/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

I'll be away from Aug. 7 to Aug. 17. If you require some work to be done,
please send it to [EMAIL PROTECTED]. I'll be answering my emails when I get
back from my vacation.

Mauro

=-=-= ----------- Your original message is below ----------

Send Masq mailing list submissions to
	[EMAIL PROTECTED]

To subscribe or unsubscribe via the web, visit
	http://home.indyramp.com/mailman/listinfo/masq
or, via email, send a message with subject or body 'help' to
	[EMAIL PROTECTED]

You can reach the person managing the list at
	[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Masq digest..."

This is the Linux IP Masquerading mailing list digest. To unsubscribe, change
to realtime distribution, or adjust your other list options, visit the web
page at http://home.indyramp.com/mailman/listinfo/masq

PLEASE read the HOWTO and search the archives before posting. You can start
your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.

Today's Topics:

   1. Virtual IP address (Marcos Moura)
   2. RE: Virtual IP address (Jamin Collins)
   3. Does FORWARDING = MASQUERADING? (Pete B)
   4. RE: Does FORWARDING = MASQUERADING? (Jamin Collins)
   5. non-masquerading router ([EMAIL PROTECTED])

--__--__--

Message: 1
Date: Tue, 07 Aug 2001 17:24:55 -0300
To: [EMAIL PROTECTED]
From: Marcos Moura <[EMAIL PROTECTED]>
Subject: [Masq] Virtual IP address

Hi,

I have a machine running RedHat 7.1 using NAT in order to hide my internal
workstations from the outside world. Now I would like this machine to
administer virtual IP addresses for a group of internal machines.
For instance, this server's IP address is 200.xxx.yyy.10 but it should also
receive all IP traffic addressed to 200.xxx.yyy.15, 200.xxx.yyy.20 and
200.xxx.yyy.25 and forward it to three different internal machines within my
LAN, for example 172.16.30.1, 172.16.30.2 and 172.16.30.3, respectively.

Could someone help me with this stuff?

Thanks in advance,
Marcos Moura

---
The e-mail sent contains no virus.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.265 / Virus Database: 137 - Release Date: 18/07/01

--__--__--

Message: 2
From: Jamin Collins <[EMAIL PROTECTED]>
To: "'Marcos Moura'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: RE: [Masq] Virtual IP address
Date: Tue, 7 Aug 2001 15:40:44 -0500

Marcos Moura [mailto:[EMAIL PROTECTED]] wrote:
> For instance, this server's IP address is 200.xxx.yyy.10 but it
> should also receive all IP traffic addressed to
> 200.xxx.yyy.15, 200.xxx.yyy.20 and 200.xxx.yyy.25 and
> forward them to three different internal machines within
> my LAN, for example, 172.16.30.1, 172.16.30.2 and 172.16.30.3,
> respectively. Could someone help me with this stuff?

Provided that these IP addresses are routed to this machine by your ISP,
then this is a simple matter of setting up the proper rules. As you are
running RH 7.1 you have the option of using either ipchains or iptables for
basic firewalling and/or routing. However, for what you are now looking for
you will need to use iptables. Ipchains can provide this functionality, but
the ipchains support provided with 2.4.x kernels is not a complete ipchains
implementation; it's actually a wrapper.

My iptables firewall script will do everything you listed in your original
posting. You can get my script from http://www.asgardsrealm.net/linux/firewall.

Jamin W. Collins

--__--__--

Message: 3
Date: Tue, 7 Aug 2001 20:45:56 -0700 (PDT)
From: Pete B <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Masq] Does FORWARDING = MASQUERADING?
Hello,

I'm a 'Masquerading' amateur who needs help. I have a home network, and one of
my boxes is a Linux 'gateway' box connected to the internet via DSL.

The 'gateway' box runs RedHat 7.1, kernel 2.4.7, and iptables 1.2.2.
This 'gateway' box is my default gateway for the other boxes on my network.

Following the IP MASQ HOWTO, I created the rudimentary rc.firewall script:

    depmod -a
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    iptables -P FORWARD DROP
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

This script does NOT give my other computers access to the internet.

But when I run this script..

    depmod -a
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    iptables -P FORWARD ACCEPT

ALL my boxes on my network can see the internet.

Quite frankly I'm confused by the difference between the two iptables rulesets
above. Also I know that setting my forwarding policy to ACCEPT is insecure, but
I don't understand why (???!!!).

Thanks for any help,
Pete B.

--__--__--

Message: 4
From: Jamin Collins <[EMAIL PROTECTED]>
To: "'Pete B'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: RE: [Masq] Does FORWARDING = MASQUERADING?
Date: Wed, 8 Aug 2001 06:49:07 -0500

Pete B [mailto:[EMAIL PROTECTED]] wrote:
> I have a home network, and one of my boxes
> is a Linux 'gateway' box connected to the internet via
> DSL
> The 'gateway' box runs RedHat 7.1, kernel 2.4.7, and
> iptables 1.2.2
> This 'gateway' box is my default gateway for the other
> boxes on my network.
>
> Following the IP MASQ HOWTO, I created the
> rudimentary rc.firewall script:
>
> depmod -a
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> iptables -P FORWARD DROP
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> This script does NOT give my other computers access to
> the internet.

Nor should it. The problem is with the FORWARD chain (of the filter table)
policy. For MASQ to work, you must allow some form of forwarding as your
traffic must travel from one network to another.

> But when I run this script..
>
> depmod -a
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> iptables -P FORWARD ACCEPT
>
> ALL my boxes on my network can see the internet.

This should not work unless one of the following conditions is true:

- your internal machines have internet routable ip addresses
- this second script is run after the first, but without removing the rules
  created by the first.

> Quite frankly I'm confused by the difference between
> the two iptables rulesets above.
>
> Also I know that setting my forwarding policy to
> ACCEPT is insecure, but I don't understand why
> (???!!!).

A very basic definition of forwarding is that it allows traffic from one
network to another. With a default policy of accept you are doing just that
for everything that hits your box from either inside or outside. Essentially,
you left your front door standing wide open.

Masq'ing does something similar, but in doing so it rewrites portions of the
IP headers (source/destination) so they appear to have come from another
location. Normally, this is used to have internal private ip machines all
appear to come from one public ip address. It can also be used to rewrite the
destination of a packet to, in effect, allow specific traffic coming into the
public ip address to be sent into a private ip addressed machine.
I suggest you take a look at my iptables firewall script
(http://www.asgardsrealm.net/linux/firewall) as the current iptables
instructions in the HOWTOs that I've seen are woefully lacking.

Jamin W. Collins

--__--__--

Message: 5
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Wed, 8 Aug 2001 08:35:51 -0400
Subject: [Masq] non-masquerading router

I currently have a machine running Red Hat 6.2 with 3 NIC cards. eth0 and eth1
are connected to two separate internal networks, while eth2 has an
Internet-reachable IP address. I have successfully implemented masquerading
with ipchains to allow Internet access to both internal networks. However, I
would now like to allow communications between the internal networks (they are
two different subnets, 192.168.0.0/24 and 192.168.1.0/24). How can I use this
machine as a non-masquerading router?

Thanks!
Bob

--__--__--

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://home.indyramp.com/mailman/listinfo/masq
Admin requests handled at the above URL or [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start
your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.

End of Masq Digest
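The virtual-address forwarding Marcos asks about in message 1 and the FORWARD-policy point Jamin makes in message 4, worked through as an added rc.firewall-style script; this is not from the digest, the HOWTO or Jamin's script. Assumed names: ppp0 as the external interface, eth1 as the internal one, 172.16.30.0/24 as the LAN, and the 200.xxx.yyy.* placeholders from message 1 standing in for real public addresses.

```shell
#!/bin/sh
# Added example (not the HOWTO's rc.firewall and not Jamin's script).
# Assumed: external interface ppp0, internal interface eth1, LAN 172.16.30.0/24,
# and the 200.xxx.yyy.* placeholders from message 1 (not real addresses).
# Needs a 2.4 kernel with iptables and the state match, as on RH 7.1.
EXT_IF=${EXT_IF:-ppp0}
INT_IF=${INT_IF:-eth1}
LAN=172.16.30.0/24
# virtual public address -> internal host, as Marcos described
VIP_MAP="200.xxx.yyy.15:172.16.30.1 200.xxx.yyy.20:172.16.30.2 200.xxx.yyy.25:172.16.30.3"

# Prints one command per line; pipe through sh (as root) to apply.
build_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F"
    # Pete's first script stopped here: with policy DROP and no ACCEPT rules
    # nothing is forwarded, so the MASQUERADE rule never sees a packet.
    echo "iptables -P FORWARD DROP"
    # New connections only from LAN to Internet, replies back in. This is
    # what "-P FORWARD ACCEPT" gave away: it forwarded anything arriving on
    # either interface, in either direction, including Internet -> LAN.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE"
    # Virtual addresses: rewrite the destination before routing (DNAT), then
    # open FORWARD only for new connections to that one internal host
    # (add -p/--dport here if only some services should be reachable).
    for pair in $VIP_MAP; do
        vip=${pair%%:*}; host=${pair##*:}
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $vip -j DNAT --to-destination $host"
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $host -m state --state NEW -j ACCEPT"
    done
    # Log what falls through to the DROP policy so misconfigurations are visible.
    echo "iptables -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
}

# If the ISP does not route the virtual addresses to this box but puts them on
# the same link, the box must also answer ARP for them: add them as aliases.
claim_vips() {
    for pair in $VIP_MAP; do
        echo "ip addr add ${pair%%:*}/32 dev $EXT_IF"
    done
}

# APPLY=1 runs the rules; otherwise just print them for review.
if [ "${APPLY:-0}" = 1 ]; then build_rules | sh; else build_rules; fi
```

Run it once without APPLY to review the generated rules, then with APPLY=1 as root; the LOG line is what you watch in syslog when a LAN host cannot reach something.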
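The plain routing between two masqueraded subnets that Bob asks about in message 5, as an added ipchains example that is not part of the digest or the HOWTO. It assumes the layout he describes (eth0 on 192.168.0.0/24, eth1 on 192.168.1.0/24, eth2 towards the Internet) on his Red Hat 6.2 box.

```shell
#!/bin/sh
# Added example for Bob's question in message 5; not from the digest or the
# HOWTO. Assumes his layout: eth0 = 192.168.0.0/24, eth1 = 192.168.1.0/24,
# eth2 = Internet, on a Red Hat 6.2 (2.2 kernel) box using ipchains.
NET_A=192.168.0.0/24
NET_B=192.168.1.0/24
EXT_IF=eth2

# Prints the forward-chain rules, one per line; pipe through sh (as root).
# Order matters: ipchains walks the chain top-down and MASQ is terminal, so
# the plain ACCEPT rules between the two subnets go before any MASQ rule.
build_forward() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "ipchains -F forward"
    echo "ipchains -P forward DENY"
    # routed, not masqueraded: private to private, source addresses kept
    echo "ipchains -A forward -s $NET_A -d $NET_B -j ACCEPT"
    echo "ipchains -A forward -s $NET_B -d $NET_A -j ACCEPT"
    # in the ipchains forward chain -i names the *outgoing* interface, so
    # these masquerade only traffic that is actually leaving for the Internet
    echo "ipchains -A forward -i $EXT_IF -s $NET_A -j MASQ"
    echo "ipchains -A forward -i $EXT_IF -s $NET_B -j MASQ"
}

build_forward
```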
