I hope you will forgive me. This is not an answer to your question but simply a 
restatement of a fact that caused me to lose a lot of time. Most of that time was 
learning how to configure kernels and run ipchains, which is worthwhile and good to 
know. Only it wasn't needed for what I was trying to accomplish when I started. 

If you simply want to provide web access through a proxy-server you don't need to 
masquerade! Unless you are very careful and know what you're doing, masquerading is 
less secure than letting the proxy server handle it. 

Let's say squid is running on a machine with address 198.198.198.198 (this is a 
made-up valid address - but I didn't want to use a vpn address). Then let's say you also 
have 220 machines using 192.168.1.2 to 192.168.1.222. As long as they can see the 
proxy server and the proxy server can go out, you don't need to masquerade. 

If you want security, don't masquerade. If you don't masquerade the only way to go out 
is through the proxy server, which logs what happens. If you do masquerade then anyone 
taking over a machine not only takes over the machine but can get out on the Internet 
while you're masquerading their packets. It is hard to telnet to port 25 on a distant 
machine through squid, but easy through most masquerade setups where someone just 
typed in the samples from the how-to.


At 08:23 AM 3/18/99 -0800, you wrote:
>I work for a school district. I have a few Linux machines in high 
>schools using IP masquerading to increase the number of internet 
>accesses available. I've now just set up a Squid-Linux for http-ftp 
>caching at one site. I'd like to use one cpu to do both Squid and IP 
>masquerading. It seems that that could work but I'd love to hear 
>back from someone who has it working and any tips he/she might 
>send along. Thanks in advance, Ashe Coutts


--
Josh Kuperman        Saratoga Springs Public Library
[EMAIL PROTECTED]   49 Henry St  
518.584.7860x211     Saratoga Springs, NY 12866
http://www.library.saratoga.ny.us 
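
The message's point that the proxy "logs what happens" can be put to work directly. The following is an added example, not part of the original message: a Python script that reads Squid's native access.log format and lists CONNECT requests to ports other than the usual SSL ones, such as the port 25 case mentioned above. The log lines, host names and the allowed-port set are constructed assumptions.

```python
from collections import defaultdict

# Assumption: ports the proxy is expected to tunnel with CONNECT (https, nntps).
ALLOWED_CONNECT_PORTS = {443, 563}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
921774180.123    240 192.168.1.17 TCP_MISS/200 4512 GET http://www.example.org/ - DIRECT/www.example.org text/html
921774195.456      3 192.168.1.40 TCP_DENIED/403 1021 CONNECT mail.example.net:25 - NONE/- -
921774201.789   1800 192.168.1.17 TCP_MISS/200 9120 CONNECT secure.example.org:443 - DIRECT/secure.example.org -
921774230.004      2 192.168.1.40 TCP_DENIED/403 1019 CONNECT mail.example.net:25 - NONE/- -
921774260.310  60211 192.168.1.99 TCP_MISS/200 733 CONNECT host.example.com:23 - DIRECT/host.example.com -
"""

def parse_line(line):
    """Split one native-format line into the fields the audit needs."""
    fields = line.split()
    if len(fields) < 7:
        return None  # truncated or foreign line
    code, _, status = fields[3].partition("/")
    return {"client": fields[2], "code": code, "status": status,
            "method": fields[5], "url": fields[6]}

def connect_port(url):
    """CONNECT targets are logged as host:port; return the port or None."""
    _, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def audit(log_text):
    """Map each client to its CONNECT attempts on non-allowed ports."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if connect_port(rec["url"]) in ALLOWED_CONNECT_PORTS:
            continue
        # TCP_DENIED means the proxy's ACLs refused the tunnel.
        verdict = "blocked" if rec["code"] == "TCP_DENIED" else "ALLOWED"
        findings[rec["client"]].append((rec["url"], verdict))
    return dict(findings)

if __name__ == "__main__":
    for client, attempts in sorted(audit(SAMPLE_LOG).items()):
        for target, verdict in attempts:
            print(f"{client} -> {target}: {verdict}")
```

An "ALLOWED" entry means the proxy's access rules let a tunnel through to a non-web port and should be tightened; with masquerading in place the same connection would leave no proxy log entry at all.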
