LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-08-2004, 03:35 AM   #1
Rhapsodic
LQ Newbie
 
Registered: Oct 2002
Location: Kelowna, BC, Canada
Distribution: RedHat 8.0
Posts: 7

Rep: Reputation: 0
XP Box won't connect to internet thru RH9 Box (firewall/dhcpd), it can only ping fire


Hello,

I have a dual nic Linux Box (RH9) that I setup (or tried to) to be a firewall/dhcpd server.
Everything seems to start up properly (no error messages).

eth0 = card connected to lan (ip 192.168.0.0) sub 255.255.255.0

eth1 = card connected to internet..

So I only have the XP box connected to the LAN. I'm trying to get it connected to the net through my firewall, but it doesn't connect.. it only connects to the firewall, it seems..

Do I absolutely have to set up iptables/NAT? Or is that just a popular way of doing things?
-It looks incredibly complicated...

::my dhcpd.conf file::

ddns-update-style interim;
ignore client-updates;

subnet 192.168.0.0 netmask 255.255.255.0 {

# --- default gateway
option routers 192.168.0.1;
# option subnet-mask 255.255.255.0;
# option nis-domain "domain.org";
option domain-name "bc.hsia.telus.net";
option domain-name-servers 209.53.4.130;

option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.100;
# option netbios-name-servers 192.168.1.100;

# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;

range dynamic-bootp 192.168.0.32 192.168.0.99;
default-lease-time 21600;
max-lease-time 46400;
option ip-forwarding on;

# we want the nameserver to appear at a fixed address
# host ns {
# next-server marvin.redhat.com;
# hardware ethernet 12:34:56:78:AB:CD;
# fixed-address 207.175.42.254;
# }

}
 
Old 07-08-2004, 02:38 PM   #2
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Rep: Reputation: 15
Well, if you can ping your firewall you're halfway there.

1.) Yes, you have to use NAT and iptables; how else can you call it a "firewall"?
2.) NAT stands for Network Address Translation; it routes IP and stuff all over the place.

Your script for simple stuff is real easy.

Just copy and paste the stuff below into a file, give it a
chmod +x (filename)
and then execute it.

#!/bin/sh
# simple firewall made by otis cause this dude needed one
# (no spaces around "=" in sh assignments, or the line is run as a command)
EXTIF=eth1
INTIF=eth0
# public address on the external interface ("inet addr:" line only, not inet6)
IPADDR=`ifconfig $EXTIF | fgrep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`
IPTABLES=/sbin/iptables
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -F
# masquerade everything leaving on the internet side
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p TCP -m state --state INVALID -j DROP


And that's it! Oh, btw, it's very insecure, but it'll route.
 
Old 07-09-2004, 12:33 AM   #3
myboysherman
LQ Newbie
 
Registered: Sep 2003
Distribution: Slackware
Posts: 18

Rep: Reputation: 0
I tweaked otis's script to give you a little bit of security. I also dropped the modprobe lines in the hope they won't be necessary (I've never needed them, anyway.) Also, iptables's path may differ on your machine so I changed that bit too. And I dropped the IPADDR variable since I didn't see it referenced anywhere else in the script.

This script will allow your internal machine to connect to the outside world, but nothing can connect to it (unless in response to your request of course, hence, ESTABLISHED,RELATED.)

I don't mean to be rude, Otis, I'm just bored right now so I figured I would gild your rose.

#!/bin/sh
# simple firewall made by otis cause this dude needed one
EXTIF=eth1
INTIF=eth0
IPTABLES=`which iptables`
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -F
$IPTABLES -X
# default deny for traffic to and through the box; the box's own outbound traffic is allowed
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -F
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# with INPUT set to DROP, loopback and the LAN side must be allowed explicitly,
# otherwise local services and the dhcpd/ping the XP box relies on stop working
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
# from the internet side only replies to connections we or the LAN started
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
 
Old 07-10-2004, 08:09 AM   #4
seow_ming
Member
 
Registered: Mar 2004
Location: Currently in China
Distribution: Fedora 9
Posts: 130

Rep: Reputation: 15
Hello,

I also have two computers, which are:

first PC ---> win98
2nd PC ---> winXP + RH8.0 (dual boot)

My 2nd PC has 2 NICs, which are connected respectively to the internet and to the first PC, for internet connection sharing while I'm using my winXP platform.

Which means I just know how to do internet connection sharing through winXP, but not Linux.

Could somebody please show me how to do so? Your suggestions will be much appreciated.

Thank you~

Adam
 
Old 07-10-2004, 03:02 PM   #5
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Rep: Reputation: 15
Myboysherman: dude! tweak my script all you want.
I forgot to write the rule that uses the IPADDR variable; it's a dope rule too!

$IPTABLES -A INPUT -i $EXTIF -s $IPADDR -j DROP

It drops all connections from an external spoofed IP of your own. Good rule!

Oh, and meow man, post your question in a new thread, man!
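The gateway the scripts in posts #2, #3 and #5 are converging on, written out once as an added example (this is not any poster's script): default-deny INPUT and FORWARD policies, one conntrack rule for return traffic, the "spoofed own IP" drop from post #5 plus drops for LAN and loopback sources arriving on the internet side, explicit accepts for the gateway's own services on the LAN side (DHCP requests arrive with source 0.0.0.0, so the usual LAN-range rule does not cover them), and a MASQUERADE rule limited to the LAN range. The interface names and the 192.168.0.0/24 range are taken from the thread; the fw_* function names, the --apply/--check switches and the 203.0.113.5 address used below are this example's own assumptions. `-m state` is the 2.4-era match the thread uses; current iptables still accepts it as an alias for `-m conntrack --ctstate`. The rules are printed by default so they can be reviewed, and only applied (as root) with --apply.

```shell
#!/bin/sh
# Added example for this thread (not any poster's script): a stateful NAT
# gateway for the layout described above, eth1 on the internet, eth0 on the
# 192.168.0.0/24 LAN, dhcpd running on the gateway itself.
# Assumptions: interface names and LAN range come from the thread; the
# fw_* names and the --apply/--check switches are this example's own.

EXTIF=${EXTIF:-eth1}
INTIF=${INTIF:-eth0}
LAN=${LAN:-192.168.0.0/24}
IPTABLES=${IPTABLES:-/sbin/iptables}

# Print the ruleset as iptables commands, one per line, without running them.
# $1 is the gateway's public address, or "-" when it is not known yet.
fw_rules() {
    ext_ip=${1:--}
    cat <<EOF
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
# default deny in and through the box; traffic the box itself originates is allowed
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# anti-spoofing: nothing arriving on the internet side may claim a LAN or loopback source
$IPTABLES -A INPUT -i $EXTIF -s $LAN -j DROP
$IPTABLES -A INPUT -i $EXTIF -s 127.0.0.0/8 -j DROP
$IPTABLES -A FORWARD -i $EXTIF -s $LAN -j DROP
EOF
    # the rule from post #5: drop external packets claiming our own public address
    if [ "$ext_ip" != "-" ]; then
        echo "$IPTABLES -A INPUT -i $EXTIF -s $ext_ip -j DROP"
    fi
    cat <<EOF
# replies to connections we or the LAN started; packets the tracker cannot place are dropped
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
# the gateway's own services: loopback, and the LAN side (DHCP requests come from 0.0.0.0)
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $LAN -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
# new connections from the LAN out to the internet, masqueraded behind $EXTIF
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $LAN -j MASQUERADE
EOF
}

# Apply the ruleset (needs root) after enabling forwarding and reverse-path filtering.
fw_apply() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    # first IPv4 address on the external interface, e.g. "203.0.113.5" from "203.0.113.5/24"
    ext_ip=$(ip -4 -o addr show dev "$EXTIF" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1)
    fw_rules "${ext_ip:--}" | sh -e
}

# Quick check that the box really is a NAT gateway: forwarding on, one MASQUERADE rule.
fw_check() {
    cat /proc/sys/net/ipv4/ip_forward
    $IPTABLES -t nat -L POSTROUTING -n -v
}

case "${1:-}" in
    --apply) fw_apply ;;
    --check) fw_check ;;
    *) fw_rules "${1:-}" ;;   # default: print the rules for review, optional public IP as $1
esac
```

Run it once without arguments (or as `sh fw.sh 203.0.113.5` to see the post #5 rule filled in) and read the output; then `sh fw.sh --apply` as root and `sh fw.sh --check`, which should print 1 and show exactly one MASQUERADE rule on POSTROUTING. If the XP box still reaches only the firewall after that, confirm that eth0 actually carries 192.168.0.1, the address the dhcpd.conf above hands out as the router, since a client default gateway that does not exist on the LAN fails in exactly this way.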
 