[Techtalk] DNS and IP masquerading

Conor Daly conor.daly at oceanfree.net
Wed Mar 12 23:59:54 EST 2003


On Wed, Mar 12, 2003 at 04:26:50AM -0800 or so it is rumoured hereabouts, 
Arashi thought:
> 
> > On Tue, Mar 11, 2003 at 07:39:08PM -0800, Arashi wrote:
> > I've been looking over a IPtables firewall script (kindly
> > supplied by Conor - thanks) and noticed that it includes DNS  
> > addresses.  ATM all I know about DNS is that it maps machine names
> > to IP addresses. Do I need a DNS server for my situation (2 
> > computers on a home network sharing a dial-up internet connection)?

That's likely a legacy of my learning stages of setting up a HAN[0].  I
set up a caching nameserver[1].  I drilled holes in my firewall then
mainly 'cos I didn't know how to set up the nameserver properly (I'm not
entirely sure that I know now either!).  As Jenny said, you probably don't
need them.  In fact, AFAIR, the iptables commands using those DNS addys
are commented out.

> >  
> > cheers
> > Berenice
>
> --- jennyw <jennyw at dangerousideas.com> wrote:
> > No, you shouldn't need to.  If you use private IPs and want to
> > resolve addresses on your network, you can install DNS (but it 
> > wouldn't need to be accessed from the outside), or you could use 
> > host files.
> > 
> > Jen
> 
> My main problem now is putting together a proper script. What
> essential things should be included in a well-written script?

Whadda ya mean a "proper script"!?  Ya don't think mine is a proper
script? <pout>  :-)

> I've been comparing various scripts with a basic one from the tldp
> IPmasq howto and getting very confused.  Eg: 1. commands in one
> script end with "&& \", similar ones in another script don't. 

The "&&" says "if the last command was successful, do the next one".  Very
handy for all sorts of "do things in sequence" stuff, especially if one of
the later things would break stuff if an earlier command fails.

The "\" says "There's more to this command but it's on another line".

The effect of "&& \" is to say "if the previous command worked, run the
command on the next line".

# Load NAT and connection tracking modules
modprobe iptable_nat && \
modprobe ip_nat_ftp && \
modprobe ip_conntrack && \
modprobe ip_conntrack_ftp

So, as each module successfully loads, the next module load is attempted.
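What that buys you when one load in the middle fails, as an added example (this is not Conor's script or anything else from the post): `fake_modprobe` is a stand-in for modprobe so it runs as an ordinary user with no kernel modules, and `FAIL_MODULES` is a knob invented for the demo to make chosen loads fail. The same four loads are written once as the "&& \" chain and once as plain separate lines, so you can compare what each leaves "loaded" and what exit status the caller sees.

```bash
#!/bin/bash
# Added example, not part of the original post.  fake_modprobe stands in
# for modprobe so this runs as an ordinary user with no kernel modules;
# any name listed in FAIL_MODULES (an assumed knob for the demo) "fails".

FAIL_MODULES=""   # space-separated module names fake_modprobe refuses
LOADED=""         # record of what "loaded", in order

fake_modprobe() {
    case " $FAIL_MODULES " in
        *" $1 "*)
            echo "fake_modprobe: FATAL: Module $1 not found." >&2
            return 1 ;;
    esac
    LOADED="$LOADED $1"
    return 0
}

# The chain from the post.  Each "&& \" hands control to the next line only
# if the previous load succeeded, so one failure stops the whole sequence
# and the function's exit status reports it.
load_chain() {
    LOADED=""
    fake_modprobe iptable_nat && \
    fake_modprobe ip_nat_ftp && \
    fake_modprobe ip_conntrack && \
    fake_modprobe ip_conntrack_ftp
}

# The same four loads as separate statements: a failure is reported but
# the later modules are still attempted, and the exit status is only
# that of the last line, so the caller never learns about the failure.
load_independently() {
    LOADED=""
    fake_modprobe iptable_nat
    fake_modprobe ip_nat_ftp
    fake_modprobe ip_conntrack
    fake_modprobe ip_conntrack_ftp
}

# What "loaded", as a space-separated list.
loaded_modules() { echo "${LOADED# }"; }

if [ "${1-}" = "demo" ]; then
    FAIL_MODULES="ip_nat_ftp"
    load_chain;         echo "chain:       status $?, loaded: $(loaded_modules)"
    load_independently; echo "independent: status $?, loaded: $(loaded_modules)"
fi
```

Run it as `bash chain.sh demo`: with `ip_nat_ftp` refused, the chain stops after `iptable_nat` and returns 1, while the plain version carries on to load `ip_conntrack` and `ip_conntrack_ftp` and returns 0, which is exactly the case where a later rule that needs `ip_nat_ftp` would go in with nobody the wiser.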


> 2. The
> tldp script says that IPtables options are modular or compiled into
> the kernel. Since I'm using the kernel that comes with the RH8, how
> can I find out if the options I need have been compiled into the
> kernel?  And if not, where can I get the modules from? 

They'll be there as modules under RH.  Try a "modprobe iptable_nat" and
see if you get an error.
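A way to answer the question without trial and error, as an added example (not from the post): distribution kernels ship their build configuration as /boot/config-$(uname -r) (or /proc/config.gz), and each netfilter option appears there as `=y` (compiled in), `=m` (module) or `# ... is not set`. The config file path is a parameter so the constructed sample below can stand in for a real one; the module-name-to-symbol table is an assumption based on the 2.4-era kernel the post's module names come from.

```bash
#!/bin/bash
# Added example, not from the original post.  Reads the kernel's config
# file to say whether a netfilter option is compiled in, a module, or
# missing.  Real kernels expose it as /boot/config-$(uname -r) or
# /proc/config.gz; here the path is a parameter so a constructed sample
# can stand in for it.

# kernel_option CONFIG_FILE CONFIG_SYMBOL  -> prints builtin | module | absent
kernel_option() {
    file=$1 sym=$2
    # First line for this exact symbol: "SYM=y", "SYM=m", or "# SYM is not set".
    line=$(grep -E "^(# )?$sym[= ]" "$file" | head -n 1)
    case $line in
        "$sym=y") echo builtin ;;
        "$sym=m") echo module  ;;
        *)        echo absent  ;;
    esac
}

# Module names used in the post, mapped to the config symbols that control
# them (assumption: names as in the 2.4 kernel's net/ipv4/netfilter; 2.6 and
# later renamed conntrack/NAT to CONFIG_NF_CONNTRACK, CONFIG_NF_NAT,
# CONFIG_NF_CONNTRACK_FTP and CONFIG_NF_NAT_FTP).
config_symbol_for() {
    case $1 in
        ip_tables)        echo CONFIG_IP_NF_IPTABLES ;;
        iptable_filter)   echo CONFIG_IP_NF_FILTER ;;
        iptable_nat)      echo CONFIG_IP_NF_NAT ;;
        ip_conntrack)     echo CONFIG_IP_NF_CONNTRACK ;;
        ip_conntrack_ftp) echo CONFIG_IP_NF_FTP ;;
        ip_nat_ftp)       echo CONFIG_IP_NF_NAT_FTP ;;
        *)                echo "" ;;
    esac
}

# module_state CONFIG_FILE MODULE -> builtin | module | absent | unknown
module_state() {
    sym=$(config_symbol_for "$2")
    if [ -z "$sym" ]; then echo unknown; else kernel_option "$1" "$sym"; fi
}

# Live check for when you are on the box: "modinfo -n" prints the module's
# path if it exists on disk, and "modprobe -n -v NAME" dry-runs the load.
module_on_disk() { modinfo -n "$1" >/dev/null 2>&1; }

# Constructed sample in the style of a Red Hat 2.4 config (not a real file).
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_FTP=m
EOF
}

if [ "${1-}" = "demo" ]; then
    cfg=${2:-/boot/config-$(uname -r)}
    for m in ip_tables iptable_filter iptable_nat ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
        printf '%-18s %s\n' "$m" "$(module_state "$cfg" "$m")"
    done
fi
```

`bash nfcheck.sh demo` reads the running kernel's config; `bash nfcheck.sh demo /path/to/config` reads another. "builtin" means there is nothing to modprobe and the option is always there; "absent" means no amount of modprobe will help and the kernel has to be rebuilt or swapped.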

Here's a brief synopsis of the supplied script.

#!/bin/bash
################
# It's a bash script so we specify the interpreter on the "#!" line, which
# has to be the very first line of the file for the kernel to honour it.
#
# iptables firewall script
#
###############################
# The chkconfig program allows you to control program startup and shutdown
# at boot and stuff.  Try "chkconfig --list"
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
#########################################
# Stuff here is used by most invocations so it goes here at the start so
# it's always available.  Setting up variables for IP addresses and stuff
# is handy 'cos changes happen in only one place.  eg. when you change
# from dialup internet to DSL, you only have to change $EXT_IFACE to
# "eth1".
#
# Internal network stuff
#
# This is all "trusted" stuff
LOOP=127.0.0.1
LOCAL_IP=192.168.50.1
LOCAL_NET=192.168.50.0/24
LOCAL_IFACE=eth0
#
# End Internal network stuff
#########################################


#########################################
# External Network Stuff
#
# Anything here is connected via an "untrusted" 
# network and, as such must be treated with caution
#########################################
# This is the interface that the internet appears on
EXT_IFACE=ppp0

#########################################
# Here is where the firewall starts
# 
# "start" is the name of a function.  This will be called in a switch
# statement.  You'll see how this is helpful later.
start() { # start of function
echo -n "Starting iptables firewall..."
#########################################
# Load NAT and connection tracking modules
modprobe iptable_nat && \
modprobe ip_nat_ftp && \
:
: # more firewall code here
:
} # end of function

#########################################
# This is where the firewall is stopped
#
# Another function
stop() {
echo -n "Turning off the firewall..."
:
: # more firewall code here
:
} # end of function

#########################################
# "panic" is called from the switch below, so it has to be defined up
# here too or bash will complain "panic: command not found" at the worst
# possible moment.
panic() {
echo -n "Firewall panic..."
:
: # more firewall code here
:
} # end of function

####################################
# This is the "switch" statement already mentioned.
#
# Here you can easily see what the script does.  It looks at the first
# argument on the commandline "$1" and decides how to proceed...

case "$1" in
  start)
        # We got "start" on the commandline so run the function "start"
	start
	;;
  stop)
        # We got "stop" on the commandline so run the function "stop"
	stop
	;;
  restart)
        # "restart" is really just "start" as this isn't a daemon,
        #  and "start" clears any pre-defined rules anyway.
        #  This is really only here to make those who expect it happy
	stop
        start
        ;;
  status)
        echo $"Table: filter"
        iptables --list -n
        ;;

  panic)
        # We got "panic" on the commandline so run the function "panic"
	panic
	;;
  *)
        # We don't understand what we got on the commandline so tell the
        # user how to ask properly
        echo $"Usage: $0 {start|stop|restart|status|panic}"
        exit 1
esac

exit 0

################## end of script ########################

The use of functions makes the _logic_ of the script easier to follow
since that bit is contained in just a few lines.  The script is based on
the standard sysV init script style which uses the
<scriptname> {start|stop|restart|status}
command format.
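What goes where the synopsis says "more firewall code here", as an added example (not Conor's script) for the set-up in the thread: a gateway with the LAN on eth0 sharing a dial-up link on ppp0. iptables needs root and a netfilter kernel, so every rule goes through `$IPT` and `IP_FORWARD` is a parameter; set `IPT="echo iptables"` to print the commands instead of running them. `-m state` is the match the 2003-era HOWTOs used (on current kernels `-m conntrack --ctstate` is the same idea), and the "panic" body is an assumption: the synopsis names it but never shows it, so it is given the meaning Red Hat's own iptables init script uses, drop everything.

```bash
#!/bin/bash
# Added example, not Conor's script: rules for the gap marked "more
# firewall code here" in the synopsis, for a gateway with the LAN on eth0
# and a dial-up link on ppp0.  Every rule goes through $IPT (left unquoted
# so IPT="echo iptables" splits into a command and an argument); IP_FORWARD
# is a parameter for the same reason.

LOCAL_IFACE=${LOCAL_IFACE:-eth0}
LOCAL_NET=${LOCAL_NET:-192.168.50.0/24}
EXT_IFACE=${EXT_IFACE:-ppp0}
IPT=${IPT:-/sbin/iptables}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

flush_all() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
}

start_rules() {
    flush_all                      # so "start" can be run twice safely

    # Default deny inbound and forwarded; the gateway itself may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and the trusted LAN may reach the gateway.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LOCAL_IFACE" -s "$LOCAL_NET" -j ACCEPT

    # A packet claiming a LAN source address cannot legitimately arrive on
    # the dial-up side: drop it before any stateful rule gets to see it.
    $IPT -A INPUT   -i "$EXT_IFACE" -s "$LOCAL_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IFACE" -s "$LOCAL_NET" -j DROP

    # Replies to connections the gateway or the LAN opened.  This is what
    # makes "holes for the DNS servers" unnecessary: the UDP/53 answer to
    # a query is ESTABLISHED as far as conntrack is concerned, so it is
    # let in without any resolver address appearing in the rules.
    $IPT -A INPUT   -i "$EXT_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IFACE" -o "$LOCAL_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The LAN may open connections to the Internet, and they leave with
    # the dial-up address.  MASQUERADE rather than SNAT because a dial-up
    # address changes on every call and MASQUERADE re-reads it each time.
    $IPT -A FORWARD -i "$LOCAL_IFACE" -o "$EXT_IFACE" -s "$LOCAL_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$LOCAL_NET" -j MASQUERADE

    echo 1 > "$IP_FORWARD"
}

# "stop": no filtering at all, and no forwarding either, so the LAN is not
# left masquerading through a wide-open gateway.
stop_rules() {
    flush_all
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    echo 0 > "$IP_FORWARD"
}

# "panic" (assumed meaning, as in Red Hat's iptables init script): drop
# everything, in, out and through, until "start" is run again.
panic_rules() {
    flush_all
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    echo 0 > "$IP_FORWARD"
}

case "${1-}" in
    start) start_rules ;;
    stop)  stop_rules  ;;
    panic) panic_rules ;;
esac
```

`IPT="echo iptables" IP_FORWARD=/dev/null bash rules.sh start` shows the exact commands without touching anything. Two things to check in that output: there is no rule mentioning port 53 at all, which is the answer to the DNS question, and the anti-spoof DROP lines come before the ESTABLISHED,RELATED ACCEPT, since iptables takes the first match.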

Conor

[0] HAN: Home Area Network...

[1] A caching nameserver has no zones of its own but remembers the results
    of queries already made and saves time the next time.
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
 10:19pm  up 4 days, 23:34,  0 users,  load average: 0.00, 0.00, 0.00
Hobbiton.cod.ie
 10:20pm  up 5 days, 21:50,  2 users,  load average: 0.09, 0.02, 0.01

