Re: Masquerading

From: Jose Luis Saraiva Hime (jhime@synchro.com.br)
Date: Mon Jan 03 2000 - 08:39:46 EST


Hello Grischa:

When you type "ipchains -A user_msq -s 0/0 -d 0/0 -j MASQ", you are saying
that all packets from any device should be masqueraded. The best for you
should be something like:

#First of all, flush the existing rules and deny forwarding by default
ipchains -F forward
ipchains -P forward DENY

#Then, accept traffic between LAN and WAN in a bidirectional mode
ipchains -A forward -b \
         -s 192.168.100.0/24 \
         -d x.y.z.t/m \
         -j ACCEPT

#The default for the LAN is masquerading.
#DO NOT ALLOW MASQ FROM OUTSIDE!!!
ipchains -A forward \
         -s 192.168.100.0/24 \
         -d 0.0.0.0/0 \
         -j MASQ

ipchains does something like this: it compares the source address with the
"-s" parameter. Then it compares the destination address with the "-d"
parameter. If both match, then it sees the "-j" parameter to know what to
do with this packet.

If two or more rules match "-s" and "-d" for the packet, then the first
rule typed will be used. So, you must think carefully about the order of
your "ipchains" rules.

Best regards,
Hime

At 14:06 02/01/00 +0100, Glynn Clements wrote:

>Ketil Froyn wrote:
>
> > > ipchains -F forward
> > > ipchains -A forward -s 192.168.100.0/24 -i eth0 -d x.x.x.x/x -j ACCEPT
> > > ipchains -A forward -s 192.168.100.0/24 -i eth0 -j MASQ
> > > ipchains -A forward -j DENY -l
> > >
> > > where x.x.x.x/x is the registered network.
> >
> > I've done something like this once, and I forgot to let the packets from
> > x.x.x.x/x back through, like I think you did here. Or am I still under
> > influence from the party last night? :)
>
>No, you are correct. I omitted the reverse rule for the
>non-masqueraded packets (you don't need one for replies to masqueraded
>packets; these are forwarded automatically).
>
> > ie. you need
> > ipchains -A forward -s x.x.x.x/x -i eth0 -d 192.168.100.0/24 -j ACCEPT
> > as well.
>
>Yep. Or add the "-b" switch to the original rule.
>
>--
>Glynn Clements <glynn@sensei.co.uk>
>
>-
>To unsubscribe from this list: send the line "unsubscribe linux-net" in
>the body of a message to majordomo@vger.rutgers.edu

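The first-match behaviour Hime describes, as an added model that is not part of the thread: a small simulation of the ipchains "forward" chain showing why "-s 0/0 -d 0/0 -j MASQ" masquerades inbound packets too, and why swapping the ACCEPT and MASQ rules changes the outcome. All addresses are constructed; 203.0.113.0/24 stands in for the registered network the thread calls x.y.z.t/m.

```python
# Added example: a minimal model of ipchains first-match rule evaluation on
# the "forward" chain. It only decides the target (ACCEPT/MASQ/DENY); it does
# not rewrite packets. Addresses are constructed sample values.
from ipaddress import ip_address, ip_network

LAN = "192.168.100.0/24"
REGISTERED = "203.0.113.0/24"   # placeholder for the thread's x.y.z.t/m
ANY = "0.0.0.0/0"

def rule(src, dst, target, bidirectional=False):
    """One 'ipchains -A forward -s src -d dst [-b] -j target' line."""
    return {"s": ip_network(src), "d": ip_network(dst),
            "j": target, "b": bidirectional}

def matches(r, src, dst):
    s, d = ip_address(src), ip_address(dst)
    if s in r["s"] and d in r["d"]:
        return True
    # -b also installs the mirrored rule (source and destination swapped)
    return r["b"] and d in r["s"] and s in r["d"]

def forward(rules, src, dst, policy="DENY"):
    """First matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if matches(r, src, dst):
            return r["j"]
    return policy

# The rule Grischa used: everything, in every direction, is masqueraded.
NAIVE = [rule(ANY, ANY, "MASQ")]

# Hime's suggestion: LAN<->registered net accepted both ways, LAN->anywhere
# masqueraded, everything else falls through to the DENY policy.
SUGGESTED = [rule(LAN, REGISTERED, "ACCEPT", bidirectional=True),
             rule(LAN, ANY, "MASQ")]

# Same rules in the wrong order: the MASQ rule now shadows the ACCEPT rule
# for LAN->registered traffic, because the first match wins.
REORDERED = [rule(LAN, ANY, "MASQ"),
             rule(LAN, REGISTERED, "ACCEPT", bidirectional=True)]

if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("suggested", SUGGESTED),
                        ("reordered", REORDERED)):
        print(name, forward(rules, "192.168.100.5", "203.0.113.9"),
              forward(rules, "192.168.100.5", "198.51.100.1"),
              forward(rules, "198.51.100.1", "192.168.100.5"))
```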



This archive was generated by hypermail 2b29 : Fri Jan 07 2000 - 21:00:11 EST