Hi,

This is a bit of a newbie question - so please bear with me.

I've been poking around David Ranch's "Linux IP Masquerade HOW TO". His latest version covers some 2.4 information, however the rc firewall examples from http://www.e-infomax.com/ipmasq/ cover only ipchains.

Consequently, I have followed the ipchains instructions and in /etc/sysconfig/ipchains - I added a masquerade line at the end - the ipchains file is as follows:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
-A input -s 28.9.207.181 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT

The masquerading seems to work fine with a win98 box that I'm hooking on the internal network. Still - I can't help but feel that my config is vulnerable to masq type spoofing, etc...

Consequently, I was wondering:

1. Have I weakened the ipchains significantly by adding the MASQ line?
2. Is there a good iptables config HOWTO that would include masquerading in it?
3. My employer uses RSA's secureremote to allow employees to VPN into the network - this doesn't work anymore - how would I troubleshoot this - or are there any good docs that cover this kind of thing?

I'd appreciate any and all info.

El