fedora core -2.

i have 2 NIC on my system. suppose,
eth0 is 60.61.62.63 (public IP ) and
eth1 is 192.168.239.20 (for internal users).
i want to configure nat as well as firewall. following are the commands which i am planning to run. will it be ok ??

FLUSH

iptables -t filter -F INPUT
iptables -t filter -F OUTPUT
iptables -t filter -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

DEFAULT policies
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

Set up the firewall rules
iptables -t filter -A INPUT -i ${LOOPBACK} -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A INPUT -i eth0 state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 state --state RELATED,ESTABLISHED -j ACCEPT

Set up ip masquerading
iptables -t nat -A POSTROUTING -s 192.168.239.0/255.255.255.0 -o eth0 -j MASQUERADE


i can understand this is a lengthy post . but i have been trying this since 2 days. Is this OK ?? pliz help....

Looks like it should work. Might want to add iptables -X to the FLUSH rules, but that is rather nit-picky. If you're have problems try doing:

echo "1"> /proc/sys/net/ipv4/ip_forward

Beyond that try describing your problem in more detail (ie. can you ping hosts inside the network, outside the network, by hostname, etc)

Hello.
It's OK. Your post is not a a lengthy one.
1) You forgot to flush 'mangle' table and set up its default policy
2) Think about adding some policies to packets with wrong flag combinations etc.

I missed this the first time I looked over your rules, but there appears to be a typo in your state matching rules. You need to prefix the state match with the -m option, so your rules for state matching should be:

iptables -t filter -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

hi Capt_Caveman & RomanG,
Thanx.
i used the same commands & working fine now. but, The commands which i have used .......is it sufficient for a good firewall.
what exactly "iptables -X "does ?
flushing 'mangle' table and setting up its default policy....................is it mandatory ???
Think about adding some policies to packets with wrong flag combinations etc..............what does this mean ???
yeah, i used the -m state --state option.

i used the same commands & working fine now. but, The commands which i have used .......is it sufficient for a good firewall.
It's a very minimal firewall that you could use some additional features. However, it is reasonably secure.

what exactly "iptables -X "does ?
Removes any user-defined chains (see the iptables man page under the -N option for more info)

flushing 'mangle' table and setting up its default policy....................is it mandatory ???
technically no, because if no default policy is defined then it will automatically be set to ACCEPT. However, you set policies for all the other tables and it's a good idea in case you've inadvertantly set the policy to something else or have rules listed for mangle.

Think about adding some policies to packets with wrong flag combinations etc..............what does this mean ???
This would be a good feature to add to your firewall. It DROPs/LOGs packets that contain imposible TCP flag combinations. These are almost always associated with malicious traffic like port scanning. Another good feature to add would be spoofing protection (rules to prevent forging of IP addresses on packets). This post has a basic example of both spoofing and bad flags protection.