[ubuntu-nz] ubuntu

Andrew McMillan andrew at catalyst.net.nz
Wed Feb 21 08:49:34 GMT 2007


On Tue, 2007-02-20 at 18:41 -0800, Blair Cooper wrote:
> Hi there,
> 
> Can I please borrow a little of your time?
> 
> I have a friend I'm trying to help set up an Ubuntu
> server as a firewall. I have a basic understanding of
> Linux as I have come from a Window$ environment and am
> keen to learn Linux.
> I also have a good IT/Networking knowledge.
> 
> So the issue is: I have the Ubuntu 6.10 ISO I have burnt
> and need to set up a firewall for the internet
> connection with NAT.
> At this stage he only wants to allow SMTP traffic to
> and from his Exchange server.
> Maybe allow port 80 traffic at a later time.
> 
> Can you please assist in pointing me in the right
> direction?
> Is FireStarter an option that will work on ubuntu?

You can use FireStarter, or you might want to play with fwbuilder if you
are a sophisticated networking person.  It doesn't produce incredibly
readable scripts though.

Or you can write simple scripts for the particular situation you are
talking about relatively easily.  Such a script would usually start
something like this:

============================================================
#!/bin/sh

######################### Configuration ########################
# The IP for our external world-facing interface
MY_IP=1.2.3.4

# The range of IPs which we may see internally on the LAN
LAN_NET=192.168.0.0/16

######################### Initialisation #######################
# Reject everything
iptables -t filter -P INPUT DROP

# Flush the table
iptables -t filter -F INPUT

# Let people ping us (the interface negation goes before the option:
# "! -i lo"; the older "-i ! lo" form is rejected by current iptables)
iptables -t filter -I INPUT -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 ! -i lo -j ACCEPT

# Allow any traffic on the loopback interface
iptables -t filter -A INPUT -s 0.0.0.0/0 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -t filter -A INPUT -s 127.0.0.0/8 -d 0.0.0.0/0 -i lo -j ACCEPT

# Flush the nat tables
iptables -t nat -F

# NAT things that we are sending out
iptables -t nat -A POSTROUTING -j SNAT --to ${MY_IP} -s ${LAN_NET}

# enable forwarding in the linux kernel
echo 1 >/proc/sys/net/ipv4/ip_forward


######################### Customisation #######################

... any specific rules ...

============================================================


Note that the above has been hacked together from combinations of
various scripts and stuff I have, and is not pasted from any working
script!

If you already understand networking, however, you will probably
understand iptables (and don't forget "man iptables" is your friend! :-)
once you have got it debugged and added the necessary rules accepting
RELATED,ESTABLISHED and port 25 ...


Hope this helps,
					Andrew McMillan.

-------------------------------------------------------------------------
Andrew @ Catalyst .Net .NZ  Ltd,  PO Box 11-053, Manners St,  Wellington
WEB: http://catalyst.net.nz/            PHYS: Level 2, 150-154 Willis St
DDI: +64(4)803-2201      MOB: +64(272)DEBIAN      OFFICE: +64(4)499-2267
                        You look tired.
-------------------------------------------------------------------------
