# # CASE: # Configuration file for a home router with two Ethernet interfaces: # one connected to an ADSL modem (loop) # another for the local LAN (hub / switch) # # Traffic is routed through a PPP interface # # The PPP interface gets a static (fixed) IP address and the LAN works # with private IP addresses. # # The PCs on the local LAN are trusted. They can access all the services # this Linux box is running. # # This script can also setup a transparent cache for all the PCs on the # local LAN. version 5 # The Ethernet interface your Linux is connected to the ADSL device. adsl_interface="eth0" # The IP address of the above interface. # If empty, this script will try to find it by itself. adsl_interface_ip="" # The IP address of your ADSL device. # If empty, the generated iptables rules will match any source IP # which is highly discouraged. adsl_modem_ip="10.0.0.138" # The Ethernet interface your Linux talks with other PCs in your LAN. home_interface="eth1" # The IP address of the above interface. # If empty, this script will try to find it by itself. home_interface_ip="" # The Ethernet interface your Linux talks to the internet. # Note that ppp+ won't work when finding out the IP address itself. ppp_interface="ppp0" # The IP address of the above interface. # If empty, this script will try to find it by itself. ppp_interface_ip="" # add service MSN (actually my SSH on non-standard port) server_msn_ports="tcp/1863" client_msn_ports="default" # Public services for the Internet your linux box should allow. internet_services="http dns emule msn" # At what frequency to accept requests from the internet? internet_requests="100/sec" # The port of a squid proxy server on this Linux box. If you set this # you will get a transparent web cache. # If you don't have this, empty this field. proxy_port="" #3128" # ---------------------------------------------------------------------- # Normally, you don't have to edit anything bellow. # ---------------------------------------------------------------------- # Code to do add some optional arguments to the ADSL interface. adsl_params= # Find the IP address of the ADSL interface in case # the user did not gave it to us. if [ -z "${adsl_interface_ip}" ] then adsl_interface_ip=`ifconfig | grep -A 1 ${adsl_interface} | grep "inet addr:" | cut -d ':' -f 2 | cut -d ' ' -f 1` fi # Build the optional rule parameters, if we have the adsl_interface_ip if [ -z "${adsl_interface_ip}" ] then error "Please set 'adsl_interface_ip' in the configuration file." else adsl_params="${adsl_params} dst ${adsl_interface_ip}" fi # Find the IP address of the home interface if [ -z "${home_interface_ip}" ] then home_interface_ip=`ifconfig | grep -A 1 ${home_interface} | grep "inet addr:" | cut -d ':' -f 2 | cut -d ' ' -f 1` fi # Find the IP address of the ppp interface if [ -z "${ppp_interface_ip}" ] then ppp_interface_ip=`ifconfig | grep -A 1 ${ppp_interface} | grep "inet addr:" | cut -d ':' -f 2 | cut -d ' ' -f 1` fi # Build the optional rule parameters, if we have the adsl_modem_ip if [ ! -z "${adsl_modem_ip}" ] then adsl_params="${adsl_params} src ${adsl_modem_ip}" fi # ---------------------------------------------------------------------- # Setup a transparent proxy on this host. if [ ! -z "${proxy_port}" ] then iptables -t nat -A PREROUTING -i ${home_interface} -p tcp --dport 80 -j REDIRECT --to-port ${proxy_port} fi # set up SNAT/DNAT instead of MASQUERADE nat to-source "${ppp_interface_ip}" outface ppp+ nat to-destination "${home_interface_ip}" inface ppp+ # ADSL loop for connecting to the ADSL device interface "${adsl_interface}" loop ${adsl_params} # accept everything on the ADSL loop policy accept # Trusted LAN for local PCs interface "${home_interface}" home policy accept # ADSL ppp for internet traffic interface ppp+ internet src not "${UNROUTABLE_IPS}" protection strong ${internet_requests} # Public Services server "${internet_services}" accept # Speed up idents server ident reject with tcp-reset # This is a workstation client all accept # Route traffic for the clients on the LAN router myrouter inface ppp+ outface "${home_interface}" # masquerade on ppp+ (Slower than SNAT/DNAT, but needed for dynamic IP address) #masquerade reverse # route all client traffic client all accept