>IF I UNDERSTAND YOU RIGHT YOU WANT TO MASQUERADE THE INTERNET ON YOUR LAN 
>
>FOR THAT you have to allow masquerading 
>BUT 
>you also have to use your linux box as a gateway for your network address
>( destination) 
>
>this is called source routing and any sane admin, especially big ISPs, are
>for security reasons configured to drop source-routed frames
>
>so for this to work you most likely have to be 0 hops away from the linux
>box
>
>that's all if you have private IPs on your local LAN.
>
>otherwise if they are public then you don't need masq, you can use
>firewalling features just fine
>


No, this isn't source routing.  Masquerade simply lets a Linux box
handle all the conversations with the internet in a very legal, secure
manner, just as a company might have a few public numbers and
lots of private extensions.  All traffic going to the internet carries
the Masq Linux box's ID, and it's up to that Linux box to pass the
return traffic on to the correct internal destination, by keeping track
of port assignments.

You can run various routing protocols internally, including gated,
rip, or just static routes, and you don't have to be within 0 hops
of the Linux box.  The Linux box just has to know how to get to
you.

You should be able to set up rules on the masq box to pass 
certain IP ranges on both sides through without doing masquerading.
However, the external machines will then need to know the route
to the internal machine addresses, something that's not needed
if traffic is Masq'ed.

>
>> Hi all,
>>     I'm looking for some solutions to this problem with IPFWADM.
>>     I have two NICs on a linux machine that act as router and firewall.
>>     eth0 is internal on the network 128.1.1.1 for example, eth1 is
>> external 10.1.1.1.
>>     Well, when I try to reach from a pc on the external network an ip
>> on the internal, and in this case I do not need the masquerade, it acts as
>> for the internet, masquerading the ip of any pc on the eth1.
>> Is it possible to masquerade all the internet 0.0.0.0/0 less than
>> 128.1.1.1? I do not want to reject or deny to this address, it only
>> needs to have a direct connection, without masquerade. The routing table is
>> correct for that ip: the router is not the ppp0 interface but a real gw
>> on the internet.
>> Now I'm trying with the reject, but like I say it is not for my purpose.
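As an added example (not code from anyone in this thread), here is how the "masquerade everything except one directly routed destination" setup from the question can be expressed with ipfwadm forwarding rules. The network values, interface name and the dry-run switch are assumptions for illustration; ipfwadm evaluates forwarding rules in order and the first match decides, so the plain accept rules for the direct path must be appended before the catch-all masquerade rule.

```shell
#!/bin/sh
# Added example: ipfwadm forwarding rules that masquerade all traffic leaving
# the LAN except traffic to one network that is reached through a real gateway.
# Assumed values (not taken from the thread):
IPFWADM="${IPFWADM:-ipfwadm}"   # set IPFWADM=echo for a dry run
LAN_NET="128.1.1.0/24"          # assumed internal LAN behind eth0
DIRECT_NET="10.1.1.0/24"        # assumed network reached without masquerading
EXT_IF="ppp0"                   # assumed interface used for the masqueraded path

set_forward_rules() {
    # Start from an empty forwarding list with a default policy of deny,
    # so anything the rules below do not match is dropped, not forwarded.
    "$IPFWADM" -F -f
    "$IPFWADM" -F -p deny

    # First match wins: the direct path is accepted without masquerading,
    # in both directions, before the masquerade catch-all is consulted.
    "$IPFWADM" -F -a accept -S "$LAN_NET" -D "$DIRECT_NET"
    "$IPFWADM" -F -a accept -S "$DIRECT_NET" -D "$LAN_NET"

    # Everything else leaving the LAN towards 0.0.0.0/0 is masqueraded
    # behind the external interface's address.
    "$IPFWADM" -F -a masquerade -W "$EXT_IF" -S "$LAN_NET" -D 0.0.0.0/0
}

# rule_order prints the commands that would be issued, in order, without
# touching the kernel (runs set_forward_rules with IPFWADM=echo in a subshell).
rule_order() {
    ( IPFWADM=echo; set_forward_rules )
}

# Uncomment to apply for real on the masquerading box (needs root):
# set_forward_rules
```

Run `rule_order` first to confirm the accept rules for the direct network are listed ahead of the masquerade rule before applying the set on a live gateway.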

