Marko A. Jennings wrote:
> On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote:
>
>> Steven Haigh wrote:
>>
>>> On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote:
>>>
>>>> Christopher Chan wrote:
>>>>
>>>>>> I spent much of the past 24 hours trying to find out how to set up
>>>>>> iptables for firewall routing WITHOUT NATing. Could not find
>>>>>> anything.
>>>>>>
>>>>> Eh? You just need to enable ip forwarding to enable routing. After
>>>>> that, it is put up the firewall rules as is necessary, build the
>>>>> appropriate routing tables on the firewall box and the boxes on the
>>>>> intranet(s).
>>>>>
>>>>> iptables does not handle routing.
>>>>>
>>>> No, but iptables controls what is allowed to route,
>>>>
>>> I think this is where you are getting confused and causing yourself
>>> issues. iptables has ZERO effect on what is allowed to route. It is a
>>> simple YES or NO as to if it should be allowed to pass or be filtered.
>>>
>> I have been tested as having a significant language usage problem, and
>> am working on it. 'what is allowed to route', was a poor choice of
>> wording. What you wrote above is much closer to what I wanted to say.
>>
>> ip src/dest is used for routing decisions by the kernel. The IP state
>> machine (check the RFC or any decent TCP/IP textbook) is really quite
>> simple. But iptables sticks its nose into the center of that state
>> machine and can mangle addresses to change how packets flow through the
>> machine, or just simply yank packets right out of the machine with a
>> simple NO (drop).
>>
>> So in my mind's eye of the IP state machine (my MSU CPS 410 prof was
>> death on state machines; turn in a perfectly executing assignment
>> without one and there went half your grade. See HIP for its state
>> machine) is dictated by iptables as to what it is allowed to route.
>>
>>>> Those little words, "put up the firewall rules as necessary" are
>>>> equivalent to "and magic happens here."
>>>>
>>> It's actually not magical at all... Work with the mindset of "I want
>>> to allow X, Y, and Z, then deny everything else". This translates
>>> easily into iptables rules -j ACCEPT and then your last rule (or
>>> policy) should be a deny/drop/reject.
>>>
>> That is exactly what I tried to do. I just used the wrong bit of pixie
>> dust (during some of the 'heated' IPsec meeting debates one fellow would
>> try to sneak up a speaker 'that just did not get it' and sprinkle some
>> glitter on them. He had labeled his tube of glitter as 'security pixie
>> dust').
>>
>
> If you are interested in learning how iptables work, I suggest reading
> this book:
>
> Linux Firewalls, Second Edition
> by Robert L. Ziegler
> ISBN 0-7357-1099-6
>
> It covers everything from packet filtering concepts to practical examples.
>

Now here is a recommendation to follow up on. Thanks!
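The pattern the thread converges on (turn on kernel forwarding, ACCEPT the traffic you want through the FORWARD chain, let a DROP policy catch the rest, and no NAT anywhere), written out as an added example that is not from any poster in the thread. The interface names, LAN subnet and allowed port list are assumed placeholders; by default the script only prints the commands, and runs them only when invoked as root with APPLY=1.

```shell
#!/bin/sh
# Stateful forwarding firewall WITHOUT NAT: the kernel routes, iptables only
# decides yes/no per packet in the FORWARD chain. Values below are assumed.
LAN_IF="${LAN_IF:-eth1}"            # inside interface (placeholder)
WAN_IF="${WAN_IF:-eth0}"            # outside interface (placeholder)
LAN_NET="${LAN_NET:-192.0.2.0/24}"  # routable inside subnet (placeholder)
ALLOWED_TCP="${ALLOWED_TCP:-22 80 443}"  # outbound TCP services to permit

# build_rules prints one command per line so the set can be reviewed or
# diffed before it is ever applied.
build_rules() {
    # 1. Enable routing; this is what makes the box forward at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Default deny on the forwarding path, then start from a clean chain.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # 3. Replies to connections we already allowed may flow back in.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # 4. The explicit "allow X, Y and Z" list: new outbound flows from LAN.
    for port in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    # 5. Log (rate-limited) what the DROP policy is about to discard, so
    #    a missing rule shows up in the logs instead of as "magic".
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FWD-DROP: '"
    # No trailing -j DROP is needed: the chain policy set in step 2 does it.
}

# Number of commands generated; handy for a sanity check before applying.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    build_rules | sh -e   # apply for real (requires root and iptables)
else
    build_rules           # dry run: just show what would be executed
fi
```

Note that nothing touches the nat table: hosts behind this box keep their own addresses, so the inside subnet must be routable from the outside (or reached via a route on the upstream router), which is exactly the case the original question was about.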