Just for reference this is what i use to connect to nfs drives on my server

via script, GalacticAC is defined in /etc/hosts with the ip of my server

#! /bin/bash 
# script to mount my files on webserver
sudo mount -t nfs GalacticAC:/mnt/sdb1/ /home/michael/server/sdb1

and via fstab (will mount automatically on boot)

GalacticAC:/mnt/sdb1/ /home/michael/server/sdb1 nfs defaults 0 0

I’m so dumb i was still using samba. If your using linux you really dont need samba ! You can set it up using nfs and have a easier more secure method. Its like the file was on your own machine.

This is what i used to do to mount my samba shares in ubuntu.

#!/bin/bash
#pass=$1
echo -n "Password: "
stty -echo
read password
#script to connect to samba drive on server.
smbmount //ip/dir /home/michael/server/ #-o username=zonemikel,password=$password
#example smbmount //192.168.1.200/WebFiles /home/michael/webserver/ -o username=zonemikel,password=$password
echo "connected"
read -p "Press any key to unmount drives. " -n1 -s
smbumount /home/michael/server/
smbumount /home/michael/webserver/
echo "unmounted"

I had to have it un mount or my pc would not shut down right … anyway thats the old way this is the new

sudo mount -t nfs serverName:/mnt/files /home/michael/server

No passwords, it allows only ip addresses from the network to connect. Since I’m using a direct connection from the server to this subnetwork there is no other place for someone to patch in and use that ip, so its relativly secure. If I were using it over a large network i think anyone could change their ip to a “trusted” (/etc/hosts.allow) ip and easily gain acess to your files, but on a home network such as mine with a trusted and un trusted subnetwork this is ok.

Here is the original Link to the instructions
This text below (the remainder of this article) is NOT my writing ! I just want to keep a copy here in case they move their site or something

While most things about Ubuntu work pretty much the way you want/expect the first time, one exception is sharing folders between two computers on the same LAN (”Local Area Network” — in this case, multiple computers in the same house sharing an internet connection via a router). Surprisingly, it’s easier/more intuitive to do this between an Ubuntu computer and a Windows computer! I wish Ubuntu would make a more intuitive, graphical way for non-technical users to do this — though I certainly have fun tinkering with these things and learning more about networking (or what-have-you) as I go.

Through some command-line magic, I’ve gotten my laptop to be able to access the music folder on my desktop — right now I’m playing music on my laptop that’s actually stored on my desktop’s much bigger hard drive. Sweet! How did I manage this?

Say you have two computers, both running Linux (in this case they’re both running Ubuntu and I can’t vouch that this will work on any other distro, but I suspect it would) — the server, which has the folder you want to share on its physical media, and the client, which will connect to the server and access its data.

On the client:
1. In a Terminal window, run

sudo apt-get install nfs-common

— this installs the software you’ll need.
2. Run

ifconfig

to find your IP on the local network; it should look something like

inet addr:192.168.1.101

(If you see more than one instance of “inet addr” in the output of ifconfig, choose the address that doesn’t begin with 127.)

On the server:
3. In a Terminal window, run

sudo apt-get install nfs-kernel-server

4. Edit the

/etc/hosts

file and add a line that looks like this:

neuron 192.168.1.101

where “neuron” is replaced with the hostname or a nickname for your client (in this case, “neuron” is the name of my laptop) and “192.168.1.101″ is replaced with the IP you found in step 2.
5. Test this — in a Terminal, run

ping -c 1 neuron

(or whatever name you used) and see if you get a response. If you get a response like “unknown host”, something is wrong — re-check your work from the previous steps (and check that the two computers are really on the same network!). If you get a response like “… 64 bytes from neuron… 1 packets transmitted, 1 received … ” then everything is hunky-dory so far and you are ready to move on!
6. Edit the

/etc/hosts.allow

file and add a line that looks like this:

ALL: 192.168.1.101

(again, use the IP that you found in Step 2).
7. Edit the

/etc/exports

file and add a line that looks like this:

/home/music 192.168.1.101(rw,sync,subtree_check,no_root_squash)

where again 192… is replaced with the IP from step 2, and “/home/music” is replaced with the full path to the folder you want to share. Note that for some reason it is important that the parenthesized arguments don’t have a space between them.
8. Run

sudo /etc/init.d/nfs-kernel-server restart

9. Run

ifconfig

and get the IP of your server, the same way that you found it for the client.

