[rescue] RFA: firewall
Patrick Finnegan
pat at computer-refuge.org
Mon Jan 10 09:30:08 CST 2005
On Monday 10 January 2005 00:18, Jonathan C. Patschke wrote:
> On Sun, 9 Jan 2005, Patrick Finnegan wrote:
> > I've never actually used OpenBSD, but from what I hear, pf is
> > "nice" to configure, but I've had no problems doing what I've
> > wanted to with iptables on Linux.
>
> The huge difference between iptables and pf is that in iptables, you
> essentially have a shell script where you form these long chains of
> packet processing by assigning packets of various jumps/targets, and
> netfilter uses this both to assign behavior and classification to a
> packet.
>
> ext_if=eth0
> ext_ip=`ifconfig $ext_if | grep 'inet addr' | sed -e 's/:/ /g' | cut -d' ' -f 3`
> IPTABLES=/usr/bin/iptables
> $IPTABLES -F
> $IPTABLES -A POSTROUTING -t nat -s 192.168.0.0/24 -o $ext_if -j SNAT --to-source $ext_ip
> $IPTABLES -t nat -A PREROUTING -p tcp -d $ext_ip --dport 80 -j DNAT \
>     --to-destination 192.168.0.2
> $IPTABLES -t nat -A PREROUTING -p tcp -d $ext_ip --dport 443 -j DNAT \
>     --to-destination 192.168.0.2
> $IPTABLES -t nat -A PREROUTING -p tcp -d $ext_ip --dport 25 -j DNAT \
>     --to-destination 192.168.0.3
> $IPTABLES -t nat -A PREROUTING -p tcp -d $ext_ip --dport 22 -j DNAT \
>     --to-destination 192.168.0.4
You should try using iptables-save and iptables-restore; it's much
easier (and probably more readable).
Pat
--
Purdue University ITAP/RCS --- http://www.itap.purdue.edu/rcs/
The Computer Refuge --- http://computer-refuge.org
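For readers who want to see what Pat's suggestion looks like in practice, here is the quoted port-forwarding setup rewritten in the iptables-save file format, as an added example that is not part of the original thread and not code from either poster. The interface, external address and 192.168.0.x hosts are taken from Jonathan's script; the *filter section is an addition, assuming the router should only forward the DNAT'd ports (plus established flows and outbound traffic from the LAN), since DNAT rules on their own only rewrite addresses and do not decide what the FORWARD chain lets through. Loading the file with iptables-restore replaces the whole table in one step, so there is no window between the "-F" flush and the last "-A" in which the box is running with no NAT rules at all.

```shell
#!/bin/sh
# Added example: emit the quoted NAT rules (plus a FORWARD policy) in
# iptables-save format so they can be loaded atomically with
# "iptables-restore < rules.v4". The hosts 192.168.0.2/3/4 and the port
# list come from the quoted script; the *filter section is an assumption.

gen_rules() {
    ext_if="$1"   # e.g. eth0
    ext_ip="$2"   # the external address the quoted script derived from ifconfig
    cat <<EOF
# Load with: iptables-restore < rules.v4   (dry run: iptables-restore --test < rules.v4)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o $ext_if -j SNAT --to-source $ext_ip
-A PREROUTING -p tcp -d $ext_ip --dport 80 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -p tcp -d $ext_ip --dport 443 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -p tcp -d $ext_ip --dport 25 -j DNAT --to-destination 192.168.0.3
-A PREROUTING -p tcp -d $ext_ip --dport 22 -j DNAT --to-destination 192.168.0.4
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Assumed policy: only the DNAT'd services, replies, and LAN-originated traffic are forwarded.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ext_if -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
-A FORWARD -i $ext_if -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT
-A FORWARD -i $ext_if -p tcp -d 192.168.0.3 --dport 25 -j ACCEPT
-A FORWARD -i $ext_if -p tcp -d 192.168.0.4 --dport 22 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -o $ext_if -j ACCEPT
COMMIT
EOF
}

# Usage: ./gen_rules.sh eth0 203.0.113.10 > rules.v4
if [ "$#" -eq 2 ]; then
    gen_rules "$1" "$2"
fi
```

The generated file is the same shape that `iptables-save` prints, so once it has been loaded once, `iptables-save > rules.v4` round-trips it and later edits can be made directly in the file. `iptables-restore --test` parses the file without committing it, which is a cheap way to catch a typo before touching the live ruleset.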