Networking Forums

pass-through iptables

 
 
Phisherman
      03-01-2004, 12:48 AM
My linux box can dial my ISP and it is connected to a hub (eth0).
There are two Windows computers connected to the hub.
How can I change the Linux firewall (temporarily)? IE, what are the
iptables syntax to do this?

The only thing I got working is the Windows machine can ping an
internet address. No surf, no email, no newsgroups, etc. At this
point I really don't care if my Linux box is attacked by hackers, I'm
ready to reformat the disk anyway.

I'm running squid (do I really need this?). I set it up for
transparent proxy.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

If anyone would like to explain the above command without using
network jargon, I'd appreciate it. It makes little sense to me, but
the HOWTO says I need to execute it. Personally, I find programming
in assembler easier (and more fun) than iptables.




 
Cameron Kerr
      03-01-2004, 05:50 AM
Phisherman <(E-Mail Removed)> wrote:
> My linux box can dial my ISP and it is connected to a hub (eth0).
> There are two Windows computers connected to the hub.
> How can I change the Linux firewall (temporarily)? IE, what are the
> iptables syntax to do this?


To do what?

> The only thing I got working is the Windows machine can ping an
> internet address. No surf, no email, no newsgroups, etc. At this
> point I really don't care if my Linux box is attacked by hackers, I'm
> ready to reformat the disk anyway.


That seems a bit odd. What is your firewall currently set to?

iptables -L
iptables -t nat -L

> I'm running squid (do I really need this?). I set it up for
> transparent proxy.


Running squid is quite useful. Even for dynamic sites, you can save a
considerable amount of bandwidth from the images it caches (although
this is only useful if you have multiple browsers viewing the site, as
the browser will do its own caching also.)

> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


OK, what this means is that before the packet gets routed (hence the
PREROUTING chain), if it comes in eth0, and is a TCP packet destined to
port 80 (to anywhere on the internet, as there is no destination IP
address/network specified), then instead of forwarding it, cause it to be
delivered to port 3128 on 127.0.0.1.

Because this is a form of NAT (port-forwarding to the local machine), we
need to specify the 'nat' table, where these rules are carried out.

> If anyone would like to explain the above command without using
> network jargon, I'd appreciate it. It makes little sense to me, but
> the HOWTO says I need to execute it. Personally, I find programming
> in assembler easier (and more fun) than iptables.


Once you've written your first firewall, it too can be fun.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
Rich Grise
      03-01-2004, 04:30 PM
"Phisherman" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> My linux box can dial my ISP and it is connected to a hub (eth0).
> There are two Windows computers connected to the hub.
> How can I change the Linux firewall (temporarily)? IE, what are the
> iptables syntax to do this?
>
> The only thing I got working is the Windows machine can ping an
> internet address. No surf, no email, no newsgroups, etc. At this
> point I really don't care if my Linux box is attacked by hackers, I'm
> ready to reformat the disk anyway.
>
> I'm running squid (do I really need this?). I set it up for
> transparent proxy.
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> If anyone would like to explain the above command without using
> network jargon, I'd appreciate it. It makes little sense to me, but
> the HOWTO says I need to execute it. Personally, I find programming
> in assembler easier (and more fun) than iptables.


Well, I'm making a WAG that you've got a dialup adapter on one
end of the Linux box and eth0 on the other, such that it's
a gateway. If that's the case, then it sounds like you're
looking for IP masquerading:
http://www.tldp.org/HOWTO/Masqueradi...WTO/index.html
I just copied his example, with my own IPs, and it worked
first try!

Good Luck!
Rich
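
A complete minimal ruleset for the setup described in this thread, tying Cameron's explanation of the REDIRECT rule to Rich's masquerading suggestion. This is an added example, not code from the thread or from the HOWTO; it assumes the dial-up link is ppp0, the hub is eth0 and squid listens on 3128, and it only prints the commands unless run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal dial-up gateway ruleset.
# Assumed names: ppp0 = ISP dial-up link, eth0 = hub with the Windows PCs,
# squid on port 3128. DRY_RUN=1 (the default) prints the commands instead
# of applying them; applying for real needs root and the nat/conntrack modules.
WAN="${WAN:-ppp0}"
LAN="${LAN:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper so the same rule list can be previewed or applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

gateway_rules() {
    # Start from a clean slate in both the filter and nat tables.
    ipt -F
    ipt -t nat -F
    # Default-deny: unsolicited packets from the ISP side (echo-request
    # included) are dropped, so the box no longer answers pings from outside.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Let the LAN out and replies back; nothing initiated from the WAN side.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Cameron's rule: web traffic from the hub is handed to squid before routing.
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
    # Rich's suggestion: rewrite LAN source addresses to the dial-up address.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Number of iptables commands the ruleset emits (used to sanity-check a dry run).
rule_count() { gateway_rules | grep -c '^iptables '; }

# Usage: DRY_RUN=0 sh gateway.sh apply   (as root, once ppp0 is up)
if [ "${1:-}" = "apply" ]; then
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    gateway_rules
fi
```

Running it without arguments does nothing; `sh gateway.sh apply` prints the twelve commands in order so they can be read against Cameron's explanation before being applied for real.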


 
Phisherman
      03-02-2004, 01:02 AM
On 1 Mar 2004 19:50:06 +1300, Cameron Kerr
<(E-Mail Removed)> wrote:

>Phisherman <(E-Mail Removed)> wrote:
>> My linux box can dial my ISP and it is connected to a hub (eth0).
>> There are two Windows computers connected to the hub.
>> How can I change the Linux firewall (temporarily)? IE, what are the
>> iptables syntax to do this?

>
>To do what?
>
>> The only thing I got working is the Windows machine can ping an
>> internet address. No surf, no email, no newsgroups, etc. At this
>> point I really don't care if my Linux box is attacked by hackers, I'm
>> ready to reformat the disk anyway.

>
>That seems a bit odd. What is your firewall currently set to?
>
>iptables -L
>iptables -t nat -L
>
>> I'm running squid (do I really need this?). I set it up for
>> transparent proxy.

>
>Running squid is quite useful. Even for dynamic sites, you can save a
>considerable amount of bandwidth from the images it caches (although
>this is only useful if you have multiple browsers viewing the site, as
>the browser will do its own caching also.)
>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

>
>OK, what this means is that before the packet gets routed (hence the
>PREROUTING chain), if it comes in eth0, and is a TCP packet destined to
>port 80 (to anywhere on the internet, as there is no destination IP
>address/network specified), then instead of forwarding it, cause it to be
>delivered to port 3128 on 127.0.0.1.
>
>Because this is a form of NAT (port-forwarding to the local machine), we
>need to specify the 'nat' table, where these rules are carried out.
>
>> If anyone would like to explain the above command without using
>> network jargon, I'd appreciate it. It makes little sense to me, but
>> the HOWTO says I need to execute it. Personally, I find programming
>> in assembler easier (and more fun) than iptables.

>
>Once you've written your first firewall, it too can be fun.



Thanks Cameron! I got Jay's Firewall working (!!!) and now all
machines can surf, email, Usenet works, RealAudio streaming, etc. The
iptables -L command spewed out a lot of stuff that I need to study.
Occasionally, the newsgroups stop working (every couple hours), then
work again when I restart (stop/start) the firewall. I went to
www.grc.com and Stealth shows all ports are in stealth mode but the
Linux box can be pinged from the internet (not sure how to prevent
this vulnerability yet). At least now, my family members are off my
back!
 