Back on the client!
10. Edit

/etc/hosts

and add a line like

192.168.1.103 boffin

where “192.168.1.103″ is replaced with the IP of your server (from step 9) and “boffin” is replaced with the hostname/nickname of your server (”boffin” is the name of my desktop).
11.

ping -c 1 boffin

to check that this worked, just like in Step 5.
12. Make a mountpoint for your shared directory — in my case, I used

mkdir /media/boffin-music

13. Mount the shared directory at the mountpoint, like this:

sudo mount -t nfs boffin:/home/music /media/boffin-music

replacing “boffin” with your server’s name, “/home/music” with the location on the server of your shared folder, and “/media/boffin-music” with the mountpoint you created in step 12.
14. Now you should be able to browse to the mountpoint and see your shared files, and open them, and use them. Awesome!

This is a continuation of articles “using iptables on your linux router“  and “how to setup your slackware linux box as a router“. This is the script that im pretty much finished with and how it works.

Hardware Setup

This is a basic diagram of my network setup. Crossover cables are denoted with ‘C’. This does not represent the actual spacing between items at all, for instance PC 2 is about 100ft away from the hub, the hub is right on top of the server.

Eth1 Network (192.168.10.0)
Very Un-trusted !
Only allow ports 80, and 22
PC1 can be allowed samba ports also

Eth2 Network(192.168.1.0)
Very trusted
All Packets are passed directly through

Firewall Script Flow Chart

This is a flow chart that explains how the firewall handles packets.

After making all this i realized that everything goes differently, packets go to see if its pc3 then to see if eth1 then they go to the firewall table to see if established/related, that is of course if they made it that far. If they were eth1 then they would have gone to net two. So please realize this above diagram is not exactly like my script, but very similar.

For simplicity I don’t include the “firewall” table which just accepts all local loopback and then goes to the trusted table. Really I should eliminate the “firewall” table, feel free to. The “NETTWO” table is dedicated to the unsecure network, It only allows port 80, 22 and PC1. PC1 is also pretty restricted. The table “NETTWO” hooks into the wifi router, which I am VERY weary of, I do further security on that router, its just a old Linksys wireless router. Its actually the router that I replaced my linux box with.

Anyway without further a due here is the actual script.

#!/bin/bash
 
RETVAL=0
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
 
# start the firewall
start() {
 
	# set all default behaviour to accept
	iptables -P INPUT ACCEPT
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD ACCEPT
 
	# create new chains for firewall and trusted filtering
	iptables -N FIREWALL
	iptables -N TRUSTED
	iptables -N NETTWO # temp? tables for subnetwork of wifi, luis and garage computer
 
	# Log chain
	iptables -N LOG_DROP
	iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
	iptables -A LOG_DROP -j DROP
 
	# allow established and related incoming connetions only
	iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
	# Allow self communication
	iptables -A FIREWALL -i lo -j ACCEPT
	iptables -A FIREWALL -o lo -j ACCEPT
	# send all package to the trusted chain
	iptables -A FIREWALL -j TRUSTED
	# drop all other packets
	iptables -A FIREWALL -j LOG_DROP
 
	############################
	# Prerouting, to speed up things
	############################
 
