Hello Grischa:

When you type "ipchains -A user_msq -s 0/0 -d 0/0 -j MASQ", you are saying 
that all packets from any device should be masqueraded. The best thing for 
you would be something like:

#First of all, flush the existing rules and deny forwarding by default
ipchains -F forward
ipchains -P forward DENY

#Then, accept traffic between LAN and WAN in bidirectional mode
#(-b is equivalent to repeating the rule with -s and -d swapped;
# x.y.z.t/m is the registered, non-masqueraded network)
ipchains -A forward -b \
         -s 192.168.100.0/24 \
         -d x.y.z.t/m \
         -j ACCEPT

#The default for the LAN is masquerading.
#DO NOT ALLOW MASQ FROM OUTSIDE!!!
ipchains -A forward \
         -s 192.168.100.0/24 \
         -d 0.0.0.0/0 \
         -j MASQ

ipchains does something like this: it compares the source address with the 
"-s" parameter. Then it compares the destination address with the "-d" 
parameter. If both match, then it looks at the "-j" parameter to know what 
to do with this packet.

If two or more rules match "-s" and "-d" for the packet, then the first 
rule typed will be used. So, you must think carefully about the order of 
your "ipchains" rules.

Best regards,
Hime



At 14:06 02/01/00 +0100, Glynn Clements wrote:

>Ketil Froyn wrote:
>
> > > ipchains -F forward
> > > ipchains -A forward -s 192.168.100.0/24 -i eth0 -d x.x.x.x/x -j ACCEPT
> > > ipchains -A forward -s 192.168.100.0/24 -i eth0 -j MASQ
> > > ipchains -A forward -j DENY -l
> > >
> > > where x.x.x.x/x is the registered network.
> >
> > I've done something like this once, and I forgot to let the packets from
> > x.x.x.x/x back through, like I think you did here. Or am I still under
> > the influence from the party last night? :)
>
>No, you are correct. I omitted the reverse rule for the
>non-masqueraded packets (you don't need one for replies to masqueraded
>packets; these are forwarded automatically).
>
> > ie. you need
> > ipchains -A forward -s x.x.x.x/x -i eth0 -d 192.168.100.0/24 -j ACCEPT
> > as well.
>
>Yep. Or add the "-b" switch to the original rule.
>
>--
>Glynn Clements <[EMAIL PROTECTED]>
>
>-
>To unsubscribe from this list: send the line "unsubscribe linux-net" in
>the body of a message to [EMAIL PROTECTED]
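To make the first-match walk and the effect of -b concrete, here is a small Python simulation of the forward chain as the two replies describe it. This is an added example, not code from the thread or from ipchains itself: 198.51.100.0/24 stands in for the registered network x.y.z.t/m and 203.0.113.7 for an arbitrary outside host, both assumptions made for the example. Only -s/-d matching and rule order are modelled; interfaces (-i), protocols, and the de-masquerading of reply packets that Glynn mentions are left out.

```python
"""Simulate how ipchains walks its forward chain.

Added example, not code from the thread or from ipchains.  Only the
-s / -d / -j matching and the first-match order described in the reply
are modelled; -i, protocols, ports and reply de-masquerading are not.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.100.0/24")
# Stand-in for the "registered network" x.y.z.t/m of the thread; the
# prefix is an assumption made for this example.
REGISTERED = ipaddress.ip_network("198.51.100.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


def rule(src, dst, target, bidirectional=False):
    """One 'ipchains -A forward -s SRC -d DST -j TARGET' line.

    -b is equivalent to repeating the rule with -s and -d swapped, so a
    bidirectional rule expands to two entries in the chain."""
    entries = [(src, dst, target)]
    if bidirectional:
        entries.append((dst, src, target))
    return entries


def forward(chain, src_ip, dst_ip, policy="DENY"):
    """Walk the chain in the order the rules were appended.

    For each rule the packet's source is compared with -s, then its
    destination with -d; the first rule where both match decides the
    target (-j).  If nothing matches, the chain policy applies
    ('ipchains -P forward DENY' in the reply)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for src_net, dst_net, target in chain:
        if src in src_net and dst in dst_net:
            return target
    return policy


# The chain from the reply, in the order given there.
HIME_CHAIN = (
    rule(LAN, REGISTERED, "ACCEPT", bidirectional=True)  # ipchains -A forward -b ...
    + rule(LAN, ANY, "MASQ")                            # LAN default: masquerade
)

# The same two rules with the MASQ rule appended first: the generic rule
# now shadows the specific one, the ordering mistake the reply warns about.
MISORDERED_CHAIN = (
    rule(LAN, ANY, "MASQ")
    + rule(LAN, REGISTERED, "ACCEPT", bidirectional=True)
)

# The original poster's single rule: -s 0/0 -d 0/0 -j MASQ.
EVERYTHING_MASQ_CHAIN = rule(ANY, ANY, "MASQ")

# Constructed sample packets (source, destination); 203.0.113.7 plays an
# arbitrary Internet host that is in neither network.
SAMPLES = {
    "lan -> internet":   ("192.168.100.5", "203.0.113.7"),
    "lan -> registered": ("192.168.100.5", "198.51.100.9"),
    "registered -> lan": ("198.51.100.9", "192.168.100.5"),
    "internet -> lan":   ("203.0.113.7", "192.168.100.5"),
}


def evaluate(chain):
    """Return {packet label: target} for every sample packet."""
    return {label: forward(chain, s, d) for label, (s, d) in SAMPLES.items()}


if __name__ == "__main__":
    for name, chain in (("Hime's order", HIME_CHAIN),
                        ("MASQ rule first", MISORDERED_CHAIN),
                        ("-s 0/0 -d 0/0 -j MASQ", EVERYTHING_MASQ_CHAIN)):
        print(name)
        for label, target in evaluate(chain).items():
            print(f"  {label:20} {target}")
```

Running it shows the three points of the thread side by side: with Hime's order the registered network is accepted in both directions (because of -b) while the rest of the LAN traffic is masqueraded and anything arriving from outside hits the DENY policy; with the MASQ rule appended first, LAN traffic to the registered network is masqueraded after all; and with the original -s 0/0 -d 0/0 rule, packets from outside destined for the LAN are masqueraded too.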
