Quick and Dirty Firewall (IPTABLES) Needed
Crackmunch
03-11-2003, 12:18 AM
I have NAT set up already but I need to set up a simple but good firewall. I'm getting DSL tomorrow and would like to keep it on 24/7, but I need a good firewall in place. I know how to block protocols but not sure what to do. Any help would be appreciated.
INFO: Mandrake 8.2 P100 machine with 64 MB RAM.
3 NICS and a modem
Thanks again.
je_fro
03-11-2003, 12:40 AM
OK, there's no easy way to explain this. iptables is just a list of rules telling the kernel what to do with each packet it receives off of a network. It could either forward it, or drop it. I'm assuming your firewall/router's eth0 is connected to the Internet, and its eth1 is internal. Also, your internal (hidden) computer is set to have IP=192.168.10.2. eth0 (of the firewall) is DHCP and eth1 (also firewall) is 192.168.10.1. I don't know where Mandy keeps the iptables script. If it's like Red Hat (it should be...I think) you can do this:
1.copy the following to a text file (named firescript) in /home/you/firescript
2.make it executable by: chmod 700 firescript
3.Do: sh firescript
4.See if it was loaded by: iptables -L (this prints the rules)
5. If you see rules, do: iptables-save > /etc/sysconfig/iptables
Now make sure that DHCP is good for eth0, IP=192.168.10.1 for eth1 (GW=255.255.255.0, etc...)
internal eth0 is 192.168.10.2 (same GW, etc...)
and you should be good to roll....
Be sure to check THIS (http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IP-Masquerade-HOWTO.html) out.
Here's the script: (check for typos...I did it by hand because my firewall is isolated)
#!/bin/sh
IPTABLES=/usr/sbin/iptables
EXT="eth0"
INT="eth1"
# NAT does nothing unless forwarding is on; ip_dynaddr copes with eth0's address changing
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# default deny on every chain, then flush whatever was loaded before
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Internet -> LAN only for replies to connections the LAN opened; LAN -> Internet unrestricted
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -j ACCEPT
$IPTABLES -A FORWARD -j LOG
# masquerade LAN traffic behind whatever address eth0 has right now
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
$IPTABLES -A FORWARD -s ! 192.168.10.0/24 -j DROP
$IPTABLES -A INPUT -p ALL -i $INT -s 192.168.10.0/8 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $INT -d 192.168.10.255 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $EXT -j ACCEPT
# the gateway must also be able to answer hosts on the LAN (second line was a duplicate of the one above)
$IPTABLES -A OUTPUT -p ALL -o $INT -j ACCEPT
echo " Done loading iptables rules."
echo " Whew!"
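The same design (default deny, stateful replies, masquerade on the outside interface) written as an added example for the steps above; this is editor-supplied code, not je_fro's script. It assumes the thread's layout (eth0 to the DSL modem with a DHCP address, eth1 to the LAN 192.168.10.0/24) and iptables at /sbin/iptables; the interface names, LAN prefix and binary path are assumptions and can be overridden through the FW_EXT, FW_INT, FW_LAN and IPTABLES environment variables. Two things it does differently from the posted script: it turns on ip_forward and rp_filter explicitly, and it puts the anti-spoofing DROP rules before the FORWARD accept rules, since a drop that comes after `-i eth1 -o eth0 -j ACCEPT` never sees the packets it was meant to catch. By default it only prints the commands it would run, so the rule list can be read (and its order checked) on any machine without root.

```shell
#!/bin/sh
# Stateful NAT firewall for a two-NIC Linux gateway. Added example, not the
# script from the thread. Assumes: eth0 faces the DSL modem (address by DHCP),
# eth1 faces the LAN 192.168.10.0/24, iptables lives at /sbin/iptables.
# With nothing set it only PRINTS the commands (dry run); run as root with
# FW_APPLY=1 to load the rules for real.

FW_EXT="${FW_EXT:-eth0}"
FW_INT="${FW_INT:-eth1}"
FW_LAN="${FW_LAN:-192.168.10.0/24}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "${FW_DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_rules() {
    # Kernel knobs. Forwarding must be on or NAT does nothing; rp_filter makes
    # the kernel drop packets whose source address is not routable back out
    # the interface they came in on.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.ip_dynaddr=1
    run sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1

    # Default deny on INPUT and FORWARD, then start from empty tables.
    run $IPTABLES -P INPUT DROP
    run $IPTABLES -P FORWARD DROP
    run $IPTABLES -P OUTPUT ACCEPT
    run $IPTABLES -F
    run $IPTABLES -t nat -F

    # INPUT: traffic addressed to the gateway itself.
    run $IPTABLES -A INPUT -i lo -j ACCEPT
    run $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A INPUT -m state --state INVALID -j DROP
    run $IPTABLES -A INPUT -i "$FW_INT" -s "$FW_LAN" -j ACCEPT
    run $IPTABLES -A INPUT -i "$FW_EXT" -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "

    # FORWARD: traffic passing between the two NICs. The anti-spoofing drops
    # come BEFORE the accept rules, otherwise they never match anything.
    run $IPTABLES -A FORWARD -i "$FW_INT" ! -s "$FW_LAN" -j DROP
    run $IPTABLES -A FORWARD -i "$FW_EXT" -s "$FW_LAN" -j DROP
    run $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    run $IPTABLES -A FORWARD -i "$FW_INT" -o "$FW_EXT" -j ACCEPT
    run $IPTABLES -A FORWARD -i "$FW_EXT" -o "$FW_INT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "

    # NAT: rewrite LAN sources to whatever address the outside NIC holds now.
    run $IPTABLES -t nat -A POSTROUTING -o "$FW_EXT" -s "$FW_LAN" -j MASQUERADE
}

# rule_index PATTERN: 1-based position of the first dry-run command matching
# PATTERN, or 0 if none does. Lets a script check rule ORDER, not just presence.
rule_index() {
    idx=$( (FW_DRY_RUN=1; build_rules) | grep -n -- "$1" | head -n 1 | cut -d: -f1 )
    echo "${idx:-0}"
}

if [ "${FW_APPLY:-0}" = "1" ]; then
    (FW_DRY_RUN=0; build_rules)
else
    build_rules
fi
```

Run it plain to review the rule list, then `FW_APPLY=1 sh firewall.sh` as root and `iptables-save > /etc/sysconfig/iptables` (or wherever the distribution keeps it) once `iptables -L -n -v` shows what you expect. OUTPUT is left at ACCEPT here on purpose: on a gateway that only does NAT there is little to gain from restricting its own outbound traffic and a lot of ways to lock yourself out of DNS and DHCP; tighten it once the box is stable. The rate-limited LOG rules are what you watch in syslog after the DSL line goes live, to see what is knocking from the outside.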
Magueta
03-11-2003, 12:54 AM
If I interpret your question correctly, you already know how to work with iptables but you're not sure how the firewall should be set up. The safest is to deny everything, and then allow only the ports and IP addresses that you need. The iptables above are pretty good; I would just go with the script above.
Joe
Sharks Fan
03-11-2003, 12:55 AM
je_fro, good post! Without inspecting every line, that looks good. The way I did things was to deny all access, much like that script does. Then, I opened up ports as I found the need.
je_fro
03-11-2003, 01:20 AM
My firewall box is a freakin' black hole...:)
Let me know if you see a way to make it tighter,
Thanks!
homey
03-11-2003, 02:05 AM
$IPTABLES -A INPUT -p ALL -i $INT -s 192.168.10.0/8 -j ACCEPT
Did you mean 192.168.10.0/24
Crackmunch
03-11-2003, 09:29 AM
Magueta, I have a vague understanding of IPTABLES but not enough to create a decent firewall. I know how to masquerade and how to block all protocols from entering the machine. Above and beyond that I just have a vague understanding of what needs to be done.
Thanks for the help je_fro. That will work great. It's going to help out a lot. DSL service should be hooked up by the time I get home. Now I just need to install Mandrake on my routing machine and hope it doesn't take too long. I have been on dial-up waaaayyyy too long.
Thanks again.
Crackmunch
03-11-2003, 11:13 PM
Using the firewall in place and with some help from a friend and some modifications to the firewall, I am up and running. It's so nice not to have to use dial-up and share it.
Thanks so much for all the help