CCL Home Page
Up Directory CCL mysetup.txt
Committed by Jan K. Labanowski (jkl@ccl.net) in Aug. 2001.

How I installed the Firewall and IP Masquerading at home

I have a cable modem at home and about 4 computers working at a time
(I am usually plugged in as on Linux, and my wife and kids surf the net
with Windoz). My goal is to use a single IP address, and protect
my computers at home from attacks as it is feasible. I also plan
to move to DSL one day, and have static IP address. At that time,
I want to have a Web server and few other things on my firewall machine.

I started from reading. It all becomes clear after you read circa 100 pages.
Before that, you do not really know what you are doing.
When you read, take into account that this is bleeding edge technology,
that stuff which worked a year ago, need not to work today, since things
still change.

Nice collection of Netfilter documents is available at:
http://www.linuxguruz.org/iptables/

The Netfilter site: The Netfilter Project: Packet Mangling for Linux 2.4
http://netfilter.filewatcher.org/

Linux 2.4 Packet Filtering HOWTO
by Rusty Russel. 
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html

Linux Gets Stateful Firewalling:
http://www.securityportal.com/cover/coverstory20010122.html
by Jay Beale, 
Explains in a simple way the operation of the stateful firewall

Using Linux 2.4 Firewalling - Building a Firewall with Netfilter
http://securityportal.com/articles/netfilter20010219.html
by Jay Beale,
Explains how to use Netfilter

iptables Tutorial 1.0.7
http://people.unix-fu.org/andreasson/index.html
by Oskar Andreasson

Common threads -- Dynamic iptables firewalls
http://www-106.ibm.com/developerworks/linux/library/l-fw/
by Daniel Robbins

James C. Stephens: Connection Tracking
http://www.kalamazoolinux.org/presentations/20010417/conntrack.html

Firewalling and Netfilter Terms
http://www.kalamazoolinux.org/presentations/20010417/terms.html

The quick guide to iptables (syntax only):
http://www.kalamazoolinux.org/presentations/20010417/quick

Kernel Recompilation
===================== 

I took an old computer and installed Linux on it.
It had a cheap video card (S3 Virge), and 2 ether cards (an old ISA 3c509
and a tulip 10/100 clone which you can get at $10 a piece).

I installed 7.1 Red Hat from the first release CDs.
My PC had 78 Megs of memory, 20Gig drive, 200 Pentium MMX.
  
I had a Maxtor 20Gig drive. After I installed stuff, partitions looked like:

df -k
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/hda4             18295120   1474832  15890928   9% /
/dev/hda1               101089      3479     92391   4% /boot
/dev/hda3              1035692        20    983060   1% /ftp

fdisk
p
q
Disk /dev/hda: 255 heads, 63 sectors, 2491 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1        13    104391   83  Linux
/dev/hda2            14        46    265072+  82  Linux swap
/dev/hda3            47       177   1052257+  83  Linux
/dev/hda4           178      2491  18587205   83  Linux

I created separate /ftp partition so in case I want to install ftp server
and do not want hackers to kill my computer by filling up the incoming
directory.

Started with stock RH 7.1 and made all the updates (but not
the kernel) until August 20, 2001.
I made sure that I boot in TTY console mode by changing the line
in /etc/inittab to be:

   id:3:initdefault:

(you can do it by entering "linux single" on the LILO prompt when booting
which will put you in he single user mode). It will boot you to X-window
by default if you are not careful answering Xconfigurator queries.

Then installed 2 ether cards in my PC:
  a) old 3Com ISA 3C509 Etherlink III  (10BaseT)
  b) the cheap Tulip PCI card ($10) Linksys NC100 v 2.1  (10/100 BaseT)

Then, I put to /etc/modules.conf
alias eth0 3c509
alias eth1 tulip

I assume that eth0 will be pointing to outside internet (cable modem with
dynamic IP assignment) and eth1 will be my internal Ethernet (LAN).
BTW... If you are installing more than 1 Ethernet card in your box,
do yourself a favor. Install cards which use different modules. This
means that not only cards should be different, but also the drivers (i.e.,
modules) should be different. For example, there are tens of different
cards which use tulip.o driver. Use only one of these. It is my experience
that when cards are using the same module, they are not recognized/initialized
properly by the kernel, unless you compile them statically into the kernel.
Maybe I am missing something, but when cards use different drivers (modules)
they coexist sensibly. 

Then I rebooted the machine.

Then I logged in as root, and started X window

startx

and configured my network interfaces by using: 

   netcfg

I clicked on Interfaces and as a result  I had the following table:

Interface         IP               proto   atboot      active
lo             127.0.0.1           none    yes         active
eth0                               dhcp    yes         active
eth1           192.168.0.1         none    yes         active

You can get there by clicking on Add/Edit/Remove/Activate and Save/Quit
at the bottom of the netcfg window. Or you can edit files yourself.

As a result I got:
/etc/sysconfig/network
---------------
NETWORKING=yes
HOSTNAME=localhost.localdomain
GATEWAYDEV=
GATEWAY=
----------------

/etc/sysconfig/network-scripts/ifcfg-eth0
------------
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
---------------------

and
/etc/sysconfig/network-scripts/ifcfg-eth1
-----------
DEVICE=eth1
USERCTL=no
ONBOOT=yes
BOOTPROTO=none
BROADCAST=192.168.0.255
NETWORK=192.168.0.0
NETMASK=255.255.255.0
IPADDR=192.168.0.1
----------

You may (actually you must) want to read about kernel recompilation in
Brian Ward: The Linux Kernel HOWTO
It is available on many sites, but get some recent version
For example from:
http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html

Then, just in case, I made a copy of my /boot and /etc partition

mkdir /boot-old
cd /boot
tar cvf - . | ( cd /boot-old; tar xvf - )
mkdir /etc-old
cd /etc
tar cvf - . | ( cd /etc-old; tar xvf - )

I made a book diskette just in case
ls -l /boot            # find version of vmlinuz

mkinitrd /boot/initrd-2.4.2-2.img 2.4.2-2
fdformat /dev/fd0H1440
mkbootdisk --device /dev/fd0H1440 2.4.2-2


Now, saving configuration options for the current kernel

cd /usr/src
ls -l
---------------
lrwxrwxrwx    1 root     root           11 Aug 20 08:10 linux-2.4 -> linux-2.4.2
drwxr-xr-x   16 root     root         4096 Aug 21 08:15 linux-2.4.2
drwxr-xr-x    7 root     root         4096 Aug 20 08:07 redhat
------------------

I saved the config file from the /usr/src/linux-2.4.2/configs directory:
  cp /usr/src/linux-2.4.2/configs/kernel-2.4.2-i586.config  /root
since this was probably the file used to compile the default RH7.1 linux
for my MMX box.

