(Would I just add `/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ` to the 5th stanza?)
------------------------------------------------------------------------
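#!/bin/sh
# ipchains (Linux 2.2) masquerading firewall for a small internal network.
#
# Tunables, overridable from the environment (e.g. EXT_IF=ppp0 ./firewall.sh):
#   INTERNAL_NET  subnet of the internal (masqueraded) network, CIDR form
#   EXT_IF        interface that faces the Internet
# Must run as root.  Every ipchains/sysctl step that matters aborts the
# script on failure (set -e); optional helper modules only warn.
set -e

INTERNAL_NET=${INTERNAL_NET:-192.168.1.0/24}
EXT_IF=${EXT_IF:-eth1}
IPCHAINS=/sbin/ipchains

# Load an optional masquerading helper module.  A missing helper only breaks
# that one protocol through the firewall, so warn and carry on rather than
# aborting the whole firewall setup.
load_module() {
  /sbin/modprobe "$@" || printf 'warning: could not load module %s\n' "$1" >&2
}

/sbin/depmod -a   # refresh module dependencies so modprobe can resolve them

# Fail closed: start from a clean rule set and deny forwarding BEFORE IP
# forwarding is switched on, so there is never a window with forwarding
# enabled under the default ACCEPT policy.  Flushing first also makes the
# script safe to re-run without accumulating duplicate rules.
$IPCHAINS -F                             # flush all rules (policies are untouched)
$IPCHAINS -X infilt 2>/dev/null || true  # drop our chain from a previous run, if any
$IPCHAINS -P forward DENY

# Helpers for protocols that embed addresses/ports in their payload and
# therefore need special masquerading support.  Load only those you really need.
load_module ip_masq_ftp                                  # FTP out
load_module ip_masq_raudio                               # RealAudio
load_module ip_masq_irc                                  # IRC DCC
load_module ip_masq_quake ports=26000,27000,27910,27960  # Quake I/II/III
load_module ip_masq_cuseeme                              # CuSeeMe
load_module ip_masq_vdolive                              # VDO-live

# Masquerading session timeouts: 2 hours idle for TCP, 10 seconds after a
# TCP FIN is received, 2 minutes for UDP.
$IPCHAINS -M -S 7200 10 160

# Masquerade everything forwarded from the internal network.
$IPCHAINS -A forward -s "$INTERNAL_NET" -j MASQ

# Anti-spoofing: log (-l) and deny anything arriving on the Internet-facing
# interface that claims to come from the internal network.  The same
# INTERNAL_NET is used here and in the MASQ rule above so the two cannot
# drift apart (a mismatch leaves spoofed internal addresses unfiltered).
$IPCHAINS -N infilt
$IPCHAINS -A input -i "$EXT_IF" -j infilt
$IPCHAINS -A infilt -s "$INTERNAL_NET" -l -j DENY

# Enable IP forwarding only now that the DENY policy and rules are in place.
echo 1 > /proc/sys/net/ipv4/ip_forward
# ip_dynaddr is only needed on a dial-up link (ppp0) with a dynamic address;
# it is harmless on a static link.
echo 1 > /proc/sys/net/ipv4/ip_dynaddr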
-- remove the obvious from my email address
