iptables and dhcp
ron.peterson at yellowbank.com
Tue Feb 25 21:08:05 EST 2003
On Tue, Feb 25, 2003 at 05:44:54PM -0800, Abhishake Pathak wrote:
> I had a couple of questions regarding iptables, dhcp
> and redhat 8.
> I'm running redhat 8. I want to use my linux box as a
> firewall/router. I have two other computers that will
> be connected to it. Can someone please tell me how I
> would be able to set up iptables to do this? Also I
> wanted to know how I would do this if I had dhcp.
If you have dhcp where? You'll need to choose between using your
multi-homed linux box as a transparent bridge or using its NAT
capabilities to masquerade a private network. If you take the
transparent bridge route, you'll need to patch your kernel if you want
to run iptables rules over the bridge. I'd suggest ip masquerading, and
running dhcpd on the masquerading NAT box. The following script sets up
masquerading (the last line) and also disallows any traffic not
associated with connections established by masqueraded hosts.
#!/bin/bash
IPTABLES="/sbin/iptables"
EXTIF="eth0"   # Internet-facing interface
INTIF="eth1"   # private (masqueraded) network
# turn on routing between the two interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
# replies to connections the inside hosts opened
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# everything else arriving from outside (NEW as well as INVALID) is dropped;
# dropping only --state NEW would let INVALID packets fall through to the ACCEPT policy
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j DROP
# inside hosts may open anything outbound
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
If you do this, you'll likely want to run a dhcp server for your
masqueraded hosts as well. Something like the following /etc/dhcpd.conf:
option domain-name "mydomain.com";
option domain-name-servers a.nameserver.com, b.nameserver.com;
option subnet-mask 255.255.0.0;
default-lease-time 600;
max-lease-time 7200;
# do this while setting up so you don't mess things up.
# default-lease-time 120;
# max-lease-time 120;
shared-network MY-PRIVATE {
    subnet 172.17.0.0 netmask 255.255.0.0 {
        range dynamic-bootp 172.17.1.1 172.17.1.255;
        # broadcast address of the /16, not its network address
        option broadcast-address 172.17.255.255;
        # address of private interface on masquerading NAT box
        option routers 172.17.0.1;
    }
}
Make sure to tell dhcpd the proper interface!
I use Debian. I don't know if RH 8.0 has any peculiar
peccadilloes.
--
Ron Peterson -o)
87 Taylor Street /\\
Granby, MA 01033 _\_v
https://www.yellowbank.com/ ----
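The script and dhcpd.conf above are one procedure: a two-interface box that masquerades a private 172.17.0.0/16 network and hands out leases on its inside interface. As an added example (not Ron's script and not part of the original post), the shell function below emits the same setup in iptables-restore format but with default-DROP policies on INPUT and FORWARD, an explicit INVALID drop, and an INPUT rule for the DHCP requests dhcpd has to see, using the conntrack match that replaced the older state match. The interface names, the LAN range and the ssh allowance from the LAN are assumptions; change them to fit your box.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Emit an iptables-restore ruleset for a masquerading NAT box that also
# runs dhcpd on its private interface. Arguments (all assumptions, with
# defaults taken from the post): external iface, internal iface, LAN prefix.
build_nat_ruleset() {
    extif="${1:-eth0}"
    intif="${2:-eth1}"
    lan="${3:-172.17.0.0/16}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The box itself: loopback, replies to its own connections, and nothing
# conntrack cannot classify (INVALID is dropped before any ACCEPT).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP: clients send from UDP 68 to UDP 67 before they have an address,
# so this rule is restricted by interface rather than by source IP.
-A INPUT -i ${intif} -p udp --sport 68 --dport 67 -j ACCEPT
# Admin access from the LAN only (assumed: ssh on 22 on the inside address).
-A INPUT -i ${intif} -s ${lan} -p tcp --dport 22 -j ACCEPT
# Forwarding: LAN hosts out freely; from outside only replies, never
# NEW or INVALID. With a DROP policy nothing falls through by accident.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ${intif} -o ${extif} -s ${lan} -j ACCEPT
-A FORWARD -i ${extif} -o ${intif} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only the LAN prefix, so a stray source address is not NATed.
-A POSTROUTING -s ${lan} -o ${extif} -j MASQUERADE
COMMIT
EOF
}

# Stand-alone use prints the ruleset; no root needed to generate it.
build_nat_ruleset "${1:-eth0}" "${2:-eth1}" "${3:-172.17.0.0/16}"
```

Save the output and load it atomically, then enable forwarding: `build_nat_ruleset eth0 eth1 172.17.0.0/16 > /etc/iptables.rules && iptables-restore < /etc/iptables.rules && sysctl -w net.ipv4.ip_forward=1`. Because iptables-restore replaces the whole table in one step, there is no window with the flushed-but-ACCEPT state that a line-by-line script passes through.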