Then removed the link in /usr/src
cd /usr/src
rm linux-2.4     # removed the link

I retrieved the latest version of linux kernel from kernel.org using wget
(but you can start from http://www.kernel.org).

wget ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.9.tar.gz

cd /usr/src
ls -l

drwxr-xr-x   16 root     root         4096 Aug 21 08:15 linux-2.4.2
-rw-r--r--    1 root     root     27474071 Aug 21 08:26 linux-2.4.9.tar.gz
drwxr-xr-x    7 root     root         4096 Aug 20 08:07 redhat


unpacked the tar achive
tar zxvf linux-2.4.9.tar.gz

renamed new directory
mv linux linux-2.4.9
ln -s linux-2.4.9 linux-2.4
ln -s linux-2.4.9 linux

My /usr/src is now:
ls -l 
----------------------
total 26876
lrwxrwxrwx    1 root     root           11 Aug 21 09:38 linux -> linux-2.4.9
lrwxrwxrwx    1 root     root           11 Aug 21 08:30 linux-2.4 -> linux-2.4.9
drwxr-xr-x   16 root     root         4096 Aug 21 08:15 linux-2.4.2
drwxr-xr-x   14 1046     101          4096 Aug 16 14:13 linux-2.4.9
-rw-r--r--    1 root     root     27474071 Aug 21 08:26 linux-2.4.9.tar.gz
drwxr-xr-x    7 root     root         4096 Aug 20 08:07 redhat
----------------------

Now, before you compile new linux kernel you need to remove the old
include files from /usr/include and put there the new include files

cd /usr/include
mv asm asm-2.4,2
mv linux linux-2.4.2
mv scsi scsi-2.4.2
ln -s /usr/src/linux-2.4/include/asm-i386 asm
ln -s /usr/src/linux-2.4/include/linux linux
ln -s /usr/src/linux-2.4/include/scsi scsi
 
Now, I wanted to reuse  the original RH7.1 kernel compilation config file
as much as possible file. Note that I am on Pentium MMX, so I use i586 configs.
This only asks me for new things which are new in the new kernel.

I did:

cd /usr/src/linux-2.4
cp /usr/src/linux-2.4.2/configs/kernel-2.4.2-i586.config .config
make oldconfig

Basically I accepted all m's (modules), since it is only compilation time,
and they are loaded only if they are needed. Now, I would probably be more
careful, since some of them have bugs, and you need to watch the compilation
(later) rather than leave it unattended and come back in a few hours.

I did not accept anything which requires additions to kernel. 
This is not very relevant, since I will have to go through these options
again with a  comb when I do configuration. This step is simply to make sure
that the
/usr/src/linux-2.4/.config file is in sync with the 2.4.9 kernel release.

I then saved the .config file just in case

cd /usr/src/linux-2.4
cp .config default.config


Now, I retrieved the iptables (v1.2.2) from http://netfilter.samba.org/
cd /root
wget http://netfilter.samba.org/iptables-1.2.2.tar.bz2


It is bzipped tar. Check if you have bunzip2 installed:
bunzip2
If it tells you: "command not found", find it on your RH CDs or retrieve it
from the net, e.g.

wget ftp://rpmfind.net/linux/redhat/7.1/en/os/i386/RedHat/RPMS/bzip2-1.0.1-3.i386.rpm

and then 

rpm -Uhv bzip2-1.0.1-3.i386.rpm

Then, I unpacked the bzipped archive:

bunzip2 iptables-1.2.2.tar.bz2
tar xvf iptables-1.2.2.tar
(or you can just do it in one line as: tar jxvf iptables-1.2.2.tar,bz2 ).


Then I applied patches to kernel:

 make pending-patches KERNEL_DIR=/usr/src/linux

It told me:
Testing... 2.4.4.patch ALREADY APPLIED (6 rejects out of 96 hunks).

Excellent! Kernel is now ready for compilation.

Then I compiled kernel.

cd /usr/src/linux-2.4
make xconfig
and after going through questions, I clicked "Save and Exit"

This was an endless line of questioning. You have to make sure you
allow the Firewall and Masquerading options. To make it easy next time
to reproduce my answers, I saved my config file. Next time I only need
to Load it, change one item if needed, and then do Save and Exit.

cp /usr/src/linux-2.4/.config /root/config.nat
My config file is available together with this log from the index page.
You just copy it to 
   /usr/src/linux-2.4/.config
and run old config on it just in case, you grabbed the newer kernel.

Then I executed regular steps for kernel compilation.

make dep
make clean

make bzImage

After about an hour, it finished and created bzImage:

-rw-r--r--    1 root     root       767981 Aug 21 12:46 bzImage


I copied the new bxImage it to /boot directory and changed its name:

cp -p /usr/src/linux-2.4.9/arch/i386/boot/bzImage /boot/vmlinuz-2.4.9-1

Then, I built modules:

make modules

Unfortunately, it gave me some errors for some modules:

gcc -D__KERNEL__ -I/usr/src/linux-2.4.9/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common -pipe -mpreferred-stack-boundary=2 -march=i586 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.9/include/linux/modversions.h   -DEXPORT_SYMTAB -c miropcm20-rds-core.c
In file included from /usr/src/linux-2.4.9/include/asm/io.h:108,
                 from miropcm20-rds-core.c:23:
/usr/src/linux-2.4.9/include/linux/vmalloc.h: In function `vmalloc_dma':
/usr/src/linux-2.4.9/include/linux/vmalloc.h:45: Internal error: Segmentation fault.
Please submit a full bug report.
See  for instructions.
make[3]: *** [miropcm20-rds-core.o] Error 1
make[3]: Leaving directory `/usr/src/linux-2.4.9/drivers/media/radio'
make[2]: *** [_modsubdir_radio] Error 2
make[2]: Leaving directory `/usr/src/linux-2.4.9/drivers/media'
make[1]: *** [_modsubdir_media] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.9/drivers'
make: *** [_mod_drivers] Error 2


So I started again. You do not loose much, since make will not recompile
the stuff which has been already compiled.  

cd /usr/src/linux-2.4.9
make modules

It did it again few hours later:
gcc -D__KERNEL__ -I/usr/src/linux-2.4.9/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common -pipe -mpreferred-stack-boundary=2 -march=i586 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.9/include/linux/modversions.h   -c -o pvr2fb.o pvr2fb.c
pvr2fb.c: In function `pvr2_update_display':
pvr2fb.c:876: warning: implicit declaration of function `ctrl_outl'
pvr2fb.c: In function `pvr2_init_display':
pvr2fb.c:930: warning: implicit declaration of function `ctrl_inl'
pvr2fb.c: In function `pvr2_init_cable':
pvr2fb.c:990: warning: implicit declaration of function `ctrl_inw'
pvr2fb.c: In function `pvr2fb_init':
pvr2fb.c:1009: `MACH_DREAMCAST' undeclared (first use in this function)
pvr2fb.c:1009: (Each undeclared identifier is reported only once
pvr2fb.c:1009: for each function it appears in.)
pvr2fb.c:1053: `HW_EVENT_VSYNC' undeclared (first use in this function)
make[2]: *** [pvr2fb.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.9/drivers/video'
make[1]: *** [_modsubdir_video] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.9/drivers'
make: *** [_mod_drivers] Error 2

