setting up nat

Stuart Sears stuart at sjsears.com
Sat May 20 11:12:54 UTC 2006


Antoine wrote:
> Thanks for that... but I hope you are joking! You mean there is no
> gui/wizard for setting up nat?!?
> Cheers
> Antoine

no, not really.
Unless you install third-party software to control it, the default
graphical firewall config tools on FC don't do NAT. Welcome to our world. :)
Command-line utilities also allow you to make incremental changes to
firewall settings. Graphical tools (in my experience) tend to be
all-or-nothing.

a few additional points and a brief walkthrough:

std_disclaimer:
This is fairly simplistic and may not cover any or all of your security
requirements. Particularly as they do not include any access rules at
all, just NAT stuff.
You should realise that netfilter rules applied using the 'iptables'
command take immediate effect.
Applying badly written rules over a network login can severely
compromise your connectivity (and stress levels)
For this reason I can't see why you would need to restart the entire
connection after creating NAT rules.

on your router you would need to do a few simple things:
1) put NAT rules in place
2) possibly put other restrictions on the traffic you wish to allow
through your box (particularly from the outside world)
3) permit packet forwarding through your box
4) save the rules
5) make sure the 'iptables' service runs at boot time
( although, technically it is not a traditional 'service', all it does
is load rules into memory )

I am going to ignore any standard firewall rules you have on the system
(you can set these up through the standard graphical interface. DO not
do this after the NAT setup, you will break it.)

to control NAT you'll need to run a few shell commands.
A shell script is not necessary. Although it simplifies taking rules
from one system to another.
Setting up iptables rules in rc.local is a *bad* idea (IMHO) - this
means that on boot your interfaces are up and unprotected *before* the
firewall rules are in place.

as root:
iptables -nvL
will show you the rules that are currently in place for normal traffic.
iptables -t nat -nvL
will show you any nat rules you already have in place.
to nat all outgoing traffic:
assume your internal interface is eth0 and external is ppp0

a) clear any existing rules (if needed):
iptables -t nat -F POSTROUTING

b) add a rule natting traffic from your boxes to the outside world. this
is all one line (I've just separated the arguments)
# -i is not accepted in the POSTROUTING chain (packets there have already
# been routed), so the rule matches on source network and outbound interface only
iptables -t nat -I POSTROUTING \
  -s your_internal_network \
  ! -d your_internal_network \
  -o ppp0 \
  -j MASQUERADE

c) save your rules and make sure they will apply on next boot:
service iptables save
chkconfig iptables on

d) allow packets to route through your system:
edit /etc/sysctl.conf so that it has a line like this:
net.ipv4.ip_forward = 1

e) apply that change immediately
sysctl -p

voila! you are routing packets through your box.

these rules should then be permanently in place *unless* you run
system-config-securitylevel to set up others... (bad design, I know.)

Regards

Stuart
--
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.
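The walkthrough above (steps a to e) as a reviewable shell script, added here as an example and not part of Stuart's post. The interface names eth0/ppp0 and the network 192.168.1.0/24 are placeholders, and it adds the FORWARD rules the post leaves out so that only LAN-initiated flows and their replies cross the router; it assumes the FORWARD chain holds no earlier distribution rules.

```shell
#!/bin/sh
# Placeholders: LAN interface eth0, WAN interface ppp0, LAN 192.168.1.0/24.
# Without APPLY=1 the commands are only printed so the ruleset can be reviewed;
# APPLY=1 executes them and must be run as root.

nat_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    # a) flush only the NAT POSTROUTING chain; filter rules are left alone
    echo "iptables -t nat -F POSTROUTING"
    # b) masquerade LAN traffic leaving via the WAN interface. POSTROUTING
    #    cannot match on -i, so match on source network and -o instead
    echo "iptables -t nat -A POSTROUTING -s $lan_net ! -d $lan_net -o $wan_if -j MASQUERADE"
    # Forwarding policy (not in the post): default deny, then allow
    # LAN-initiated flows outbound and only their replies back in
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT"
    echo "iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

run_rules() {
    # Print the ruleset, or execute it line by line when APPLY=1
    nat_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "$cmd"
        fi
    done
}

enable_forwarding() {
    # d) persist ip_forward in /etc/sysctl.conf, e) apply it now with sysctl -p
    if [ "${APPLY:-0}" = 1 ]; then
        if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
            sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
        else
            echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
        fi
        sysctl -p
    else
        echo "# would set net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then run: sysctl -p"
    fi
}

run_rules eth0 ppp0 192.168.1.0/24
enable_forwarding
```

After applying, `service iptables save` and `chkconfig iptables on` (step c) are still needed to keep the rules across reboots.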
