
BLU Discuss list archive



IP Masq on Slackware 4.0



Thanks for the tip Kyle. I don't exactly grasp the syntax of some of ipchains.
All I really want to do is allow private network clients (192.168.1.*) to
connect through the gateway (192.168.1.100) to the ppp0 connection which
assigns a dynamic IP address. At this point I have no security concerns; once
the connection and masquerading are up, I'll configure a firewall.

Would these be enough to accomplish this???:

# default - deny everything
ipchains -P forward DENY
# add - forward masqueraded packets into the local network
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
# add - accept packets from the ethernet card
ipchains -A input -j ACCEPT -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0

Am I missing any? It seems like I am.... God I hate being a newbie!!! I wish
I was home sick the day they picked someone to administer our little network
:(

TIA,
Phil Buckley


Kyle Rose wrote:

> Phil <1918 at 1918.com> writes:
>
> > Boy, what timing. I am having the exact same problem with RH6. I set up
> > a small LAN (with Glen Burkhardt's help) over the weekend. All of the PC
> > clients running Windows 9* can connect to the RH6 server to accomplish
> > file sharing and print sharing services. The linux box I have is
> > assigned the IP 192.168.1.100. All of the windows clients have
> > 192.168.1.100 in as their gateway for their TCP/IP settings, and the DNS
> > settings are set to use our ISP's nameservers. I connect the linux box
> > via PPP to our local ISP. After the connection is established, if I run
> > ifconfig, I see eth0, lo, and ppp0, all seemingly up and running fine.
> >
> > The problem comes trying to use ipchains to allow packet forwarding. I
> > can't get it up and running. Is there anyone who has IPCHAINS actually
> > doing any work? I beat my head against the wall all day yesterday
> > trying to get it to work. I have a feeling I'm missing something simple.
> >
> > Once the ppp connection is up I use:
> >
> > ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
> > and
> > ipchains -A input -j ACCEPT -i ppp0 -s 192.168.1.0/24 -d 0.0.0.0/0
>
> This last one seems to be saying that you are accepting packets on
> interface ppp0 from 192.168.1.x for any destination.  As far as I can
> tell, you would never get a packet from 192.168.1.x over ppp.
> Your IP chains rules should be simply
>
> ipchains -P forward DENY
> (to deny packets as the default forward rule)
>
> ipchains -A forward -s 192.168.1.0/24 -j MASQ
> (to override the default when seeing packets from the 192.168.1.x
> subnet)
>
> You might want to add -i eth0 to the second rule to limit forwarded
> packets to those from eth0; I'm not sure what kind of spoofing is
> possible here.  Make sure you echo 1 > /proc/sys/net/ipv4/ip_forward
> to turn on IP forwarding and, of course, make sure you're running
> 2.3.x, 2.2.x, or late 2.1.x to use ipchains; otherwise, use ipfwadm.
>
> Kyle
>
> --
> Kyle R. Rose                      "They can try to bind our arms,
> Laboratory for Computer Science    But they cannot chain our minds
> MIT NE43-309, 617-253-5883             or hearts..."
> http://web.mit.edu/krr/www/                           Stratovarius
> krose at theory.lcs.mit.edu                              Forever Free
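
An added example, not part of either message: a small Python checker that applies the points from the quoted reply to the rule sets posted in this thread. The names parse_rule, source_net and lint are hypothetical; the script only reads rule text and does not run ipchains or check /proc/sys/net/ipv4/ip_forward.

```python
import ipaddress
import shlex

# Rule sets copied from the thread, with wrapped lines rejoined.
FIRST_TRY = [
    "ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0",
    "ipchains -A input -j ACCEPT -i ppp0 -s 192.168.1.0/24 -d 0.0.0.0/0",
]
SECOND_TRY = [
    "ipchains -P forward DENY  # default - deny everything",
    "ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0",
    "ipchains -A input -j ACCEPT -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0",
]
REPLY = [
    "ipchains -P forward DENY",
    "ipchains -A forward -s 192.168.1.0/24 -j MASQ",
]

def parse_rule(line):
    """Parse one ipchains command line into {option: value}."""
    tok = shlex.split(line, comments=True)[1:]  # drop "ipchains" and any # comment
    rule = {}
    for i, t in enumerate(tok):
        if t == "-P" and i + 2 < len(tok):
            rule["-P"] = (tok[i + 1], tok[i + 2])  # -P <chain> <policy>
        elif t in ("-A", "-s", "-i", "-j") and i + 1 < len(tok):
            rule[t] = tok[i + 1]
    return rule

def source_net(rule):
    """Source network of a rule; a rule without -s matches any source."""
    return ipaddress.ip_network(rule.get("-s", "0.0.0.0/0"), strict=False)

def lint(lines, lan, ext_if):
    """Return findings for a masquerading rule set serving network `lan`."""
    lan = ipaddress.ip_network(lan)
    rules = [parse_rule(line) for line in lines]
    findings = []
    if not any(r.get("-P") == ("forward", "DENY") for r in rules):
        findings.append("forward policy is not DENY")
    masq = [r for r in rules if r.get("-A") == "forward" and r.get("-j") == "MASQ"]
    if not any(lan.subnet_of(source_net(r)) for r in masq):
        findings.append(f"no MASQ rule has a source that covers {lan}")
    for r in rules:
        if (r.get("-A") == "input" and r.get("-i") == ext_if
                and "-s" in r and source_net(r).subnet_of(lan)):
            findings.append(f"input rule on {ext_if} expects LAN source {r['-s']}")
    return findings
```

With lan "192.168.1.0/24" and ext_if "ppp0", lint returns three findings for FIRST_TRY, one (the 192.168.0.0/24 source) for SECOND_TRY, and an empty list for REPLY.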
