On Monday 17 Feb 2003 3:28 pm, Ted Gervais wrote:
> I am wondering about whether there are any good examples of various
> configurations for iptables.
> In particular the use of NAT and port forwarding etc.
>
> Actually any good examples of general usage of iptables would be
> helpful. I am changing over (again) from ipchains and while there are good
> tutorials out there, a few good examples now and then sure makes things a
> lot clearer..
>
> Thanks..
Hi Ted,

this is a VERY basic iptables file. It allows outbound masqueraded connections, plus has a single port forward to make a remote host appear to be on my local network. It also stops (most) inbound connections by dropping the SYN packet coming in on the public interface.

The file itself was generated by iptables-save which basically dumps the current iptables settings created by the iptables command. I then saved the file as /etc/sysconfig/iptables so it gets read in automatically at bootup. The file can also be read in using the iptables-restore command.

To play with the file, you can simply take a line from the file and prepend the iptables command to it, e.g.

  iptables -A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2

will add the port forward rule directly.

HTH
Gary

# Generated by iptables-save v1.2.5 on Fri Jan 17 14:50:07 2003
# comments added by G.Stainburn
*nat
:PREROUTING ACCEPT [1490:290942]
:POSTROUTING ACCEPT [33:2048]
:OUTPUT ACCEPT [22:1452]
# Make 192.168.1.2 appear as 10.1.0.34
-A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2
# allow outbound connections
-A POSTROUTING -s 10.1.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.2.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.3.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.4.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.5.0.0/255.255.0.0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 17 14:50:07 2003
# Generated by iptables-save v1.2.5 on Fri Jan 17 14:50:07 2003
*filter
:INPUT ACCEPT [2001:354022]
:FORWARD ACCEPT [879:116086]
:OUTPUT ACCEPT [460:57383]
# disable inbound connections by ignoring SYN packets
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Fri Jan 17 14:50:07 2003

>
> ---
> Ted Gervais,
> Coldbrook, Nova Scotia, Canada

--
Gary Stainburn

This email does not contain private or confidential material as it may be snooped on by interested government parties for unknown and undisclosed purposes - Regulation of Investigatory Powers Act, 2000

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
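As an added illustration (not part of the thread, and not Gary's own tooling), the Python script below parses a dump in the iptables-save format Gary posted and audits it from a defender's point of view: it lists the DNAT mappings in the nat table and reports which filter chains actually carry a rule dropping new TCP connections from the public interface. Run against Gary's dump (embedded as DUMP with the comment lines stripped) it shows the SYN-drop rule sits in FORWARD only, so it protects hosts routed through the box but not services on the firewall itself, which packets reach via INPUT; that is the gap behind his "(most)". It also shows the DNAT rule carries no -p or --dport, so it redirects every port for 10.1.0.34, not a single one. Function and class names are my own assumptions; the format details (`*table`, `:CHAIN POLICY [pkts:bytes]`, `-A` lines, `COMMIT`) are standard iptables-save output.

```python
"""Parse iptables-save output and audit it for a few common gaps.

Added example for the redhat-list thread above; not the poster's code.
DUMP is the iptables-save file from the post with comment lines removed,
embedded so the script runs offline.
"""
import shlex
from dataclasses import dataclass, field

DUMP = """\
*nat
:PREROUTING ACCEPT [1490:290942]
:POSTROUTING ACCEPT [33:2048]
:OUTPUT ACCEPT [22:1452]
-A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -s 10.1.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.2.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.3.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.4.0.0/255.255.0.0 -j MASQUERADE
-A POSTROUTING -s 10.5.0.0/255.255.0.0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [2001:354022]
:FORWARD ACCEPT [879:116086]
:OUTPUT ACCEPT [460:57383]
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
"""


@dataclass
class Rule:
    chain: str
    args: list  # tokens following "-A <chain>"

    def opt(self, flag):
        """Return the value following a flag such as "-j" or "-i", or None."""
        if flag in self.args:
            i = self.args.index(flag)
            if i + 1 < len(self.args):
                return self.args[i + 1]
        return None


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)  # chain -> default policy
    rules: list = field(default_factory=list)


def parse_iptables_save(text):
    """Return {table_name: Table} for an iptables-save dump."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # "*nat", "*filter"
            current = Table(line[1:])
            tables[current.name] = current
        elif line == "COMMIT":
            current = None
        elif line.startswith(":"):               # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]  # user chains have policy "-"
            current.policies[chain] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)           # shlex keeps quoted -m comment text intact
            current.rules.append(Rule(tokens[1], tokens[2:]))
    return tables


def dnat_mappings(tables):
    """(public address, internal address) pairs from nat PREROUTING DNAT rules."""
    nat = tables.get("nat")
    return [(r.opt("-d"), r.opt("--to-destination"))
            for r in (nat.rules if nat else [])
            if r.chain == "PREROUTING" and r.opt("-j") == "DNAT"]


def chains_dropping_new_tcp(tables, iface):
    """Filter chains holding a rule that drops bare SYNs arriving on iface."""
    found = set()
    for r in tables["filter"].rules:
        if (r.opt("-i") == iface and r.opt("-p") == "tcp"
                and r.opt("--tcp-flags") == "SYN,RST,ACK" and r.opt("-j") == "DROP"):
            i = r.args.index("--tcp-flags")      # takes two values: mask, then set bits
            if r.args[i + 2] == "SYN":
                found.add(r.chain)
    return found


def audit(tables, public_iface="eth1"):
    """Return human-readable findings about the rule set."""
    findings = []
    covered = chains_dropping_new_tcp(tables, public_iface)
    for chain in ("INPUT", "FORWARD"):
        if chain not in covered and tables["filter"].policies.get(chain) == "ACCEPT":
            findings.append(f"{chain}: policy ACCEPT and no rule drops new TCP from {public_iface}")
    for pub, internal in dnat_mappings(tables):
        findings.append(f"DNAT: {pub} -> {internal} (no -p/--dport, so every port is redirected)")
    return findings


if __name__ == "__main__":
    for line in audit(parse_iptables_save(DUMP)):
        print(line)
```

To check a live box, replace DUMP with the output of `iptables-save` (run as root) and pass the real public interface name to audit(); adding a DROP rule with the same match to INPUT, or switching the INPUT policy to DROP with explicit ACCEPTs for needed services, closes the gap the first finding reports.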