ipchains
Derek Martin
dmartin at LanCity.COM
Fri Aug 20 15:50:42 EDT 1999
On Fri, 20 Aug 1999, Jerry Feldman {75562} wrote:
> Derek Martin wrote:
>
> > 3.1 Rusty's Three-Line Guide To Masquerading
> >
> > This assumes that your external interface is called `ppp0'. Use ifconfig
> > to find out, and adjust to taste.
> >
> > # ipchains -P forward DENY
> > # ipchains -A forward -i ppp0 -j MASQ
> > # echo 1 > /proc/sys/net/ipv4/ip_forward
> Actually, SuSE sets this up through YaST. There are some variables that one
> needs to set in rc.config. In Tony's case, he has M1X, so he has 2 ethernet
> cards. I'll send my SuSE config when I get home.
I have no idea what M1X is, but the same principle applies. I have a
MediaOne cable modem connected to my eth1 interface and my LAN is on my
eth0, so I would substitute eth1 (Forward chain rules use the destination
interface, not the source interface) for ppp0... except that I'm doing a
whole lot more filtering than that. I also use a rule to deny stuff
instead of setting the policy, because it seems you can't log packets that
are denied by the policy. So, briefly, I would do:
ipchains -A forward -i eth1 -p all -j MASQ
ipchains -lA forward -p all -j DENY
The -p all is optional, and indicates all protocols (TCP, UDP, ICMP).
The -l logs the matching packets to syslog. THIS CAN GET MESSY! It's
probably not too bad here though.
I actually prefer to use source addresses, since I find it less ambiguous.
For example, if you are using private address space of 192.168.1.X for
your lan, the command would look like this:
ipchains -A forward -s 192.168.1.0/24 -p all -j MASQ
Derek D. Martin | UNIX System Administrator
derek at netria.com | dmartin at lancity.com
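The rule set Derek describes, collected into one script as an added example (this is not Derek's or SuSE's own configuration). It combines his two variants, matching on the LAN source subnet and the external interface, puts the logging DENY rule last so that the chain policy never silently drops anything, and refuses non-private source ranges so a typo cannot masquerade the whole Internet. The LAN_NET and EXT_IF parameters and the DRY_RUN switch are assumptions for this example; ipchains itself is the 2.2-kernel tool from the post, so the script prints the commands unless DRY_RUN is set to 0 and it is run as root.

```shell
#!/bin/sh
# Added example: build the ipchains masquerading rules from the post.
# Assumed parameters: LAN_NET (private CIDR) and EXT_IF (outside interface).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

DRY_RUN=${DRY_RUN:-1}

# Echo a command in dry-run mode, otherwise run it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only RFC 1918 ranges as the LAN to masquerade; anything else is
# almost certainly a mistake and would NAT traffic that is not ours.
is_private_cidr() {
    case $1 in
        10.*/*)                  return 0 ;;
        192.168.*/*)             return 0 ;;
        172.1[6-9].*/*)          return 0 ;;
        172.2[0-9].*/*)          return 0 ;;
        172.3[01].*/*)           return 0 ;;
        *)                       return 1 ;;
    esac
}

# masq_rules LAN_NET EXT_IF
# Forward chain: default DENY, masquerade only LAN-sourced packets leaving
# via EXT_IF, then a final logging DENY (the -l flag) so denied packets show
# up in syslog, which the bare policy does not do.
masq_rules() {
    lan_net=$1
    ext_if=$2
    if [ -z "$lan_net" ] || [ -z "$ext_if" ]; then
        echo "usage: masq_rules LAN_NET EXT_IF" >&2
        return 2
    fi
    if ! is_private_cidr "$lan_net"; then
        echo "refusing to masquerade non-private range $lan_net" >&2
        return 1
    fi
    run ipchains -F forward
    run ipchains -P forward DENY
    # -i on the forward chain is the interface the packet goes OUT of.
    run ipchains -A forward -s "$lan_net" -i "$ext_if" -p all -j MASQ
    run ipchains -lA forward -p all -j DENY
    enable_forwarding
}

# Turn on routing between interfaces; without this the kernel never
# consults the forward chain for packets from the LAN.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Usage (dry run): ./masq.sh 192.168.1.0/24 eth1
if [ "$#" -eq 2 ]; then
    masq_rules "$1" "$2"
fi
```

Run it first with the default DRY_RUN=1 and read the printed rules; rerun with DRY_RUN=0 as root only once they look right. Keep Derek's warning in mind: the logging DENY rule will write a syslog line for every dropped forwarded packet, which is fine on a home link but can fill logs quickly on a busy one.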