so I did it again

cd /usr/src/linux-2.4.9
make modules

then again:
make[2]: Entering directory `/usr/src/linux-2.4.9/drivers/video'
gcc -D__KERNEL__ -I/usr/src/linux-2.4.9/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common -pipe -mpreferred-stack-boundary=2 -march=i586 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.9/include/linux/modversions.h   -c -o pvr2fb.o pvr2fb.c
pvr2fb.c: In function `pvr2_update_display':
pvr2fb.c:876: warning: implicit declaration of function `ctrl_outl'
pvr2fb.c: In function `pvr2_init_display':
pvr2fb.c:930: warning: implicit declaration of function `ctrl_inl'
pvr2fb.c: In function `pvr2_init_cable':
pvr2fb.c:990: warning: implicit declaration of function `ctrl_inw'
pvr2fb.c: In function `pvr2fb_init':
pvr2fb.c:1009: `MACH_DREAMCAST' undeclared (first use in this function)
pvr2fb.c:1009: (Each undeclared identifier is reported only once
pvr2fb.c:1009: for each function it appears in.)
pvr2fb.c:1053: `HW_EVENT_VSYNC' undeclared (first use in this function)
make[2]: *** [pvr2fb.o] Error 1
make[2]: Leaving directory `/usr/src/linux-2.4.9/drivers/video'
make[1]: *** [_modsubdir_video] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.9/drivers'
make: *** [_mod_drivers] Error 2

so I did it again

cd /usr/src/linux-2.4.9
make modules

but it did not help... But do not worry, if this is not the module you really
need you can just cheat...

cd /usr/src/linux-2.4.9/drivers/video
mv pvr2fb.c pvr2fb.c.orig
cat > pvr2fb.c
^D

(i.e., made empty file pvr2fb.c) since I will not be using this video card
anyhow.

And now, I asked the modules to be compiled again.
cd /usr/src/linux-2.4.9
make modules


So,finally, it finished after a few hours.

cd /usr/src/linux-2.4.9
make modules_install


Now, I had to make sure the new stuff is available for lilo to boot.

I already copied the bZimage there as vmlinuz-2.4.9-1.

cd /boot

# I removed links to old files: 
rm System.map
rm vmlinuz
rm module-info    (the module-info file is from RH *.rpm kernel distribution)
rm kernel.h

# I copied new fies to /boot directory
cp /usr/src/linux-2.4.9/System.map System.map-2.4.9-1
cp /usr/src/linux-2.4.9/include/linux/kernel.h kernel.h-2.4.9-1
cp /usr/src/linux-2.4.9/vmlinux vmlinux-2.4.9-1


# made new links
ln -s System.map-2.4.9-1 System.map
ln -s vmlinuz-2.4.9-1 vmlinuz
ln -s kernel.h-2.4.9-1 /kernel.h

# made new ram disk image
mkinitrd /boot/initrd-2.4.9-1.img 2.4.9

To be consistent, I made a link in /lib/modules directory
cd /lib/modules
ln -s 2.4.9 2.4.9-1


edited /etc/lilo.conf to be:
--------------------
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
message=/boot/message
linear
default=linux-2.4.9-1

image=/boot/vmlinuz-2.4.9-1
	label=linux-2.4.9-1
	read-only
	root=/dev/hda4

image=/boot/vmlinuz-2.4.2-2
	label=linux-2.4.2-2
	read-only
	root=/dev/hda4

--------------------------


and ran

 lilo -v

which updated the boot sector and boot maps, etc...

I also made a boot diskette in case I had problem booting from Hard Drive:

cd /boot
fdformat /dev/fd0H1440
mkbootdisk --device /dev/fd0 2.4.9-1

and then rebooted the machine.

It booted OK (Thank You My Lord...) and I logged in as root.

I installed the iptables package which came with RedHat since it is old..

First I stopped ipchains and removed init.d links which start ipchains
on boot
cd /etc/rc.d/init.d
./ipchains stop
chkconfig --del ipchains

Now, the
chkconfig --list ipchains
shows:
ipchains       	0:off	1:off	2:off	3:off	4:off	5:off	6:off

  rpm -q -a | grep iptables
      iptables-1.2.1a-1
  rpm  -e iptables-1.2.1a-1

As was described above, the new 1.2.2 version of iptables is already in:
/root/iptables-1.2.2

cd /root/iptables-1.2.2
make KERNEL_DIR=/usr/src/linux BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man
make install KERNEL_DIR=/usr/src/linux BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man

Now, the Netfilter and all needed kernel modules are available.

I rebooted the machine


Networking arrangement
======================
The goal was to make this:




 Internet---CableModem--[Ethernet Hub]--eth0(3C509)[Firewall/NAT Host]
                                                      (Tulip)
                                                      eth1 [192.168.0.1]
                                                          |
                                                          |
                                                          |
                                                          |
                                 --------                 |
                                | Ether  | uplink         |
                                | Hub    |-----------------
                                |        |
                                |        |----------------------
                                |        |                      |
                                |        |-----------           |
                                |        |           |          |
                                |        |-----      |          |
                                |        |     |     |          |
                                |        |     |     |          |
                                |        |     |     |          |
                                |        |     |     |          |
                                 --------      |     |          |
                                               |     |          |
                                               |     |          |
                                 --------------      |          ------
                                 |                   |                |
                                 |                   |                |
                           192.168.0.5         192.168.0.3      192.168.0.4
                       Static IP address    Static IP address  Static IP add.
                          Linux Laptop          Windows 98       Windows 98
                             eth0                  eth0             eth0


===================================================================


Now, for testing, learning, and playing...

I had the setup which consisted of 200MMX PC[Firewall/NAT Host] and a laptop.
which was working as an "Internal Network" or LAN, during the test period.
The PC was connected to Cable modem and got its IP address via DHCP.
The laptop was running linux, and was configured to have static IP address.
It also ran Windoz (dual boot) so I could check windoz over NAT/Firewal.

                                       DHCP
Internet---CableModem--[Ethernet Hub]--eth0(3C509)[Firewall/NAT Host]
                                                     (Tulip)
                                                     eth1 [192.168.0.1]  
                                                         |
                                                         |Cross over cable
                                                         |
                                                      eth0 [192.168.0.5]
                                                      (PCMCIA Ether Card)
                                                      My Laptop (Dell)


===================================================================
If you do not have the crossover cable, just use some Ethernet hub
and plug eth1 of Firewal/NAT and eth0 of laptop with straight through cables
as you would do normally (not to an uplink hub port). Make sure the LEDs on
the cards are glowing, since if your cables (or hub) are no good,
nothing will work. Repeat after me: Check your cables first...
You know how it is with cables... They work until you touch them. So check
your LEDs first to see if you do not have problems.

One more thing... I have put my slower (3C509) card on external eth0 interface.
My thinking was that I cannot get more juice from cable modem than 10 Mbits/s
while with a LAN, I may use additional bandwidth (e.g., remote printing,
file transfer, NFS, or access via MS shares, SAMBA, etc.).

