-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antoine wrote: > Thanks for that... but I hope you are joking! You mean there is no > gui/wizard for setting up nat?!? > Cheers > Antoine no, not really. Unless you install third-party software to control it, the default graphical firewall config tools on FC don't do NAT. Welcome to our world. :) Command-line utilities also allow you to make incremental changes to firewall settings. Graphical tools (In my experience) tend to be all-or-nothing a few additional points and a brief walkthrough: std_disclaimer: This is fairly simplistic and may not cover any or all of your security requirements. Particularly as they do not include any access rules at all, just NAT stuff. You should realise that netfilter rules applied using the 'iptables' command take immediate effect. Applying badly written rules over a network login can severely compromise your connectivity (and stress levels) For this reason I can't see why you would need to restart the entire connection after creating NAT rules. on your router you would need to do a few simple things: 1) put NAT rules in place 2) possibly put other restrictions on the traffic you wish to allow through your box (particularly from the outside world) 3) permit packet forwarding through your box 4) save the rules 5) make sure the 'iptables' service runs at boot time ( although, technically it is not a traditional 'service', all it does is load rules into memory ) I am going to ignore any standard firewall rules you have on the system (you can set these up through the standard graphical interface. DO not do this after the NAT setup, you will break it.) to control NAT you'll need to run a few shell commands. A shell script is not necessary. Although it simplifies taking rules from one system to another. Setting up iptables rules in rc.local is a *bad* idea (IMHO) - this means that on boot your interfaces are up and unprotected *before* the firewall rules are in place. as root: iptables -nvL will show you the rules that are currently in place for normal traffic. iptables -t nat -nvL will shoe you any nat rules you already have in place to nat all outgoing traffic: assume your internal interface is eth0 and external is ppp0 a) clear any existing rules (if needed): iptables -t nat -F POSTROUTING b) add a rule natting traffic from your boxes to the outside world. this is all one line (I've just separated the arguments) iptables -t nat - -I POSTROUTING - -s your_internal_network - -d ! your_internal_network - -i eth0 - -o ppp0 - -j MASQUERADE c) save your rules and make sure they will apply on next boot: service iptables save chkconfig iptables on d) allow packets to route through your system: edit /etc/sysctl.conf so that it has a line like this: net.ipv4.ip_forward = 1 e) apply that change immediately sysctl -p voila! you are routing packets through your box. these rules should then be permanently in place *unless* you run system-config-securitylevel to set up others... (bad design, I know.) Regards Stuart - -- Stuart Sears RHCA RHCX To err is human, to forgive is Not Company Policy. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFEbvhmamPtx1brPQ4RApTXAJ9+gMjFng2DkA1TElnPR/OX5k63agCfVXyi dTF1IGDRJpMhMO0s6ca86yY= =oJXa -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
