IP tables / IP Masquerading
Official documentation


Building the kernel for netfilter use
The instructions for compiling the 2.4.x kernel with iptables support can be found on the IP Masquerading home page. I have added a link to this site above. Use it...

iptables structure
iptables consists of 3 tables:
filter: This is the table used to implement the firewall
nat: This is the table used to implement IP masquerading (= Internet sharing)
mangle: This is the table used for specialized packet alteration
Each table has a number of chains (INPUT, OUTPUT, FORWARD,...). These chains contain rules which define the policy (ACCEPT, DROP, QUEUE, RETURN).

The filter table (the firewall)
First, there are several things you need to know before proceeding:
The filter table consists of 3 chains:
INPUT: for traffic coming into your box
OUTPUT: for traffic going out of your box
FORWARD: for packets being routed through the box (= packets that aren't meant for you)

The conntrack module gives every packet a state:
NEW: for packets that have started a new connection
RELATED: for packets starting a new connection, but related to an existing one
ESTABLISHED: for packets associated with a known connection
INVALID: for all other packets

With this information in the back of our mind, we can start building our firewall. A good rule of thumb is to block all incoming traffic by default, and then start punching holes in the firewall to allow only the traffic we want. Below you can find a setup for 1 PC to go onto the internet, read mail, ftp,...
# Flush any rules that may still be configured
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t filter -F FORWARD

# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD DROP

# Allow all connections established by me
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A INPUT -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT


The nat table (IP Masquerading)
The nat table consists of 3 chains:
PREROUTING: for altering traffic as soon as it comes in
POSTROUTING: for altering locally-generated packets before routing
OUTPUT: for altering traffic as it's about to go out

In order to get your whole LAN on the Internet, the box that has the modem is set up as a gateway for the other boxes. I'll assume you are using a multihomed box to set up the gateway. In my setup, the NIC used for the Internal LAN is eth0, and the one used to connect to the Internet is eth1.
First you will need to enable IP forwarding. Then you need to set up the MASQUERADE policy in the POSTROUTING chain (since the gateway will pretend that the requests from the LAN are made by itself).
Below you find the code for a script to use iptables/ipmasquerading. You can download it from here (just shift-click it).
LOOPBACK=lo
LAN=eth0
WAN=eth1

#Flush any rules that may still be configured
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t filter -F FORWARD
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT

# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

# Set up the firewall rules
/sbin/iptables -t filter -A INPUT -i ${LOOPBACK} -j ACCEPT
/sbin/iptables -t filter -A INPUT -i ${LAN} -j ACCEPT
/sbin/iptables -t filter -A INPUT -i ${WAN} -m state --state RELATED,ESTABLISHED -j ACCEPT

# Set up the ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t filter -A FORWARD -i ${LAN} -o ${WAN} -j ACCEPT
/sbin/iptables -t filter -A FORWARD -i ${WAN} -o ${LAN} -m state --state RELATED,ESTABLISHED -j ACCEPT

# Set up ip masquerading
# Allow the boxes 192.168.0.2 and 192.168.0.3 on the Internet
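# (-o takes an interface name; the LAN hosts are selected by source address with -s)
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.2/32 -o ${WAN} -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.3/32 -o ${WAN} -j MASQUERADE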


All you need to do now is set up the clients correctly (e.g. put your box as their default gateway, and set up DNS correctly). If all went well, you should now be able to browse, mail, ftp, ssh, ...
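
To check that the loaded ruleset still matches the policy described above (INPUT and FORWARD default to DROP, and the Internet-facing interface only accepts RELATED,ESTABLISHED traffic), here is an added example that is not part of the original script. It audits iptables-save output; the function names, the interface name eth1 and both sample dumps are constructed for illustration, and negated matches (! -i) are not handled.

```sh
#!/bin/sh
# Audit iptables-save output. Live use (as root): iptables-save | audit_ruleset eth1
audit_ruleset() {
    awk -v wan="$1" '
    /^\*/ { table = substr($0, 2); next }        # table header: *filter, *nat
    table != "filter" { next }
    /^:(INPUT|FORWARD) / {                        # policy line: ":INPUT DROP [0:0]"
        if ($2 != "DROP") print "policy " substr($1, 2) " is " $2 ", expected DROP"
        next
    }
    /^-A (INPUT|FORWARD) / {
        in_if = ""; target = ""; states = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
        }
        # Only ACCEPT rules that can match packets arriving on the WAN side matter
        if (target != "ACCEPT" || (in_if != "" && in_if != wan)) next
        if (states == "") print "stateless ACCEPT from " wan ": " $0
        else if (("," states ",") ~ /,NEW,/) print "NEW accepted from " wan ": " $0
    }'
}
# Constructed sample: the ruleset the gateway script is meant to produce
good_dump() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
# Constructed sample: open INPUT policy and two over-broad WAN rules
bad_dump() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
bad_dump | audit_ruleset eth1   # prints one finding per line
```

An empty result means no finding; rules without -i are treated as reachable from the WAN side because they match every interface.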

Have fun :o)
Lurch