Excellent HOWTO. Good work
We had a talk about IP blacklists before, so this is what I am using now; by also changing the ssh port away from 22 and closing it to IP/PORT or MAC/PORT, I do not have any unwelcome visits.
This is the code for the blacklist:
Code:
# $IP_BLACKLIST is a file name with ip addresses, one per row
if [ "$IP_BLACKLIST" != "" ]; then
    if [ -f "$IP_BLACKLIST" ]; then
        # file exists
        echo "applying custom IP blacklist...."
        $IPT -N ipblacklist   # -N creates a New, user defined chain (ipblacklist here)
        while read -r line
        do
            #echo $line
            $IPT -A ipblacklist -s "$line" -j DROP
        done < "$IP_BLACKLIST"
        # the chain is only consulted once something jumps to it
        $IPT -A INPUT -j ipblacklist
    else
        echo "Error reading custom blacklist file:"
        echo "$IP_BLACKLIST"
    fi
fi
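The same idea as the blacklist loop above, written as an added example (not the poster's script) that also validates each entry before it becomes a rule, skips comments and blank lines, and hooks the chain into both INPUT and FORWARD. The function names (is_ipv4_or_cidr, load_blacklist), the chain name and the sample addresses are assumptions; IPT defaults to "echo iptables" so the rules are only printed, set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: load an IP blacklist file into its own chain.
# IPT defaults to a dry run that prints the iptables commands.
IPT="${IPT:-echo iptables}"

# is_ipv4_or_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/nn with sane octets/prefix
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32      # no slash: a single host
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    for o in $addr; do
        if [ "$o" -gt 255 ]; then IFS=$oldifs; return 1; fi
    done
    IFS=$oldifs
    return 0
}

# load_blacklist FILE [CHAIN]: create CHAIN, add one DROP per valid entry,
# then jump to CHAIN from the top of INPUT and FORWARD (so it also covers NAT clients)
load_blacklist() {
    file=$1; chain=${2:-ipblacklist}
    [ -f "$file" ] || { echo "Error reading custom blacklist file: $file" >&2; return 1; }
    $IPT -N "$chain"
    $IPT -F "$chain"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                             # drop trailing comments
        line=$(printf '%s' "$line" | tr -d ' \t')    # and surrounding whitespace
        [ -z "$line" ] && continue
        if is_ipv4_or_cidr "$line"; then
            $IPT -A "$chain" -s "$line" -j DROP
        else
            echo "skipping malformed blacklist entry: $line" >&2
        fi
    done < "$file"
    $IPT -I INPUT 1 -j "$chain"
    $IPT -I FORWARD 1 -j "$chain"
}

# Constructed sample blacklist (not from the thread), written to a temp file
SAMPLE_BLACKLIST=$(mktemp)
trap 'rm -f "$SAMPLE_BLACKLIST"' EXIT
cat > "$SAMPLE_BLACKLIST" <<'EOF'
# constructed example entries
192.0.2.10
198.51.100.0/24   # whole test network
not-an-address
203.0.113.5
EOF

load_blacklist "$SAMPLE_BLACKLIST"
```

Malformed lines are reported on stderr instead of being passed to iptables, which would otherwise abort the script half way through with the chain partly filled.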
Just have to say thank you for this excellent HOWTO! Your HOWTO is one of very few documentations which are compact, easy to understand and, most important, easy to implement.
There's no need to spend hours with "trial & error" to find out how to migrate the given examples onto my own machine! Your solution works pretty well.
I just have a question about NAT, because my server is also working as a NAT server which is used by six (internal LAN) clients to connect to the internet. Working solution.
When I try to implement your firewall solution I have trouble with the other clients, which can't connect to the server and to the internet anymore.
When I stop the firewall service, prevent it from starting up automatically and delete the files "firewall.bash, etc." I still have the same problem as before. Tried several reboots but it had no effect.
The firewall is implemented exactly as you are describing it in this HOWTO - no changes or mods.
The server has been set up from scratch and never had any firewall installed.
The question is whether there may be any other files or hidden options to be set to make the firewall changes disappear so that NAT will work again?
Very interesting would be if there might be any way that lets the firewall do its job and lets the server still provide NAT services?
I don't want to remove the firewall because it's working really well. That's why I'm searching for a solution to get your firewall and the NAT functionality together on one server.
Thank you so much in advance!!
In the firewall script I gave in the first post you can see the following:
Code:
# DROP all forward packets, we don't share internet connection in this example
iptables -A FORWARD -j DROP
It means that FORWARD packets are all dropped, so it is normal that connection sharing doesn't work anymore.
If you want to transfer all ports to your LAN you can just comment this line and add the following instead:
Code:
iptables -A FORWARD -j ACCEPT
# hide computers behind the firewall
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
You have some basics in the first post about FORWARD packets; they are the ones that handle/create the NAT feature.
Last edited by frodon; April 20th, 2009 at 09:41 PM.
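The answer above opens FORWARD completely; the added example below (not frodon's script) shares the connection the same way but lets only the LAN open new connections outwards, with a default DROP and a rate-limited LOG for what gets refused. The interface names (eth0 towards the internet, eth1 towards the LAN), the LAN subnet 192.168.1.0/24 and the function names are assumptions. RUN defaults to "echo", so the commands are printed; set RUN="" and run as root to apply them.

```shell
#!/bin/sh
# Added example: restrictive connection sharing instead of "iptables -A FORWARD -j ACCEPT".
# RUN defaults to "echo" (dry run); RUN="" executes the commands for real.
RUN="${RUN-echo}"

# forward_rules WAN_IF LAN_IF LAN_NET: print/apply the FORWARD and NAT rules
forward_rules() {
    wan=$1; lan=$2; net=$3
    # default policy DROP and an empty chain, so only the rules below decide
    $RUN iptables -P FORWARD DROP
    $RUN iptables -F FORWARD
    # replies for connections we already know about may pass in either direction
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new connections only from the LAN side, with a LAN source address, towards the internet
    $RUN iptables -A FORWARD -i "$lan" -o "$wan" -s "$net" -m state --state NEW -j ACCEPT
    # everything else (internet -> LAN, spoofed sources) is logged at a low rate, then dropped
    $RUN iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
    $RUN iptables -A FORWARD -j DROP
    # hide computers behind the firewall: rewrite LAN sources to the address of WAN_IF
    $RUN iptables -t nat -A POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
}

# enable_forwarding: the kernel must also be told to route between the interfaces
enable_forwarding() {
    $RUN sysctl -w net.ipv4.ip_forward=1
}

forward_rules eth0 eth1 192.168.1.0/24
enable_forwarding
```

Order matters: the ESTABLISHED,RELATED rule first keeps return traffic cheap, the NEW rule decides who may start connections, and the LOG before the final DROP shows in the kernel log which forwarded packets the firewall refused.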
wow... that's what I'd call "JUST IN TIME"!!
Thanks for your very quick response! Everything's running as desired now!
Firewall AND NAT service are both working together on one single server now. GREAT!!
Thank you once again for your support and for this excellent HOWTO!! Helped me very much.
I actually used Ubuntu Firewall by Robert Pectol for his installation script, log etc., but added some corrections from this great guide, ip blacklist...
and made a digg.
I'm new to Iptables. This has been very helpful so far. I want to make a whitelist of sites to let my students access. I'm still confused.
I was able to kill Internet access totally today for the classes that just waste time playing games and turn it back on for the others. Hooray.
Now I want to give those kids a short list of sites related to the class they can access.
So this line will drop any site not google.
Code:
iptables -A INPUT -p tcp --source ! google.com -j DROP
Do I DROP the FORWARD chain then add rules to ACCEPT sites,
or ACCEPT the FORWARD chain then add rules to DROP sites?
Or am I completely confused?
Frodon, thanks for the great writeup.
What do I need to do to open port 22 for ssh in addition to what you have shown?