[plug] IP Chains

Michael Hunt Michael.J.Hunt at usa.net
Thu Dec 23 23:06:31 WST 1999


> Michael Hunt wrote:
> > Mike's Quick and dirty guide to IP masquerading
> >
> > 1. Turn on IP forwarding. You can do this through most distros' control
> > panel app (at least under RedHat) or by echoing a 1 to the relevant proc
> > file (the name surpasses me at the moment).
>
> It's been posted to the list before in this thread. :)

Yep, seen it and would have said the same, but I think everyone on this list
knows how to use the mailing list search feature that Tony has done *grin*

> > 2. Put the following in your rc.local file, changing your internal
> > network numbers where appropriate. This also adds some extra modules for
> > a couple of other services. On most distros you don't need to recompile
> > your kernel as most already have the support in (at least most of the
> > RedHat based ones do).
>
> In Debian you could put these in /etc/rc.boot/ipmasq (or appropriate
> name) or you could just set it up properly to execute at the appropriate
> runlevel which might be wise if you were setting up proper firewall
> rules to protect the machine in which case you might want to run these
> before bringing up the appropriate interface(s).

I actually created a file called rc.firewall, but rc.local is just as good.

> > ipchains -F
> > ipchains -P forward DENY
> > ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
> > modprobe ip_masq_ftp
> > modprobe ip_masq_irc
> > modprobe ip_masq_raudio
> > modprobe ip_masq_quake
>
> Loading all those modules is unnecessary.  For example, a lot of people
> don't use irc, real audio, quake...  Better to let the kernel load them
> automatically as appropriate.

I use them, so that's why they are there. Also the machine has 96 meg of RAM
and only manages my ISP connection, so I don't really see kernel bloat being
an issue.

> > 3. Restart your computer if you want to confirm that these changes will
> > take effect after a reboot.
> > (Anyone who wants to flame more for the above, read my qualification first
> > OK).
>
> Well, I don't really see a reason for it but in some *rare*
> circumstances a reboot *might* be appropriate.  I suppose if it makes
> Windows people feel happier about things then it's worth it. :-)

Like I said, read my qualification. You don't need to reboot to make this
happen, only if you want to confirm that the commands you placed in your
relevant rc file will work after a reboot. Most of us are only human and do
make typos in files and other mistakes etc. The only way to make sure
something is going to work after a reboot is to do one.

My reasoning also is that most "home users" aren't like techs who consider
days of uptime to be something very important. Rather they shut down and
restart their computers in order to save power costs etc. Testing the
machine by rebooting is only going to be of benefit to them because their
next obvious question would otherwise be something like:

	I rebooted my machine and now abc doesn't work.

> > It seems weird that they did not put the ipchains/ipfwadm lines in. I
> > suppose firewalling doesn't require you to have any rules, but then is it
> > really firewalling if you don't ????
>
> I don't think what's listed on that web page will work... as far as I'm
> aware you *do* need to explicitly request the machine to start NATing
> packets from a given address/interface. If anyone can confirm there is a
> situation where it does happen automatically then that would be
> interesting to hear about...
>
> As for Bret's question, IP forwarding is forwarding of IP packets --
> which I'm sure is properly explained in the appropriate HOWTOs.
>
> Regards,
>
> Christian.
>
>
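As an added example, not part of Mike's guide or anything posted in the thread, here is the three-step setup carried through as a single rc.firewall script for a 2.2 kernel. The proc file the guide could not name is /proc/sys/net/ipv4/ip_forward. The script adds one rule beyond the guide: packets arriving on the ISP-facing interface that claim an internal source address are denied and logged, since nothing on the ISP side can legitimately carry a 192.168.1.x source. It also has a dry-run mode so the rule set can be reviewed (and checked on a machine without ipchains) without rebooting. EXT_IF, INT_NET, DRY_RUN and the helper function names are assumptions made up for this example; the ipchains and modprobe invocations are the ones from the thread.

```shell
#!/bin/sh
# rc.firewall: example ipchains masquerading script (added example, not from the thread).
# EXT_IF, INT_NET, DRY_RUN and the helper functions are constructed for this example.

EXT_IF="${EXT_IF:-ppp0}"               # assumed: the interface facing the ISP
INT_NET="${INT_NET:-192.168.1.0/24}"   # internal network used in the thread
MASQ_MODULES="ip_masq_ftp ip_masq_irc ip_masq_raudio ip_masq_quake"

# run CMD...: execute the command, or print it when DRY_RUN is set, so the
# resulting rule set can be reviewed before it is ever applied.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: IP forwarding is switched on through /proc/sys/net/ipv4/ip_forward.
enable_forwarding() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Step 2: the rules. Forwarding is denied by default, only the internal
# network is masqueraded (masquerading does not happen without this rule),
# and spoofed packets claiming an internal source on the external interface
# are denied and logged (-l) so they show up in the kernel log.
apply_rules() {
    enable_forwarding
    run ipchains -F
    run ipchains -P forward DENY
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    run ipchains -A forward -s "$INT_NET" -d 0.0.0.0/0 -j MASQ
    for m in $MASQ_MODULES; do
        run modprobe "$m"
    done
}

# Step 3 without the reboot: show the forwarding flag and the forward chain
# as the kernel currently has them.
show_state() {
    cat /proc/sys/net/ipv4/ip_forward
    ipchains -L forward -n
}

# Usage: rc.firewall start | dry-run | status
case "${1:-}" in
    start)   apply_rules ;;
    dry-run) DRY_RUN=1; apply_rules ;;
    status)  show_state ;;
esac
```

Running `sh rc.firewall dry-run` prints every command the script would issue, which is the cheap way to catch the typo in an rc file before the reboot that would otherwise reveal it; `sh rc.firewall status` then confirms what the running kernel actually has loaded.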
