[olug] Routing and IPchains and IPmasquerading

Phil Brutsche phil at giedi.obix.com
Thu Sep 6 17:10:38 UTC 2001


A long time ago, in a galaxy far, far away, someone said...

> Hey guys, I was wondering if anyone could give me a tad bit of advice on
> this.  Basically I got an old i586 I'm setting up as a router/firewall
> between my cable modem and my regular machine.  I'm using ipchains (should I
> be using ipchains with 2.4 kernel or should I go for iptables?)

The best for 2.4.x is iptables - ipchains will still work but leads to
performance problems.

> I hooked them together ok, they can ping each other, and I can SSH into the
> gateway from work, then ssh again into the internal pc so the connection is
> ok.

Ok

> My problem is that I can't get the router to masquerade packets from the
> other pc without setting the forward policy to MASQ:
> /sbin/ipchains -P forward MASQ
> If I do that command, everything works fine, but I don't want to just set
> the forward policy to masq and then let it run, I want to just set it up so that
> it will only masq stuff from eth1 but when I try this:
> /sbin/ipchains -A forward -j MASQ -i eth1 -s 192.168.0.0/24
> then it doesn't work.  Any insight on what I'm doing wrong here?  I suppose
> I can just set up the default forward chain to MASQ, but that just doesn't
> sound very secure.

You're right, it's not.  If the forward policy isn't "DENY" or "DROP" then
anyone can get to your private LAN with the right entry in their routing
table.

> I'd rather set it to DENY and then only MASQ packets coming from my
> regular internal machine.

Yes that's what most people do.

> clues, hints, anyone?

If you use these (and only these) lines everything should work fine:

sysctl -w net.ipv4.ip_forward=1                  # turn on IP forwarding
ipchains -A input -j ACCEPT                      # accept everything on the input chain
ipchains -P forward DROP                         # drop anything not explicitly allowed to be forwarded
ipchains -A forward -s 192.168.0.0/24 -j MASQ    # masquerade only traffic from the internal LAN

Or, if you're like me and use iptables these lines will work:

sysctl -w net.ipv4.ip_forward=1                  # turn on IP forwarding
iptables -P INPUT ACCEPT                         # accept everything addressed to the router itself
iptables -P FORWARD DROP                         # drop anything not explicitly allowed to be forwarded
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to connections already allowed
iptables -A FORWARD -m state --state NEW -s 192.168.0.0/24 -j ACCEPT # new connections only from the internal LAN
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE       # masquerade the LAN behind the router's address


Phil
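
As an added example, not part of Phil's message, here is the iptables rule set above as a small POSIX shell script that also binds the rules to the two interfaces the original poster described (eth1 is the internal LAN; the cable-modem side is assumed to be eth0) and drops LAN-addressed packets arriving from the outside, so that nobody can get to the private LAN by spoofing a source address. Interface names and the 192.168.0.0/24 network are placeholders for the poster's setup.

```shell
#!/bin/sh
# Added example (not from the original post). gen_rules prints the iptables
# commands for a masquerading router; apply_rules feeds them to sh -e, which
# needs root and a kernel with iptables, so it is not run here.
#   $1 = external (cable modem) interface, assumed eth0
#   $2 = internal LAN interface, eth1 in the original question
#   $3 = internal network, 192.168.0.0/24 in the original question

gen_rules() {
    wan_if="$1"; lan_if="$2"; lan_net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -i $wan_if -s $lan_net -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan_if -s $lan_net -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
EOF
}
# Notes on the rules gen_rules emits:
#  - FORWARD policy DROP is set before the chains are flushed, so there is
#    no window with an open forward policy while the script re-runs.
#  - The flush (-F) makes the script safe to re-run without duplicating rules.
#  - Packets claiming a LAN source but arriving on the WAN side are dropped
#    before the stateful rules see them (anti-spoofing).
#  - NEW connections are accepted only when they come in on the LAN
#    interface AND carry a LAN source address, which is what the poster's
#    "-i eth1 -s 192.168.0.0/24" rule was meant to do.
#  - MASQUERADE is tied to the WAN interface (-o) so LAN-to-router traffic
#    is never rewritten.

# Apply the generated commands, stopping at the first failure (root only).
apply_rules() {
    gen_rules "$@" | sh -e
}

# Dry-run helper: number of iptables commands the script would issue.
rule_count() {
    gen_rules "$@" | grep -c '^iptables'
}
```

Run `gen_rules eth0 eth1 192.168.0.0/24` to review the commands, and `apply_rules eth0 eth1 192.168.0.0/24` as root to install them.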

