/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Pete B [mailto:[EMAIL PROTECTED]] wrote:
> I have a home network, and one of my boxes
> is a Linux 'gateway' box connected to the internet via
> DSL
> The 'gateway' box runs RedHat 7.1, kernel 2.4.7, and
> iptables 1.2.2.
> This 'gateway' box is my default gateway for the other
> boxes on my network.
>
>
> Following the IP MASQ HOWTO , I created the
> rudimentary rc.firewall script:
>
> depmod -a
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> iptables -P FORWARD DROP
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> This script does NOT give my other computers access to
> the internet.
Nor should it. The problem is with the FORWARD chain (of the filter table)
policy. For MASQ to work, you must allow some form of forwarding, as your
traffic must travel from one network to another.
> But when I run this script...
>
>
> depmod -a
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> iptables -P FORWARD ACCEPT
>
> ALL my boxes on my network can see the internet.
This should not work unless one of the following conditions is true:
- your internal machines have internet routable ip addresses
- this second script is run after the first, but without removing the rules
created by the first.
> Quite frankly I'm confused by the difference between
> the two iptables rulesets above.
>
> Also I know that setting my forwarding policy to
> ACCEPT is insecure, but I don't understand why
> (???!!!).
A very basic definition of forwarding is that it allows traffic from one
network to another. With a default policy of accept you are doing just that
for everything that hits your box from either inside or outside.
Essentially, you left your front door standing wide open.
Masq'ing does something similar, but in doing so it rewrites portions of the
IP headers (source/destination) so they appear to have come from another
location. Normally, this is used to have internal private IP machines all
appear to come from one public IP address. It can also be used to rewrite
the destination of a packet to, in effect, allow specific traffic coming
into the public IP address to be sent into a private IP addressed machine.
I suggest you take a look at my iptables firewall script
(http://www.asgardsrealm.net/linux/firewall), as the current iptables
instructions in the HOWTOs that I've seen are woefully lacking.
Jamin W. Collins
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
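The point of the reply above is that neither of Pete's scripts is right: FORWARD DROP blocks everything, FORWARD ACCEPT lets anything through in both directions. The script below is an added example, not Pete's rc.firewall and not Jamin's script from asgardsrealm.net. It keeps the FORWARD policy at DROP and opens only the two paths a masquerading gateway actually needs: new connections from the LAN out, and replies to those connections back in. The interface names and LAN subnet (eth0, 192.168.1.0/24, ppp0) are assumptions and can be overridden through environment variables; run without arguments it only prints the commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the original thread. Minimal rc.firewall for a
# masquerading Linux gateway that keeps FORWARD policy DROP.
# Assumed layout (override via environment): LAN on eth0 as 192.168.1.0/24,
# internet link on ppp0.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
EXT_IF="${EXT_IF:-ppp0}"
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

# ipt: run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# sysctl_on: turn on one /proc/sys/net/ipv4 toggle (printed when DRY_RUN=1).
sysctl_on() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/$1"
    else
        echo 1 > "/proc/sys/net/ipv4/$1"
    fi
}

build_firewall() {
    sysctl_on ip_forward
    sysctl_on ip_dynaddr

    # Start from an empty FORWARD chain and nat POSTROUTING chain so re-running
    # the script does not stack duplicate rules (the second-script symptom).
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING

    # Secure baseline: forward nothing unless a rule below allows it.
    ipt -P FORWARD DROP

    # Path 1: new connections from the private LAN out to the internet link.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT

    # Path 2: packets coming back in from the link, but only if they belong to
    # a connection the LAN started. Unsolicited inbound traffic hits the DROP.
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade: rewrite the source address of everything leaving the link
    # to the link's own (possibly dynamic) address.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# `sh rc.firewall` prints the commands; `sh rc.firewall apply` runs them (needs root).
case "${1:-}" in
    apply) DRY_RUN=0; build_firewall ;;
    *)     DRY_RUN=1; build_firewall ;;
esac
```

Compared with Pete's second script, the difference is path 2: replies are only let back in when the connection tracker already knows the connection, so an outside host cannot simply send packets at a LAN address and have the gateway forward them.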