	# give the ubuntu pc a green light to do whatever, compleatly trusted ! (to firewall only)
	# ubuntu pc is connected to eth2 and has static ip of 192.168.1.11
	iptables -A INPUT   -j ACCEPT -p all -s 192.168.1.11 -i eth2
	iptables -A OUTPUT  -j ACCEPT -p all -d 192.168.1.11 -o eth2
	# for the subnetwork that has luis and wifi we send it to its own table
	iptables -A INPUT -i eth1 -j NETTWO
	# send all input packets to the firewall chain
	iptables -A INPUT -j FIREWALL
 
	############################
	# Begin Forward Table and Inet sharing
	############################
 
	# forward all traffic coming from eth1 to eth 0 ( make all eth1's stuff go to the net)
	iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
	# forward only established or related connections from eth0 to eth1 ( so only stuff a local lanputer has started)
	iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
	# same as above but for eth2 (gigabit connection)
	iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
	iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
	# forward all sof2mp test stuff to this computer (take all connections to server)
	iptables -A FORWARD -i eth0 -o eth2 -p udp -m udp --dport 20100:20112 -j ACCEPT
	# broadcast the sof2 mp test server
	iptables -A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 20100:20112 -j ACCEPT
	# any packets that get to this point are logged then dropped
	iptables -A FORWARD -j LOG_DROP
	# masquerade the ip's so they look like they are "all from one" machine
	iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
	# turn forwarding on "tell the kernel"
	echo 1 > /proc/sys/net/ipv4/ip_forward
 
	############################
	# network two routing table, for subnetwork with luis and wifi
	# only port 80 and 22 are allowed, the rest are logged/dropped
	############################
 
	iptables -A NETTWO -p tcp -m tcp --dport 80 -j ACCEPT
	iptables -A NETTWO -p tcp -m tcp --dport 22 -j ACCEPT
	#iptables -A NETTWO -m mac --mac-source "pc2's mac" -p tcp -m tcp --dport 137:139 -j ACCEPT
	#iptables -A NETTWO -m mac --mac-source "pc2's mac" -j ACCEPT
	iptables -A NETTWO -j LOG --log-prefix '[NETTWO DROP] : '
	iptables -A NETTWO -j DROP
 
	############################
	# Begin Trusted Table
	############################
 
	# Allow http, the eth+ defines "all" ethernet devices
	iptables -A TRUSTED -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
 
	# Allow http, the eth+ defines "all" ethernet devices
	iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
 
	# Allow https
	iptables -A TRUSTED -o eth0 -p udp -m udp --dport 443 -j ACCEPT
	iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
 
	# Allow SSH
	iptables -A TRUSTED -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
 
	# sof II test
	iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20100 -j ACCEPT
	iptables -A TRUSTED -i eth0 -p udp -m udp --dport 20100 -j ACCEPT
 
	# Nexuiz
	iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 26000 -j ACCEPT
	iptables -A TRUSTED -i eth0 -p udp -m udp --dport 26000 -j ACCEPT
 
	# teamspeak
	iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 8767  -j ACCEPT
	iptables -A TRUSTED -i eth0 -p udp -m udp --dport 8767 -j ACCEPT
 
	# allow samba server for print and files to local nics only
	iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
	iptables -A TRUSTED -i eth2 -p tcp -m tcp --dport 137:139 -j ACCEPT
	iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
	iptables -A TRUSTED -i eth2 -p tcp -m tcp --dport 445 -j ACCEPT
 
	# log and drop all packets going through the trusted chain that make it this far
	iptables -A TRUSTED -j LOG_DROP
 
	# end message
	echo "- Iptables Script ran, security enabled"
 
	RETVAL=0
}
# open everything and forward everything
dumb() {
	# set all default behaviour to accept
	iptables -P INPUT ACCEPT
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD ACCEPT
	# now forward everything
	# forward all traffic coming from eth2to eth 0 (all ubuntu's computer goes to net)
	iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
	# forward all traffic from eth0 to eth2, all traffic from net to ubuntu computer
	iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
	# same as above but for eth1 (local lan slow)
	iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
	iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
 
	iptables -t nat -A PREROUTING -p udp -i eth0 -d $external_ip --dport 20100:20112 -j DNAT --to-destination 192.168.1.11
	iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 20100:20112 -j DNAT --to-destination 192.168.1.11
 