The /sbin/ifconfig on my Firewall/NAT Host produced:
eth0      Link encap:Ethernet  HWaddr 00:20:AF:14:68:FD  
          inet addr:204.210.237.7  Bcast:255.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7177 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:10 Base address:0x300 

eth1      Link encap:Ethernet  HWaddr 00:03:6D:11:42:F9  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3142 errors:134 dropped:0 overruns:0 frame:147
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:11 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 

==================

The /sbin/ifconfig on my laptop produced:

eth0      Link encap:Ethernet  HWaddr 00:10:A4:99:E1:5E  
          inet addr:192.168.0.5  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:2186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:307 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:11 Base address:0x1800 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 

Both the laptop and the Firewall/NAT were running RH7.1, but laptop
just had the stock RH7.1 installed. I could ssh from laptop to Firewall/NAT as
  ssh -l root 192.168.0.1
and from Firewall/NAT to laptop as:
  ssh -l root 192.168.0.5

On the laptop I was running X-window (KDE to be exact) and I started
tcpdump in one of the xterms as:

tcpdump -a -R -v -i all

It produced a lot of gibberish, but I could see that packets are flying
back and forth when I ssh. You can also monitor the packets conveniently
by using iptables/netfilter itself (it write the packet info to syslog --
check the startfw scripts for comments  -- it is available from the index page.

Now... knowing that laptop talks to Firewall/NAT host and vice versa
is a critical step. You may want to wait a few minutes after boot
before machines exchange ARP packets. You can also check if they
know about each another by executing arp on them:

   arp -a

The complication is also that at this moment I do not run the DNS for these
babies. To avoid DNS at this stage, I added the following to the /etc/hosts
on both machines
------------
192.168.0.1	firewall.test.domain	firewall
192.168.0.5	lan1.test.domain	lan1
-----------

If you are on Windoz, The HOSTS file should be located in C:\WINDOWS\HOSTS 
(or in C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS on Windows NT).

I am not sure if you need to reboot Windoz for new hosts to be recognized
in the host file. On Linux you do not need to reboot, AFAIK.

This way I could do 
  ping lan1
when on firewall and 
  ping firewall
when on lan1

I also check the connection with route
On the firewall machine:
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
204.210.237.0   *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         204.210.237.1   0.0.0.0         UG    0      0        0 eth0

and on the lan1 machine:
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         firewall.test.d 0.0.0.0         UG    0      0        0 eth0



At the same time, I was checking if I can get to the Internet outside
by logging into one of the computers at my job.

I could ssh from firewall to outside. But, of course, could not log in to
outside machine from lan1.
ssh -l jkl www.ccl.net
ssh www.ccl.net: Name or service not known

and
ssh -l jkl 192.153.40.39     (IP address of www.ccl.net)

sits there forever.

So, now is the time to learn and play with Netfilter.


Playing with Netfilter
======================

Here is my brain process (assuming that I have a brain) which led to
some understanding of Netfilter.

You can list all netfilter modules by:
ls -l  /lib/modules/2.4.9/kernel/net/ipv4/netfilter

I have some description below. I use the word "firewall" as a shortcut
to "host which runs the netfilter". As you read on, the firewall does not
need to do any firewalling (e.g., can only do network address translation).

I read Rusty Russell's:  Linux 2.4 NAT HOWTO 
(Revision 1.15/2001/07/29), Linux netfilter Hacking HOWTO
(Revision:1.10 2001/05/04) and Linux 2.4 Packet Filtering HOWTO (Revision 1.21.
 2001/08/15) available at http://netfilter.filewatcher.org/unreliable-guides/
and also many other pieces on the net. My conclusion is that there is
some naming confusion, at least for me. The so called historical reasons,
which keeps as chained to tables.

Picture below is based on the 
http://www.knowplace.org/netfilter/ipt_flow_mirror.html
or http://www.kalamazoolinux.org/presentations/20010417/iptflow.html
by John Davidson (original site: http://ods.dyndns.org/ipt_flow.html does not
respond do me).

        ------------                   ------------        ------------
eth0-->| PREROUTING |   \           \ | FORWARD    |   \  | POSTROUTING|-->eth1
eth1-->|1) contrack |---->[route]---->|1) "filter" |----> |1) "nat" (S)|-->eth0
ppp0-->|2) "mangle" |   /    |      / |            |   /  |2) "nat" (M)|-->ppp0
lo? -->|3) "nat" (D)|        |        |            |  A   |3) contrack |--> lo?
        ------------         |        ------------   /|\   ------------
                             |                        |
                             |                        |
                             |                     [route]
                             |                        A
                            \|/                      /|\
                             V                        |
                       ------------             ------------
                      | INPUT      |           | OUTPUT     |
                      |1) "filter" |           |1) contrack |
                      |2) contrack |           |2) "mangle" |
                      |            |           |3) "nat"(D)*|
                       ------------            |4) "filter" | 
                             |                  ------------
                             |                        A
                             |                       /|\
                             |                        |
                            \|/                       |
                             V                        |
                           ...............................
                          :     Local software            :
                          : telnet, RPC, NSF, FTP, ssh,   :
                          : HTTP, HTTPS, gopher, DNS, xfs :
                          : X-window, ping, chat, etc.,   : 
                           ...............................

(D) -- destination. (S) -- source. (M) -- Masquerade.
1), 2)... order of application
 
Definitions:
Packet -- a chunk of data formatted according to one of the TCP/IP protocols

Interface -- a gate by which packets enter or exit the firewall machine. For
            example through 1st ethernet card (eth0), second ethernet
            card (eth1), 1st modem (ppp0 or slip0), and so on. The interface
            may be specified for the rule with a -i (--in-interface) or
            -o (--out-interface). You can also specify all interfaces of
            the given type by replacing the number with a "+" sign. For
            example -i eth+ means all packets which entered the firewall
            via ethernet card. You can also precede interface name with a !
            which means NOT. For example, -o ! eth0  means, packets which
            are not designated to exit via the eth0 interface.
            
Application software, or software -- software package other than the netfilter
            and kernel itself. When I say" "packets intended for software
            running on the firewall", I mean software like web server, or
            telnet, or whatever, but not netfilter and not the kernel itself,
            By definition, all packets go to netfilter and go via kernel.

Incoming packets -- packets which are coming to the firewall
Outgoing packets -- packets which are sent by the firewall outside
Forwarded packets -- packets which are not intended for the firewall itself,
      but routed from one interface to another.

Rule -- a sentence(clause) saying:

          PACKET TYPE                       ACTION
     if [packet is such and such] then [do this and that].

     For example: if packet destination is port 20, drop it.
     Examples of actions are: DENY, ACCEPT, DROP. There are also
     actions which result in changing the packet itself. This is probably not
     what the framers of Netfilter and other firewalls understand the term
     rule, but it helps me to see it like this.

