# Making a firewall/router...  help!

## aNtHrAx323

I finally finished emerging Gentoo on my router (P3 500, Intel 440BX chipset, two 3Com 3C905 NICs), and have both interfaces set up properly (eth0 being the local network with static IP 192.168.0.1, eth1 being the Internet with a dynamic IP).  Now, I've emerged iptables, and compiled every networking option I could think of that would be necessary (namely under Netfilter Configuration) directly into the kernel.

What's the best way to go about setting up a flexible router/firewall?  At the moment, all I need is for NAT to work (so my computers can get on the 'net).  Also, information regarding configuring DHCP would be useful (I emerged DHCP, but for some reason, there's no /etc/init.d/dhcpd, just /etc/init.d/dhcp...  is this the same thing?).  Here's the command I just used to get this to work for right now:

```
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source [IP obtained via DHCP]
```

Is there anything wrong with this command, other than the fact that it's tailored specifically for my current IP?  Please guide me in the right direction...  And, if it's not too much to ask, try to explain a little of the logic involved in using the IPTABLES command.  Thanks so, so much in advance!

----------

## christsong84

I use shorewall and webmin set up so that only localhost can access it (or a specified IP).  It was the easiest way for me to set one up...I did a security scan with nessus and some other tools and I'm quite happy with the security.  NAT is easy following the directions on http://shorewall.sourceforge.net

I've heard that some people don't like shorewall all that much but it's a way to get started and get up and running for me at least.

*hides behind flame shield*

----------

## aNtHrAx323

Thanks for the tip.  However, I'd like to avoid software packages like that...  Not only because of how much of a neat freak I am, but also because I'd like to learn a few things about iptables so I can apply my knowledge in other ways in the future (should those situations happen to present themselves).

Still up for tips using the iptables command  :Smile: 

----------

## Qubax

You may have a look at http://projectfiles.com/firewall; that's a firewall script using iptables.

----------

## aNtHrAx323

Thanks man.  Does anyone know of any good tutorials, though?  I'd like to actually learn what's behind iptables, if at all possible.

----------

## aNtHrAx323

Oh yeah...  And where does Gentoo look for startup scripts?  Is it /etc/rc.d, or something else?  I need to know where to put the rc.firewall file...  Also, for my own references  :Smile: 

----------

## grooveman

I should think that /etc/init.d would be the most appropriate place for your rc.firewall.  That is where gentoo stores its init scripts, and then links from there with rc-update.

BTW, I found Oskar Andreasson's tutorial tremendously helpful.  You can find it here:

http://iptables-tutorial.frozentux.net/

Good luck with your project!

Chris

----------

## splooge

I remember when learning iptables it just 'clicked' like a light switch.  It's very readable when you think about it, almost like spoken English:

We'll use your little one liner as an example:

```
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source [IP obtained via DHCP]
```

Can be read like this:

hey iptables, in the nat table, add a rule to the postrouting chain saying that anything that matches source address 192.168.0.0 and is going out eth1, it's the router's -job (or is it -jump?) to source nat it with this IP address.

```
iptables [optional table] [add/delete] [chain] [match criteria] [job]
```

```
iptables -A INPUT -s 10.1.1.1 -j DROP
```

Would add a rule to the input chain that anything matching source address 10.1.1.1 should be dropped.

Likewise we could add more info to the match criteria:

```
iptables -A INPUT -s 10.1.1.1 -i eth0 -j DROP
```

Would add a rule to the input chain that anything matching source address arriving on eth0 should be dropped.

Going further:

```
iptables -A INPUT -s 10.1.1.1 -d 216.239.53.99 -i eth0 -j DROP
```

Would add a rule to the input chain that anything matching source address 10.1.1.1 going to destination 216.239.53.99 (google) arriving on eth0 should be dropped.

This starting to make sense?  ;p

Also for your firewall script... since you're getting a DHCPd address it's recommended you use MASQUERADE instead of SNAT:

```
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
```

----------
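The MASQUERADE one-liner above handles NAT, but on its own it leaves the router's INPUT and FORWARD chains wide open. Below is a fuller rc.firewall for the setup described in this thread (eth0 = LAN 192.168.0.0/24, eth1 = WAN with a DHCP address), written as an added example that is not from any post in the thread. It assumes a netfilter kernel with connection tracking and the MASQUERADE target compiled in (CONFIG_IP_NF_TARGET_MASQUERADE); the `DRY_RUN` switch and the `run`/`firewall_rules`/`rule_count` helper names are this example's own.

```shell
#!/bin/sh
# Added example: stateful NAT firewall for a Gentoo router with
# eth0 = LAN (192.168.0.0/24) and eth1 = WAN (dynamic address).
# Needs netfilter conntrack + the MASQUERADE target in the kernel
# (CONFIG_IP_NF_TARGET_MASQUERADE). /proc/net/ip_masquerade is an
# ipchains-era (2.2) file and is not used by iptables at all.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
IPT=${IPT:-/sbin/iptables}

# With DRY_RUN=1 every rule is printed instead of applied, so the
# rule set can be reviewed before it is loaded on the real box.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The complete rule set, one iptables command per line.
firewall_rules() {
    run "$IPT" -F                      # flush filter table
    run "$IPT" -t nat -F               # flush nat table too (plain -F does not)
    run "$IPT" -P INPUT DROP           # default deny towards the router
    run "$IPT" -P FORWARD DROP         # default deny through the router
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    # replies to connections the router itself started
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the LAN may talk to the router (ssh, dhcpd, dns ...)
    run "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # DHCP lease renewals arriving on the WAN side
    run "$IPT" -A INPUT -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT
    # forward only LAN-initiated traffic and its return packets
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # MASQUERADE picks up whatever address eth1 has, so a DHCP change is fine
    run "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

apply_firewall() {
    firewall_rules
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Number of iptables commands the script would issue (for a quick sanity check).
rule_count() { DRY_RUN=1 firewall_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = start ]; then apply_firewall; fi
```

Run `DRY_RUN=1 sh rc.firewall start` to print the rules, or install it under /etc/init.d as grooveman suggests and run it as root.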

## aNtHrAx323

*splooge wrote:*

> Also for your firewall script... since you're getting a DHCPd address it's recommended you use MASQUERADE instead of SNAT:
> 
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Thanks for the help, guys.  However, splooge...  I tried using the MASQUERADE command first (almost that exact line you typed there), but it didn't work.  Upon closer inspection, I realized I don't have a /proc/net/ip_masquerade file, despite specifying every possible option under netfilter config (while configuring my kernel).  I'm using vanilla-sources, and actually saw no mention of masquerading anywhere (just one option under netfilter that said "MASQ" in it, can't remember it all).  Should I try using gentoo-sources?  I remember seeing it in there...

----------

## geek

Here's a tutorial that I found very helpful with iptables.  It's by Gentoo president Daniel Robbins.  Free registration is required.  Hope it helps.

http://www-106.ibm.com/developerworks/edu/l-dw-linuxfw-i.html

----------

## dontgetit

I have the same problem.

I can get my gentoo router up with nat; my router script looks like this:

```
#!/bin/bash

ext_ip=**.***.***.***
iptables=/sbin/iptables

# flush the filter table (note: -F without -t leaves the nat table untouched)
$iptables -F

# source-NAT everything leaving eth0 to the fixed external address
$iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $ext_ip

# turn on forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
```

But when I try to get my router up with masquerade it fails; I can't give a rule like this:

```
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
```

I don't have ip_masquerade in /proc/net/, and I don't know how to get it there.

Thanks...........

----------

