How to set iptables script for lan

matthewchin · 07-03-2003, 10:09 PM

Hello,

I have two PCs, first installed RH9 with two NICs:
one eth0 to internet and 2nd eth1 cross-over to second PC,
also installed with RH9.

Please tell me how to set the dns/gateway/ip for these
two PCs and their iptables scripts for
internet / file / printer sharing ?

Thanks,
Matthew

Robert0380 · 07-04-2003, 01:14 AM

1. give eth1 of computer 1 an ip of 192.168.0.1
2. give eth0 of computer 2 and ip of 192.168.0.2
3. set the default route on computer 2 to point to computer 1

1. #ifconfig eth1 192.168.0.1 netmask 255.255.255.0
2. #ifconfig eth0 192.168.0.2 netmask 255.255.255.0
3. #route add default 192.168.0.1

to get these setting to stick on boot you could later the appropriate
networking script (ifcfg-ethX) in /etc/sysconfig/network-scripts/

Code:

example of my ifcfg-eth0

DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.200
NETMASK=255.255.255.0
ONBOOT=yes

for dns just use the DNS servers that your ISP provides for you or with
RH9 you COULD just turn on named and run a caching only server, it
comes pre-configured with Red Hat.

Code:

open up   /etc/resolv.conf

nameserver 127.0.0.1    <<< use this if you turn on named and only on the machine tired to the net.
nameserver 1.2.3.4    <<< isp provided
nameserver 1.2.3.5   <<< second isp server..make sure you use the proper values

you only have to run 1 DNS server if you really want to run the caching
only name server and that would be the one tied to the internet

for firewalling you'll want the following basic rules (On the computer tied t the internet)

Code:


iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ! INVALID

NAT RULE:

iptables -A POSTROUTING -t nat -s $LAN_COMPUTER -j SNAT --to $INET_IP

or if you have a dynamic ip address you will have to do this instead:

iptables -A POSTROUTING -t nat -s $LAN_COMPUTER -j MASQUERADE

you'll want to add more rules if u plan to run a server on either computer 
because it blocks all INPUT that wasnt established by from you lan or from 
the router itself.

get this stuff working, then consult samba for file and printer sharing, this
stuff is all over these forums also.....try using the search for more help.

i havent proof read this so there may be something wrong, but as i am
an expert

(kiddin sort of) it should work out fine. i must say that i have
never use RH9 so something may be different about it. I'm giving my answers
based on RH 7.3

matthewchin · 07-04-2003, 02:41 AM

Thanks for info.
I will try.

matthewchin · 07-07-2003, 11:08 PM

Hello,

For PC1 eth1 , do I need to set gateway ip to the isp ?
If I don't set, seems cannot connect to internet for eth0 ?
eth0 is dynamic ip assigned by my isp.

I wrongly set one to 192.168.0.1 and dns cannot be resolved
and RH9 became very slow (sendmail / gnome etc).

Can you have a brief explanation of the iptables rules and how it work ?

Thanks,
Matthew

matthewchin · 07-21-2003, 04:23 AM

Robert0380,

Do you have any update to me ?

Matthew