ip masquerade???

indy317
03-16-2003, 05:26 PM
I am a newbie. Can anyone help me get started setting up IP masquerade? What I want is to share the connection from my Linux box with my Windows machine. I am using Redhat 8.0 and I have two NIC cards on the Linux box. thankz u everyone

je_fro
03-16-2003, 05:41 PM
If you don't understand the following, post back. I posted this last week................

OK, there's no easy way to explain this. iptables is just a list of rules telling the kernel what to do with each packet it receives off of a network. It could either forward it, or drop it.

I'm assuming your firewall/router's eth0 is connected to the internet, and its eth1 is internal. Also, your internal (hidden) computer is set to have IP=192.168.10.2. eth0 (of the firewall) is DHCP and eth1 (also firewall) is 192.168.10.1.

I don't know where Mandy keeps the iptables script. If it's like RedHat (it should be...I think) you can do this:

1. Copy the following to a text file (named firescript) in /home/you/firescript
2. Make it executable by: chmod 700 firescript
3. Do: sh firescript
4. See if it was loaded by: iptables -L (this prints the rules)
5. If you see rules, do: iptables-save > /etc/sysconfig/iptables

Now make sure that DHCP is good for eth0, IP=192.168.10.1 for eth1 (GW=255.255.255.0, etc...), internal eth0 is 192.168.10.2 (same GW, etc...) and you should be good to roll....

Be sure to check THIS out.

Here's the script: (check for typos...I did it by hand because my firewall is isolated)

    #!/bin/sh
    IPTABLES=/usr/sbin/iptables
    EXT="eth0"   # external interface (internet, DHCP)
    INT="eth1"   # internal interface (192.168.10.1)

    # The external address is dynamic (DHCP)
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # The kernel must route between the interfaces for FORWARD/MASQUERADE to apply
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Default policy DROP on every chain, then flush any old rules
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    # Forwarding: replies may come back in, internal hosts may go out, log the rest
    $IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INT -o $EXT -j ACCEPT
    $IPTABLES -A FORWARD -j LOG

    # Masquerade everything that leaves through the external interface
    $IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

    # Do not answer pings
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    $IPTABLES -A FORWARD -s ! 192.168.10.0/24 -j DROP

    # Traffic to the firewall itself: internal network, loopback, and replies from outside
    $IPTABLES -A INPUT -p ALL -i $INT -s 192.168.10.0/24 -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $INT -d 192.168.10.255 -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Traffic from the firewall itself: loopback and both interfaces
    $IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -o $EXT -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -o $INT -j ACCEPT

    echo " Done loading iptables rules."
    echo " Whew!"

bwkaz
03-16-2003, 09:15 PM
There is also a much simpler (i.e. no actual firewalling) masq'ing script at www.tldp.org in their Simple Masquerading Howto:

http://www.tldp.org/HOWTO/Masquerading-Simple-HOWTO/index.html

But use this masq'ing script instead; it's better on enough fronts that it makes it worth it if you understand it (one such front is that the default policy is DROP on everything; this means you must specifically allow things to go through the firewall).

indy317
03-16-2003, 09:20 PM
Thank you guys, I will try to read all this.
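
The check in step 4 of the thread (confirming the rules really loaded) can be made mechanical. The following is an added example, not part of any post above: it reads `iptables-save` output and reports any deviation from the design the posts describe (DROP policies, masquerading bound to the external interface, only reply traffic forwarded inward). The names `audit_ruleset`, `sample_good` and `sample_bad` are hypothetical, and both rulesets are constructed samples.

```shell
# audit_ruleset EXT_IF: read iptables-save output on stdin, print one line per deviation.
audit_ruleset() {
    awk -v ext="$1" '
        /^\*/ { table = substr($0, 2); next }   # table header: *filter, *nat
        # Policy lines look like ":FORWARD DROP [0:0]"; all three must be DROP.
        table == "filter" && /^:(INPUT|FORWARD|OUTPUT) / {
            if ($2 != "DROP")
                print "policy: " substr($1, 2) " is " $2 ", expected DROP"
        }
        # Masquerading must be bound to the external interface.
        table == "nat" && /^-A POSTROUTING / && / -j MASQUERADE/ &&
        $0 ~ (" -o " ext " ") { masq = 1 }
        # Traffic arriving on the external side may only be reply traffic.
        table == "filter" && /^-A FORWARD / && / -j ACCEPT/ &&
        $0 ~ (" -i " ext " ") {
            if ($0 !~ /--(ct)?state / || $0 ~ /--(ct)?state [A-Z,]*NEW/)
                print "forward: " ext " can open new connections: " $0
        }
        END { if (!masq) print "nat: no MASQUERADE rule on -o " ext }
    '
}
# Constructed sample: the ruleset the script in the thread is meant to produce.
sample_good() {
    cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}
# Constructed sample: same intent, three mistakes.
sample_bad() {
    cat <<'EOF'
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
EOF
}
sample_bad | audit_ruleset eth0
```

On the firewall itself the input would come from `iptables-save | audit_ruleset eth0`, run as root; no output means the loaded rules match the design.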