Chain -- is an "operation room" inside the kernel where the
         rules are applied. These "operation rooms" are located in strategic
         points on the path of the packet inside the kernel. So why is it
         called a chain. Probably, because it is a "chain of rules", i.e.,
         chain of decisions is applied to the packet in the "operation room". 
         This is confusing, since you can define your own chains and attach
         them (branch to them) from the built-in chains. I think that naming
         is messed up here, since we should have the stuff presented as
         "decision points" and associated "chains of rules". But...
         The decisions may result in sending the packet elsewhere, in
         rejecting the packet, in dropping the packet, or in changing
         the packet. There are following built-in chains:  
  
     INPUT -- every packet which comes to the firewall and is designated
              for the firewall itself goes to this chain. You should try to
              do as much work as possible in the PREROUTING room (e.g.,
              dropped spoofed packets [packet claiming they came from
              internal network], malformed packets, etc, so the INPUT chain
              has less work to do. Moreover, if you do masquerading (DNAT),
              you should filter as much stuff as possible in the PREROUTING,
              or you would have to repeat the rules in the FORWARD chain.
              In INPUT, the packet can be either killed or sent to some
              application program running within the firewall (say, Web server
              or telnet server). Note that rules for INPUT chain cannot have
              -o (or --out-interface) since they do not go to any physical
              device. They can only have -i (--in-interface) specified. 

     OUTPUT -- every packet which is produced by the program running on the
               firewall itself and designated to go outside is entering this
               chain. From here it is either killed, or sent to POSTROUTING.
               Note that rules for the OUTPUT chain cannot have any
               -i (or --in-interface) since it does not come from the network
               device, but from the program running inside the firewall.

     PREROUTING -- every packet which comes to the firewall from outside
               goes first to this place before any other operations are made.
               The packet gets here before any routing decision is done.
               From this room, the packet can be sent to INPUT chain, or
               to the FORWARD chain, or killed.
                
     POSTROUTING -- every packet which is about to be sent out from the 
               firewall outside, comes to this chain. The packets which
               enter this chain, came either from the FORWARD chain, or
               from the OUTPUT chain. In here, the packet can be changed
               (or not) before being sent to the cloud, or killed.

     FORWARD -- Every packet which came to the firewall from outside on some
                interface, and is supposed to be send outside (on another or
                the same interface) comes to this room. The FORWARD chain
                is for packets which are not to be used by the application 
                software of the firewall itself, and were not created by the
                application software which runs on the firewall. Sometimes,
                decision may be to sent the packet out through the same
                interface it came from, but the key point is that the packet
                is not intended for the use of some program running on the
                firewall itself, and that the packet was not created from
                within the firewall. The rules for packets traversing
                FORWARD chain can have both -i (--in-interface) and 
                -o (--out-interface) specified.

     Note that in this topology packets coming to the firewall can traverse
     the following paths:
 
       outside --> PREROUTING --> FORWARD --> POSTROUTING --> outside
       outside --> PREROUTING --> INPUT --> internal program
       internal program --> OUTPUT --> POSTROUTING --> outside 

Built-in chains are locations in the path of processing packets. They
represent a collection of rules. The rules are applied to the packet in the
order in which they are placed in the chain. You can also define your own
chains (see examples section below) and jump to them from the current chain
in which packet is being processed. After you finished in your own chain,
the control comes back to the chain which called it just after the branching
rule (-j chain_name)..

Beside chains, there are "tables". Tables have names. They group the rules.
The rules in the table are executed as a group, but I am not sure about it
since I do not even think about looking up what actual code is doing..
See the diagram for the ordering in which the tables are executed in the
built-in chains (but I did not make this diagram, and I did not look in the
code). Table, as I see it, is a regime (a mode) under which the set of rules
is executed. Table is not just a collection of ordered elements which store 
rules, but rather a prescription how the rules of a given type should be
applied to the packet. A given rule (i.e., type of packet and action to take)
belongs only to one table. From this perspective, the table is just a type of
a rule and a prescription on how to deal with the rule. It is not just 
a placeholder for rules abut also an environment. You will not be able to
put some rules in some tables (e.g., "filter" table will not accept rules for
NAT, and "nat" table will not take the "-j REJECT", and, while I did not
test it, the packet mangling rules probably only work in the "mangle" table.
So you are putting rules to the table, but for a given chain (you can have
different rules in INPUT/filter table, and in OUTPUT/filter table).
Since chains have different roles and see different packets, they do not
have the same tables associated with them. So when you add your rule to
a chain, you actually add your rules to some table in this chain.
If you do not specify the table, the default is "filter". In two of
the decision rooms there is no filter table (POST and PREROUTING).
You have to specify the table in this case (usually -t nat)..
The same table in different chain has different rules but does a similar
thing. The built-in tables are associated with the chains. The same table
can be associated with more than one chain. Confused? Welcome to the club...
The tables are called tables probably for some historical reason.
I would call them modes, or regimes, or environments, or robots, or tracks
or manners or deportments. Below is the list of built-in tables:
   "filter"  -- table which collects rules which do not alter packets, but
                only filter them, i.e., either let them through, or stop
                them. The "filter" table is associated with FORWARD, INPUT,
                and OUTPUT chains. That is, every packet, either created
                inside the firewall or coming from outside goes through the
                "filter" table (i.e., rules of the filter table are applied
                to it). Note that the "filter" table is applied only once to
                the given packet, i.e., the packet can fall into the "decision
                room" where "filter" table is used only once on its travel
                through kernel. Look at the diagram. 

   "nat" --     table which changes the source or destination address/port and
                will alter where packets go. The "nat" table is applied
                in the PREROUTING and POSTROUTING chains. It can also be
                applied at the OUTPUT and INPUT chains if local NAT is 
                enabled. The "nat" table is special. When new connection
                is created, only the first packet traverses the table.
                The action resulting from this traversal is then applied to
                every packet in this connection. This is a place where SNAT
                (Source Network Address Translation), DNAT (Destination NAT),
                port forwarding, Masquerade, etc. are taking place. Note
                that "nat" table is applied in two places to each packet
                but the rules are different. In PREROUTING we do translation
                of destination address, i.e., we change the address/port of
                a packet which came from the outside (e.g., from address
                of a firewall to the address of the machine on local net).
                In the POSTROUTING we change the source address (e.g.,
                the packet going to the outside will carry the source
                address of the firewall, rather than the address of the 
                machine on the local LAN). Again, there are following NATs:
                DNAT -- destination address of the packet is modified. E.g.,
                    you have several web servers behind the firewall and you
                    want to spread the load. You can change the destination
                    IP address (which is the address of the firewall) of the
                    first SYN packet which wants to open the connection
                    to port 80 on the firewall to the address the webserver
                    which is behind the firewall. Then you want all
                    packets in the established TCP connection to go to this
                    machine until connection closes. 
                SNAT -- you have the internal network behind the firewall,
                    which you want to hide. Let us call it LAN. All
                    connections from LAN to the outside go via the firewall.
                    The firewall changes the source address in these packets 
                    (the address of host in the LAN) to its own address
                    (namely, the address it has on the interface facing
                    the outside network). This is a case of IP Masquerading.
                REDIRECT -- this is a specialized case of DNAT which changes
                    destination IP address of the packet intended for the
                    inside network to itself (like a reverse of DNAT described
                    above). It can be used, to redirect web traffic to a proxy
                    server.
            
