I missed the part about the 2.0 kernel...I don't know if that complicates
things or not.  With 2.2 and ipchains, it doesn't matter if you've got one
PPP interface or a thousand, if they're all assigned IPs encompassed in a
single network specification, it's one ipchain rule to masquerade them.
Assuming all PPP interfaces are in the 10. private IP space:

ipchains -A forward -j MASQ -s 10.0.0.0/8 -d 0/0 -i <extern-if>

I would presume something similar could be done with kernel 2.0.x

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

> Oh, and Dave was using a 2.0.x box, so I would guess ipchains would not
> be an option - I don't know if this matters or not in terms of the
> forwarding rules.
> - Jon
>
> Jonathan French wrote:
> >
> > Hi Charles,
> >
> > Um, my mindset was probably the old "if you have a hammer, every problem
> > looks like a nail" situation.  I have always required a proxy-arp
> > situation, so I hadn't considered separate ppp "hosts".  So you can drop
> > the <local ip>:<ppp ip> (lets the client specify) and proxyarp, and just get
> > a ppp interface, which could have packets masq'd.  I guess I am used to
> > using network.conf to define the masquerading - I suppose you could use
> > ppp0, ppp1, ppp2, etc in network.conf.  It sounded like Dave had ~20 ppp
> > connections, which at least in my warped mind would make a dummy
> > interface with a single set of rules make sense.  I guess I am also used
> > to specifying the IPMASQing on a per interface basis rather than on the
> > external interface.
> >
> > As one of my old professors used to say, "There's more than one way to
> > skin a cat."
> >
> >         - Jon
> >
> > Charles Steinkuehler wrote:
> > >
> > > > > > Since you are shy some "real" addresses for the PPP clients,
> > > > > > would it be ok to put the PPP clients on a masq'd subnet?
> > > > >
> > > > > That's what I was hoping for.
> > > > >
> > > > > > To do this, you could toss a cheap NIC into the box, assign it
> > > > > > to a masq'd 192.168.x.x subnet (don't attach it to anything), and
> > > > > > then use its address as the first address in the options.ttySX
> > > > > > line.
> > > > >
> > > > > Could I use the dummy (network) device for this purpose instead of
> > > > > a cheap NIC?
> > > > >
> > > > > > The additional NIC allows you to establish a fake masq'd net, and
> > > > > > gives your PPP clients a little more security.  You can drop the
> > > > > > second address if you assign each client a unique 192.168.x.x
> > > > > > address, or with the options.ttySX, you can assign a unique
> > > > > > internal IP address by serial connection (or by phone #).
> > > > >
> > > > > I was thinking I'd do this:
> > > > >
> > > > > NIC: Internet-visible IP addr
> > > > > PPP(24x): private IP range (10.x.x.x or 192.168.x.x)
> > > > >
> > > > > ...with the discussion you've given me, that adds:
> > > > >
> > > > > NIC #2: dummy interface
> > > > >
> > > > > ...would this work?
> > >
> > > Um...just whack me if I'm missing something obvious here, but what's
> > > with the extra NIC and proxy arp stuff?
> > >
> > > As I understand it, David needs to connect some PPP users to the 'net,
> > > and doesn't have 'real' IPs to assign, so he wants to use
> > > masquerading...fine.
> > >
> > > Masquerading happens in the forward chain of linux 2.2 kernels.  The IP
> > > packets will be forwarded as long as forwarding is enabled, and the
> > > system has a route to the destination IP...pretty basic.  The kernel
> > > knows about the pppX devices when pppd creates and configures them once
> > > a connection comes up.  As soon as this happens, the kernel will start
> > > routing packets between the new ppp interface and any other interfaces
> > > configured.  If there are masquerade rules in the forward chain, the
> > > packets will be masqueraded.
> > >
> > > I'm confused about why you'd need an "internal net" ethernet card with
> > > proxy-arp enabled, unless you actually wanted to allow folks access to
> > > your internal net (dialup users for a small business network would be
> > > a good example...get access to the office net and piggyback off their
> > > 'net connection with one phone call).
> > >
> > > Charles Steinkuehler
> > > http://lrp.steinkuehler.net
> > > http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
> > >
> > > _______________________________________________
> > > Leaf-user mailing list
> > > [EMAIL PROTECTED]
> > > https://lists.sourceforge.net/lists/listinfo/leaf-user
> >


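The setup Charles describes above (forwarding enabled, one MASQ rule in the
2.2 forward chain covering every PPP peer that sits in one private block), as
an added example that is not code from the original thread.  It assumes eth0
as the external interface and 10.0.0.0/8 for the peers, neither of which is
named in the messages; it prints the ipchains commands instead of running them
unless IPCHAINS_APPLY=1, and it adds a check of which peer addresses the
single -s rule actually covers, since a peer handed a 192.168.x.x address via
options.ttySX would fall outside a 10.0.0.0/8 rule.  The DENY forward policy
is an added hardening choice, not something the thread states.

```sh
#!/bin/sh
# Added example, not code from the original thread.  Assumed names: external
# interface eth0, PPP peers in 10.0.0.0/8.  Dry-run (prints the commands)
# unless IPCHAINS_APPLY=1, so it can be read on a box without ipchains.

# Dotted quad -> 32-bit integer (POSIX sh arithmetic, no bashisms)
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_net ADDR NET/PREFIX: succeed iff ADDR lies inside NET/PREFIX
in_net() {
    addr_i=$(ip2int "$1")
    net_i=$(ip2int "${2%/*}")
    plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( addr_i & mask )) -eq $(( net_i & mask )) ]
}

# masq_rules EXT_IF NET/PREFIX: the commands for a 2.2 kernel.  In the
# ipchains forward chain, -i names the interface the packet will leave on,
# so one rule catches traffic from any pppN headed for the outside world.
# The DENY policy is an added hardening choice (assumption): nothing is
# forwarded unless a rule matches, which also keeps dial-up peers from
# reaching each other through the box.
masq_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
ipchains -A forward -j MASQ -s $2 -d 0/0 -i $1
EOF
}

apply_masq() {
    if [ "${IPCHAINS_APPLY:-0}" = 1 ]; then
        masq_rules "$@" | sh
    else
        masq_rules "$@"
    fi
}

# uncovered_peers NET/PREFIX ADDR...: warn (stderr) about each peer the
# single MASQ rule misses and print the count (stdout).  A peer outside the
# block is either forwarded with its private source address intact or, with
# the DENY policy above, not forwarded at all.
uncovered_peers() {
    block=$1; shift
    n=0
    for peer in "$@"; do
        if ! in_net "$peer" "$block"; then
            echo "$peer is outside $block: not covered by the MASQ rule" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample: addresses one might hand out via options.ttySx.
# 192.168.1.5 is deliberately outside 10.0.0.0/8 to show the mismatch.
apply_masq eth0 10.0.0.0/8
uncovered_peers 10.0.0.0/8 10.0.0.1 10.0.0.2 10.1.2.3 192.168.1.5
```

Run it as-is to see the three commands; set IPCHAINS_APPLY=1 on a 2.2 box
with ipchains to apply them.  uncovered_peers is the check to run against
the address list in options.ttySx before trusting a single -s rule.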