Browsing Chinese (Simplified) translation

191.

-s 192.168.0.0/16 -- the rule applies to traffic originating from the specified address space

192.

-o ppp0 -- the rule applies to traffic scheduled to be routed through the specified network device

193.

-j MASQUERADE -- traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above

194.

This can be accomplished with a single iptables rule, which may differ slightly based on your network configuration: <screen>sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE</screen> The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows: <placeholder-1/>

195.

Each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default <emphasis>policy</emphasis> of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work: <screen>sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT</screen> The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.

196.

Tools

197.

There are many tools available to help you construct a complete firewall without intimate knowledge of iptables. For the GUI-inclined, <application>Firestarter</application> is quite popular and easy to use, and <application>fwbuilder</application> is very powerful and will look familiar to an administrator who has used a commercial firewall utility such as Checkpoint FireWall-1. If you prefer a command-line tool with plain-text configuration files, <application>Shorewall</application> is a very powerful solution to help you configure an advanced firewall for any network. If your network is relatively simple, or if you don't have a network, <application>ipkungfu</application> should give you a working firewall "out of the box" with zero configuration, and will allow you to easily set up a more advanced firewall by editing simple, well-documented configuration files. Another interesting tool is <application>fireflier</application>, which is designed to be a desktop firewall application. It is made up of a server (fireflier-server) and your choice of GUI clients (GTK or QT), and behaves like many popular interactive firewall applications for Windows.

198.

Logs

199.

Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT). For example: <screen>sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "</screen> A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:

200.

[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0