l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2002 Mar 15 05:45

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Re: Masquerading
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Re: Masquerading

On Thu, 14 Mar 2002, Peter Jay Salzman wrote:

> martyn,
> it's been a long while since i've done masquerading by hand (how
> embarrasing!) but off the top of my head, do this:

Been awhile for me too... :)  scripts spoil me.... even ones I have

> on linux:
> point your DNS to your ISP's DNS servers (/etc/resolv.conf)
> # bring up the interfaces
> ifconfig eth0 external-ip up
> ifconfig eth1 up
> # set up routing
> route add default gateway your-ISP-gateway
> # set a default policy for the forwarding chain
> /sbin/ipchains -P forward DENY
> # enable the masquerading
> echo "1" > /proc/sys/net/ipv4/ip_forward

> # do the masquerading
> /sbin/ipchains -A forward -s -j MASQ -i eth0
> /sbin/ipchains -A forward -s -j MASQ -i eth0

This looks like it will work, but I'll throw in some comments

a) this masquerades exactly two internal machines out the door. To masq
   all computers on your internal network, use
     /sbin/ipchains -A forward -s -j MASQ -i eth0
   which says any ip beginning with 192.168.0 can get out.

b) note that each ipchains command is incremental... if you don't
   get it right the first time, you will need to remove your
   mistake from the ruleset.  I find the easiest way is to edit
   a script that clears the whole thing and builds the whole
   ruleset from scratch, so you know every rule is in the right

In a more general vein...

c) I highly recommend the use of a firewall script.  ADSL means
   you are subject to continuous bombardment.  I don't know
   anything about "Firestarter", but you need something.
   Seawall (kernel 2.2), Shorewall (kernel 2.3), and rcf (I think
   2.2) seem to be well regarded.  I use a custom one I modified off the

d) Don't ever let anyone telnet into your machine... disable
   all external access via telnet, because it can be
   sniffed.  Use ssh instead... preferably protocol version
   2 or better (OpenSSH 3.1p1 or better).  I actually think
   the telnet daemon should be turned off... ssh is more convenient
   even within your LAN.

e) Be sure to understand every service you allow the outside
   world to use.  In particular, be careful of any CGIs you
   allow to be enabled in a web server.

> on windows:
> point your DNS at your ISP's DNS servers
> use as your gateway.
> (i don't use windows, so i don't know how you do this)
> i've cc'd vox-tech just in case i screwed up.  i'm sure someone will
> correct me in minutes.   :-)
> btw, vox-techers, please cc this guy since he's not on the mailing list.
> if you use linux, please consider coming to our meetings.
> www.lugod.org.  we gladly accept donations to help fund demos,
> installfests and our lending library.
> pete
> begin Martyn R Whittaker <martyn.whittaker@virgin.net> 
> > Dear Root,
> > 
> > I wonder if any of your members would like to do a one or two hours
> > of consulting for me?
> > 
> > I have set up RedHat Linux 7.2 on my qateway machine at home which
> > contains 2 ethernet cards that seem to be loading up and working fine.  
> > Eth0 is connected to static IP address (ADSL) and Eth1( is
> > connected to my home network of 2 Windows PCS ( and
> >
> > 
> > I have tried using the Firestarter firewall and also setting up a
> > simple forwarding and masquerading firewall so that I can access the
> > Internet, email etc from my client PCs but without success.  Pinging
> > works fine.
> > 
> > I suspect someone who knows what they are doing could telnet on to
> > my machine or come round and sort this really quickly.
> > 
> > I wonder if you could ask your members if anyone would be interested?
> > 
> > Regards
> > 
> > Martyn R. Whittaker
> > 317 Encina Ave., Davis, CA 95616 USA
> > p. +1 530 756 2867  f. +1 253 498 9591  m. +1 916 813 7061

Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k

vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.