kubuntu-users Digest, Vol 12, Issue 48
C Hamel
yogich at sc2000.net
Sat Jan 28 00:10:58 UTC 2006
On Friday January 27 2006 03:45, kubuntu-users-request at lists.ubuntu.com wrote:
> Today's Topics:
>
> 1. Resizing the Desktop (Russ)
> 2. ctrl e fn keys (Alessandro Pironi)
> 3. Re: Katapult (Tobi Vollebregt)
> 4. Re: NAT & bash questions (Jordi Ferrando Fabra)
> 5. Re: kubuntu Dapper: kded crashes 'CppSQLite3Exception' -SOLVED (Bharat Rajagopalan)
> Date: Fri, 27 Jan 2006 10:37:06 +0100
> From: Jordi Ferrando Fabra <jferrando at netplc.com>
> Subject: Re: NAT & bash questions
> To: Kubuntu Help and User Discussions <kubuntu-users at lists.ubuntu.com>
> Message-ID: <43D9E9C2.9010706 at netplc.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I use an own-written init script to enable iptables at start-up:
> /etc/init.d/iptables_tc:
>
> #!/bin/sh
> #
<SNIP>
> ------------------------------
I am intrigued by your script even if I am having trouble following it. I am
not terribly script-savvy, I fear. (I may be moderately good at some things,
but scripting is not one of them.) The script I put together was taken from
my last distro, and works great. The only rub is that I really have not much
of an idea how to write debian-friendly scripts that one can
stop, start, restart, force-restart, etc.
Mine looks like this:
#!/bin/sh
# Set up IPTABLES here, since it is problematic where to place the startup.
# First we flush our current rules, in the filter table and in the nat table.
iptables -F
iptables -t nat -F
# Set up default policies to handle unmatched traffic: nothing is forwarded
# unless a FORWARD rule below allows it.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Interface names: LAN is the inside interface, WAN the dial-up link.
export LAN=eth0
export WAN=ppp0
# Then we lock our services so they only work from the LAN.
# "-I INPUT 1" puts these at the head of the chain, so traffic from lo and
# the LAN is accepted before any of the REJECT/DROP rules below are reached.
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# DHCP and DNS are refused on every interface except the LAN. The negation
# goes in front of the option ("! -i"); the old "-i !" spelling is rejected
# by current iptables.
iptables -A INPUT -p UDP ! -i ${LAN} --dport bootps -j REJECT
iptables -A INPUT -p UDP ! -i ${LAN} --dport domain -j REJECT
# (Optional) Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP -i ${WAN} --dport ssh -j ACCEPT
# Drop TCP / UDP packets to privileged ports arriving from anywhere but the LAN
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# Finally we add the rules for NAT: LAN hosts must not reach other private
# 192.168.x.x networks through us, but may go out to the WAN; anything from
# the WAN addressed to the LAN range is forwarded; outgoing packets are
# masqueraded with the ppp0 address.
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# Tell the kernel that ip forwarding is OK, and enable reverse-path
# filtering on every interface so packets with spoofed sources are discarded.
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "$f" ; done
Finally, I enable ppp0-on-demand (note: no wireless where I live, it's still a
dream):
#Enable on-demand ppp0
/usr/sbin/pppd call sc2k
I'd be very interested in your insight.
--
...CH
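The same rules wrapped in a Debian-style init script with start/stop/restart actions, added here as an example and not part of the original thread: the LSB header lets update-rc.d place it, the path /etc/init.d/nat-firewall is assumed, and IPTABLES and IP_FORWARD are hypothetical overrides so the rules can be printed instead of loaded. It also tightens the WAN-to-LAN forward rule to established and related connections only, so the only traffic forwarded back in is replies to what the LAN started.

```sh
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nat-firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Assumed path /etc/init.d/nat-firewall; IPTABLES/IP_FORWARD are hypothetical overrides
LAN=${LAN:-eth0}
WAN=${WAN:-ppp0}
PRIVATE=192.168.0.0/16
IPTABLES=${IPTABLES:-iptables}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}
do_stop() {
    # Flush both tables and fall back to the default policies; with
    # forwarding off the box stops routing for the LAN while "stopped".
    "$IPTABLES" -F
    "$IPTABLES" -t nat -F
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -P FORWARD DROP
    echo 0 > "$IP_FORWARD"
}
do_start() {
    do_stop                     # always build from a known-empty ruleset
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -i "$LAN" -j ACCEPT
    # DHCP and DNS answer only on the LAN side; other privileged ports are closed
    "$IPTABLES" -A INPUT -p udp ! -i "$LAN" --dport bootps -j REJECT
    "$IPTABLES" -A INPUT -p udp ! -i "$LAN" --dport domain -j REJECT
    "$IPTABLES" -A INPUT -p tcp -i "$WAN" --dport ssh -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp ! -i "$LAN" --dport 0:1023 -j DROP
    "$IPTABLES" -A INPUT -p udp ! -i "$LAN" --dport 0:1023 -j DROP
    # NAT: LAN hosts out, only replies back in, no LAN-to-private-net hops
    "$IPTABLES" -A FORWARD -i "$LAN" -d "$PRIVATE" -j DROP
    "$IPTABLES" -A FORWARD -i "$LAN" -s "$PRIVATE" -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    echo 1 > "$IP_FORWARD"
}
case "${1:-}" in
    start)                do_start ;;
    stop)                 do_stop ;;
    restart|force-reload) do_stop; do_start ;;
    "")                   ;;   # no action given: functions are only defined
    *) echo "Usage: $0 {start|stop|restart|force-reload}" >&2; exit 1 ;;
esac
```

Dry-run it with `IPTABLES=echo IP_FORWARD=/tmp/fwd sh nat-firewall start` to see the rule list before installing it with update-rc.d.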