/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */

At 03:01 20/08/99 -0700, you wrote:
>
>Send Masq mailing list submissions to
>	[EMAIL PROTECTED]
>
>To subscribe or unsubscribe via the web, visit
>	http://tiffany.indyramp.com/mailman/listinfo/masq
>or, via email, send a message with subject or body 'help' to
>	[EMAIL PROTECTED]
>You can reach the person managing the list at
>	[EMAIL PROTECTED]
>
>When replying, please edit your Subject line so it is more specific than
>"Re: Contents of Masq digest..."
>
>
>This is the Linux IP Masquerading mailing list digest. To unsubscribe,
>change to realtime distribution, or adjust your other list options, visit
>the web page at
>
>http://tiffany.indyramp.com/mailman/listinfo/masq
>
>
>
>Today's Topics:
>
>  1. Re: Masqing to/from multiple "real" IP addresses (Ron Watkins)
>  2. Re: Masqing to/from multiple "real" IP addresses (John D. Hardin)
>  3. Re: Secure Web site access (William R McLain)
>
>--__--__--
>
>Message: 1
>From: "Ron Watkins" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: Re: [Masq] Masqing to/from multiple "real" IP addresses
>Date: Thu, 19 Aug 1999 20:26:29 -0700
>
>
>As long as we're on this subject, I have a related question. Is it
>possible to do NAT from a *pool* of external addresses? I have five
>external IPs, and I'd like to use my masqing firewall to allow multiple
>people behind the firewall to connect to games that aren't necessarily all
>that NAT-friendly. (Many games require specific ports to be free.) If
>the external masqing drew from a pool of available addresses, that would be
>just about perfect. I don't need 1-1 mappings (though that would be nice
>as an option), but having it use as many IPs as possible would tend to make
>things work better for NAT... I think.
>
>However, in looking, I don't think this was in the spec at all, and, like
>the poster below, I don't think this will work with Linux in its present
>form. Maybe with 2.4. :-)
>
>I think Checkpoint's Firewall-1 will do this, but I don't really want to
>spend five thousand dollars so I can play games properly. :)
>
>I really don't understand why someone doesn't come out with a friendly,
>cheap firewall. Checkpoint could make a bloody killing selling to people
>like me... techies with a clue but without five grand to spend on security.
>I'd spend $250 for a stateful inspection, multiple-external-address NAT
>that dealt fairly well with games... and I bet I'm not the only one!
>
>I'd buy more than one, too -- I'd buy at least 10. We have lots of
>employees that would like to telecommute. I'd be willing to settle for two
>incidents of support, and would be willing to pay for anything past two.
>
>*sigh* Hopefully someone out there will get a clue. *hint hint* Maybe
>Linux will grow into this area someday. sifi looks pretty cool, but it
>doesn't do masq.
>
><<RON>>
>
>----- Original Message -----
>From: Alan Izzo <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Thursday, August 19, 1999 10:26 AM
>Subject: [Masq] Masqing to/from multiple "real" IP addresses
>
>
>>
>> Hi all -
>>
>> I have a question regarding the use of IPMASQ/PORTFW in a rather
>> unconventional manner... I have not looked at the code or tried to play
>> around with configuring it to do what I am trying to do as I don't
>> really think it will work, so I wanted to bounce it off you all first
>> and get your thoughts...
>>
>> I have made a feeble attempt at drawing what I want to do below. What I
>> have is a masq box with 3 Ethernet interfaces (2 local and 1 to the
>> Internet via a cable modem). With standard masq all of the traffic
>> to/from the local networks gets translated into the single IP address of
>> the interface that is connected to the cable modem (1.2.3.4 in my
>> picture).
>>
>> However, in my perverse model I want to have each internal network
>> (192.168.0.x and 192.168.1.x in the picture) masq'ed to its own
>> different global IP address that has been assigned by my cable modem ISP
>> (say, in my picture below, the ISP provided me with a block of 3 "real"
>> IP addresses 1.2.3.4, 1.2.3.5 and 1.2.3.6). I would like to have all
>> the traffic coming to/from the 192.168.0.x network masq'ed to the IP
>> address 1.2.3.5 and all of the traffic coming to/from the 192.168.1.x
>> network masq'ed to 1.2.3.6. Can I do this with the current masq code (I
>> am running on RedHat 5.2, Linux 2.0.36)? If so, how do I configure it,
>> and can the port forwarding code handle this configuration as well (i.e.
>> can I forward port 80 on IP address 1.2.3.5 to 192.168.0.2 port 80 AND
>> forward port 80 on 1.2.3.6 to 192.168.1.2 port 80)?
>>
>> If masq/portfw can not do what I am trying to accomplish, do you all
>> know of a way I can do it (i.e. another Linux feature like masq but
>> different) that would allow me to accomplish this?
>>
>>
>>
>>   +----------+
>>   |          |  Ethernet
>>   | A0-box   |:::::: 192.168.0.x
>>   |          |.2   :
>>   +----------+     :
>>                    :      +----------+
>>                    : .1   | Linux    |  Ethernet    +-------+
>>                    :::::::| Masq-Gate|::::::::::::::| Cable |::: Internet
>>   +----------+     :      |          |              | Modem |
>>   |          |     :      +----------+              +-------+
>>   | B0-box   |::::::           : .1     1.2.3.4
>>   |          |.3               :
>>   +----------+                 :  Ethernet
>>                                :  192.168.1.x
>>                                :
>>                                :
>>                  ::::::::::::::::::::::::::::::
>>                  :                            :
>>                  : .2                         : .3
>>            +----------+                 +----------+
>>            |          |                 |          |
>>            | A1-box   |                 | B1-box   |
>>            |          |                 |          |
>>            +----------+                 +----------+
>>
>>
>> Thanks a lot for any help, ideas, comments etc.!
>>
>> Alan
>>
>> --
>> Alan Izzo
>> High Beam Software, Inc.
>>
>> E-Mail: [EMAIL PROTECTED]
>>
>>
>
>
>
>--__--__--
>
>Message: 2
>Date: Thu, 19 Aug 1999 21:32:17 -0700 (PDT)
>From: "John D. Hardin" <[EMAIL PROTECTED]>
>To: Ron Watkins <[EMAIL PROTECTED]>
>Cc: [EMAIL PROTECTED]
>Subject: Re: [Masq] Masqing to/from multiple "real" IP addresses
>
>
>On Thu, 19 Aug 1999, Ron Watkins wrote:
>
>> As long as we're on this subject, I have a related question. Is it
>> possible to do NAT from a *pool* of external addresses? I have five
>> external IPs, and I'd like to use my masqing firewall to allow
>> multiple people behind the firewall to connect to games that aren't
>> necessarily all that NAT-friendly. (Many games require specific
>> ports to be free.) If the external masqing drew from a pool of
>> available addresses, that would be just about perfect. I don't need
>> 1-1 mappings (though that would be nice as an option), but having it
>> use as many IPs as possible would tend to make things work better
>> for NAT... I think.
>
>You should be able to do this if you get the source-routing hack
>(sorry, no pointers - try the Shaper HOWTO) and preassign traffic from
>certain masqueraded hosts to go out specific interfaces. Normal masq
>would work; the difficult part is telling the kernel which interface
>to use to route particular traffic.
>
>--
> John Hardin KA7OHZ                               [EMAIL PROTECTED]
> pgpk -a finger://gonzo.wolfenet.com/jhardin      PGP key ID: 0x41EA94F5
> PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
>-----------------------------------------------------------------------
> Monty Python's Star Trek Voyager:
>   A successful trans-warp experiment turns Paris and Janeway into
>   newts, but they get better.
>   ...wait a minute... It's already been done...
>-----------------------------------------------------------------------
> Tomorrow: A Civil Conflict is released
>
>
>
>--__--__--
>
>Message: 3
>Date: Thu, 19 Aug 1999 23:09:09 -0700
>To: [EMAIL PROTECTED]
>From: William R McLain <[EMAIL PROTECTED]>
>Subject: [Masq] Re: Secure Web site access
>
>
>Thanks, that worked. I added https port 443 to my /etc/services and added
>the https protocol to my firewall scripts. Everything seems to work now.
>
>At 08:08 PM 8/19/99 -0700, [EMAIL PROTECTED] wrote:
>
>>Message: 13
>>From: "Ron Watkins" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Subject: Re: [Masq] Secure Web site access
>>Date: Thu, 19 Aug 1999 20:08:28 -0700
>>
>>
>>I believe the http secure port (https) is 443. You can check your
>>/etc/services file to confirm this. Are you allowing both inbound and
>>outbound 443? If your firewall isn't explicitly allowing this port, https
>>transfers will fail, AFAIK.
>>
>
>
>--__--__--
>
>_______________________________________________
>Masq maillist - [EMAIL PROTECTED]
>http://tiffany.indyramp.com/mailman/listinfo/masq
>Admin requests handled at the above URL or [EMAIL PROTECTED]
>
>End of Masq Digest
>

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
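The digest leaves Alan's per-network masquerading question and Ron's address-pool question open, and John Hardin points at a source-routing hack. On kernels with netfilter (2.4 and later, as Ron guessed) the same result comes from source NAT rules keyed on the inside network rather than from routing, and the port forwards Alan asks about are per-address destination NAT rules. The script below is an added example written for this page, not code from any of the list posts: the public block 1.2.3.4-6, the inside networks and the web hosts 192.168.0.2 and 192.168.1.2 come from Alan's diagram; the interface names eth0/eth1/eth2, the /32 secondary addresses, the default-drop forwarding policy and the DRY_RUN switch are assumptions. It also folds in the point from Message 3: the stateful filter has to admit outbound 443 before HTTPS from the inside works, and iptables, like the old tools, accepts the service names from /etc/services in place of port numbers.

```shell
#!/bin/sh
# Added example (editor's code, not from the list posts): per-network
# source NAT, per-address port forwards and a stateful filter for the
# three-interface masq gateway in Alan Izzo's diagram, using iptables on
# a netfilter kernel.  Interface names and host roles are assumptions.

WAN=eth0    # assumed: towards the cable modem, carries 1.2.3.4 plus .5 and .6
LAN0=eth1   # assumed: 192.168.0.0/24 segment (A0-box .2, B0-box .3)
LAN1=eth2   # assumed: 192.168.1.0/24 segment (A1-box .2, B1-box .3)

# Execute the given command, or with DRY_RUN=1 just print it, so the
# resulting ruleset can be reviewed on a box without root or iptables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The extra public addresses must be configured on the WAN interface so
# the gateway answers ARP for them; NAT rules alone do not do that.  They
# are added as /32 host addresses; 1.2.3.4 already carries the subnet route.
wan_addresses() {
    for a in 1.2.3.5 1.2.3.6; do
        run ip addr add "$a/32" dev "$WAN"
    done
}

nat_rules() {
    run iptables -t nat -F
    # Source NAT: each inside network leaves as its own public address.
    # Plain MASQUERADE would rewrite everything to 1.2.3.4 instead.
    run iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o "$WAN" -j SNAT --to-source 1.2.3.5
    run iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o "$WAN" -j SNAT --to-source 1.2.3.6
    # Ron's pool question: --to-source also takes a range such as
    #   --to-source 1.2.3.4-1.2.3.6
    # and netfilter then maps inside hosts across those addresses.
    # Destination NAT: port 80 on each public address goes to a different inside host.
    run iptables -t nat -A PREROUTING -i "$WAN" -d 1.2.3.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
    run iptables -t nat -A PREROUTING -i "$WAN" -d 1.2.3.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
}

filter_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Stateful part: replies to connections the firewall has already seen.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Outbound web from both segments.  443 has to be listed explicitly
    # (Message 3); "--dports http,https" would also work, because iptables
    # resolves service names through /etc/services.
    for lan in "$LAN0" "$LAN1"; do
        run iptables -A FORWARD -i "$lan" -o "$WAN" -p tcp -m multiport --dports 80,443 \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Inbound to the two forwarded web servers.  FORWARD runs after
    # PREROUTING, so it matches on the translated inside addresses.
    run iptables -A FORWARD -i "$WAN" -o "$LAN0" -d 192.168.0.2 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN1" -d 192.168.1.2 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

# usage:  sh masq-gate.sh show    (print the rules)
#         sh masq-gate.sh apply   (as root, on the gateway)
case "${1:-}" in
    show)  DRY_RUN=1; wan_addresses; nat_rules; filter_rules ;;
    apply) run sysctl -w net.ipv4.ip_forward=1; wan_addresses; nat_rules; filter_rules ;;
    *)     : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run it with `show` first and read the output: the two SNAT lines are the whole answer to Alan's question, and the PREROUTING DNAT lines plus their matching FORWARD accepts are the per-address port forwards. Nothing here needs the source-routing hack, because netfilter decides the outside address per rule rather than per outgoing interface.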
