I'm setting up a firewall on a 3 NIC box (Debian potato, kernel 2.2.17), and I'm confused about how the kernel handles IP masquerading. When a rule jumps a packet to the MASQ chain, does it reassign the port as well as masquerade the IP address?

The reason I ask is I'm trying to understand the "Serious Example" in the IPCHAINS-HOWTO (http://metalab.unc.edu/mdw/HOWTO/IPCHAINS-HOWTO-7.html#ss7.4). This example sets up a three-network firewall (External, Internal, and DMZ), which is what I want to do. The Internal network is masqueraded to External via a chain (good-bad) jumped to from the FORWARD chain:

<--snip-->
Good (internal) to Bad (external).
ipchains -A good-bad -p tcp --dport www -j MASQ
ipchains -A good-bad -p tcp --dport ssh -j MASQ
ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
ipchains -A good-bad -p tcp --dport ftp -j MASQ
ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
ipchains -A good-bad -j REJECT -l
<--snip-->

Then in the rules for the External interface chain (bad-if, jumped to from the input chain), only certain ports appear to be let back in. I presume that the second and third rules with destination ports 61000:65095 are for returning masqueraded packets, eh?

<--snip-->
Bad (external) interface.
ipchains -A bad-if -i ! ppp0 -j DENY -l
ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A bad-if -j icmp-acc
ipchains -A bad-if -j DENY
<--snip-->

This example doesn't make clear to me what happens to packets from the Internal network when they're jumped to MASQ. Do they get a new port (in the range 61000:65095) in addition to the masqueraded IP address, so that when they come back they get past the Bad interface to get demasqueraded? Is this port range critical to how this works, or does it have another purpose?
Or do the packets just go around the Bad interface because in some other fashion they're identified as masqueraded packets through something MASQ does? Just trying to grok what goes on here. TIA for any help!

Stan
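The following is an added illustration, not part of Stan's post and not kernel code. It is a small Python model of what the 2.2 kernel's masquerading does for the setup above: MASQ rewrites the internal host's source address to the firewall's external address and also allocates a new source port from the 61000:65095 range quoted in the bad-if rules, and a returning packet is run through the input chain (here, a simplified bad-if) before it is demasqueraded, which is why that port range has to be ACCEPTed there. All addresses, ports and the firewall's external IP are constructed for the example.

```python
"""Toy model of 2.2-kernel IP masquerading (constructed example, not kernel code)."""
from dataclasses import dataclass, replace

# Port range the kernel hands out to masqueraded connections; it matches the
# 61000:65095 range the HOWTO's bad-if chain accepts.
MASQ_PORT_BEGIN = 61000
MASQ_PORT_END = 65095

FIREWALL_EXT_IP = "192.0.2.1"   # made-up external (ppp0) address of the firewall


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqTable:
    """Maps each masqueraded flow to the port the firewall rewrote it to, and back."""

    def __init__(self):
        self._next = MASQ_PORT_BEGIN
        self._out = {}   # (proto, src_ip, src_port, dst_ip, dst_port) -> masq port
        self._in = {}    # (proto, masq port, remote ip, remote port) -> (src_ip, src_port)

    def masquerade(self, pkt: Packet) -> Packet:
        """What -j MASQ does on the way out: new source IP *and* new source port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            if self._next > MASQ_PORT_END:
                raise RuntimeError("masquerade port range exhausted")
            port = self._next
            self._next += 1
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=FIREWALL_EXT_IP, src_port=port)

    def demasquerade(self, pkt: Packet):
        """Reverse mapping for a reply; None if no masqueraded flow matches it."""
        if pkt.dst_ip != FIREWALL_EXT_IP:
            return None
        orig = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None
        return replace(pkt, dst_ip=orig[0], dst_port=orig[1])


def bad_if_accepts(pkt: Packet) -> bool:
    """Simplified bad-if chain: ACCEPT only TCP/UDP aimed at the masq port range."""
    return pkt.proto in ("tcp", "udp") and MASQ_PORT_BEGIN <= pkt.dst_port <= MASQ_PORT_END


def receive_from_external(table: MasqTable, pkt: Packet):
    """2.2 order for an incoming packet: input chain first, then demasquerade."""
    if not bad_if_accepts(pkt):
        return None            # final DENY in bad-if; never reaches demasquerading
    return table.demasquerade(pkt)   # no table entry -> kernel drops it anyway


def round_trip():
    """Internal host talks to an external web server and gets the reply back."""
    table = MasqTable()
    out = Packet("tcp", "10.0.0.5", 34567, "203.0.113.80", 80)   # constructed flow
    masq = table.masquerade(out)                                 # leaves as 192.0.2.1:61000
    reply = Packet("tcp", out.dst_ip, out.dst_port, masq.src_ip, masq.src_port)
    return receive_from_external(table, reply)                   # back to 10.0.0.5:34567


if __name__ == "__main__":
    print(round_trip())
```

Run as-is, `round_trip()` shows the reply passing bad-if because its destination port is 61000, then being rewritten back to the internal host. A packet from outside aimed at, say, port 22 on the firewall never reaches the masquerade table at all, and one inside the range with no matching flow passes the chain but has nothing to demasquerade to.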
