[plug] IP Chains

Christian christian at global.net.au
Thu Dec 23 09:15:24 WST 1999


Michael Hunt wrote:
> Mike's quick and dirty guide to IP masquerading
> 
> 1. Turn on IP forwarding. You can do this through most distros' control
> panel app (at least under RedHat) or by echoing a 1 to the relevant proc file
> (the name surpasses me at the moment).

It's been posted to the list before in this thread. :)

> 2. Put the following in your rc.local file, changing your internal
> network numbers where appropriate. This also adds some extra modules for a
> couple of other services. On most distros you don't need to recompile your
> kernel as most already have the support in (at least most of the RedHat based
> ones do)

In Debian you could put these in /etc/rc.boot/ipmasq (or appropriate
name) or you could just set it up properly to execute at the appropriate
runlevel which might be wise if you were setting up proper firewall
rules to protect the machine in which case you might want to run these
before bringing up the appropriate interface(s).

> ipchains -F
> ipchains -P forward DENY
> ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
> modprobe ip_masq_ftp
> modprobe ip_masq_irc
> modprobe ip_masq_raudio
> modprobe ip_masq_quake

Loading all those modules is unnecessary.  For example, a lot of people
don't use irc, real audio, quake...  Better to let the kernel load them
automatically as appropriate.

> 3. Restart your computer if you want to confirm that these changes will take
> effect after a reboot.
> (Anyone who wants to flame more for the above read my qualification first
> OK).

Well, I don't really see a reason for it but in some *rare*
circumstances a reboot *might* be appropriate.  I suppose if it makes
Windows people feel happier about things then it's worth it. :-)

> It seems weird that they did not put the ipchains/ipfwadm lines in. I
> suppose firewalling doesn't require you to have any rules, but then is it
> really firewalling if you don't ????

I don't think what's listed on that web page will work... as far as I'm
aware you *do* need to explicitly request the machine to start NATing
packets from a given address/interface. If anyone can confirm there is a
situation where it does happen automatically then that would be
interesting to hear about...

As for Bret's question, IP forwarding is forwarding of IP packets --
which I'm sure is properly explained in the appropriate HOWTOs.

Regards,

Christian.
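The three steps discussed in this thread (enable forwarding, default-deny the forward chain, masquerade only the internal network), collected into one rc-style script. This is an added example, not code from the thread or from Mike's guide. It assumes a 2.2-era kernel with the ipchains userland, and the internal network 192.168.1.0/24 and external interface ppp0 are placeholders you would replace. It prints the commands by default (DRY_RUN=1) so the rules can be reviewed before they are applied with DRY_RUN=0 as root, e.g. from /etc/rc.boot/ipmasq before the external interface comes up.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes ipchains on a
# 2.2 kernel; INTERNAL_NET and EXTERNAL_IF below are constructed placeholders.
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # placeholder: your LAN
EXTERNAL_IF="${EXTERNAL_IF:-ppp0}"               # placeholder: link to the Internet
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands, 0 = execute

# run: execute a command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_cidr: accept only dotted-quad/prefix, so a typo or a stray argument
# cannot turn the single MASQ rule into something broader. Returns 0 if valid.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/|/*) return 1 ;;
    esac
    ip=${1%/*}; pfx=${1#*/}
    [ "$ip" != "$1" ] || return 1                 # no "/" at all
    [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] || return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# enable_forwarding: step 1, the proc file the original post could not recall
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# masq_rules NET IFACE: step 2. Order matters: flush, set the forward policy
# to DENY, then add the one rule that masquerades packets from NET leaving
# via IFACE (on the forward chain, ipchains -i is the outgoing interface).
# The ip_masq_* helper modules are not loaded here; as noted above, the
# kernel loads them on demand.
masq_rules() {
    net=$1; iface=$2
    valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    enable_forwarding
    run ipchains -F
    run ipchains -P forward DENY
    run ipchains -A forward -i "$iface" -s "$net" -d 0.0.0.0/0 -j MASQ
}

masq_rules "$INTERNAL_NET" "$EXTERNAL_IF"
```

Because the forward policy is DENY, hosts outside 192.168.1.0/24 that reach the box get nothing forwarded, and the MASQ rule is tied to the external interface rather than applying to every path through the machine; no reboot is needed to test it, just run the script and check `ipchains -L forward -n`.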

