More excerpts from http://metalab.unc.edu/pub/Linux/docs/HOWTO/IPCHAINS-HOWTO
Anti-spoofing
Since we don't have any asymmetric routing, we can simply turn on
anti-spoofing for all interfaces.
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# "
then
"Set filtering rules to DENY all:
We still allow local loopback traffic, but deny anything else.
# ipchains -A input -i ! lo -j DENY
# ipchains -A output -i ! lo -j DENY
# ipchains -A forward -j DENY "
then
"Insert per-protocol masquerading modules.
We need to insert the masquerading module for FTP, so that active
and passive FTP `just work' from the internal network.
# insmod ip_masq_ftp
# "
then
Please someone correct me if I am wrong. This is an attempt:
ipchains -A forward -s x.x.199.194 23 -i eth0 -j 10.1.1.Y 23
I don't think this is right, because I believe what follows j needs
to be a policy, instead of a specific address. This is a stab in the dark
for me, because I am so new.
>From: Glynn Clements <[EMAIL PROTECTED]>
>To: Lauri Tischler <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED], [EMAIL PROTECTED],
>[EMAIL PROTECTED]
>Subject: Re: IP Chains and port forwarding
>Date: Fri, 27 Aug 1999 10:18:50 +0200 (GMT--1:00)
>
>
>Lauri Tischler wrote:
>
> > > Don't do that. Use:
> > >
> > > ipchains -A forward -s 10.1.1.1/24 -j MASQ
> > > or
> > > ipchains -A forward -i eth0 -j MASQ
> > >
> > > instead. You don't want to be masquerading *inbound* connections.
> >
> > Sorry for the dumb question, but how does ipchains know to what IP address
> > stuff from eth0 should be masqueraded?
>
>Masqueraded packets always use the IP address of the interface from
>which they are sent.
>
>--
>Glynn Clements <[EMAIL PROTECTED]>
>
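Added example (not part of the original message or of the HOWTO): a shell check for the anti-spoofing step quoted above, listing interfaces whose effective rp_filter setting is not strict (1). It assumes current-kernel semantics, where the effective value is the larger of conf/all and the per-interface setting and 2 means loose mode; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit reverse-path filtering (anti-spoofing) per interface.
# Assumption: modern kernels use max(conf/all, conf/<iface>) as the
# effective rp_filter value; 0 = off, 1 = strict, 2 = loose.

# effective_rp_filter ROOT IFACE -> prints the effective value
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$1/$2/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# unfiltered_interfaces ROOT -> prints interfaces that are not in strict mode
unfiltered_interfaces() {
    for d in "$1"/*/; do
        iface=$(basename "$d")
        case $iface in all|default) continue ;; esac   # not real interfaces
        [ -f "$d/rp_filter" ] || continue
        [ "$(effective_rp_filter "$1" "$iface")" -eq 1 ] || echo "$iface"
    done
}

# Constructed sample tree standing in for /proc/sys/net/ipv4/conf
make_sample_tree() {
    for pair in all:0 default:0 lo:1 eth0:1 eth1:0 ppp0:2; do
        mkdir -p "$1/${pair%%:*}"
        echo "${pair##*:}" > "$1/${pair%%:*}/rp_filter"
    done
}

# Demo on the constructed tree: eth1 (off) and ppp0 (loose) are reported
demo=$(mktemp -d)
make_sample_tree "$demo"
unfiltered_interfaces "$demo"
rm -rf "$demo"
```

On a live host, call `unfiltered_interfaces /proc/sys/net/ipv4/conf`; an empty result means every interface is in strict mode.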