[SETUP ANSWER] IP forwarding and masquerading

From: Jeremy (jeremy@mail.visi.com)
Date: Wed Jun 30 1999 - 06:39:24 CEST


Hi!

Earlier today I asked a question about how to get IP forwarding
and masquerading working.

Basically, diald works on demand--out of the box. Using the
setup menu which MuLinux provides on the first boot, I
configured most of the system. It did not, however, give
me IP forwarding right away. To do so, I had to set up
custom ipfwadm rules, which I put in my rc.local.

The rules I put in (for network 192.168.2.0) are as follows:

# bring up the LAN interface and its route by hand
ifconfig eth0 192.168.2.254
route add 192.168.2.0 eth0
# masquerade everything from the LAN (192.168.2.0/24) to anywhere
ipfwadm -F -a masquerade -S 192.168.2.0/255.255.255.0 -D 0.0.0.0/0
# block LAN-only services from being forwarded:
# bootp/tftp (67-69), portmap (111), netbios (137-139),
# snmp (161-162), mountd range (635-650), nfs (2049)
ipfwadm -F -a deny -P udp -S 192.168.2.0/24 67:69
ipfwadm -F -a deny -P udp -S 192.168.2.0/24 111
ipfwadm -F -a deny -P tcp -S 192.168.2.0/24 111
ipfwadm -F -a deny -P tcp -S 192.168.2.0/24 137:139
ipfwadm -F -a deny -P udp -S 192.168.2.0/24 137:139
ipfwadm -F -a deny -P udp -S 192.168.2.0/24 161:162
ipfwadm -F -a deny -P udp -S 192.168.2.0/24 635:650
ipfwadm -F -a deny -P udp -S 192.168.2.0/24 2049

I had to manually config my eth0 card, because the cheapo Ethernet
NIC I'm using doesn't like to be configured automatically. I
also added in the route (for the same reason) manually.

The first line sets up masquerading, while the remaining lines
block things which should never be masqueraded, such as NFS, tftp,
netbios, snmp, et al.

Replace 192.168.2.0/24 (or 192.168.2.0/255.255.255.0) with
your own network's IP, and your very own super-secret netmask.

Once you put the above lines in rc.local, MAKE SURE THAT YOU
have the word 'configure' in your local.cnf file in /setup/cnf,
and do a setup -s to save.

Thanks to Jose Nazario, who kept me from riddling the system
with various caliber weapons, and told me which services I
should never forward.

Any corrections and improvements are welcome, and encouraged.

MuLinux has to be the single most impressive Linux dist
I have ever seen. Despite being, oh, about 1/300th the size
of a full Redhat install, MuLinux works better out of the
box and I find it to be more intuitive. Who needs inetd.conf
when you have init?

This config took us about 8 total hours to figure out, ~12
bottles of beer (Leinenkugel's Honey Weiss, Pete's Wicked
Strawberry Blonde, and Leinenkugel's Red), 1 Pizza Hut
New Yorker pizza (1/2 pepperoni, 1/2 sausage), 1 order of
bread sticks (also from Pizza Hut), a total of 6 fingers of
Orkney Islands scotch, every profane word in English and Spanish
which we know, and many sneers and snide comments from my wife.

Enjoy!

Jeremy Anderson
jeremy@visi.com

-- 
"Do you expect me to talk?"
"No Mr. Bond, I expect you to _die_."
---------------------------------------------------------------------
To unsubscribe, e-mail: mulinux-unsubscribe@sunsite.auc.dk
For additional commands, e-mail: mulinux-help@sunsite.auc.dk
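As an added illustration, not part of Jeremy's post, the Python below simulates how a forwarding chain like the one above is evaluated. It assumes ipfwadm's first-match semantics (the first rule that matches a packet decides; confirm against your ipfwadm(8)) and that port numbers following -S restrict the source port, as ipfwadm defines them. It evaluates the rules in the posted order and with the deny rules ahead of the catch-all masquerade rule, and lists rules that an earlier rule shadows, which is the check worth running before trusting a rule set.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                               # "masquerade" or "deny"
    src: ipaddress.IPv4Network                # -S network
    proto: Optional[str] = None               # -P; None matches any protocol
    sports: Optional[Tuple[int, int]] = None  # ports after -S are SOURCE ports; None = any

def matches(rule, src_ip, proto, sport):
    """Does a packet (source address, protocol, source port) hit this rule?"""
    return (ipaddress.IPv4Address(src_ip) in rule.src
            and rule.proto in (None, proto)
            and (rule.sports is None or rule.sports[0] <= sport <= rule.sports[1]))

def evaluate(chain, src_ip, proto, sport, default="accept"):
    """First matching rule decides (assumed ipfwadm semantics); else the chain policy."""
    for rule in chain:
        if matches(rule, src_ip, proto, sport):
            return rule.action
    return default

def covers(wide, narrow):
    """True if every packet matched by `narrow` is also matched by `wide`."""
    if not narrow.src.subnet_of(wide.src) or wide.proto not in (None, narrow.proto):
        return False
    if wide.sports is None:
        return True
    return (narrow.sports is not None
            and wide.sports[0] <= narrow.sports[0] and narrow.sports[1] <= wide.sports[1])

def shadowed_rules(chain):
    """Indices of rules that can never fire because an earlier rule already covers them."""
    return [i for i, r in enumerate(chain) if any(covers(chain[j], r) for j in range(i))]

# Constructed from the deny rules in the post (protocol, source-port range).
LAN = ipaddress.IPv4Network("192.168.2.0/24")
DENIES = [Rule("deny", LAN, proto, ports) for proto, ports in [
    ("udp", (67, 69)), ("udp", (111, 111)), ("tcp", (111, 111)), ("tcp", (137, 139)),
    ("udp", (137, 139)), ("udp", (161, 162)), ("udp", (635, 650)), ("udp", (2049, 2049))]]
AS_POSTED = [Rule("masquerade", LAN)] + DENIES     # order as in the post
DENIES_FIRST = DENIES + [Rule("masquerade", LAN)]  # catch-all masquerade last
```

Under first-match evaluation shadowed_rules(AS_POSTED) reports every deny rule as dead, while DENIES_FIRST reports none and still masquerades ordinary LAN traffic.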


This archive was generated by hypermail 2.1.6 : Sat Feb 08 2003 - 15:27:12 CET