A NATural Progression
Netfilter and iptables make an extremely powerful firewall, but to take advantage of it you need three things: a command of the basic syntax, as explained in my first article (“Taming the Wild Netfilter”, published in the September 2001 issue of LJ); an understanding of the modules and matches available to you; and an understanding of what a particular system can actually know about a packet (which headers it carries, which interface it arrived on, what connection state it belongs to). Armed with these three things, you can build highly specific, tailored firewall solutions for whatever problem you might have.
- Know how to take advantage of new and experimental matches and targets (and always test them). You learned this in last month's article with the iptables build targets pending-patches, most-of-pom and patch-o-matic. Testing by crafting and sending specific packets at a firewall interface is beyond the scope of this particular article, but a number of utilities exist to help you here (sendip or ipmagic come to mind).
- Build any missing modules for the kernel (make sure they are selected in the kernel configuration before you build).
- Build your rule chains with the more specific rules first, followed by the more general rules. The first matching rule with a terminating target decides a packet's fate, so a general rule placed too early will shadow every specific rule after it. If it helps you organize things, go ahead and build custom user chains that can be called from another chain; that was not covered specifically in this article, but it was addressed in the September 2001 article. Use everything at your disposal, including the LOG target, to see whether particular rules were applied and to which packets.
With just some basic knowledge, iptables is not difficult to use. Read some iptables scripts on the Internet. I don't recommend using them as they are; they almost certainly won't work for you without a lot of tweaking, but they will show you syntax, rules (from which you can grab fragments) and the thought process behind them.
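The advice above, assembled into a small ruleset generator as an added example (this is not code from the article or from its author). It writes a ruleset in iptables-restore format rather than calling iptables directly, so the result can be read, counted and diffed before it is loaded as root. It shows the ordering rule (specific before general in every chain), two user chains called from INPUT, a LOG target with a prefix so the kernel log tells you which chain dropped a packet, and a nat table that uses MASQUERADE for a dynamic outside address or SNAT for a static one. The interface names eth0/eth1, the networks 192.168.0.0/24, 192.0.2.0/24 (a constructed "known bad" source range) and 203.0.113.10, and the chain names SSH_IN and LOG_DROP are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: generate an iptables ruleset in iptables-restore format.
# Nothing here touches the live firewall; review the output, then apply it
# as root with:  sh fw-rules.sh > rules.v4 && iptables-restore < rules.v4
# Interface names, networks and chain names below are assumptions.

LAN_IF=${LAN_IF:-eth1}              # inside interface (assumed)
WAN_IF=${WAN_IF:-eth0}              # outside interface (assumed)
LAN_NET=${LAN_NET:-192.168.0.0/24}  # private LAN behind the NAT (assumed)
WAN_IP=${WAN_IP:-203.0.113.10}      # static outside address, SNAT only (assumed)
BAD_NET=${BAD_NET:-192.0.2.0/24}    # constructed "known bad" source range

# nat table: MASQUERADE picks up whatever address $WAN_IF currently has
# (dynamic IP); SNAT pins a fixed address and is the better choice when the
# outside address is static.   Usage: nat_rules [masquerade|snat]
nat_rules() {
    mode=${1:-masquerade}
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    if [ "$mode" = snat ]; then
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
    else
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    fi
    echo 'COMMIT'
}

# filter table: default-deny policies, two user chains, and in every chain
# the specific rules come before the general ones. The first matching rule
# with a terminating target decides the packet, so order matters.
filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
:LOG_DROP - [0:0]
# LOG_DROP: log (rate-limited, with a prefix so the kernel log names the chain), then drop
-A LOG_DROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 4
-A LOG_DROP -j DROP
# SSH_IN: the blocked source range first, the LAN next, then a rate-limited catch-all
-A SSH_IN -s $BAD_NET -j LOG_DROP
-A SSH_IN -s $LAN_NET -j ACCEPT
-A SSH_IN -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A SSH_IN -j LOG_DROP
# INPUT: loopback and existing connections first, then per-service chains, then the general drop
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOG_DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -j LOG_DROP
# FORWARD: replies first, then LAN -> WAN only; everything else is logged and dropped
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j LOG_DROP
COMMIT
EOF
}

# Whole ruleset; NAT_MODE selects masquerade (default) or snat.
build_ruleset() {
    nat_rules "${NAT_MODE:-masquerade}"
    filter_rules
}

# Review helpers: count the rules in a chain, and report which NAT target
# the nat table would use, before anything is loaded into the kernel.
count_chain_rules() { build_ruleset | grep -c "^-A $1 "; }
nat_target() { nat_rules "$1" | sed -n 's/.*-j \([A-Z]*\).*/\1/p'; }

build_ruleset
```

Once loaded, `grep 'fw-drop:' /var/log/messages` (or `dmesg`) shows exactly which packets reached the end of a chain without matching anything more specific, which is the quickest way to find a rule that is ordered wrongly or missing. The limit match on the LOG rule keeps a flood from filling the log; raise `--limit` while debugging and lower it again afterwards.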
Comments
Re: Kernel Korner: A NATural Progression
My copy of Linux Journal had page 21 missing. It had two identical copies of page 20 followed by page 22. Is this a known error in this month's print? [Pages 20-24 are this Kernel Korner: A NATural Progression article]
Re: Kernel Korner: A NATural Progression
No - it was an error.
Read the next issue's first page of letters/comments/whatever - in the lower-right corner it mentions the double-printing as a mistake...
(too lazy to find the actual page right now... :-P )
Re: Kernel Korner: A NATural Progression
Same here. Is this an advertising campaign? :) And could I just print a page 21 and add it back to the printed copy?
Re: Kernel Korner: A NATural Progression - MASQUERADE
One rule you did not mention which many home users may be interested in is the MASQUERADE rule. This rule comes in handy when you're riding on a dynamic IP connection but still want to use NAT. MASQUERADE uses the interface IP instead of having to hard-code it in your iptables script (or your iptables-save list).
An example may be:
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
This would masquerade the 192.168.0.0/24 block as whatever address is assigned to eth0, be it static or dynamic (though static setups should stick with SNAT for best results).
I've seen some firewalls use this in static situations as well (Astaro Security Linux 2.x, based on iptables) due to its simplicity.
Hope this helps.
-Rick
Re: Kernel Korner: A NATural Progression - MASQUERADE
David's previous NetFilter article covered MASQUERADE, IIRC
Re: Kernel Korner: A NATural Progression - MASQUERADE
This article, a two-part article (of which this month was the second part), was a continuation of a more basic article I wrote and was published in last September's LJ. The basic article (referred back to in this article) discussed MASQUERADE and provided examples and scripts. Please check out September's LJ article on Netfilter/iptables.
David A. Bandel