
BLU Discuss list archive



IP Masq



Thanks a million everyone - it's working !!! Yee-hah, now I can do some actual
work!!!

You guys are the best,
Phil
the happy newbie systems guy


Kyle Rose wrote:

> Phil <1918 at 1918.com> writes:
>
> > Thanks for the tip Kyle. I don't exactly grasp the syntax of some of ipchains.
> > All I really want to do is allow private network clients (192.168.1.*) to
> > connect through the gateway (192.168.1.100)  to the ppp0 connection which
> > assigns a dynamic IP address. At this point I have no security concerns, once
> > the connection and masquerading is up, I'll configure a firewall.
> >
> > Would these be enough to accomplish this???:
> >
> > ipchains -P forward DENY
> > # default - deny everything
> > ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
> > # add - forward masqueraded packets into the local network
> > ipchains -A input -j ACCEPT -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0
> > # add - accept packets from the ethernet card
>
> The last one should not be necessary -- you already accept packets
> from the ethernet card, by default.  The second rule should also be
> either "-s 192.168.1.0/24" or "-s 192.168.0.0/16", since your local
> subnet is 192.168.1.x, not 192.168.0.x.  Otherwise good.
>
> However, your interpretation of the second rule is not really right:
> you should think of it like this:
>
> -A forward
> "Add a rule to the forward chain..."
>
> -s 192.168.1.0/24
> "...that, for packets from the 192.168.1.x subnet..."
>
> -d 0.0.0.0/0
> "...going to any destination..."
>
> -j MASQ
> "...causes them to be masqueraded."
>
> This is why I generally put the -j MASQ at the end of the line: it's
> the conclusion reached when the antecedents are matched.
>
> Kyle
>
> --
> Kyle R. Rose                      "They can try to bind our arms,
> Laboratory for Computer Science    But they cannot chain our minds
> MIT NE43-309, 617-253-5883             or hearts..."
> http://web.mit.edu/krr/www/                           Stratovarius
> krose at theory.lcs.mit.edu                              Forever Free
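
Added example, not part of the original messages: a small Python check that reads the forward-chain rules the way the reply describes (chain, source, destination, then target) and shows why the subnet typo matters once the forward policy is DENY. The client address 192.168.1.20, the outside host 198.51.100.7, and the function names are assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed input: the three rules as posted in the thread (comments dropped).
AS_POSTED = """\
ipchains -P forward DENY
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
ipchains -A input -j ACCEPT -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0
"""
# Same rules with the source subnet suggested in the reply.
CORRECTED = AS_POSTED.replace("192.168.0.0/24", "192.168.1.0/24")

ANY = "0.0.0.0/0"

def parse_forward(script):
    """Return (policy, rules) for the forward chain only."""
    policy, rules = "ACCEPT", []  # assumption: ACCEPT when no -P line is given
    for line in script.splitlines():
        args = shlex.split(line, comments=True)
        if len(args) < 4 or args[0] != "ipchains" or args[2] != "forward":
            continue
        if args[1] == "-P":
            policy = args[3]
        elif args[1] == "-A":
            # Simplification: every option is followed by exactly one value.
            opts = dict(zip(args[3::2], args[4::2]))
            rules.append((ipaddress.ip_network(opts.get("-s", ANY)),
                          ipaddress.ip_network(opts.get("-d", ANY)),
                          opts["-j"]))
    return policy, rules

def forward_verdict(script, src, dst):
    """First matching rule decides; otherwise the chain policy applies."""
    policy, rules = parse_forward(script)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, target in rules:
        if src in src_net and dst in dst_net:
            return target
    return policy

if __name__ == "__main__":
    # 192.168.1.20 (a LAN client) and 198.51.100.7 (an outside host) are made up.
    for name, script in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "->", forward_verdict(script, "192.168.1.20", "198.51.100.7"))
```

With the rules as posted, a 192.168.1.x client matches no forward rule and falls through to the DENY policy; with the corrected source subnet it reaches the MASQ target.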
