Moving to iptables from ipchains - need advice

Post by Mark Lor » Sun, 14 Jul 2002 05:39:35

For some time I was running ipchains on a RedHat box (7.2, now 7.3) but it
always had problems.  Although I seemed to have configured ipchains
correctly to act as a NAT, client PCs would stop downloading web pages
before they were complete.  I googled for the problem, and eventually found
a forum post stating that this was a bug in ipchains, and was never going to
be fixed.  So I installed the Dante socks daemon and forgot about ipchains'
web problems.

Unfortunately, a problem with RealPlayer sparked my decision to finally fix
it, by switching to iptables.  After figuring out how to stop ipchains from
starting, so that iptables would start instead, I got a quick 'n' unsafe
iptables config running thanks to the iptables howto.  Wheee, thought I, it
works.  Web pages loaded perfectly sans Dante.

I eventually came up with the following script, based on my knowledge of
ipchains.  However, reading through a few of the iptables howto's it looks
like this may be inadequate.  I'd be grateful if somebody could let me know
what I've missed.

Thanks,
Mark Lord.

#!/bin/sh
IPTABLES="/sbin/iptables"

# Reset default policies...
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

# Flush all chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Remove all custom chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Enable masquerade
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE

# Ensure ACCEPT policy
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# eth0 is trusted (internal network)
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

# Give lo free rein
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Explicitly allow icmp through eth1 (cable modem)
$IPTABLES -A INPUT -p icmp -i eth1 -j ACCEPT

# Drop any input to port <= 1024
$IPTABLES -A INPUT -i eth1 -p tcp --dport 0:1024 -j DROP

# Allow any output through eth1 (cable modem)
$IPTABLES -A OUTPUT -o eth1 -j ACCEPT

# Accept forwarding to/from 192.168.0.0/16
$IPTABLES -A FORWARD -s 192.168.0.0/16 -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.0.0/16 -j ACCEPT

# Drop any other forward requests
$IPTABLES -A FORWARD -j DROP
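The script above has three gaps a reviewer would point at: `-P INPUT ACCEPT` plus a rule that drops only TCP ports 0:1024 on eth1 leaves every higher TCP port and all of UDP open from the cable side; the FORWARD rules accept anything to or from 192.168.0.0/16 regardless of which interface it arrived on; and `-A POSTROUTING -j MASQUERADE` masquerades every packet that leaves the box, not just LAN traffic going out the cable modem. The following is an added example (not Mark's script and not from any iptables howto) of the same policy written with default-deny chains and the 2.4-era `-m state` connection-tracking match. It assumes eth0 is the LAN, eth1 the cable modem and 192.168.0.0/16 the LAN range, and it prints the commands by default so the rule set can be reviewed before `APPLY=1` runs it as root:

```shell
#!/bin/sh
# Added example, not part of the original post: stateful rewrite of the
# ipchains-style script above.
# Assumptions (mine): eth0 = LAN, eth1 = cable modem, LAN = 192.168.0.0/16,
# and a 2.4 kernel with the ip_conntrack "state" match loaded.
# Default is a dry run that prints each command; set APPLY=1 to execute.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"

# Run one iptables command, or print it when not applying.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPTABLES" "$@"
    else
        printf '%s\n' "$IPTABLES $*"
    fi
}

# Write a /proc setting, or print what would be written.
setting() {
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$2" > "$1"
    else
        printf 'echo %s > %s\n' "$2" "$1"
    fi
}

firewall() {
    # Default-deny first, so the flush below never leaves the box wide open
    # (the original reset policies to ACCEPT before flushing).
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Clean slate in every table: flush rules, delete custom chains.
    for t in filter nat mangle; do
        run -t "$t" -F
        run -t "$t" -X
    done

    # Loopback is unconditionally fine.
    run -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: LAN addresses must never arrive on the cable side.
    run -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Stateful core: replies to connections the box or the LAN opened are
    # accepted whatever port they use, so there is no "TCP > 1024 and all
    # UDP are open" hole left by a dport <= 1024 rule.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may open new connections to the router itself.
    run -A INPUT -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # From the cable side, only rate-limited ping is accepted as a new flow.
    run -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/s -j ACCEPT

    # Anything else reaching INPUT is logged (rate-limited) and then hits
    # the DROP policy.
    run -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-IN-DROP: "

    # Forwarding: only new connections from the LAN out to the cable modem.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    run -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FW-FWD-DROP: "

    # NAT only LAN traffic leaving via the cable modem, not every packet.
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Routing between the two interfaces stays off until this is set.
    setting /proc/sys/net/ipv4/ip_forward 1
}

firewall
```

Run it as `sh fw.sh` to read the rule set, then `APPLY=1 sh fw.sh` as root to load it. Because INPUT now defaults to DROP, any service the router itself must offer on eth1 needs its own explicit `-A INPUT -i eth1 -p tcp --dport N -m state --state NEW -j ACCEPT` line, and RELATED only covers protocols the kernel has a conntrack helper for (active FTP needs ip_conntrack_ftp loaded). The `-j LOG` lines are what make the difference between "RealPlayer stops working" and "the firewall dropped an inbound UDP flow from host X at time T" visible in the syslog.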


1. HELP! Need advice on moving to Unix platform.

The Problem:

        My organization has developed a set of image processing programs in
C under MS-DOS (using MSC 6.0, as ANSI compatible as possible) and we
are now under extreme pressure to move into a Unix environment on very
short notice. We have very little information from our client as to what
Unix platform we will be working on. What we need is information on what
people with experience in this area can recommend as far as:

        - hardware platform (this is a number chewing package)
        - what Unix OS we should use
        - what C compiler should we use

        We have a budget of around $10K (CDN) to acquire the main unix box
and additionally two high powered terminals (NOT dumb-ish terminals, or
X-terminals, the program has very meager graphics display needs... B&W
bitmaps are fine). Currently we are leaning heavily towards using Intel
boxes (high powered 386s for the terminals and a beast of a 486 for the
Unix box itself). This is simply because we wish to leave open the option
of re-using the boxes for our DOS development.

        Our main concern is portability above all else. Since we do not
currently know what exact flavour of Unix we will end up running this
system under we need to port it to a "generic" Unix. Currently we are
contemplating using gcc as the compiler for this project. How widely
available is gcc? Are chances good that it will be already running under
most Unixes that we will encounter?

        In short, any and all pointers and recommendations are welcome. We
need info about everything, down to the last nut, bolt and byte. We have
some Unix experience in-house, but none from the point of view of purchasing
or adminning a system (only from a user/programmer point of view).

        I'm crossposting this to all the unix related groups that seemed
appropriate since this is a problem we need answers and recommendations

since I may miss responses in some of these groups.

        Thanks in advance for any help you can give us,

                Paul Gauthier,
                Worthigton Software Company.

--
============================================================================

President, Cerebral Computer Technologies  |  exceptions."
Phone: (902)462-8217    Fax: (902)420-1675 |
