kubuntu-users Digest, Vol 12, Issue 48

C Hamel yogich at sc2000.net
Sat Jan 28 00:10:58 UTC 2006


On Friday January 27 2006 03:45, kubuntu-users-request at lists.ubuntu.com wrote:
> Send kubuntu-users mailing list submissions to
> 	kubuntu-users at lists.ubuntu.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.ubuntu.com/mailman/listinfo/kubuntu-users
> or, via email, send a message with subject or body 'help' to
> 	kubuntu-users-request at lists.ubuntu.com
>
> You can reach the person managing the list at
> 	kubuntu-users-owner at lists.ubuntu.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of kubuntu-users digest..."
>
>
> Today's Topics:
>
>    1. Resizing the Desktop (Russ)
>    2. ctrl e fn keys (Alessandro Pironi)
>    3. Re: Katapult (Tobi Vollebregt)
>    4. Re: NAT & bash questions (Jordi Ferrando Fabra)
>    5. Re: kubuntu Dapper: kded crashes 'CppSQLite3Exception'
>       -SOLVED (Bharat Rajagopalan)
> Date: Fri, 27 Jan 2006 10:37:06 +0100
> From: Jordi Ferrando Fabra <jferrando at netplc.com>
> Subject: Re: NAT & bash questions
> To: Kubuntu Help and User Discussions <kubuntu-users at lists.ubuntu.com>
> Message-ID: <43D9E9C2.9010706 at netplc.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I use an own-written init script to enable iptables at start-up:
> /etc/init.d/iptables_tc:
>
> /#!/bin/sh/
> /#/
<SNIP>
> ------------------------------

I am intrigued by your script even if I am having trouble following it.  I am 
not terribly script-savvy, I fear.  (I may be moderately good at some things, 
but scripting is not one of them.)  The script I put together was taken from 
my last distro, and works great.  The only rub is that I really have not much 
of an idea how to write debian-friendly scripts that one can 
stop, start, restart, force-restart, etc. 

Mine looks like this:

#!/bin/sh

#Set up IPTABLES here, since it is problematic where to place the startup
#First we flush our current rules
 iptables -F
 iptables -t nat -F

#Setup default policies to handle unmatched traffic
 iptables -P INPUT ACCEPT
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD DROP

#Copy and paste these examples ...
 export LAN=eth0
 export WAN=ppp0

#Then we lock our services so they only work from the LAN
 iptables -I INPUT 1 -i ${LAN} -j ACCEPT
 iptables -I INPUT 1 -i lo -j ACCEPT
 iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
 iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

#(Optional) Allow access to our ssh server from the WAN
 iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

#Drop TCP / UDP packets to privileged ports
 iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
 iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT
 iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
 iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
 iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
 iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
#Tell the kernel that ip forwarding is OK
 echo 1 > /proc/sys/net/ipv4/ip_forward
 for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

Finally, I enable ppp0-on-demand (note: no wireless where I live, it's still a 
dream):

#Enable on-demand ppp0
/usr/sbin/pppd call sc2k

I'd be very interested in your insight.
-- 
...CH