	# masquerade the ip's so they look like they are "all from one" machine
	iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
	# turn forwarding on "tell the kernel"
	echo 1 > /proc/sys/net/ipv4/ip_forward
	echo "+ everything accepted, everything forwarded";
}
 
# stop the firewall (everything is open !)
stop() {
	# set the default policy
	iptables -P INPUT ACCEPT	# accept all incoming packets
	iptables -P FORWARD ACCEPT	# forward all packets to other puters (flood)
	iptables -P OUTPUT ACCEPT	# accept all outgoing packets and send them
 
	# set default policy for the NAT table
	iptables -t nat -P PREROUTING ACCEPT
	iptables -t nat -P POSTROUTING ACCEPT
	iptables -t nat -P OUTPUT ACCEPT
 
	# delete all old rules
	iptables -F 			# flush
	iptables -t nat -F		# flust nat table
 
	# delete all chains
	iptables -X
	iptables -t nat -X
 
	echo "+ All tables flushed"
	RETVAL=0
}
lockdown() {
	echo "locking down everything"
	iptables -t nat -P PREROUTING DROP
	iptables -t nat -P POSTROUTING DROP
	iptables -t nat -P OUTPUT DROP
	iptables -t nat -P PREROUTING DROP
	iptables -t nat -P POSTROUTING DROP
	iptables -t nat -P OUTPUT DROP
	echo "itz locked down"
}
# case statement to call the correct function, exept status which is in the case
case $1 in
   start)
     start
     ;;
   dumb)
	 stop
     dumb
     ;;
   stop)
     stop
     ;;
   restart)
     stop
     start
     ;;
   status)
     iptables -L
     iptables -t nat -L
     RETVAL=0
     ;;
   lockdown)
	stop
	lockdown
	;;
   *)
echo "Usage: Firewall (start|stop|restart|status)"
esac
 
exit

Thats pretty much it. I’m still kinda dumb when it comes to the forwarding part, so be careful of that part. Also when i allow pc2 to connect to samba ports i use its mac addres so replace “pc2 mac” with the mac address without quotes. Like this 00:00:00:00:00

Im dropping packets like there is no tommorrow. I’ve found that pc1 has something on it that is always sending packets to weird ports/ip’s they are all getting blocked.

Please comment if you know how i can improve this, or can point out any errors.

Another note, if you have email coming out from your server be sure to enable port 25, or whatever port you use. I just did that to mine.

This goes along with my other article on how to setup a router/gateway in slackware. After you have setup that router you will need to be able to open up ports. I found small quick fixes for this, but i didnt really make anything that i understood till a few days later and lots of reading. That is why i’m totally rewriting this article.

The best way to think of iptables/chains is kinda like chains (go figure) the packets go from link to link until they reach their destination or are dropped/rejected. One chain link can have several links atached to it so the packet could go out several different ways, lenghts of chain can be short or long.

Iptables in two paragraphs

So just for a example lets say we have a router that just accepts http or ssh traffic (which mine does). The chain would start at the first link, it would say “is it http?” if no, next link “is it ssh” if no next link. If there is no other link the “default policy” will take effect. The default policy can be drop or accept. So if we had a policy of accept the packet would get accepted if it was not a http or ssh packet, if we had a default drop policy it would get dropped. To avoid confusion we would have another link that would “drop” the packet if its not what we want.

There are 3 main sections of chain that you can mess with, INPUT, OUTPUT and FORWARD. The input chain/table is for packets coming in, the output for packets going out and the forward for packets getting forwarded. Really hard huh ? We are mostly concerned with packets coming in, the packets we send out should not be limited in most cases, and forwarding is its own thing.

