Iptables is a user-space tool; the actual filtering is done by the kernel implementation called netfilter. Netfilter supports only IPv4 and IPv6 and does not filter any other protocols, so if your system runs something like IPX, remember that protocols other than IPv4 and IPv6 are not filtered according to the iptables rules. Use kernel 2.4.18 or above, if possible, to have all the new features of netfilter. Install the iptables software on your system (apt-get install iptables). Once you know that your kernel is configured with netfilter support, you need not worry about it any further; just remember that iptables needs the netfilter support in the kernel.
Check whether your kernel is configured to support iptables. Though most distributions include this support by default, do this quick test as root. If any of the above commands give an error or ip_tables doesn't show up in the module listing, you must enable these options in the kernel configuration using make menuconfig or make xconfig:

Code maturity level options: development and/or incomplete code/drivers
# Gateway with ppp0 as the Internet link and eth0 as the LAN side
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F   # ignore if you get an error here
/sbin/iptables -X             # deletes every non-builtin chain in the table

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT   # older negation syntax; current iptables writes "! -i ppp0"
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP

/sbin/iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

/sbin/iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

# use this line if you have a dynamic IP address (on DHCP or BOOTP)
# configured from your ISP (note: this line is in ipchains syntax, not iptables)
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
# Gateway with eth0 as the Internet link and eth1 as the LAN side
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F   # ignore if you get an error here
/sbin/iptables -X             # deletes every non-builtin chain in the table

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT   # older negation syntax; current iptables writes "! -i eth0"
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# use this line if you have a static IP address from your ISP
# replace your static IP with x.x.x.x
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.x.x.x

# use this line only if you have a dynamic IP address from your ISP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# If no rules, do nothing.
[ -f /etc/gateway.rules ] || exit 0

case "$1" in
  start)
    echo -n "Turning on packet filtering:"
    /sbin/modprobe ip_masq_ftp      # only if using ipchains
    /sbin/modprobe iptable_nat      # only if using iptables
    /sbin/modprobe ipt_MASQUERADE   # only if using iptables
    /sbin/ipchains-restore < /etc/ipchains.rules || exit 1   # iptables users load their saved rules with /sbin/iptables-restore instead
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # for RedHat users, the above line is not needed if you have
    # FORWARD_IPV4=true in /etc/sysconfig/network file
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # the above option is for Dynamic IP users (DHCP, PPP or BOOTP)
    ;;
esac
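Added example, not code from the page above: the same gateway rules written out as an iptables-restore file, parameterised by interface and NAT mode, with a loader that first checks for kernel ip_tables support. It uses the current "! -i" negation syntax rather than the page's older "-i !", and sets an explicit FORWARD policy of DROP, which goes beyond what the page's rules state; the interface names, the 203.0.113.7 documentation address and the /etc/gateway.rules path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: emit the gateway ruleset above
# as an iptables-restore file so that policies and rules load atomically.
# Assumed arguments: WAN interface, LAN interface, NAT mode (masq|snat) and,
# for snat, the static address the ISP assigned (203.0.113.7 in the usage
# comment is a documentation address, not a real one).
gen_gateway_rules() {
    wan="$1"; lan="$2"; mode="$3"; addr="$4"
    case "$mode" in
        masq) nat_rule="-A POSTROUTING -o $wan -j MASQUERADE" ;;
        snat) [ -n "$addr" ] || { echo "snat mode needs a static address" >&2; return 1; }
              nat_rule="-A POSTROUTING -o $wan -j SNAT --to-source $addr" ;;
        *)    echo "unknown NAT mode: $mode" >&2; return 1 ;;
    esac
    # Default policies are committed together with the ACCEPT rules, so the
    # "only if both rules succeed, then -P INPUT DROP" ordering of the
    # hand-typed version cannot lock you out half-way. FORWARD defaults to
    # DROP here, which the page's rules leave implicit.
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT ! -i $wan -m state --state NEW -j ACCEPT" \
        "-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A FORWARD -i $lan -o $wan -j ACCEPT" \
        "-A FORWARD -i $wan -o $wan -j REJECT" \
        'COMMIT' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "$nat_rule" \
        'COMMIT'
}

# Load a generated file only when the kernel exposes ip_tables support
# (legacy xtables backend lists its tables in /proc/net/ip_tables_names);
# iptables-restore replaces the whole table set or changes nothing.
load_gateway_rules() {
    [ -r /proc/net/ip_tables_names ] || { echo "kernel lacks ip_tables support" >&2; return 1; }
    /sbin/iptables-restore < "$1"
}

# Usage (as root): gen_gateway_rules ppp0 eth0 masq > /etc/gateway.rules
#                  load_gateway_rules /etc/gateway.rules
```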
Static IP address   : 192.168.1.2 to 192.168.2.max-hosts
Subnet mask         : 255.255.255.0
Default gateway     : 192.168.1.1
Primary DNS server  : <primary DNS server as given by your ISP>
Secondary DNS server: <secondary DNS server as given by your ISP>