   "mangle" --  table which changes actual packet information, usually the
                flags in the packet header. It is used mostly to change TOS
                (type of service) flags to change packet priority for the 
                router. It is also used to mark packets as special so then
                one recognize them in other chains (decision rooms) and give
		them a special treatment. It is applied at PREROUTING and
                OUTPUT chain.

The contrack is not a table, it is a module which tracks the connection,
i.e., assigns them the property of NEW, ESTABLISHED, RELATED, or INVALID.
The NEW packet is the one which is trying to establish a new connection
(e.g., the SYN packed from client to server in TCP connection). The connection
is NEW until a reply to it has been seen by contrack (note that contrack is
also called in POSTROUTING). The ESTABLISHED packet is a part of established
connection. The reply to the TCP request for connection (ACK) is considered
as ESTABLISHED packet (though formally, it is not yet an established connection
according to the three-prone handshake). All packets but first are considered
ESTABLISHED until connection is closed. RELATED is a packed which is in some
way related to existing connection. For example, the packets which are
exchanged on the 2 ports of FTP protocol are considered related. To detect that
packets are related, you really need a special module which understands the
protocol. There are many different modules for chats, video services, 
server push, etc. You need to get them and load them before the packets
belonging to these application protocols are recognized as RELATED.
For example: the DNS response is related to DNS request even if this was done
over UDP (which is connectionless protocol and does not have SYN/ACK/FIN/RST
flags like TCP). Some ICMP packets are also RELATED if they result from
a previous request or report the error to the request. INVALID packet is
a packed which cannot be classified. This may be an attempt to spoof your
machine. DROP all INVALID packets.

You can create your own chains and then jump to them from your built-in
chains. Look up examples.

The table name in iptables command is given via -t option. If omitted, the
"filter" table is assumed.

I am not really even trying to give the overview of iptables command. Do:
   man iptables
and also read all example scripts. Then you will have known...
   

Netfilter Examples from various Sources
=======================================
These examples are not in any order... Just when I found something, I added
it here.

Examples from: Iptables Basics NHF.
from: http://www.linuxnewbie.org/nhf/intel/security/iptables_basics.html

# Append the rule to INPUT chain to drop all packets coming from outside
#  on interface ppp0 and intended for the firewall's own telnet port
iptables -A INPUT -p tcp --destination-port telnet -p ppp0 -j DROP

# Append the rule to INPUT chain. It will drop packets coming from outside
# on interface eth0 and which want to start TCP connection with the firewall
iptables -A INPUT -o eth0 -p tcp --syn -j DROP 

# Append the rule to INPUT chain. Drop all packets coming from outside
# on interface eth0 which want to start TCP connection with the firewall
# except those address to port 80 (Web server).
iptables -A INPUT -o eth0 -p tcp --syn --destination-port ! 80 -j DROP

==========================================
Examples: from Paul Russel, Networking Security with Linux 2.4
from: http://www.linux-mag.com/2000-01/bestdefense_01.html

# limit log entries for packets coming from 192.168.0.1 to firewall to 
# one per hour.
iptables -A INPUT -s 192.168.0.1 -m limit -rate 1/hour -j LOG

----------------------

# log packets which came from FORWARD chain from ether card source
# 00:60.08:91:CC:B7 
iptables -A FORWARD -m mac -mac-source 00:60.08:91:CC:B7 -j LOG

----------------------

# append to FORWARD chain. Accept packets which are established or related
iptables -A FORWARD -m state -state ESTABLISHED, RELATED -j ACCEPT
   # append to FORWARD chain. DROP packets which are invalid
iptables -A FORWARD -m state -state INVALID -j DROP
   # if the 2 rules above were used, this rule will DROP all packets which
   # come from the external internet (ppp0) and try to establish NEW connection
   # this is a classic example of firewall which only allows connections to
   # be started from inside.
iptables -A FORWARD -i ppp0 -j DROP

-----------------

# Example of using user-defined chains.
  # create new chain named INVALID-DROP
iptables -N INVALID-DROP  
  # limit logging rate to 5 per hour and record only to first 3. Use log prefix
iptables -A INVALID-DROP -m limit -rate 5/hour -limit-burst 3 -j LOG \
    -log-prefix "FW:invalid: "
  # after logging the packet, drop it
iptables -A INVALID-DROP -j DROP
  # define new chain called NEW-DROP
iptables -N NEW-DROP
  #limit logging and define prefix
iptables -A NEW-DROP -m limit -rate 5/hour -limit-burst 3 -j LOG \
    -log-prefix "FW:new: "
  #drop the new connection packet from outside
iptables -A NEW-DROP -j DROP
  # accept established connection packets
iptables -A FORWARD -m state -state ESTABLISHED,RELATED -j ACCEPT
  # forward the INVALID packets to INVALID-DROP chain
iptables -A FORWARD -m state -state INVALID -j INVALID-DROP
  # forward the NEW packets from the outside network (ppp0) to chain NEW-DROP
iptables -A FORWARD -i ppp0 -j NEW-DROP

====================
Examples: from Linux Kernel 2.4 Firewalling Matures: netfilter
from: http://www.linuxsecurity.com/feature_stories/kernel-netfilter.html

# reject packets which have either ALL flags set, or SYN and ACK flag set
iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j DROP

# block telnet, ftp, and finger on packets which come to firewall itself.
iptables -A INPUT -t DENY -p tcp --destport telnet,ftp,finger

# redirect traffic coming from internal LAN 192.168.1.* and intended for
# the web server at 192.168.1.1 to a web server on machine 192.168.1.100
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.1 \
    -p tcp --dport 80 -j SNAT --to 192.168.1.100

# This will redirect traffic which comes to its eth0 interface (assuming it
# is the external interface to hosts 192.168.1.10, 192.168.1.11, 192.168.1.12. 
iptables -t nat -A POSTROUTING -i eth0 -j DNAT --to 192.168.1.10-192.168.1.12.

