I'm sorting out my home router this weekend (I need something with more than 4 network points so I can plug in my Raspberry Pi when it turns up), and I currently have a Debian Squeeze machine with two interfaces (eth0, a standard network port, and eth1, which is connected to a PPPoE modem which is connected directly to the ADSL line) with the following in /etc/rc.local:
Originally Posted by RabbieBurns
# Start from scratch - flush any previous IPTables rules.
# To test IPTables rules we can simply re-run this script,
# we don't have to reboot the whole machine.
iptables -t filter --flush
iptables -t nat --flush
# Drop any forwarded packet that no rule below explicitly accepts. Without this
# the FORWARD chain keeps its default policy of ACCEPT, every ACCEPT rule below
# is a no-op, and nothing is actually being filtered.
iptables -t filter -P FORWARD DROP
# Make sure that IP forwarding is enabled. The kernel only routes packets between
# eth0 and ppp0 (and so only runs the FORWARD rules below) with this switched on.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Network connections:
# eth0 - 10.0.0.9, the internal connection.
# ppp0 - 22.214.171.124, the external connection. The PPPoE client runs its PPP
# session over eth1 and presents it as ppp0, which is why the IP-level rules
# refer to ppp0 and never to eth1.
# Note: ppp0 is a PPPoE connection, an ethernet connection connected directly
# to The Internet, it's not an IP connection to another NAT-ing router.
# Forward all established and related connections - i.e. if an HTTPS connection
# has been initiated from inside the firewall, then traffic coming the other
# way in reply to it is okay. This is what stateful packet filtering gives us.
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Let the internal network open any new connection outwards. NOTE: You might
# want to remove this bit, it simply allows everything through from your
# internal network. The -i eth0 is what keeps it from also accepting new
# connections arriving from the Internet on ppp0.
iptables -t filter -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
# Forward incoming traffic on various ports to specific internal locations.
# This is the port forwarding part of your average router.
# Forward HTTP (web - SquirrelMail) to DHEMAIL001:
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j DNAT --to 10.0.0.7:80
iptables -A FORWARD -p tcp -m state --state NEW -d 10.0.0.7 --dport 80 -j ACCEPT
# Important bit: packets the rules above send out through eth0 get their source
# rewritten to the router's LAN address, so the internal server answers via the
# router (which undoes the DNAT) even if the router isn't its default gateway.
# Side effect: the server's logs show 10.0.0.9 instead of the real client address.
iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
# Forward any internal traffic on port 443 (HTTPS) to the Internet, i.e. any
# HTTPS request from our internal network gets passed out to the Internet
# with no questions asked. Add further outgoing ports here. You might also
# need to add specific websites here - some websites that use cookie-based
# authentication for user accounts don't handle being cached/filtered very
# well, so simply add them (or their IP address) in here. Bear in mind that
# this misses out the filtering for that specific website, so make sure that
# the whole website is okay before you set this.
# NOTE: Added HTTP just for the moment, remove here and add redirect rule below.
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT
# Outbound NAT: traffic leaving for the Internet via ppp0 gets the router's public
# address as its source, and conntrack maps the replies back to the internal host.
# The address here must be the one ppp0 actually has; with a dynamic PPPoE address
# use "-j MASQUERADE" instead of SNAT so it picks up the current one automatically.
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 126.96.36.199
The above works, I currently have a working Internet connection, and I'm planning to add a rule to forward HTTP traffic through a Squid proxy running on a virtual machine. The above has been put together largely by trial and error over several years and seems to work, although it might need some refining.
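The Squid redirect the post says it still needs, as an added example that is not part of the original post or its script: it assumes the Squid VM is a separate host on the LAN at 10.0.0.20 (placeholder) listening on 3128 in intercept mode, and by default it prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example: send the LAN's port-80 traffic through a Squid box on the same
# LAN segment. Assumed values (not from the post): proxy at 10.0.0.20, Squid on
# 3128 with "http_port 3128 intercept" ("transparent" on older Squid releases).
LAN_IF=eth0
ROUTER_LAN_IP=10.0.0.9
PROXY_IP=10.0.0.20
PROXY_PORT=3128

# DRY_RUN=1 (the default) prints each rule; DRY_RUN=0 applies it with iptables.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

squid_redirect_rules() {
    # 1. Never redirect the proxy's own outbound port-80 requests: they arrive
    #    on eth0 too and would otherwise be sent straight back to Squid in a loop.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$PROXY_IP" -p tcp --dport 80 -j ACCEPT
    # 2. Everything else from the LAN on port 80 goes to Squid instead of the real
    #    web server. The DNAT happens here, not on the proxy host, so Squid cannot
    #    see the original destination in its own conntrack and recovers it from
    #    the request's Host header instead.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
    # 3. Hairpin NAT: the redirected packet leaves through the interface it came
    #    in on. Without this Squid would answer the client directly from its own
    #    address, the client (expecting the web server's address) would reset the
    #    connection, and the redirect would silently break every site.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" \
        -j SNAT --to-source "$ROUTER_LAN_IP"
    # 4. Allow the eth0 -> eth0 hop to the proxy once FORWARD's policy is DROP.
    ipt -t filter -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$PROXY_IP" \
        -p tcp --dport "$PROXY_PORT" -m state --state NEW -j ACCEPT
}

squid_redirect_rules
```

Run it with DRY_RUN=0 as root to apply the rules; they belong after the flush and before the catch-all FORWARD rules in rc.local.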