Electricmonk

Ferry Boender


Linux 2.6 and iptables

Wednesday, November 10th, 2004

Well, since my server was dead as a brick anyway, I decided to put Linux 2.6 on the new machine during the reinstall, mostly for the ext3 support (yes, I know they also backported it to 2.4).

Being used to ipchains, I was always too lazy to find out how the new netfilter stuff worked. But now the server had been down for three weeks anyway, so I thought it wouldn't matter if it took me two more days to get NAT and my firewall running again.

Configuring the kernel
Turns out it was a real cinch. I just had to compile in support for CONFIG_NETFILTER, CONFIG_IP_NF_CONNTRACK and CONFIG_IP_NF_IPTABLES and then select some netfilter matching modules (I chose a couple, but you only really need CONFIG_IP_NF_MATCH_IPRANGE and CONFIG_IP_NF_MATCH_PKTTYPE for the firewall I believe). The tables and targets used below have options of their own: CONFIG_IP_NF_FILTER and CONFIG_IP_NF_TARGET_REJECT for the firewall, CONFIG_IP_NF_NAT and CONFIG_IP_NF_TARGET_MASQUERADE for masquerading.

Setting up masquerading
After booting the new kernel, all I had to do to get masquerading to work was run this:

# Masquerade traffic leaving on eth0 (the upstream interface). POSTROUTING runs
# after the routing decision and only knows the outgoing interface, so iptables
# refuses -i here; use -s with the LAN network instead if you want to restrict it.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Turn on IPv4 forwarding between the interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward

and masquerading worked.

Setting up the firewall
At first, iptables seemed to work the same as ipchains. Turns out there are some subtle differences, though. For instance, the chain names (INPUT) are case-sensitive with iptables. I also had to manually insert some modules to get the various targets (REJECT) for the rules to work. Another caveat was the fact that iptables works on a first-rule-matches basis: the first rule whose target decides a packet's fate wins, and later rules in the chain are never consulted. My old setup (ipchains) closed all ports < 1024 and then opened up things like HTTP and SMTP. For iptables, I had to first open up a couple of ports and then close everything below 1024. Quite counter-intuitive, but anyway.

Ultimately, I ended up with these modules loaded:
ipt_iprange
ipt_REJECT
iptable_filter
ipt_MASQUERADE

and a whole bunch of lines similar to these for the firewall:

# Accept first, reject later: the specific ACCEPTs must precede the catch-all REJECT.
# FTP data/control (20, 21) and SSH (22)
iptables -A INPUT -i eth0 -p tcp --destination-port 20:22 -j ACCEPT
# SMTP
iptables -A INPUT -i eth0 -p tcp --destination-port 25 -j ACCEPT
# HTTP
iptables -A INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT
# POP3
iptables -A INPUT -i eth0 -p tcp --destination-port 110 -j ACCEPT
# HTTPS
iptables -A INPUT -i eth0 -p tcp --destination-port 443 -j ACCEPT

# Deny all this shit below 1026
iptables -A INPUT -i eth0 -p tcp --destination-port 1:1025 -j REJECT
iptables -A INPUT -i eth0 -p udp --destination-port 1:1025 -j REJECT
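
As an added example (not the script from this post), here is a complete stateful NAT router and firewall for the two-interface setup described in the masquerading and firewall sections above. The interface names eth0 (upstream) and eth1 (LAN), the LAN network 192.168.1.0/24 and the run() dry-run helper are assumptions for illustration. It differs from the rules above in two ways a practitioner would want: a default DROP policy on INPUT also closes the ports above 1025 that a "reject 1:1025" rule alone leaves open, and the state match (ipt_state on top of conntrack) lets replies to the box's own connections and forwarded LAN traffic back in without opening ports for them.

```shell
#!/bin/sh
# Added example: stateful NAT router / firewall for a box with an upstream
# interface (eth0) and a LAN interface (eth1). Interface names and the LAN
# network are assumptions; adjust them for your machine.
#
# Every iptables call goes through run(), so with DRY_RUN=1 set the script only
# prints the commands it would execute. Run it as root without DRY_RUN to apply.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Start from a clean slate with default-deny policies for inbound and forwarded
# traffic. Done first so the flush does not wipe rules added afterwards.
flush_rules() {
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -F
    run -t nat -F
}

# Masquerading: hide everything from the LAN network behind the address of the
# upstream interface. POSTROUTING has already chosen the outgoing interface, so
# the LAN side is selected by source network rather than by -i.
nat_rules() {
    lan_net=$1; wan_if=$2
    run -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
}

# Packet filter. iptables stops at the first rule whose target decides the fate
# of a packet, so the specific ACCEPTs come first and the policy does the rest.
filter_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections this box started (needs conntrack + the state match).
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP
    # Services offered to the world: the same port set as the rules in the post.
    for port in 20:22 25 80 110 443; do
        run -A INPUT -i "$wan_if" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Everything from the LAN side is trusted.
    run -A INPUT -i "$lan_if" -s "$lan_net" -j ACCEPT
    # Explicit rejects on the upstream side: TCP resets and ICMP unreachables give
    # scanners a quick answer instead of a timeout; the DROP policy catches the rest.
    run -A INPUT -i "$wan_if" -p tcp -j REJECT --reject-with tcp-reset
    run -A INPUT -i "$wan_if" -p udp -j REJECT --reject-with icmp-port-unreachable

    # Forwarding: the LAN may go out, the outside only gets replies back in.
    run -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -j ACCEPT
    run -A FORWARD -i "$wan_if" -o "$lan_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Enable IPv4 forwarding (printed rather than executed under DRY_RUN).
set_forwarding() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Only act when invoked with "apply" or "show"; sourcing the file just defines
# the functions.
case "${1:-}" in
    apply) flush_rules; nat_rules 192.168.1.0/24 eth0; filter_rules eth1 eth0 192.168.1.0/24; set_forwarding ;;
    show)  DRY_RUN=1; flush_rules; nat_rules 192.168.1.0/24 eth0; filter_rules eth1 eth0 192.168.1.0/24; set_forwarding ;;
esac
```

Run `sh firewall.sh show` to review the generated rule set before `sh firewall.sh apply` as root. If you apply it over an SSH session, the ESTABLISHED rule re-admits your connection as soon as it is added, so there is only a brief gap between the flush and that rule.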

More information
More information on setting up masquerading with iptables can be found here.

The text of all posts on this blog, unless specifically mentioned otherwise, is licensed under this license.