# log all packets which arrive to the IP address 192.168.1.1 and put
# the prefix ## ROUTER ## in front of log lines.
iptables -A INPUT -s 192.168.1.1 -j LOG --log-prefix '## ROUTER ##'

# log all ethernet packets which come from the MAC address 00:60:67:30:AC:E5
# and prefix them with ## My laptop ##.
iptables -I INPUT -m mac --mac-source 00:60:67:30:AC:E5 -j LOG \
      --log-prefix '## My laptop ##' 
==========================================================
Examples: from: Firewalling Using Netfilter
http://www.kalamazoolinux.org/presentations/20010417/

# script mylimit http://www.kalamazoolinux.org/presentations/20010417/mylimit
# which shows nested user-defined chains. Note the use of RETURN jump
# which takes you to the next line after the rule which contained call
# to the user-defined chain (in this case lines which contain -j mylimit).
/usr/local/sbin/iptables -N mylimit
/usr/local/sbin/iptables -A mylimit -m limit --limit 2/s --limit-burst 10 \
     -j RETURN

/usr/local/sbin/iptables -A mylimit -m limit --limit 6/m -j LOG \
      --log-level info --log-prefix 'limitthwart '

/usr/local/sbin/iptables -A mylimit -j DROP
#
# set up a new chain to accept the good connections
# block incoming connections from ppp on ports other than desired
#
/usr/local/sbin/iptables -N myaccept
# Ping flood
/usr/local/sbin/iptables -A myaccept -p icmp --icmp-type echo-request \
   -j mylimit
# Syn-flood protection
/usr/local/sbin/iptables -A myaccept -p tcp --syn -j mylimit
# Furtive port scanner
/usr/local/sbin/iptables -A myaccept -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
         -j mylimit

========================
Example from http://www.kalamazoolinux.org/presentations/20010417/flush
There are several examples which you can reach from the page:
http://www.kalamazoolinux.org/presentations/20010417/myrecommend.html

   # Set all of the Policies on the filter table to accept
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
   #
   # Flush all of the existing chains on the filter table
/sbin/iptables -F
   # Remove all of the user defined chains on the filter table
/sbin/iptables -X
   #
   # 
   # Set all of the Policies on the nat table to accept
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
   #
   # Flush all of the existing chains on the nat table
/sbin/iptables -t nat -F
   # Remove all of the user defined chains on the nat table
/sbin/iptables -t nat -X
   #
   # 
   # Set all of the Policies on the mangle table to accept
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
   # Flush all of the existing chains on the mangle table
/sbin/iptables -t mangle -F
   # Remove all of the user defined chains on the mangle table
/sbin/iptables -t mangle -X
   #
   # Not required:
   #       Stop forwarding and
   #       Remove all the iptables modules
   #
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/rmmod `lsmod | awk '{print $1}' | grep '^ip'`

====================
Example from: http://www.kalamazoolinux.org/presentations/20010417/list

# list all tables
echo
echo '                                   FILTER TABLE'
echo
iptables -t filter -L -v --line-numbers
echo
echo '                                   NAT TABLE'
echo
iptables -t nat -L -v --line-numbers
echo
echo '                                  MANGLE TABLE'
echo

===================
Example from: http://www.kalamazoolinux.org/presentations/20010417/conn

   # Create a user defined chain
/sbin/iptables -N myaccept
   # If it is established or related, It's OK by me 
/sbin/iptables -A myaccept -m state --state ESTABLISHED,RELATED -j ACCEPT
   # If a connection attempt comes from localhost or eth0 It may pass the chain
/sbin/iptables -A myaccept -i ! ppp0 -m state --state NEW -j ACCEPT
   # If the connection comes from ppp0 log it.  With no more accepts after
   # this, it will be dropped
/sbin/iptables -A myaccept -i ppp0 -m state --state NEW,INVALID \
         -j LOG --log-level emerg --log-prefix 'newconthwart '
/sbin/iptables -A myaccept -j LOG --log-level emerg \
         --log-prefix 'idunnothwart '
=====================
Example from: http://www.kalamazoolinux.org/presentations/20010417/wwwdomain

  # translate the incoming traffic for the webserver on the gateway
  # to the internal webserver 192.168.0.1
  # this one works on a dynamically assigned connection
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 \
    -j DNAT --to 192.168.0.1:80
  # translate the incoming traffic for the nameserver on the gateway to
  # the internal DNS server 192.168.0.6:53
  # this will work for statically assigned ip addresses (replace w.x.y.z)
/sbin/iptables -t nat -A PREROUTING -d w.x.y.z -p tcp --dport 53 \
     -i eth1 -j DNAT --to 192.168.0.6:53

-------------------

Examples from Linux 2.4 Packet Filtering HOWTO By Rusty Russel.
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html
# 5 DROPs packets which want to start connection from outside.
# Lets packets which were initiated from inside through. 
  # Insert connection-tracking modules (not needed if built into kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp

  # Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

  # Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

-----------------------------------
# 9 Mixing NAT and Packet Filtering

  # masquerade out ppp0 (packets which came from the LAN behind the firewall
  # will have their source addresses changed to the address of the
  #  ppp0 interface



 (so external word things it is firewall talking to it
  # directly)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  # Disallow NEW and INVALID incoming packets from ppp0 interface
iptables -A INPUT -i ppp0 -m state -- state NEW,INVALID -j DROP
  # Disallow NEW and INVALID incoming packets from ppp0 interface
iptables -A FORWARD -i ppp0 -m state -- state NEW,INVALID -j DROP
  #  Turn on the IP Forwarding
echo 1 > /proc/sys/net/ipvv4/ip_forward

--------------------------
# 11 Remove packets with your internal subnet addresses from coming from
  # outside
echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter

  # You can also do it for all interfaces:
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > $f
done

------------------------
# 11
  # Script where all connections which wanted to be initiated from
  # outside (ppp0) are junked

  # make a new chain no-conns-from-ppp0
iptables -N no-conns-from-ppp0

  # append the rule that packet which is ESTABLISHED or RELATED
  # should be accepted   
iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

  # append the rule that allows new connections to be created from
  # interfaces other than ppp0 (packets starting connection locally are fine)
iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT

  # since after the rules above only bad packet can be left, log them
iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG \
     --log-prefix "Bad packet from ppp0:"

  # if some bad packets are formed internally, log them
iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG \
     --log-prefix "Bad packet not from ppp0:"
  # DROP all packets which got to this point
iptables -A no-conns-from-ppp0 -j DROP

  # branch to no-conn-ppp0 from INPUT chain
iptables -A INPUT -j no-conns-from-ppp0

  # drop off all the packets which got that far.
iptables -A FORWARD -j no-conns-from-ppp0
--------------------------------

Some examples which are to big to be included here:

http://www.kalamazoolinux.org/presentations/20010417/myfinal
http://www.cs.princeton.edu/~jns/security/iptables/index.html
http://people.unix-fu.org:8080/andreasson/rc.firewall.txt
http://www-106.ibm.com/developerworks/linux/library/l-fw/dynfw-1.0.tar.gz


=======================================================
From the index page were you got this page, you can get the:
   iptables-jkl -- a script which starts the iptables/netfilter on boot
           I put this script in the /etc/rc.d/init.d directory and do:
              cp .../iptables-jkl /etc/rc.d/init.d
              cd /etc/rc.d/init.d
              chmod 744 iptables-jkl
              chkconfig --add iptables-jkl
           so it starts the firewall/masquerading on boot

   startfw -- a LONG script which I use to set up firewall/masquerading 
            I put this script into /usr/sbin directory (if you want it
            elsewhere, you need to change iptables-jkl, since it expects it
            there. This loads all the necessary modules I use and sets the
            chains. You read the LONG comments there to see what it does.
            The startfw does not flush the chains on startup. To start with
            a clean slate, you need to use the flushfw script below.
            Remember about 
                   chmod 744 startfw
            after you copied it to /usr/sbin.

   flushfw -- flushes all the chains, deletes modules, and resets the kernel
            flags in /proc. It should reside in /usr/sbin (or if you want it
            elsewhere, change the iptables-jkl script, since it calls it).
            You need to use it before you run the startfw, or you will end up
            with messed up machine (you can always run it again, and then
            run startfw)..
            Remember about 
                   chmod 744 flushfw
            after you copied it to /usr/sbin.

   iplisting -- lists your chains and tables and tells you if the stuff is
            running. I keep it in /usr/sbin. Remember about 744 for it.


