IP Masq on Slackware 4.0

Kyle Rose krose at theory.lcs.mit.edu
Thu Jul 1 12:49:10 EDT 1999


Phil <1918 at 1918.com> writes:

> Thanks for the tip Kyle. I don't exactly grasp the syntax of some of ipchains.
> All I really want to do is allow private network clients (192.168.1.*) to
> connect through the gateway (192.168.1.100)  to the ppp0 connection which
> assigns a dynamic IP address. At this point I have no security concerns, once
> the connection and masquerading is up, I'll configure a firewall.
> 
> Would these be enough to accomplish this???:
> 
> ipchains -P forward DENY
> # default - deny everything
> ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
> # add - forward masqueraded packets into the local network
> ipchains -A input -j ACCEPT -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0
> # add - accept packets from the ethernet card

The last one should not be necessary -- you already accept packets
from the ethernet card, by default.  The second rule should also be
either "-s 192.168.1.0/24" or "-s 192.168.0.0/16", since your local
subnet is 192.168.1.x, not 192.168.0.x.  Otherwise good.

However, your interpretation of the second rule is not really right:
you should think of it like this:

-A forward
"Add a rule to the forward chain..."

-s 192.168.1.0/24
"...that, for packets from the 192.168.1.x subnet..."

-d 0.0.0.0/0
"...going to any destination..."

-j MASQ
"...causes them to be masqueraded."

This is why I generally put the -j MASQ at the end of the line: it's
the conclusion reached when the antecedents are matched.

Kyle


-- 
Kyle R. Rose                      "They can try to bind our arms,
Laboratory for Computer Science    But they cannot chain our minds
MIT NE43-309, 617-253-5883             or hearts..."
http://web.mit.edu/krr/www/                           Stratovarius
krose at theory.lcs.mit.edu                              Forever Free
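
Added example, not part of the original message: a small Python model of first-match evaluation on the forward chain, showing why the rule as posted leaves a 192.168.1.x client on the DENY policy and that the position of -j does not change the rule. The parser handles only the -s, -d, -i and -j options seen in this thread; the client and outside addresses are constructed sample values.

```python
import ipaddress
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")
FLAGS = {"-s": "src", "-d": "dst", "-i": "iface", "-j": "target"}


def parse_rule(line):
    """Parse 'ipchains -A <chain> [-s net] [-d net] [-i if] [-j target]'."""
    args = shlex.split(line, comments=True)  # drops a trailing '# ...' comment
    if len(args) < 3 or args[:2] != ["ipchains", "-A"] or len(args) % 2 == 0:
        raise ValueError("unsupported rule: " + line)
    rule = {"chain": args[2], "src": ANY, "dst": ANY, "iface": None, "target": None}
    for flag, value in zip(args[3::2], args[4::2]):
        if flag not in FLAGS:
            raise ValueError("unsupported option: " + flag)
        key = FLAGS[flag]
        rule[key] = ipaddress.ip_network(value) if key in ("src", "dst") else value
    return rule


def verdict(rules, policy, chain, src, dst):
    """First matching rule with a target decides; otherwise the chain policy.

    Simplification of this model: the -i interface is parsed but not matched.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (rule["chain"] == chain and rule["target"]
                and src in rule["src"] and dst in rule["dst"]):
            return rule["target"]
    return policy


# Constructed sample: a LAN client and an arbitrary outside host (TEST-NET-3).
CLIENT, OUTSIDE = "192.168.1.5", "203.0.113.10"
AS_POSTED = parse_rule("ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0")
CORRECTED = parse_rule("ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ")

if __name__ == "__main__":
    for name, rule in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "->", verdict([rule], "DENY", "forward", CLIENT, OUTSIDE))
```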