On Thu, January 3, 2008 8:18 am, Robert Moskowitz wrote: > Steven Haigh wrote: >> On 03/01/2008, at 3:34 PM, Robert Moskowitz wrote: >>> Christopher Chan wrote: >>>> >>>>> I spent much of the past 24 hours trying to find out how to set up >>>>> iptables for firewall routing WITHOUT NATing. Could not find >>>>> anything. >>>>> >>>> >>>> Eh? You just need to enable ip forwarding to enable routing. After >>>> that, it is put up the firewall rules as is necessary, build the >>>> appropriate routing tables on the firewall box and the boxes on the >>>> intranet(s). >>>> >>>> iptables does not handle routing. >>> No, but iptables controls what is allowed to route, >> >> I think this is where you are getting confused and causing yourself >> issues. iptables has ZERO effect on what is allowed to route. It is a >> simple YES or NO as to if it should be allowed to pass or be filtered. > I have been tested as having a significant language usage problem, and > am working on it. 'what is allowed to route', was a poor choice of > wording. What you wrote above is much closer to what I wanted to say. > > ip src/dest is used for routing decisions by the kernel. The IP state > machine (check the RFC or any decent TCP/IP textbook) is really quite > simple. But iptables sticks its nose into the center of that state > machine and can mangle addresses to change how packets flow through the > machine, or just simplely yank packets right out of the machine with a > simple NO (drop). > > So in my mind's eye of the IP state machine (my MSU CPS 410 prof was > death on state machines; turn in a perfectly executing assignment > without one and there went half your grade. See HIP for its state > machine) is dictated by iptables as to what it is allowed to route. >> >>> Those little words, "put up the firewall rules as necessary" are >>> equivalent to "and magic happens here." >> >> It's actually not magical at all... Work with the mindset of "I want >> to allow X, Y, and Z, then deny everything else". This translates >> easily into iptables rules -j ACCEPT and then your last rule (or >> policy) should be a deny/drop/reject. > That is exactly what I tried to do. I just used the wrong bit of pixie > dust (during some of the 'heated' IPsec meeting debates one fellow would > try to sneak up a speaker 'that just did not get it' and sprinkle some > glitter on them. He had labeled his tube of glitter as 'security pixie > dust'). If you are interested in learning how iptables work, I suggest reading this book: Linux Firewalls, Second Edition by Robert L. Ziegler ISBN 0-7357-1099-6 It covers everything from packet filtering concepts to practical examples. Marko