LinuxQuestions.org
Old 06-09-2003, 01:09 AM   #1
downlaw
LQ Newbie
 
Registered: Jun 2003
Distribution: Slackware 9.0
Posts: 1

Rep: Reputation: 0
iptables commands


Hi people,
I am a newbie but I learn very fast.

The server is a Slack 9.0 box ... sharing internet to 20 computers.
Now I rented 16 IPs from my ISP ... but I don't know how to use iptables ... here is my configuration.

In rc.local:
Code:
/sbin/ifconfig eth0:1 213.xxx.xxx.xxx netmask 255.255.255.0 broadcast 213.xxx.xxx.xxx   # broadcast identical with the IP
/sbin/ifconfig eth0:2 213.xxx.xxx.xxx netmask ...........
etc. etc. for all 16 IPs

In rc.firewall:
Code:
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.2 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.3 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.4 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.5 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.6 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.7 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.8 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.9 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.10 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.11 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.12 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.13 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.14 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.15 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.16 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.17 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.20 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.23 -o eth0 -j SNAT --to 213.xxx.xxx.xxx


echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.0.3:27015
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.0.3:27015
$IPTABLES -A INPUT -p tcp -m tcp --dport 27015 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 27015 -j ACCEPT

and it works.
Now my questions:

In the future I will install Apache and the firewall must accept connections.

How can I block the scanning and stuff like that?
An nmap scan says this about open ports:
79/tcp open finger
111/tcp open sunrpc
113/tcp open auth

Is it recommended to block these ports? And how do I do that?
I forgot to tell you ... I use IRC and I need to answer ident requests, otherwise I can't connect.

And the last request ...
I changed the port for ssh ... how can I make ssh respond only to my address? (I am outside this network.)


P.S.: I found this in syslog:
Aug 7 22:37:03 golden kernel: hda: status error: status=0x58 { DriveReady SeekComplete DataRequest }
Aug 7 22:37:03 golden kernel: hda: drive not ready for command
Aug 7 22:37:28 golden kernel: hda: irq timeout: status=0xd0 { Busy }
Aug 7 22:37:28 golden kernel: ide0: reset: success
Aug 8 10:25:45 golden in.identd[5709]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 8 22:04:32 golden fingerd[7221]: Client hung up - probable port-scan

What is the first error with hda? Please don't say the HDD will fail soon.

Thanks all
 
Old 06-09-2003, 01:39 AM   #2
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
OK, you have 16 real IPs; by real I mean visible on the net.

This means you have NO NEED FOR SNATING OR MASQUERADING.

Man, I wish I were you right now.

All you have to do on your router is ... route and do firewalling.

1. If you have multiple NICs, you may need to modify your routing table to say which NIC goes to what address. If the 16 computers are just tied to a switch then you don't need to do this. You may also have to give the internal NIC one of the IPs you bought so that it is on the same subnet as the others and it will be used as the gateway for the other computers.

Code:
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

Note: the OUTPUT and INPUT chains will not affect the LAN machines if all traffic is headed to the internet. INPUT and OUTPUT only pertain to packets generated on the machine. FORWARD, however, will affect them.

Code:
### LET PACKETS OUT ###
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

## ONLY LET PACKETS IN BOUND FOR PORT 27015 #####
iptables -A FORWARD -p tcp --dport 27015 -j ACCEPT

About the ssh, you said it's not on the same network ... is it still connected to the router? Does it also have a real IP?

If the answer to both of these is yes:

Code:
iptables -A FORWARD -p tcp --dport 22 -d $MYIP -j ACCEPT

This will work because your default policy for FORWARD is DROP, so any other ssh requests that don't match that rule will be drop kicked by your firewall.

To sum it up, you need to re-do your rules.

Post back with questions ... I really wanna get this one working because it's as close as I can get to setting up a network with real IPs.
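As an added example (not code from the thread or from either poster), here is how the "route and firewall, no SNAT" setup Robert0380 describes could be written as one rc.firewall that also answers downlaw's questions about the moved ssh port, ident for IRC and the finger/sunrpc ports. The interface names, the admin address, the ssh port and the game host address are assumed placeholders (RFC 5737 ranges); running it with IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Routed public IPs: no SNAT/MASQUERADE, just default-deny plus explicit ACCEPTs.
# Every address and interface here is an assumed placeholder (RFC 5737 ranges).
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # IPTABLES=echo prints rules instead
EXTIF="${EXTIF:-eth0}"                       # assumed uplink to the ISP
INTIF="${INTIF:-eth1}"                       # assumed NIC facing the 16 hosts
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"         # the only address allowed to ssh in
SSH_PORT="${SSH_PORT:-2222}"                 # sshd was moved off port 22
GAME_HOST="${GAME_HOST:-192.0.2.3}"          # public IP of the port-27015 server

firewall_rules() {
    # Start clean and default-deny on all three chains.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # The router itself: loopback, its own outbound traffic, and replies to it.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ssh only from the admin address, on the moved port; all else hits DROP.
    $IPTABLES -A INPUT -p tcp -s "$ADMIN_IP" --dport "$SSH_PORT" -j ACCEPT

    # ident (113): IRC servers probe it. A TCP reset lets the login proceed at
    # once, while DROP makes the client wait for a timeout. Keep identd running
    # only if the IRC network really requires a real answer.
    $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # finger (79) and sunrpc (111) are already unreachable under the DROP policy;
    # also comment them out of /etc/inetd.conf so the daemons never run.
    # Uncomment when Apache goes live:
    # $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

    # Routed hosts: anything out, only replies and the game port back in.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$GAME_HOST" --dport 27015 -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p udp -d "$GAME_HOST" --dport 27015 -j ACCEPT

    # Rate-limited log of what the FORWARD policy is about to drop.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD DROP: "
}

# Only touch the live firewall when run as:  sh rc.firewall apply
[ "${1:-}" = apply ] && firewall_rules
```

Because the LAN hosts carry public addresses, the game server is reached on its own IP and no PREROUTING DNAT is needed; only the FORWARD ACCEPT for its port remains.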
 
Old 06-09-2003, 01:42 AM   #3
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
What was the ifconfig eth0:1 stuff for?

You could change those commands to:

Code:
route add -host <ip> dev ethX
ip is the real IP of the host, ethX is the network card that this computer is connected to (could be directly or indirectly via a switch).
 
Old 06-09-2003, 01:43 AM   #4
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
Another thing: (man, I'm full of suggestions)

Instead of directly editing rc.local, put those rules in a separate file and call it from rc.local; that way, if you put other non-firewall-related stuff in rc.local, it will keep your rc.local cleaner.
 