Office Network start script

Dave Weis djweis at sjdjweis.com
Mon Jun 13 23:08:46 CDT 2005


On Tue, 14 Jun 2005, steve.phares at mchsi.com wrote:
> Thank you in advance for your time and consideration.
> I have a new/clean install of RedHat Pro WorkStation (kernel = 2.4.21)
> with two ethernet NICs to be used primarily as a router/firewall.
> One NIC pointing to the cable/broadband service provider and the second
> pointing to a number of wintel and linux boxes via a small switch on the
> inside VLAN.
> I currently login as root and run (manually) a very simple seven line script
> that I wrote/borrowed (see below).

You can cut this down quite a bit and use some of the startup things that 
are already on your machine.

Edit /etc/sysctl.conf, look for
net.ipv4.ip_forward = 0
and change it to
net.ipv4.ip_forward = 1

Run
/sbin/sysctl -p
as root

Before running your script, run this:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Then
/sbin/service iptables save
/sbin/chkconfig --level 345 iptables on

Take the line out of rc.local; your firewall will come up automatically in 
any of the appropriate runlevels.

You might also want to edit
/etc/sysconfig/iptables-modules
Change the line reading
#IPTABLES_MODULES=""
to
IPTABLES_MODULES="ip_nat_ftp"

This will make active FTP work correctly.

> Four lines to cleanup/flush iptables and nat, two lines to re-establish
> iptables and nat with the last line to enable packet forwarding by the kernel.
>
> I know the script needs A LOT of firewall TLC/tweaking, but it DOES function
> and allows IP traffic to pass to/from the office network to the real world!

The simpler, the better. Most of the iptables scripts online are verbatim 
translations of ipchains scripts that had big holes to begin with. The 
single line above is tighter than about anything you would have been able 
to do in kernels 2.2 and lower.

dave
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> #ScriptX
> #
> #Flush and delete filters and chains
>       iptables --flush
>       iptables --table nat --flush
>       iptables --delete-chain
>       iptables --table nat --delete-chain
> #
> #Setup Forwarding and Masquerading
>       iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
>       iptables --append FORWARD --in-interface eth0 -j ACCEPT
> #
> #Enable IP packet forwarding by the kernel (the value goes before the
> #redirect; "echo > 1 /proc/..." would write the path into a file named "1")
>       echo 1 > /proc/sys/net/ipv4/ip_forward
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>

-- 
Dave Weis             "I believe there are more instances of the abridgment
djweis at sjdjweis.com   of the freedom of the people by gradual and silent
                       encroachments of those in power than by violent
                       and sudden usurpations."- James Madison
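The posted script and the reply above between them cover the four pieces of a two-NIC NAT box: flush, MASQUERADE on the outside interface, ip_forward, and letting the iptables service save and restore the result. What neither shows is a filter: the posted script never sets chain policies, and a flush does not touch them, so INPUT and FORWARD stay at the built-in ACCEPT and the router itself answers on the cable side. The script below is an added example, not code from the thread, that puts the pieces into one file with default-deny policies and a stateful FORWARD chain. It assumes eth1 faces the cable modem and eth0 the office switch (as in the posted script), a LAN of 192.168.1.0/24, and the RHEL 3-era iptables with ip_conntrack; WAN, LAN, LAN_NET, IPT and IP_FORWARD_FILE are overridable assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal stateful NAT router for a
# two-NIC Red Hat box (kernel 2.4 iptables with ip_conntrack). Assumptions:
# eth1 faces the cable modem and eth0 the office switch, the LAN is
# 192.168.1.0/24, and IPT may be overridden (IPT=echo gives a dry run).

WAN=${WAN:-eth1}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-/sbin/iptables}
IP_FORWARD_FILE=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}

flush_rules() {
    # Same four lines as the posted script. Flushing does NOT reset chain
    # policies, which is why set_policies below is a separate step.
    $IPT --flush
    $IPT --table nat --flush
    $IPT --delete-chain
    $IPT --table nat --delete-chain
}

set_policies() {
    # Default-deny for traffic aimed at the router and for transit traffic.
    # The posted script left both chains at the built-in ACCEPT.
    $IPT --policy INPUT DROP
    $IPT --policy FORWARD DROP
    $IPT --policy OUTPUT ACCEPT
}

filter_rules() {
    # Loopback, and replies to connections the box opened itself.
    $IPT --append INPUT --in-interface lo --jump ACCEPT
    $IPT --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # The office side may reach the router; the cable side may not open anything.
    $IPT --append INPUT --in-interface "$LAN" --source "$LAN_NET" --jump ACCEPT
    # Anti-spoofing: transit packets arriving on the LAN must carry a LAN address.
    $IPT --append FORWARD --in-interface "$LAN" ! --source "$LAN_NET" --jump DROP
    # Office hosts may open connections out; only replies come back in.
    $IPT --append FORWARD --in-interface "$LAN" --out-interface "$WAN" \
        --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT
    $IPT --append FORWARD --in-interface "$WAN" --out-interface "$LAN" \
        --match state --state ESTABLISHED,RELATED --jump ACCEPT
}

nat_rules() {
    # The one line the reply recommends: rewrite the source of everything leaving eth1.
    $IPT --table nat --append POSTROUTING --out-interface "$WAN" --jump MASQUERADE
}

enable_forwarding() {
    # Same effect as net.ipv4.ip_forward = 1 in /etc/sysctl.conf followed by
    # sysctl -p. Value first, then the redirect.
    echo 1 > "$IP_FORWARD_FILE"
}

apply_firewall() {
    flush_rules
    set_policies
    filter_rules
    nat_rules
    enable_forwarding
    # Afterwards, as in the reply:  /sbin/service iptables save
    #                               /sbin/chkconfig --level 345 iptables on
}

# Only touch the live ruleset when asked to, so the file can be sourced for testing.
case "${1:-}" in
    --apply) apply_firewall ;;
esac
```

Run it as root with `sh nat-router.sh --apply`; `IPT=echo IP_FORWARD_FILE=/dev/null sh nat-router.sh --apply` prints the rules it would load without needing root. Because the functions call `$IPT` rather than `/sbin/iptables` directly, the same file can be exercised with a recording stub before it ever touches the live tables.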

