At 10:40 AM 2/17/00 -0600, Tetlow Charles MSgt 12CS/SCBBN wrote:
>Once the gateway and forwarding is turned on, you simply have to turn on NAT
>using IP Masquerading. To do this, you use the IPChains rule set. The
>command is:
>ipchains -A forward -s 0/0 -d 0/0 -j MASQ
>This tells IPChains to add this rule to the forwarding chain, from any
>source (0/0 is the same as 0.0.0.0/0.0.0.0), to any destination, jump to
>MASQ which is the masquerading.
This has the potential of allowing anyone who can force packets to your
machine, say by loose source routing, to use your machine as their gateway,
and make their packets seem to come from you.
However, I've done exactly this sort of thing. I have a DSL setup where I
have 4 ip addresses out of a class C, but they are bridged, so my netmask
is 255.255.255.0. I use the Linux box as a firewall, and proxy-arp on the
outside adapter for the inside servers, while proxy arping on the inside
for the rest of the net (that I care about, mostly the router, although
I'll fix that if I have to). On the gateway box, I do host routing to get
the packets to the correct physical net. I run both nets on the inside.
Many boxes can now deal with the fact that there are two networks on the
inside wire, for the others, I use the linux gateway as a router, where it
accepts the packet and sends it back out the same interface. (Because of
this I'm more sensitive to the stolen masquerade business - with a simple
rule like the one above someone else on the class C in some other location
could name my machine as their router and masquerade their packets through
me, except that I reject them, and also refuse to route from outside to
outside. You may not care as much if you trust the net you are connected to.)
I also stop spoofing by limiting the source addresses I'm willing to
masquerade for and making sure that those addresses are not spoofed on the
outside net with filters. The routing rules make sure I do not distribute
martians, because those are all masqueraded. I wrote a little utility, see
http://scifi.squawk.com/masquerade.html which runs all of the time and
reports new masquerades to syslog. (It will only run with the older
kernels - it will require a small mod for the new kernels to deal with the
change in the format of the /proc masquerade file, but I've tested it with
Redhat 6.0). I find it essential because I feel like I need to be able to
relate a particular source port masquerade at a particular time to a
workstation, and log it together with other messages so that I can correlate
activity.
The inside adapter has an address on the inside net and is also proxying
the address of the outside router, as noted above. The machines on the
inside with the inside net addresses use the inside adapter private address
as their default route, and the machines on the inside with outside
addresses are only contactable on certain ports (you need to put the ipchains
commands that allow those packets to get through unmasqueraded (inside and
out) ahead of the masquerade rulesets on your forward chain, or your
response packets will be masqueraded and the outside machines won't know
what the hell to do with them).
I've never tried to use more than one outside address to do the masquerade.
In any case, I think that a combination of proxy-arp, host routing, and
masquerading will do exactly what you need under Linux. It works for me.
--
If we aren't supposed to eat animals, why are they made of meat?
Nick Simicich mailto:[EMAIL PROTECTED]
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
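Worked example, added here and not part of either message in the thread: a small Python model of how ipchains evaluates the input and forward chains (first matching rule wins, then the chain policy; `-i` is the arrival interface on the input chain and the departure interface on the forward chain). It holds the actual ipchains command lines as data, so it shows two things the reply argues: the quoted `-s 0/0 -d 0/0 -j MASQ` rule masquerades a packet from any other host on the class C that names the box as its router, while a rule set that masquerades only the private net and leaves the forward policy at DENY refuses it; and an ACCEPT for the public-addressed inside server must precede the MASQ rule or its replies come out masqueraded. The addresses (192.0.2.0/24 as the bridged class C, 10.0.0.0/24 as the private inside net, 192.0.2.10 as an inside server with an outside address, 198.51.100.9 as an outside client), the adapter names eth0/eth1 and the chain policies are all assumptions, not the author's configuration.

```python
# Added example, not from the original thread: a model of ipchains input/forward
# chain evaluation.  Addresses, interface names and chain policies are assumptions.
import ipaddress
from collections import namedtuple

OUTSIDE_IF, INSIDE_IF = "eth0", "eth1"                    # assumed adapter names
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")          # assumed private inside net
PUBLIC_INSIDE = {ipaddress.ip_address("192.0.2.10")}      # assumed inside server with an outside address


def parse_net(s):
    """ipchains address syntax: addr, addr/prefix, addr/dotted-mask, or the 0/0 shorthand."""
    addr, _, mask = s.partition("/")
    if addr == "0":
        addr = "0.0.0.0"
    return ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)


def parse_rule(cmd):
    """Parse 'ipchains -A <chain> [-p proto] [-s addr [port]] [-d addr [port]] [-i if] -j target'."""
    t = cmd.split()
    if t[:2] != ["ipchains", "-A"]:
        raise ValueError(cmd)
    r = dict(src=parse_net("0/0"), dst=parse_net("0/0"), sport=None, dport=None,
             proto=None, iface=None, target=None)
    i = 3
    while i < len(t):
        flag, val, i = t[i], t[i + 1], i + 2
        if flag in ("-s", "-d"):
            side = "src" if flag == "-s" else "dst"
            r[side] = parse_net(val)
            if i < len(t) and not t[i].startswith("-"):    # optional port after the address
                r[side[0] + "port"], i = int(t[i]), i + 1
        elif flag in ("-p", "-i", "-j"):
            r[{"-p": "proto", "-i": "iface", "-j": "target"}[flag]] = val
        else:
            raise ValueError(flag)
    return t[2], r


Packet = namedtuple("Packet", "src dst proto sport dport", defaults=("tcp", 0, 0))


def matches(r, p, iface):
    """Unset rule fields (None) match anything; iface is whatever the chain's -i refers to."""
    return (ipaddress.ip_address(p.src) in r["src"] and ipaddress.ip_address(p.dst) in r["dst"]
            and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport)
            and r["proto"] in (None, p.proto) and r["iface"] in (None, iface))


def run_chain(rules, p, iface, policy):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for r in rules:
        if matches(r, p, iface):
            return r["target"]
    return policy


def out_iface(dst):
    """Host routing as in the post: the private net and the proxy-arped public hosts live inside."""
    a = ipaddress.ip_address(dst)
    return INSIDE_IF if a in INSIDE_NET or a in PUBLIC_INSIDE else OUTSIDE_IF


def gateway(cmds, p, in_iface):
    """Verdict for a forwarded packet: input chain (-i = arrival interface, policy ACCEPT
    assumed) and then forward chain (-i = departure interface, policy DENY assumed)."""
    chains = {"input": [], "forward": []}
    for cmd in cmds:
        chain, rule = parse_rule(cmd)
        chains[chain].append(rule)
    verdict = run_chain(chains["input"], p, in_iface, "ACCEPT")
    if verdict != "ACCEPT":
        return verdict
    return run_chain(chains["forward"], p, out_iface(p.dst), "DENY")


# The rule from the quoted message: masquerade anything the box forwards.
BLANKET = ["ipchains -A forward -s 0/0 -d 0/0 -j MASQ"]
# Constructed rules in the spirit of the reply: refuse inside addresses arriving on the outside
# adapter, accept the inside public server's port-80 traffic unmasqueraded ahead of MASQ,
# masquerade only the private net, and let the forward policy refuse outside-to-outside.
SERVER_RULES = ["ipchains -A forward -p tcp -d 192.0.2.10 80 -i eth1 -j ACCEPT",
                "ipchains -A forward -p tcp -s 192.0.2.10 80 -i eth0 -j ACCEPT"]
RESTRICTED = (["ipchains -A input -i eth0 -s 10.0.0.0/24 -j DENY"] + SERVER_RULES
              + ["ipchains -A forward -s 10.0.0.0/24 -d 0/0 -i eth0 -j MASQ"])


def demo():
    stolen = Packet("192.0.2.77", "198.51.100.9", dport=25)   # another host on the class C routing via us
    reply = Packet("192.0.2.10", "198.51.100.9", sport=80, dport=40000)   # inside public server answering
    return {
        "blanket_outside_to_outside": gateway(BLANKET, stolen, OUTSIDE_IF),           # MASQ: stolen masquerade
        "restricted_outside_to_outside": gateway(RESTRICTED, stolen, OUTSIDE_IF),     # DENY
        "restricted_private_out": gateway(RESTRICTED, Packet("10.0.0.5", "198.51.100.9", dport=25), INSIDE_IF),
        "restricted_spoofed_private": gateway(RESTRICTED, Packet("10.0.0.5", "198.51.100.9"), OUTSIDE_IF),
        "restricted_server_reply": gateway(RESTRICTED, reply, INSIDE_IF),             # ACCEPT, unmasqueraded
        "masq_before_accept_reply": gateway(BLANKET + SERVER_RULES, reply, INSIDE_IF),  # MASQ: wrong order
        "accept_before_masq_reply": gateway(SERVER_RULES + BLANKET, reply, INSIDE_IF),  # ACCEPT: right order
    }
```

`demo()` returns the verdict per scenario: the blanket rule gives MASQ for the outside host's packet, the restricted set gives DENY for it (and for the 10.0.0.5 packet arriving on eth0), MASQ only for the genuine private host, and ACCEPT for the server's reply; with the MASQ rule listed first the same reply is masqueraded, which is the ordering mistake the post warns about. The model ignores ipchains details that do not bear on the point (the output chain, ICMP, fragments, masquerade port rewriting), and the input policy of ACCEPT is a simplification for the example.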