/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */
Hmm, thinking further on this. Why is it that the firewall script needs
to be re-run every time the PPP interface changes its IP? Is it really
necessary for the IP of the firewall to be coded into its ruleset?
For normal forwarding rules, the interfaces are generally all you need
in order to determine which direction traffic is flowing. Instead of
using
iptables -s $UNIVERSE -d $MY_IP -p udp --dport 53 -j ACCEPT
one could simply use an interface name, such as
iptables -i ppp0 -p udp --dport 53 -j ACCEPT
The fact that the packet came in the ppp0 interface tells you that it's
external traffic. There's no need to actually check the IP.
In fact, in my own script, I only have one instance where my IP
absolutely must appear: in the section where I source-NAT connections
out of my internal network.
In that case alone, the IP address must be given in the "--to <IP>"
section of the command. However, if you have a dynamic IP, you can use
the "MASQUERADE" target instead of the "SNAT" target, and thus avoid
having to specify the IP at all.
In my current configuration, the SNAT target makes more sense, because I
have a static IP. However, in the case of a dynamic IP it seems to make
more sense to use the MASQ target instead.
So I think it behooves you to determine why your script contains
the IP of your external interface, and why it is required at all.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Good judgment comes from experience.
sometimes known as David DeSimone || Experience comes from bad judgment."
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
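As an added example (not part of the original post or of the list's material), the approach described above as a small iptables script: every filter rule is keyed on the interface name rather than on the firewall's own address, and source NAT uses SNAT only when STATIC_IP is set and MASQUERADE otherwise, so nothing has to be re-run when ppp0 renumbers. The interface names, the LAN prefix and the IPT variable (which defaults to echo so the ruleset can be reviewed as a dry run without root) are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Interface-keyed ruleset that
# never embeds the external address, so a ppp0 renumbering does not
# require re-running it. IPT defaults to "echo iptables" for a dry run;
# run with IPT=iptables (as root) to apply the rules for real.
EXT_IF="${EXT_IF:-ppp0}"                 # assumed external interface
INT_IF="${INT_IF:-eth0}"                 # assumed internal interface
LAN="${LAN:-192.168.1.0/24}"             # constructed example LAN
IPT="${IPT:-echo iptables}"

reset_tables() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

# Direction is decided by -i / -o, not by -s / -d on the firewall's IP.
filter_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The single place an address could be needed: source NAT for the LAN.
# With a static address SNAT --to-source is exact; with a dynamic one,
# MASQUERADE looks up the interface's current address for each packet.
nat_rules() {
    if [ -n "$STATIC_IP" ]; then
        $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" \
            -j SNAT --to-source "$STATIC_IP"
    else
        $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    fi
}

reset_tables
filter_rules
nat_rules
```

Run it once as a dry run to read the generated rules, then with IPT=iptables (and STATIC_IP set only if the link really has a fixed address) to load them.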