Ipchains on Linux
Got DSL with one IP address?
Wanted to give your neighbors internet access?
If you want to read, go to the IPCHAINS-HOWTO.
If you want to do it quickly, these notes are for that purpose.
A longer explanation of what to block can be located here.
  1. Get the Latest IPChains.
  2. Identify the version on your system.
      /sbin/ipchains --version
  3. See what chains are currently loaded.
      /sbin/ipchains -L -n
  4. Delete the top rule on the input chain
      /sbin/ipchains -D input 1
  5. Enable a rule (ip masquerading as an example):
      /sbin/ipchains -A forward -s 10.1.0.0/24 -j MASQ
  6. List the current masqueraded connections.
      /sbin/ipchains -M -L
  7. List the rules currently in effect.
      /sbin/ipchains -L
      Chain input (policy ACCEPT):
      Chain forward (policy DENY):
        target    prot      opt      source         destination    ports
        MASQ      all      ------    10.1.0.0/24    anywhere       n/a
      Chain output (policy ACCEPT):
  8. Look at the files controlling ipchains:
      cat /etc/rc.d/rc.firewall
         # rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS

         /sbin/depmod -a
         /sbin/modprobe ip_masq_ftp
         /sbin/modprobe ip_masq_irc
         /sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
         echo "1" > /proc/sys/net/ipv4/ip_forward
         /sbin/ipchains -M -S 7200 10 160
         /sbin/ipchains -P forward DENY
         /sbin/ipchains -A forward -s 10.1.0.0/24 -j MASQ
  9. Add an entry so it starts when you boot.
      vi /etc/rc.d/rc.firewall
        /sbin/ipchains -P forward DENY
        /sbin/ipchains -A forward -s 10.1.0.0/24 -j MASQ
  10. Look at your active connections, and listening ports as you connect
      /usr/sbin/lsof -i TCP
      COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
      sshd 549 root 3u IPv4 493 TCP *:ssh (LISTEN)
      inetd 528 root 10u IPv4 459 TCP *:pop3 (LISTEN)
      sshd 2320 root 5u IPv4 3722 TCP server.mydomain.com:ssh->host.remote.com:1022 (ESTABLISHED)
  11. Hide your webserver behind the firewall with a proxy:

      You need IP forwarding built into the kernel too, and then you add ipmasqadm;
      then you write the rule into your rc.firewall script at the end:
        ipmasqadm portfw -a -P tcp -L (outside IP) 80 -R (inside IP) 80
  12. iptables: sharing a PPP connection with other servers on the LAN
    - Enable packet forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
    - Flush all the rules in filter and nat tables
        iptables --flush
        iptables --table nat --flush
    - Delete all chains that are not in the default filter and nat tables
        iptables --delete-chain
        iptables --table nat --delete-chain
    - Set up IP FORWARDing and Masquerading
        iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
    - Assuming one NIC to the local LAN
        iptables --append FORWARD --in-interface eth0 -j ACCEPT
  13. iptables: Linux connected via DSL, Cable, T1
    - Enable packet forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
    - Prevents spoofing attacks against your internal networks
        echo 1 >/proc/sys/net/ipv4/conf/eth0/rp_filter
    - Flush all the rules in filter and nat tables
        iptables --flush
        iptables --table nat --flush
    - Delete all chains that are not in the default filter and nat tables
        iptables --delete-chain
        iptables --table nat --delete-chain
    - Set up IP FORWARDing and Masquerading
        iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
        iptables --append FORWARD --in-interface eth1 -j ACCEPT
  14. iptables: Block traffic that should not be routed
    - Allow loopback access
        iptables -A INPUT -i lo -p all -j ACCEPT
        iptables -A OUTPUT -o lo -p all -j ACCEPT
    - Block NFS
        iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
        iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
    - Block X-Windows and the X-Windows font server
        iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
        iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
    - Block the printer port
        iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP
        iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP
    - Block Sun RPC/NFS portmapper
        iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP
        iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP
    - Block loopback spoofing
        iptables -A INPUT -p all -s localhost -i eth0 -j DROP
  15. iptables: debugging
    - Log what reaches the end of the INPUT and OUTPUT chains (append these last;
      LOG does not stop processing, so with the default ACCEPT policy the rule logs
      everything that was not dropped above, not only drops)
        iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
        iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
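Steps 13 to 15 combined into one rc.firewall-style script, as an added example that is not part of these notes. It assumes eth0 is the uplink and eth1 the LAN, narrows the DROP rules to the uplink, and sends them through a LOGDROP chain so the INPUT_DROP: prefix is written only for packets that are actually dropped.

```shell
#!/bin/sh
# Added example, not from the original notes: steps 13-15 as one rc.firewall-style
# script. Assumed layout: eth0 = uplink, eth1 = LAN. DRY_RUN=1 prints each
# command instead of running it (applying for real needs root and iptables).
IPT=/sbin/iptables
EXT_IF=eth0
INT_IF=eth1

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

apply_firewall() {
    # kernel knobs: forward packets, reverse-path check on the uplink
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.$EXT_IF.rp_filter=1

    # start from empty filter and nat tables, no user chains
    run $IPT --flush
    run $IPT --table nat --flush
    run $IPT --delete-chain
    run $IPT --table nat --delete-chain

    # LOGDROP logs and then drops, so the INPUT_DROP: prefix really means a drop
    run $IPT -N LOGDROP
    run $IPT -A LOGDROP -j LOG --log-prefix "INPUT_DROP: "
    run $IPT -A LOGDROP -j DROP

    # loopback first, so nothing below can touch local traffic
    run $IPT -A INPUT -i lo -j ACCEPT
    run $IPT -A OUTPUT -o lo -j ACCEPT
    run $IPT -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j LOGDROP     # loopback spoofing

    # services that must never be reachable from the uplink
    for p in tcp udp; do
        run $IPT -A INPUT -i $EXT_IF -p $p --dport 2049 -j LOGDROP   # NFS
        run $IPT -A INPUT -i $EXT_IF -p $p --dport 111 -j LOGDROP    # Sun RPC portmapper
        run $IPT -A INPUT -i $EXT_IF -p $p --dport 515 -j LOGDROP    # lpd
    done
    run $IPT -A INPUT -i $EXT_IF -p tcp --dport 6000:6009 -j LOGDROP   # X11
    run $IPT -A INPUT -i $EXT_IF -p tcp --dport 7100 -j LOGDROP        # X font server

    # masquerade the LAN behind the uplink address
    run $IPT -A FORWARD -i $INT_IF -j ACCEPT
    run $IPT -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
}
# Number of rules the script appends; compare with `iptables -L -n` after a real run.
rule_count() { ( DRY_RUN=1; apply_firewall ) | grep -c -- ' -A '; }
```

Run it with DRY_RUN=1 first to review the exact commands, then as root without DRY_RUN to apply them.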
Also check out the iproute2 rpm. It supplies the commands ip, rtacct, rtmon, tc,