On Thu, 2003-03-27 at 09:45, Binand Raj S. wrote:
> On Wed, Mar 26, 2003 at 02:53:39PM +0530, Dinesh Gopinath wrote:
> > If I want to share the internet connection, is IP Masquerading a must?
> > Then what is proxying? I am confused abt these two. If IP masquerading
> > works, then how can you control the access for each user (not based on
> > ip of machines?) For that do I need both masq. and proxying?
> > thanks in advance,
>
> Proxying - using a specialised software that acts as a relay point
> between your client and the server elsewhere on the Internet. The most
> popular proxy I guess is the HTTP proxy server, squid. There have been
> half-hearted attempts to build proxies for other internet services (POP
> proxies, FTP proxies etc.), but none as successful as squid. Apache too
> has its implementation of a HTTP proxy via a DSO.
>
> IP Masquerading - Since routers on the Internet will not forward packets
> from the RFC 1918 private netblocks (192.168.0.0/16, 172.16.0.0/12,
> 10.0.0.0/8), it is desirable to make these routers "think" that packets
> are arising from an IP address that is not in the above blocks (even when
> they are). This is achieved via Masquerading. You have a router under your
> control rewrite TCP headers, so that the source address now looks like
> a routable address. The rewriting router also maintains tables of what
> it rewrote (so that it can send response packets to the correct hosts).
>
> IP Masquerading is a subtopic under a larger head, NAT (vol. II, SNAT).
>
> Now, to your questions.
>
> If your Internet usage is basically only (HTTP) proxy aware applications
> (browsers, download accelerators, some FTP download clients, instant
> messaging systems, certain other specialized software), then all you
> need is a HTTP proxy server like squid.
>
> If you have other kind of TCP/IP based software (email clients, news
> clients, and a few thousand network games...), you absolutely cannot
> survive with only a HTTP proxy. You will either need proxies for each
> individual protocol (not possible) or you should have IP masquerading.
>
> <shameless plug>
> If you work in a Unix only shop, you can probably get away with a HTTP
> proxy and transconnect (http://transconnect.sourceforge.net). Note that
> it won't work for DNS packets and UDP traffic (Mirabilis ICQ?). If you are
> really adventurous, you can try to port it to Windows. :)
> </shameless plug>
>
> With squid or a HTTP proxy server, access control is of course, easy. Not
> with IP Masquerading. Certain things are possible, though - combining
> the masquerading and firewalling capabilities of ipchains - for example:

Thanks for the details, it definitely clears some concepts.
What are the similar commands (as below in ipchains) for iptables in rhl 8.0?

Arun

>
> # The Boss gets full access
> ipchains -A forward -s boss.computer.ip.address -j MASQ
>
> # The developer team can use any CVS server anywhere
> ipchains -A forward -s devel.team.ip.block/mask -p tcp --dport cvspserver -j MASQ
>
> # Everyone can ssh everywhere
> ipchains -A forward -p tcp --dport ssh -j MASQ
>
> (and so on...)
>
> Binand
>
> --
> Russian Roulette with Unix:
> while :; do kill $RANDOM &> /dev/null && break || sleep 1; done
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by:
> The Definitive IT and Networking Event. Be There!
> NetWorld+Interop Las Vegas 2003 -- Register today!
> http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
> _______________________________________________
> linux-india-help mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/linux-india-help
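
Added example (not part of the original thread, and not code from either poster): one way to express the three quoted ipchains rules in iptables. iptables splits what ipchains did in a single `-j MASQ` rule into two places: the filter table's FORWARD chain decides who may pass, and the nat table's POSTROUTING chain rewrites the source address. The interface name and addresses are constructed placeholders, and the default-drop policy, the ESTABLISHED,RELATED rule and the ip_forward line are assumptions added so that the rule set is complete.

```shell
#!/bin/sh
# Print the iptables counterpart of the quoted ipchains rules, one command
# per line, so the result can be reviewed before it is applied.
#   $1 = Internet-facing interface   (placeholder, e.g. ppp0)
#   $2 = the boss's machine          (placeholder address)
#   $3 = the developer team's block  (placeholder address/mask)
masq_rules() {
    ext_if=$1
    boss=$2
    devel=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $boss -j ACCEPT
iptables -A FORWARD -s $devel -p tcp --dport cvspserver -j ACCEPT
iptables -A FORWARD -p tcp --dport ssh -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE
EOF
}

# Line 1 enables routing in the kernel.
# Line 2 makes "not listed" mean "not forwarded" (access control).
# Line 3 lets reply packets of already-permitted connections back in.
# Lines 4-6 mirror the three ipchains rules, with ACCEPT instead of MASQ.
# Line 7 is the only rule that rewrites addresses: everything that was
#        allowed to leave through the external interface is masqueraded.

# Dry run with constructed values (RFC 5737 documentation addresses):
masq_rules ppp0 192.0.2.10 192.0.2.64/26
```

The script only prints the commands; to apply them, review the output and pipe it to `sh` as root.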
