On Monday 17 Feb 2003 3:28 pm, Ted Gervais wrote:
> I am wondering about whether there are any good examples of various
> configurations for iptables.
> In particular the use of NAT and port forwarding etc.
>
> Actually any good examples of general usage of iptables would be
> helpful.  I am changing over (again) from ipchains and while there are good
> tutorials out there, a few good examples now and then sure makes things a
> lot clearer..
>
> Thanks..

Hi Ted,

this is a VERY basic iptables file.  It allows outbound masqueraded 
connections, plus has a single port forward to make a remote host appear to 
be on my local network.

It also stops (most) inbound connections by dropping the SYN packet coming in 
on the public interface.

The file itself was generated by iptables-save which basically dumps the 
current iptables settings created by the iptables command. I then saved the 
file as /etc/sysconfig/iptables so it gets read in automatically at bootup.  
The file can also be read in using the iptables-restore command.

To play with the file, you can simply take a line from the file and prepend 
the iptables command to it, e.g. 

iptables -t nat -A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2

will add the port forward rule directly.

HTH

Gary

# Generated by iptables-save v1.2.5 on Fri Jan 17 14:50:07 2003
# comments added by G.Stainburn
*nat
:PREROUTING ACCEPT [1490:290942]
:POSTROUTING ACCEPT [33:2048]
:OUTPUT ACCEPT [22:1452]
# Make 192.168.1.2 appear as 10.1.0.34
-A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2 
# allow outbound connections
-A POSTROUTING -s 10.1.0.0/255.255.0.0 -j MASQUERADE 
-A POSTROUTING -s 10.2.0.0/255.255.0.0 -j MASQUERADE 
-A POSTROUTING -s 10.3.0.0/255.255.0.0 -j MASQUERADE 
-A POSTROUTING -s 10.4.0.0/255.255.0.0 -j MASQUERADE 
-A POSTROUTING -s 10.5.0.0/255.255.0.0 -j MASQUERADE 
COMMIT
# Completed on Fri Jan 17 14:50:07 2003
# Generated by iptables-save v1.2.5 on Fri Jan 17 14:50:07 2003
*filter
:INPUT ACCEPT [2001:354022]
:FORWARD ACCEPT [879:116086]
:OUTPUT ACCEPT [460:57383]
# disable inbound connections by ignoring SYN packets
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP 
COMMIT
# Completed on Fri Jan 17 14:50:07 2003


>
> ---
> Ted Gervais,
> Coldbrook, Nova Scotia, Canada

-- 
Gary Stainburn
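An added example, not part of Gary's post, of the "prepend iptables" trick applied to a whole iptables-save dump: a POSIX sh/awk script that turns each -A line into an iptables command carrying the right -t table (the nat rules need -t nat, which a bare "iptables -A PREROUTING ..." omits, so the rule would be rejected or land in the wrong table). The sample input is a trimmed copy of the rules from the post with the counters zeroed; function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): convert an iptables-save dump
# into one iptables command per rule, each tagged with the table it came from.
# In the dump, '*name' starts a table, ':CHAIN policy [pkts:bytes]' lines set
# chain policies, '#' lines are comments and COMMIT ends a table; only the
# '-A ...' lines are rules, so only those become commands.

# Read an iptables-save file on stdin, print "iptables -t <table> -A ..." lines.
save_to_commands() {
    awk '
        /^\*/     { table = substr($0, 2); next }  # *nat, *filter, ...
        /^[:#]/   { next }                          # chain policy or comment
        /^COMMIT/ { next }
        /^-/      { sub(/[ \t]+$/, "")              # drop trailing blanks
                    print "iptables -t " table " " $0 }
    '
}

# Constructed input: the rules from the post (DNAT, one MASQUERADE line and
# the SYN-drop on eth1), with counters zeroed.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Make 192.168.1.2 appear as 10.1.0.34
-A PREROUTING -d 10.1.0.34 -j DNAT --to-destination 192.168.1.2 
-A POSTROUTING -s 10.1.0.0/255.255.0.0 -j MASQUERADE 
COMMIT
*filter
:FORWARD ACCEPT [0:0]
# disable inbound connections by ignoring SYN packets
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP 
COMMIT
EOF
}

# Preview the commands; pipe the output into "sh" (as root) to apply them.
sample_rules | save_to_commands
```

Note that the FORWARD rule only stops new TCP connections; UDP and ICMP are still forwarded unless further rules are added.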