An Example

The most basic configuration of my server allows only two ports open, I believe this to be secure, or at least better than the dozen that were open before I did this. The two ports that are open are ssh (22) and http (80). This way i can remote admin my server and allow my webserver to go through (which is on the same machine).

So that all has to do with packets coming in, lets add links to the INPUT table

# (link 1) Allow http, the eth+ defines "all" ethernet devices
iptables -A INPUT -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
# (link 2) Allow SSH
iptables -A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
# (link 3) throw everything else away
iptables -A INPUT -j DROP

The comments are preceded by # so they are just saying whats going on. Basically we added three links “-A” for “append”. Ill leave the rest of the syntax up to you to figure out, but this is the main syntax that is used in most of the statements for iptables, these are very common lines.

The first link checks all eth nics (eg. eth+) and if they are passing port 80 data (http) we Accept it. Same goes for link two, except we are using port 22. Then link three just drops everything, this makes it like “stealth” mode, they cant figure out if its closed or open. Our server returns no response on “drop” if you want to report the port as closed use “REJECT”.

You should note that ORDER MATTERS, if we were to put the drop link in first it would drop all packets first. So add all the ports you want to allow before you put your Drop portion.

Another Example

I’ve just done this to my home network. Since i have wifi and my bro-in law hooked up to my subnetwork 192.168.10.0 im very weary of that connection. I’m almost positive that my bro in law has spyware or something that is trying to communicate with god knows what at all hours of the day. I know this by looking at the log files.

This subnetwork is hooked up to eth1, so simple enough only traffic on port 80 is allowed on that interface. To accomplish this i send all the traffic from that port to its own chain. The chain is very short it just allows port 80 and logs/drops everything else.

    iptables -N NETTWO  # create table
    iptables -A NETTWO -p tcp -m tcp --dport 80 -j ACCEPT    # is it port 80 ?
    iptables -A NETTWO -j LOG --log-prefix '[NETTWO DROP] : '   #if no log/drop
    iptables -A NETTWO -j DROP

and then add it as one of the first lines of your input table for eth1. So if anything is coming to/from eth1 we send it to this table. That way if you have another table with more complicated checking for tons of ports it does not have to check all of them before dumping the stuff on odd ports.

#first line of my input table, if eth1 jmp nettwo
 
iptables -i eth1 -j NETTWO

I know this works well because i was editing the script in windows over the samba share on the wifi. When i clicked back over to copy my code for the page it was froze because i closed the samba ports.

Also this provides a nice way to see all the stuff being dropped by differnet parts of the network, because looking through the log files is very difficult.

Links to other links of chain

A great way of doing this is to have a list/links/chain that you make yourself, then you can add that like a link into the input chain. For instance I made a “TRUSTED” chain/table and append all the ports i want to accept into it. Then my “input” table first sends the packet to the “trusted” table and then drops it. But, first i also do a little preliminary checking and send it to another table called firewall. So its INPUT -> FIREWALL -> TRUSTED -> DROP

# create two chains, one for fw other is trusted (for clean script?)
iptables -N FIREWALL
iptables -N TRUSTED
# allow established and related incoming connections only
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow self communication
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -o lo -j ACCEPT
# send all package to the trusted chain
iptables -A FIREWALL -j TRUSTED
# drop all other packets
iptables -A FIREWALL -j DROP

The -N makes a new table, then i use state matching “-m” to see if its a established or related packet, then i automatically accept local loopback, from there i append the trusted chain then append the drop link. So, basically instead of having one long chain we have one chain link that connects to several chains, but they are all pretty short. I’m sure this helps speed up things a lot. Like for instance if you know 90% of your packets are going to one machine you can filter them out in your first link before your server even starts to think about it. Thats what the “established, related” does, I’ve we’ve already established a link to a webpage or game server there is no need to check every single packet after that, its the “new” connections that we want to worry about.

All the stuff we want to keep out we append to the firewall table before the appending of the “trusted” table. This way we see if its somone we dont like, if so we drop them if not we see if its somone we do like if so let them pass if not drop them. Pretty simple stuff, but it takes a while to get used to the syntax and such.

