
pass-through iptables

A discussion in the Linux Networking forum (Linux Forums).

#1
Old 03-01-2004
Phisherman
 
pass-through iptables

My linux box can dial my ISP and it is connected to a hub (eth0).
There are two Windows computers connected to the hub.
How can I change the Linux firewall (temporarily)? I.e., what is the
iptables syntax to do this?

The only thing I got working is the Windows machine can ping an
internet address. No surf, no email, no newsgroups, etc. At this
point I really don't care if my Linux box is attacked by hackers, I'm
ready to reformat the disk anyway.

I'm running squid (do I really need this?). I set it up for
transparent proxy.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

If anyone would like to explain the above command without using
network jargon, I'd appreciate it. It makes little sense to me, but
the HOWTO says I need to execute it. Personally, I find programming
in assembler easier (and more fun) than iptables.




#2
Old 03-01-2004
Cameron Kerr
 
Re: pass-through iptables

Phisherman <nobody@noone.com> wrote:
> My linux box can dial my ISP and it is connected to a hub (eth0).
> There are two Windows computers connected to the hub.
> How can I change the Linux firewall (temporarily)? I.e., what is the
> iptables syntax to do this?


To do what?

> The only thing I got working is the Windows machine can ping an
> internet address. No surf, no email, no newsgroups, etc. At this
> point I really don't care if my Linux box is attacked by hackers, I'm
> ready to reformat the disk anyway.


That seems a bit odd. What is your firewall currently set to?

iptables -L
iptables -t nat -L

> I'm running squid (do I really need this?). I set it up for
> transparent proxy.


Running squid is quite useful. Even for dynamic sites, you can save a
considerable amount of bandwidth from the images it caches (although
this is only useful if you have multiple browsers viewing the site, as
the browser will do its own caching also.)

> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


OK, what this means is that before the packet gets routed (hence the
PREROUTING chain), if it comes in eth0 and is a TCP packet destined to
port 80 (to anywhere on the internet, as there is no destination IP
address/network specified), then instead of forwarding it, cause it to be
delivered to port 3128 on 127.0.0.1.

Because this is a form of NAT (port-forwarding to the local machine), we
need to specify the 'nat' table, where these rules are carried out.

> If anyone would like to explain the above command without using
> network jargon, I'd appreciate it. It makes little sense to me, but
> the HOWTO says I need to execute it. Personally, I find programming
> in assembler easier (and more fun) than iptables.


Once you've written your first firewall, it too can be fun.

--
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!
#3
Old 03-01-2004
Rich Grise
 
Re: pass-through iptables

"Phisherman" <nobody@noone.com> wrote in message
news:jc4540ldmq9gr3b5vqn1934j6akua060k1@4ax.com...
> My linux box can dial my ISP and it is connected to a hub (eth0).
> There are two Windows computers connected to the hub.
> How can I change the Linux firewall (temporarily)? I.e., what is the
> iptables syntax to do this?
>
> The only thing I got working is the Windows machine can ping an
> internet address. No surf, no email, no newsgroups, etc. At this
> point I really don't care if my Linux box is attacked by hackers, I'm
> ready to reformat the disk anyway.
>
> I'm running squid (do I really need this?). I set it up for
> transparent proxy.
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> If anyone would like to explain the above command without using
> network jargon, I'd appreciate it. It makes little sense to me, but
> the HOWTO says I need to execute it. Personally, I find programming
> in assembler easier (and more fun) than iptables.


Well, I'm making a WAG that you've got a dialup adapter on one
end of the Linux box and eth0 on the other, such that it's
a gateway. If that's the case, then it sounds like you're
looking for IP masquerading:
http://www.tldp.org/HOWTO/Masqueradi...WTO/index.html
I just copied his example, with my own IPs, and it worked
first try!

Good Luck!
Rich


#4
Old 03-02-2004
Phisherman
 
Re: pass-through iptables

On 1 Mar 2004 19:50:06 +1300, Cameron Kerr
<cameron.kerr@paradise.net.nz> wrote:

>Phisherman <nobody@noone.com> wrote:
>> My linux box can dial my ISP and it is connected to a hub (eth0).
>> There are two Windows computers connected to the hub.
>> How can I change the Linux firewall (temporarily)? I.e., what is the
>> iptables syntax to do this?
>
>To do what?
>
>> The only thing I got working is the Windows machine can ping an
>> internet address. No surf, no email, no newsgroups, etc. At this
>> point I really don't care if my Linux box is attacked by hackers, I'm
>> ready to reformat the disk anyway.
>
>That seems a bit odd. What is your firewall currently set to?
>
>iptables -L
>iptables -t nat -L
>
>> I'm running squid (do I really need this?). I set it up for
>> transparent proxy.
>
>Running squid is quite useful. Even for dynamic sites, you can save a
>considerable amount of bandwidth from the images it caches (although
>this is only useful if you have multiple browsers viewing the site, as
>the browser will do its own caching also.)
>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
>OK, what this means is that before the packet gets routed (hence the
>PREROUTING chain), if it comes in eth0 and is a TCP packet destined to
>port 80 (to anywhere on the internet, as there is no destination IP
>address/network specified), then instead of forwarding it, cause it to be
>delivered to port 3128 on 127.0.0.1.
>
>Because this is a form of NAT (port-forwarding to the local machine), we
>need to specify the 'nat' table, where these rules are carried out.
>
>> If anyone would like to explain the above command without using
>> network jargon, I'd appreciate it. It makes little sense to me, but
>> the HOWTO says I need to execute it. Personally, I find programming
>> in assembler easier (and more fun) than iptables.
>
>Once you've written your first firewall, it too can be fun.



Thanks Cameron! I got Jay's Firewall working (!!!) and now all
machines can surf, email, Usenet works, RealAudio streaming, etc. The
iptables -L command spewed out a lot of stuff that I need to study.
Occasionally, the newsgroups stop working (every couple hours), then
work again when I restart (stop/start) the firewall. I went to
www.grc.com and Stealth shows all ports are in stealth mode but the
Linux box can be pinged from the internet (not sure how to prevent
this vulnerability yet). At least now, my family members are off my
back!
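Added example, not from the thread and not Jay's Firewall: a small script that puts the three pieces discussed in posts #2, #3 and #4 into one reviewable rule set, namely the masquerading Rich points to for a dial-up gateway, the transparent squid redirect Cameron explains, and a rule that stops the gateway answering pings from the internet, which is what the last post was still looking for. The interface and address names are assumptions (ppp0 for the dial-up link, 192.168.1.0/24 on eth0 for the LAN, squid on TCP 3128), as is the use of the state match for reply traffic; none of them appear in the thread. One precise point about REDIRECT: for a packet arriving on eth0 it rewrites the destination to eth0's primary address, and 127.0.0.1 is used only for packets the gateway itself generates, so squid has to listen on the eth0 address (or on all addresses), not only on loopback.

```sh
#!/bin/sh
# Added example (not from the thread, not Jay's Firewall): a minimal firewall
# for a dial-up Linux gateway with a hub-connected LAN and a transparent squid.
#
# Assumed names, none of which appear in the thread: the dial-up interface is
# ppp0, the LAN on eth0 is 192.168.1.0/24, squid listens on TCP 3128.
EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Emit the rule set, one iptables command per line, without running anything,
# so it can be read (or checked by a test) before it touches the kernel.
build_rules() {
    ext="$1"; int="$2"; lan="$3"; squid="$4"
    cat <<EOF
# Start from a clean slate; the policies deny everything not explicitly allowed.
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Traffic to the gateway itself: loopback, replies to its own connections,
# and anything from the LAN (the Windows boxes must reach squid on $squid).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $int -s $lan -j ACCEPT
# Unsolicited echo-request on the dial-up link is already dropped by the INPUT
# policy; the explicit rule keeps that intent visible if the policy is relaxed.
iptables -A INPUT -i $ext -p icmp --icmp-type echo-request -j DROP
# Routing between LAN and internet: the LAN may open connections outward,
# and only replies to those connections may come back in.
iptables -A FORWARD -i $int -o $ext -s $lan -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
# Transparent proxy: LAN web requests arriving on $int are redirected to squid
# before routing. REDIRECT rewrites the destination to $int's primary address
# (127.0.0.1 is used only for packets the gateway itself generates).
iptables -t nat -A PREROUTING -i $int -s $lan -p tcp --dport 80 -j REDIRECT --to-port $squid
# Masquerade: everything leaving $ext gets the dial-up address as its source,
# which is what lets private LAN addresses talk to the internet at all.
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
EOF
}

# Load the rules on the gateway (needs root). ip_forward must be on or the
# kernel will not route between the two interfaces no matter what the rules say.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules "$EXT_IF" "$INT_IF" "$LAN_NET" "$SQUID_PORT" | sh -e
}

# The listing from post #2, numeric (-n) so it does not stall on reverse DNS,
# verbose (-v) so the packet counters show which rules are actually matching.
show_rules() {
    iptables -L -n -v --line-numbers
    iptables -t nat -L -n -v --line-numbers
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_rules ;;
    *)     build_rules "$EXT_IF" "$INT_IF" "$LAN_NET" "$SQUID_PORT" ;;
esac
```

Run it with no argument to print the rules for review, with apply (as root) to load them, and with show to list what the kernel currently holds. Everything is expressed through build_rules so the rule set can be inspected or tested on any machine before it is ever applied to the gateway.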