Max Klohn wrote:

> > How do I set up network address translation under RedHat?  Currently I am
> > using an Apache as a proxy for WWW traffic from my local network to reach the
> > Internet, however I'd like for my local machines to be able to reach the
> > net through other services, such as telnet, ftp, etc.  I don't really want
> > to use a proxy for this because I do not want to have to worry about
> > modifying client software.  If I understand network address translation
> > correctly, if I have it set up properly under RedHat I'll be able to use
> > stock software on Windows based systems and other Unix hosts to connect to
> > the net through Linux.
> 
> make sure that your kernel has ip masquerading on (RH stock kernels do)
> replace 192.168.121 with your chosen class C net...
> this is supposed to be safe, and works for me:
> 
> from my /etc/rc.d/rc.local (and from the masquerading FAQ):
> 
> # My ip forwarding stuff
> echo "ip masquerading 192.168.121.0/24"
> /sbin/ipfwadm -F -p deny      #this one is important
> /sbin/ipfwadm -F -a m -S 192.168.121.0/24 -D 0.0.0.0/0
> # End ip forwarding stuff
> 
> now Glynn Clements just wrote something about applying this to just ONE
> interface...

You can change the second command to something like:

        /sbin/ipfwadm -F -a m -S 192.168.121.0/24 -W ppp0

(assuming that your 'net connection is via ppp0). This will ensure
that packets are only masqueraded if they would have been sent via
ppp0, which will prevent spoofed packets from being masqueraded on the
way in.

Another approach is to use

        /sbin/ipfwadm -I -a deny -S 192.168.121.0/24 -W ppp0 -o

which will discard (and log) any spoofed packets which are received
via ppp0.

-- 
Glynn Clements <[EMAIL PROTECTED]>
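The difference between the three rule sets above (plain masquerade rule, masquerade rule restricted with `-W ppp0`, and the extra input-chain deny rule) is easiest to see by running the same packets through a small model of the ipfwadm input and forwarding chains. The following is an added example, not code from the thread; it models only the matching logic of the rules quoted above (source network, output interface, input interface), not the kernel's masquerading state or reply de-translation, and the interface names `ppp0` (Internet side) and `eth0` (LAN side) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed topology: LAN on eth0 using 192.168.121.0/24, Internet via ppp0.
LAN = ipaddress.ip_network("192.168.121.0/24")
EXT_IF = "ppp0"
LAN_IF = "eth0"


@dataclass
class Packet:
    src: str      # source address as it appears in the IP header
    dst: str      # destination address
    in_if: str    # interface the packet arrived on
    out_if: str   # interface routing would send it out of


def input_chain(pkt, antispoof):
    """Model of: /sbin/ipfwadm -I -a deny -S 192.168.121.0/24 -W ppp0 -o
    A packet claiming a LAN source but arriving on ppp0 cannot be genuine,
    so it is denied (the -o flag would additionally log it)."""
    if antispoof and pkt.in_if == EXT_IF and ipaddress.ip_address(pkt.src) in LAN:
        return "deny"
    return "accept"


def forward_chain(pkt, restrict_out_if):
    """Model of:
        /sbin/ipfwadm -F -p deny
        /sbin/ipfwadm -F -a m -S 192.168.121.0/24 -D 0.0.0.0/0 [-W ppp0]
    Default policy is deny; the masquerade rule matches any LAN source and,
    when restrict_out_if is set, only packets that would leave via ppp0."""
    if ipaddress.ip_address(pkt.src) in LAN:
        if not restrict_out_if or pkt.out_if == EXT_IF:
            return "masquerade"
    return "deny"


def evaluate(pkt, restrict_out_if=False, antispoof=False):
    """Run a packet through the input chain and then the forwarding chain,
    returning the final verdict ("masquerade", "deny", or "deny-input")."""
    if input_chain(pkt, antispoof) == "deny":
        return "deny-input"
    return forward_chain(pkt, restrict_out_if)


# Constructed sample packets: a legitimate outbound LAN packet and a packet
# arriving from the Internet side with a forged LAN source address.
LEGIT = Packet(src="192.168.121.5", dst="203.0.113.7", in_if=LAN_IF, out_if=EXT_IF)
SPOOF = Packet(src="192.168.121.5", dst="192.168.121.10", in_if=EXT_IF, out_if=LAN_IF)


def compare_rulesets():
    """Verdicts for both packets under each of the three rule sets."""
    return {
        "plain":        (evaluate(LEGIT), evaluate(SPOOF)),
        "with -W ppp0": (evaluate(LEGIT, restrict_out_if=True),
                         evaluate(SPOOF, restrict_out_if=True)),
        "input deny":   (evaluate(LEGIT, antispoof=True),
                         evaluate(SPOOF, antispoof=True)),
    }


if __name__ == "__main__":
    for name, (legit, spoof) in compare_rulesets().items():
        print(f"{name:13s} legit -> {legit:10s} spoofed -> {spoof}")
```

With the plain rule set the forged packet is masqueraded like any other LAN packet, which is exactly the case the `-W ppp0` restriction closes; the input-chain rule stops the same packet one step earlier, before the forwarding chain sees it.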