
Setting up a Linux Home Gateway

3. Choices of implementation


6. Kernel configuration

6.1. If using iptables

Iptables is actually a user-space tool and depends on the kernel implementation called netfilter. Netfilter includes support only for IPv4 and IPv6 and does not filter any other protocols; hence, if your system also runs something like IPX, remember that protocols other than IPv4 and IPv6 are not going to be filtered according to the iptables rules. Use kernel 2.4.18 or above, if possible, to have all the new features of netfilter.

Install the iptables software on your system (apt-get install iptables). Once you know that your kernel is configured with netfilter support, you need not worry about it any further; just remember that iptables needs the netfilter support in the kernel.

Check whether your kernel is configured to support iptables. Though most distributions include this support by default, do this quick test as root.

bash# modprobe ip_tables
bash# lsmod | grep ip_tables

If either of the above commands gives an error, or ip_tables does not show up in the module listing, you must enable these options in the kernel configuration using make menuconfig or make xconfig:

  • Code maturity-level options for development and/or incomplete code/drivers

  • Network packet filtering in Networking options.

  • IP: Netfilter Configuration in Networking options.

Select all of these options as modules.


8. Network Settings on Gateway


9. IP Masquerade Configuration

9.1. For PPP Connections

Create the file /etc/gateway.rules with the following initial ruleset:


9.1.1. If using ipchains

/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i ppp0 -s 192.168.1.0/24 -j MASQ

9.1.2. If using iptables

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F #ignore if you get an error here
/sbin/iptables -X #deletes every non-builtin chain in the table

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP

/sbin/iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

/sbin/iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

9.2. For Ethernet connections (cable modem, DSL or T1)

I am assuming that eth0 refers to the external interface and eth1 refers to the internal interface.


9.2.1. If using ipchains

For users connecting to an external network over Ethernet and using ipchains:

/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -P forward REJECT

# use this line if you have a dynamic IP address (on DHCP or BOOTP)
# configured from your ISP
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth0 -s 192.168.1.0/24 -j MASQ

9.2.2. If using iptables

For users connecting to an external network over Ethernet and using iptables:

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F #ignore if you get an error here
/sbin/iptables -X #deletes every non-builtin chain in the table

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# use this line if you have a static IP address from your ISP
# replace your static IP with x.x.x.x
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.x.x.x

# use this line only if you have dynamic IP address from your ISP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT
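Neither iptables ruleset above sets a policy on the FORWARD chain, so it stays at the kernel default of ACCEPT, and new connections arriving on the external interface and addressed to the LAN fall through to that policy. The following script is an added example, not part of the original article: it builds the same masquerading gateway as 9.2.2 (and 9.1.2, if ppp0 is passed as the external interface) with default-deny policies and an anti-spoofing rule; the names run, gateway_rules, DRY_RUN and IPT are chosen here.

```shell
#!/bin/sh
# Added example (not from the article): masquerading gateway ruleset with a
# default-deny FORWARD policy and an anti-spoofing rule. Names below (run,
# gateway_rules, DRY_RUN, IPT) are chosen here. Usage as root:
#   sh gateway-rules.sh eth0 eth1 192.168.1.0/24 [PUBLIC_IP]
# DRY_RUN=1 prints the iptables commands instead of applying them.
IPT="${IPT:-/sbin/iptables}"

# run ARGS... : apply one iptables command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else "$IPT" "$@"; fi
}

# gateway_rules EXT INT LAN_NET [PUBLIC_IP]: EXT/INT are the external and
# internal interfaces; with a static PUBLIC_IP use SNAT, otherwise MASQUERADE.
gateway_rules() {
    ext="$1"; int="$2"; lan="$3"; pub="$4"
    # Clean slate, as in section 9
    run -F
    run -t nat -F
    run -t mangle -F
    run -X
    # Default deny for traffic to the gateway and through it
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    # Gateway itself: loopback, replies, new connections from the LAN side only
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$int" -s "$lan" -m state --state NEW -j ACCEPT
    # Anti-spoofing: LAN source addresses must never arrive on the external side
    run -A FORWARD -i "$ext" -s "$lan" -j DROP
    # LAN -> Internet, and only replies to those connections back in
    run -A FORWARD -i "$int" -o "$ext" -s "$lan" -j ACCEPT
    run -A FORWARD -i "$ext" -o "$int" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hide the LAN behind the external address
    if [ -n "$pub" ]; then
        run -t nat -A POSTROUTING -o "$ext" -s "$lan" -j SNAT --to-source "$pub"
    else
        run -t nat -A POSTROUTING -o "$ext" -s "$lan" -j MASQUERADE
    fi
}

# Apply only when interfaces and subnet are given on the command line
[ $# -ge 3 ] && gateway_rules "$@"
```

Run it once with DRY_RUN=1 to review the generated commands before applying them on the gateway, and keep the ip_forward sysctl in the startup script of section 10.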

10. Creating Startup Scripts

Create the script /etc/init.d/gateway with the following contents:

#! /bin/sh

# If no rules, do nothing.
[ -f /etc/gateway.rules ] || exit 0

case "$1" in
start)
    echo -n "Turning on packet filtering:"

    /sbin/modprobe ip_masq_ftp      # only if using ipchains
    /sbin/modprobe iptable_nat      # only if using iptables
    /sbin/modprobe ipt_MASQUERADE   # only if using iptables

    # /etc/gateway.rules holds the ipchains/iptables commands from section 9,
    # so it is run as a shell script (ipchains-restore/iptables-restore expect
    # the saved-rules format instead, not a list of commands)
    /bin/sh /etc/gateway.rules || exit 1

    echo 1 > /proc/sys/net/ipv4/ip_forward
    # for RedHat users, the above line is not needed if you have
    # FORWARD_IPV4=true in the /etc/sysconfig/network file

    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # the above option is for dynamic IP users (DHCP, PPP or BOOTP)

    echo "."
    ;;
stop)
    echo -n "Turning off packet filtering:"
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # only if using ipchains
    /sbin/ipchains -F
    /sbin/ipchains -X
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT

    # only if using iptables
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -X
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    echo "."
    ;;
*)
    echo "Usage: /etc/init.d/gateway {start|stop}"
    exit 1
    ;;
esac

exit 0

Give execute permissions to the startup script:

bash# chmod 744 /etc/init.d/gateway

Use rcconf or chkconfig to create startup links for this file.

Category: Unix/Linux | Added by: Gaby (2008-11-04) | Author: gaby weeb