Assuming your firewall is up and running, you are ready to connect the local
network to the other site. I did few tests before this. I have a laptop
dual book with windows and linux on it. I had to modify my Linux and
Windows networking on them. They were configured originally to get their
IP addresses and nameserver info using DHCP client. Now, they will use
static addresses.

First, you will need some information for them which is on your firewall.
You need to see the file /etc/resolv.conf and see what is there. My has:
  cat /etc/resolv.conf

search columbus.rr.com rr.com
nameserver 65.24.0.166
nameserver 65.24.0.167

You will need the nameservers. 

If you have linux PC, and one card on it, it is easy:

netconfig

and it displays you the questions, and you use your TAB key and arrow keys
to enter what it needs:
First, it asks you if you want to config the networking.You say yes.

Then the screen looked in my case like:

   [ ] Use dynamic IP configuration (BOOTP/DHCP)
       IP address:         192.168.0.5
       Netmask   :         255.255.255.0
       Default gateway IP: 192.168.0.1
       Primary Nameserver: 65.24.0.166

This stuff should end up in the file /etc/sysconfig/network-scripts/ifcfg-eth0
which in may case was:

DEVICE=eth0
INBOOT=tes
BOOTPROTO=static
IPADDR=192.168.0.5
NETMASK=255.255.255.0
GATEWAY=192.168.0.1

Of course, you do not have to use netconfig GUI, you can enter the values
yourself, since this is what it does.

In the file /etc/resolv.conf should be your nameserver (i.e., addresses
of machines which change some hostname like www.something.big.com to 
IP address like 196.132.251.5).
In my case, there was only primary nameserver there,  65.24.0.166
so I added another one, and it looked like:

search test.domain
nameserver 65.24.0.166
nameserver 65.24.0.167

Then I rebooted the machine.

Testing
============
Of course you can play with things.
Assuming that you ran the combination of
  /usr/sbin/flushfw
  /usr/sbin/startfw
on the firewall machine you can try pings outside on your laptop (local
network), For example:

  ping www.ccl.net

and it worked for me.
I even looked at the OSU page with netscape: http://www.ccl.net

So I tried a nasty stuff, Like ftp by using netscape with an URL

ftp://ftp.ccl.net

Worked... So I now tried using manual ftp in the xterm window:

ftp ftp.ccl.net
Name: anonymous
Password: guest@guest

Worked in passive mode like charm.

Now, I wanted to start the Web server on the laptop and get to it through
the firewall.

On the laptop, I had the Apache installed with RH 7.1 distribution.

I started it by doing:
/etc/rc.d/init.d/httpd start
Then, I checked on the laptop if my Apache runs by giving an URL:

http://localhost:80/

It gave me the test page.

I also tried the HTTPS
http://localhost:443/
and it asked me for accepting certificate, and again showed the test page.

The httpd (Apache) was not running on the Firewall, which I checked by doing
ps -ef | grep httpd

Now, I wanted to fool the world that my web server is actually running on
the firewall machine, but I wanted to use Destination NAT and forward HTTP
and HTTPS request to the laptop.

I did the following:

1) Logged in to firewall as root

2) logged in  stopped my running "production" firewall:
   /usr/sbin/flushfw

3) Wrote a small script, chmoded it to 755 and ran it:

#!/bin/bash

/sbin/modprobe ip_tables
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_unclean
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT \
  --to 192.168.0.5:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 443 -j DNAT \
--to 192.168.0.5:443

4) I ran the hostname on the firewall to learn what is my actual name.
   It was at the time: dhcp237007.columbus.rr.com
   (you need a fully qualified name)

5) I learned that its IP address assigned by DHCP:
      nslookup dhcp237007.columbus.rr.com
   It was:  204.210.237.7
   (You can also get this by running:
    /sbin/ifconfig
   )

6) I logged in from firewall to my office machines using ssh) and 
   I fired lynx (a text web browser --  you do not want netscape,
   since it will take a year to pass these pixels back to your firewall 
   machine) using the firewall machine name:

      lynx http://dhcp237007.columbus.rr.com

      lynx https://dhcp237007.columbus.rr.com
   You remember, that there is no Apache running on firewall, but one is
   running on laptop. Worked like charm. The tcpdump on the laptop was
   showing tons of packet with right ports going back and forth.
   This was the magic of Destination NAT.

7) Then I killed the  server on the laptop, and when I wanted to reach it
   again, it said: "No way, Jose". 

8) Then I restarted the "production" netfilter script on the firewall machine:
      /etc/rc.d/init.d/iptables-jkl restart

Configuring Windows to work behind the firewall
================================================

Double Clicked on "My computer"
Double Clicked on "Control Panel"
Double clicked on "Network"
Clicked on "Configuration Tab"
Clicked on TCP/IP -> Whatever-Ether-Card-You-Have-At-The-Bottom 
Clicked on "Properties"
Clicked on "IP address" Tab
   Chose "Specify and IP address"

        IP Address: 192.168.0.5
        Subnet Mask: 255.255.255.0

Clicked on "DNS Configuration" Tab
    Chose: "Enable DNS"
    Host: lan5
    Domain: test.domain
    DNS Server Search Order
       65.24.0.166    Add
       65.24.0.167    Add

Clicked on "Gateway" Tab
    192.168.0.1       Add


Then clicked OK and OK and OK and it rebooted the PC

Then, Start->Run->winipcfg 
and chosen the Ether Card (It will often show PPP, if you also have a modem).

For the time being, this is it. I plan to install proxy server, squid,
Web server, dns server, and whatever on the firewall machine.
While the firewall machine SHOULD NOT HAVE UNNECESSARY SERVICES RUNNING ON IT,
in my case, it is just my home PC, and I only have a single IP address,
so it more like giving me a way to have many computers at home with one
IP address on the exit, rather than the BIG SECURITY of my network.
But of course, if you are security conscious, you should make a DMZ setup,
and you will need 3 ether cards in your PC. Search www.google.com for
DMZ iptables
and you will learn things.


Modified: Sat Nov 24 22:15:37 2001 GMT
Page accessed 11996 times since Tue Dec 11 21:34:19 2001 GMT