There is no one script for everyone

This stuff is unique to every machine, if you dont wanna learn iptables get firestarter, firewallbuilder, guarddog or any of the other gui tools out there. I only tried one, and it was just as complicated as learning this, except when you learn iptables it allows you to do everything you want. But there is no copy/paste script that you can use (that i know of) belive me i tried a lot of them, they didnt work for me and i had no idea what i was doing. If you want good security thats in your hands read the material and practice with your iptables. You can use webpages like this one to see which ports you have open, close them open them and such and make sure you have iptables down.

I got most of this information from a really good tutorial i found, you might wanna check it out. http://ubuntuforums.org/showthread.php?t=159661&highlight=iptables

I barley feel comfortable with my iptables now, and i can write it from scratch. Until you get to the point where you KNOW what is going on and can write your iptables syntax, I would not feel secure.

Checking IPTABLES -L (use “iptables -L -v” instead)

This was confusing me forever, you type “iptables -L” and it shows you the rules but all the source and destination are anywhere anywhere. So, it looks like everything is going trough. What we need is a better way of seeing whats going on. If you want the best way to see whats going on try tcpdump, but for our purposes the command “iptables -L -v” works great. That “-v” part makes it print out alot more detail. The most useful part of that command is that it shows you how many packets it has sent to each part, so you can easily test ports and see where everything is going. For example, check it then go do something on that port and then check it again, if the number of packets through that port has not changed something is wrong, or right

Other Stuff

There is of course much more to it than this, there is the “forwarding” part. How do you want to handle the forwarding of your internet access to the machines on your local lan. That part is still pretty fuzzy for me, the main thing im wondering is do i need to filter out stuff for the forwarding part or is that already handled by the input part. Im pretty sure the input table filters stuff before it even gets to your forwarding table, but you might want to check up on that. Anyway this is what i do to forward to all my other machines, straight simple,

# enable port forwarding
iptables -A FORWARD -j ACCEPT
# hide computers behind the firewall
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

I was messing with that for a while trying to get it to just forward stuff on port 80 but i think the filtering stuff does not work the same in the forward table. I recommend having a basic firewall on the other systems on your lan to ensure safety.

Script ?

The best thing about all this is you can make it into one big script. I made mine into a executable in my /etc/rc.d/ folder i can access it like most of the other executables in that folder with ./firewall start or ./firewall restart and such. For instance when I know ill be playing games or hosting a server i can have special functions inside the script just for that like ./firewall gamenight or something. You could even use this to turn on/off interenet connections like if you have kids or something and you want your inet to turn off at a certain time you can just call the script ./firewall stop or ./firewall start at certain times. The possiblilites are endless, as they should be with linux. Here is the core of my bash script so you can make your own

# case statement to call the correct function, exept status which is in the case
case $1 in
   start)
     start
     ;;
   stop)
     stop
     ;;
   restart)
     stop
     start
     ;;
   status)
     iptables -L
     iptables -t nat -L
     RETVAL=0
     ;;
   lockdown)
	stop
	lockdown
	;;
   *)
echo "Usage: Firewall (start|stop|restart|status)"
esac
 
exit

Then above that you just need to make your fucntions like this is my “stop” function, you should note it calls the stop function before it resets. This pretty much opens my firewall up and enables forwarding. It illustrates the use of functions in bash, this should be above the code i have above, just like in C you cant call functions unless they are above the thing that is calling them.

# stop the firewall (everything is open !)
stop() {
	echo "Remvoing all Iptables rules: "
	echo "Everything on the network will be open !!!"
 
