Mandrake 10 ICS help


flightcrank
Hi all

After my long absence from this forum, I received a mail telling me my ICS howto doesn't always work... If read in conjunction with this, it may help (or confuse!!)

 

Anyway, for the people asking what these commands do:

net.ipv4.ip_forward = 1

Tells the OS to allow the routing of data to another node

 

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

These 3 lines set the default actions for the firewall - NOTE having a default of ACCEPT for INPUT is NOT a good idea - this means that if any packet is not stopped by your other firewall rules, it drops off the end of your firewall 'rule list' and is then accepted... what if that packet belongs to a cracker??? Set it to DROP. Effectively, these are the last rules in your firewall list.

 

 
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

A rule that ACCEPTs 'replies' to your 'requests' (ESTABLISHED,RELATED) that are coming In your external interface (eth0) and going Out through your internal interface (eth1). For instance, if you requested a web page, it allows that page through.

 

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

This rule ACCEPTs any packet coming in eth1 and going out eth0. i.e. packets being routed from your own network to the internet.

 

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This rule performs network address translation (nat or masquerading).

Difficult to explain easily and simply, but here goes:

Each network node (computer, router etc) must have a different IP address so that they know where to send data, but you only have a single public IP address - the one allocated to you by your ISP.

So the router (in this case your Linux box) has to perform NAT - it changes the IP address in the data packets to the public one (it remembers which ones it changes, because each packet has a unique serial number). This allows your ISP to send the reply back to the correct place (your Linux router) where the IP address is then changed back to your private one and routed to the correct PC.

 

Does that make sense? :)

 

Chris

Edited by streeter
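The rules explained in the post above, collected into one script as an added example (this is not code from the original post or from the Mandrake ICS howto). It takes the post's own advice and sets the INPUT default to DROP, which then needs the extra INPUT rules a router actually has to accept (loopback, replies to its own connections, and whatever the LAN is allowed to ask the router for); the interface names, the LAN prefix 192.168.1.0/24 and the allowed services (SSH, DNS, DHCP) are assumptions to adjust for your box. The ruleset is emitted in iptables-restore format so it can be inspected without root and applied atomically, and the MASQUERADE line is the NAT rule from the post:

```shell
#!/bin/sh
# Added example, not the original post's code: build the ICS/NAT ruleset
# described in the post, with INPUT defaulting to DROP instead of ACCEPT.
# Interface names, LAN prefix and the allowed LAN services are assumptions.

EXT_IF="${EXT_IF:-eth0}"                 # internet-facing interface (assumed)
INT_IF="${INT_IF:-eth1}"                 # LAN-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # private LAN prefix (assumed)

# Print the ruleset in iptables-restore format. Kept as a function so it can
# be reviewed or tested without root and without touching the live firewall.
# Lines starting with '#' are ignored by iptables-restore.
gen_ics_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source address of everything leaving $EXT_IF to its address.
# MASQUERADE re-reads the interface address, which suits a dynamic ISP IP.
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
*filter
# Defaults: anything not matched by a rule below is dropped for INPUT and
# FORWARD; the router's own outbound traffic is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the router itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services the LAN may use on the router itself (assumed: SSH, DNS, DHCP).
# DHCP discover packets arrive from 0.0.0.0, so that rule has no -s match.
-A INPUT -i $INT_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $INT_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $INT_IF -p udp --dport 67 -j ACCEPT
# Refuse to route LAN packets carrying a non-LAN source address.
-A FORWARD -i $INT_IF ! -s $LAN_NET -j DROP
# LAN -> internet: anything. Internet -> LAN: only replies to LAN requests.
-A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the ruleset in one go (iptables-restore replaces the whole table set,
# so there is no window with a half-built firewall) and enable forwarding.
apply_ics_rules() {
    gen_ics_rules | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1
}

# Sanity helpers for checking the generated set before applying it.
count_chain_rules() {
    # number of -A rules for the chain named in $1
    gen_ics_rules | grep -c "^-A $1 "
}

drop_policies() {
    # space-separated names of chains whose default policy is DROP
    gen_ics_rules | sed -n 's/^:\([A-Z]*\) DROP .*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Usage as root:  . ./ics.sh && apply_ics_rules
```

After applying, `iptables -L -v -n` and `iptables -t nat -L -v -n` show the counters per rule, which is the quickest way to see whether LAN traffic is actually hitting the FORWARD and POSTROUTING rules rather than dropping off the end of the chain.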