I’m trying to accomplish what I believe should be a simple task with iptables—replace my DSL router with a linux box. The linux box also routes packets to other machines on the LAN based on destination IP address (the box receives packets for multiple IP addresses from the Internet) and port number, and blocks other packets based on originator IP and port number, but as I understand the firewalling and inbound routing chains are totally separate from the outbound NAT functionality. In any case, the inbound stuff works perfectly now.
It seems simple enough to set up a box, where eth0 faces the Internet and eth1 faces the LAN, to act as a gateway or proxy to the LAN:
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
And that actually works perfectly, except that a Windows box inside my LAN is unable to connect to a VPN outside the LAN, while it worked fine with the Buffalo router I had in place before. All other services are properly accessible through the gateway.
So I posted a description of my situation to comp.security.firewalls. I admit that I have, at best, a basic understanding of iptables, but I have read the manpage and documentation and gotten it to do 99% of what I need with the exception of this VPN issue.
In response, a “Wolfgang Kueter” called me clueless multiple times, said that I had no idea what I was doing, and that I “misunderstand almost everything,” and that I should pay a professional to do it for me and read books on TCP/IP and the IPSec protocol specification itself. Other newsgroup postings by this fellow have a similar tone, e.g. building a security suite (Q: What combination of software firewall, anti-virus, etc., are you using and have you noticed any discernable effect on performance? A: None, because they are useless crap. … I don’t use such crap, so how could I?).
Steve suggests that Web 2.0 should have some way to tag people like this as jerks, and their reputation would then follow them around on the web. Since that technology doesn’t yet exist, the next best thing, I suppose, is to just blog about it and hope this entry turns up in a search on the person’s name. Abrasive responses to legitimate requests for help from people hoping to learn something don’t do anything to advance the free software movement. I suppose this kind of person will always exist, but I wish they didn’t.
I don’t want to be petty about this sort of thing, but I actually don’t think I need to hire a professional or read books about TCP/IP and the IPSec protocol specification itself to configure a Linux box as a residential gateway. Does anyone disagree?