	# set the default policy
	iptables -P INPUT ACCEPT	# accept all incoming packets
	iptables -P FORWARD ACCEPT	# forward all packets to other puters (flood)
	iptables -P OUTPUT ACCEPT	# accept all outgoing packets and send them
 
	# set default policy for the NAT table
	iptables -t nat -P PREROUTING ACCEPT
	iptables -t nat -P POSTROUTING ACCEPT
	iptables -t nat -P OUTPUT ACCEPT
 
	# delete all old rules
	iptables -F 			# flush
	iptables -t nat -F		# flust nat table
 
	# delete all chains
	iptables -X
	iptables -t nat -X
 
	# setup port forwarding
	echo "Enabling forwarding from eth0 to everyone"
	iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
	echo "All tables flushed, all connections accepted/forwarded"
	RETVAL=0
}

If your interested in more of that look at this tutorial, almost everything in this article was adapted from that tutorial and the advanced one linked to on that page.

Helpful links

http://www.speedguide.net/analyzer.php? (Analize your internet connection)

https://www.grc.com/x/ne.dll?bh0bkyd2 (tests what ports are open on your computer)

http://www.speedtest.net/ ( a fast internet speed tester)

http://linux.die.net/man/8/iptables (excellent quick reference, when you already know how)

Slackware Router/Nat/Fileserver/Webhost etc.

Get rid of your router and use a linux webserver instead. My server has always been up but it was just a webhosting server before, with some files on it. I’m using a old version of slackware on my server and xp or ubuntu on my clients.

The diagram explains a lot but my main goals were

• Use gigabit Ethernet without having to buy a router (pc to pc)
• Give the slackware box more control over my internet ip and such
• Separate low speed and high speed networks
• Learn stuff

(all cables are straight through except the one that says crossover)

Stuff you will need !

If you are setting up a gateway as I am you will need your isp’s gateway and your isp’s dns servers. You can find this info on your current router by looking in the status page. If worst comes to worse just call your isp and ask them. You need this info and cannot make a nat/gateway without it. If your not worried about internet then don’t worry about this.

To find your isp’s dns servers just connect your linux box and when your modem assigns it a ip it will edit the /etc/resolv.conf and add your dns’s. To get your ISP gateway the only way i know is plug in your router and look at the status page. You can also do all this by plugging your cable modem directly into a windows pc then when it connects to your modem go to the connections->status and the dns’s will be in there along with the gateway. Write all this info somewhere for future reference.

If you are connecting “like devices” such as pc to pc or hub to hub you will need a crossover cable. You can easily make a adapter for your current cables. See “further reading” for links on how crossover cables are setup.

Setting up the Server

Ip Forwarding and Masquerading

This stuff is way beyond me. In a nutshell what I gather we are doing is setting eth0 to forward all packets to eth1 and eth2, and eth1 and eth2’s packets are forwarded out to the net. I may be wrong about this though. The full tutorial (and where I got all my info for this part) was at http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html , it is a very good tutorial, read the whole thing. Since I had two Ethernet cards I had a extra line but aside from that the iptables is the same one on that site for the dsl/cable router.

How to do it ?

Setting up your iptables script

1. Log into your slackware server as root
2. create a file in your /etc/rc.d/ folder called rc.iptables like this “vi /etc/rc.d/rc.iptables” or you can use gedit or kedit if your in a gui.
3. Add these lines to it, in my config eth0 goes to the internet and eth1 and eth2 goes to the local network that I am providing with internet. Add the below script and save it.

   # Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
   iptables --flush
   iptables --table nat --flush
   iptables --delete-chain
   iptables --table nat --delete-chain
    
   # Set up IP FORWARDing and Masquerading
   iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
   iptables --append FORWARD --in-interface eth2 -j ACCEPT
   iptables --append FORWARD --in-interface eth1 -j ACCEPT
   echo 1 > /proc/sys/net/ipv4/ip_forward

4. Now make it executable “chmod +x /etc/rc.d/rc.iptables”
   NOTE: that should make it run every time on startup; however, mine never does I have to run it manually every time I restart my server. I don’t mind though, your server should not restart often. You can run it by going to the rc.d directory and typing “./rc.iptables”