This commit is contained in:
gferg 2002-07-11 17:25:07 +00:00
parent 55d35b5b20
commit 46a5ecf55f
3 changed files with 145 additions and 106 deletions

View File

@ -1624,7 +1624,7 @@ lists via a CGI script). </Para>
Masquerading-Simple-HOWTO</ULink>,
<CiteTitle>Masquerading Made Simple HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: February 2002</CiteTitle>.
<CiteTitle>Updated: July 2002</CiteTitle>.
Describes how to enable the Linux IP Masquerade feature on a given Linux host.
Should be used as a complement to the
the <ULINK URL="../IP-Masquerade-HOWTO/index.html">IP-Masquerade-HOWTO</ULink>. </Para>
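Review bot: the unchanged context at the end of this hunk still reads "a complement to the the IP-Masquerade-HOWTO"; since this entry is being edited anyway, drop the duplicated "the". The only substantive change here is the Updated date (February 2002 to July 2002), which agrees with the 0.08 revision date added to the HOWTO's revhistory in this same commit.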

View File

@ -898,7 +898,7 @@ How to enable the Linux IP Masquerade feature on a given Linux host. </Para>
Masquerading-Simple-HOWTO</ULink>,
<CiteTitle>Masquerading Made Simple HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: February 2002</CiteTitle>.
<CiteTitle>Updated: July 2002</CiteTitle>.
Describes how to enable the Linux IP Masquerade feature on a given Linux host.
Should be used as a complement to the
the <ULINK URL="../IP-Masquerade-HOWTO/index.html">IP-Masquerade-HOWTO</ULink>. </Para>
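Review bot: same duplicated "the the" in the trailing context line of this second index file. The two index entries are verbatim copies of each other, so a date bump must be applied to both (it is here); fixing the typo in one without the other would leave them diverging again.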

View File

@ -14,9 +14,9 @@
<firstname>John</firstname>
<surname>Tapsell</surname>
<affiliation>
<address>
<email>tapselj0@cs.man.ac.uk</email>
</address>
<address>
<email>tapselj0@cs.man.ac.uk</email>
</address>
</affiliation>
</author>
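Review bot: this hunk and the two author hunks that follow are reindentation only (identical tags and addresses, different leading whitespace). Mixing whitespace churn with the real content changes further down makes the diff harder to review; a separate whitespace-only commit would let a reviewer diff the substantive edits with `-w` and see them at a glance.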
@ -24,9 +24,9 @@
<firstname>Thomas</firstname>
<surname>Spellman</surname>
<affiliation>
<address>
<email>thomas@resonance.org</email>
</address>
<address>
<email>thomas@resonance.org</email>
</address>
</affiliation>
</author>
@ -34,37 +34,42 @@
<firstname>Matthias</firstname>
<surname>Grimm</surname>
<affiliation>
<address>
<email>DeadBull@gmx.net</email>
</address>
<address>
<email>DeadBull@gmx.net</email>
</address>
</affiliation>
</author>
<revhistory>
<revision>
<revnumber>0.07</revnumber>
<date>2002-02-27</date>
<authorinitials>jpt</authorinitials>
<revnumber>0.08</revnumber>
<date>2002-07-11</date>
<authorinitials>jpt</authorinitials>
</revision>
<revision>
<revnumber>0.06</revnumber>
<date>2001-09-08</date>
<authorinitials>jpt</authorinitials>
<revnumber>0.07</revnumber>
<date>2002-02-27</date>
<authorinitials>jpt</authorinitials>
</revision>
<revision>
<revnumber>0.05</revnumber>
<date>2001-09-07</date>
<authorinitials>jpt</authorinitials>
<revnumber>0.06</revnumber>
<date>2001-09-08</date>
<authorinitials>jpt</authorinitials>
</revision>
<revision>
<revnumber>0.04</revnumber>
<date>2001-09-01</date>
<authorinitials>jpt</authorinitials>
<revnumber>0.05</revnumber>
<date>2001-09-07</date>
<authorinitials>jpt</authorinitials>
</revision>
<revision>
<revnumber>0.03</revnumber>
<date>2001-07-06</date>
<authorinitials>jpt</authorinitials>
<revnumber>0.04</revnumber>
<date>2001-09-01</date>
<authorinitials>jpt</authorinitials>
</revision>
<revision>
<revnumber>0.03</revnumber>
<date>2001-07-06</date>
<authorinitials>jpt</authorinitials>
</revision>
<!-- Additional (*earlier*) revision histories go here -->
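Review bot: the new 0.08 revision entry (L74-L76) carries only a number, date and initials, so nothing in the document records what changed between 0.07 and 0.08. DocBook's `<revision>` accepts a `<revremark>` after `<authorinitials>`; a one-line remark such as "Added DNS advice for clients and a DNS FAQ entry" would let readers of the rendered HOWTO see why the version moved.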
@ -124,26 +129,26 @@
</para><para>
<mediaobject>
<imageobject>
<imagedata fileref="network.png">
<imagedata fileref="network.png">
</imageobject>
<textobject>
<literallayout>
<literallayout>
_____________
/ \ external IP _________ internal IP
| Internet | 123.12.23.43 | linux | 192.168.0.1
| google.com | <----[outside card]-| machine |-[internal card]
\_____________/ --------- |
|
_____________ ______|_______
| 192.168.0.2 | / \
| internal |-----------| 192.168.0.0 |
| machine | | Intranet |
------------- \______________/
|
_____________ ______|_______
| 192.168.0.2 | / \
| internal |-----------| 192.168.0.0 |
| machine | | Intranet |
------------- \______________/
</literallayout>
</literallayout>
</textobject>
<textobject>
<phrase>Picture of network</phrase>
<phrase>Picture of network</phrase>
</textobject>
</mediaobject>
</para>
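Review bot: `<literallayout>` preserves whitespace, so reindenting the ASCII diagram (L138-L142) changes what is rendered, not just the source layout. The lower block keeps the same relative alignment as the upper one, so the diagram should still line up, but confirm in the generated HTML that the "internal machine" box still sits under the Intranet connector rather than trusting the source diff.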
@ -212,7 +217,7 @@
<itemizedlist>
<listitem>
<para>
Network packet filtering (CONFIG_NETFILTER)
Network packet filtering (CONFIG_NETFILTER)
</para>
</listitem>
</itemizedlist>
@ -224,61 +229,61 @@
<itemizedlist>
<listitem>
<para>
Connection tracking (CONFIG_IP_NF_CONNTRACK)
Connection tracking (CONFIG_IP_NF_CONNTRACK)
</para>
</listitem>
<listitem>
<para>
FTP Protocol support (CONFIG_IP_NF_FTP)
FTP Protocol support (CONFIG_IP_NF_FTP)
</para>
</listitem>
<listitem>
<para>
IP tables support (CONFIG_IP_NF_IPTABLES)
IP tables support (CONFIG_IP_NF_IPTABLES)
</para>
</listitem>
<listitem>
<para>
Connection state match support (CONFIG_IP_NF_MATCH_STATE)
<para>
Connection state match support (CONFIG_IP_NF_MATCH_STATE)
</para>
</listitem>
<listitem>
<para>
Packet filtering (CONFIG_IP_NF_FILTER)
Packet filtering (CONFIG_IP_NF_FILTER)
</para>
<itemizedlist>
<listitem>
<para>
<listitem>
<para>
REJECT target support (CONFIG_IP_NF_TARGET_REJECT)
</para>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Full NAT (CONFIG_IP_NF_NAT)
Full NAT (CONFIG_IP_NF_NAT)
</para>
<itemizedlist>
<listitem>
<para>
MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE)
</para>
<listitem>
<para>
MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE)
</para>
</listitem>
<listitem>
<para>
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)
</para>
</listitem>
<listitem>
<para>
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Packet mangling (CONFIG_IP_NF_MANGLE)
Packet mangling (CONFIG_IP_NF_MANGLE)
</para>
</listitem>
<listitem>
<para>
LOG target support (CONFIG_IP_NF_TARGET_LOG)
LOG target support (CONFIG_IP_NF_TARGET_LOG)
</para>
</listitem>
</itemizedlist>
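Review bot: the hunk header shows equal line counts (61/61), so this should be reindentation only, but two spots need a check in the resulting file: the consecutive `<para>` lines at L183-L184 around "Connection state match support" and the consecutive `</para>` lines at L199-L200 after "REJECT target support". If either pair survives as two tags rather than one old and one new, the SGML will not validate. The nesting itself is right: REJECT under Packet filtering, MASQUERADE and REDIRECT under Full NAT, which mirrors the kernel config dependencies.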
@ -364,44 +369,60 @@
<itemizedlist>
<listitem>
<para>
Setup all the clients on the internal network to point to the Linux
internal IP address as their gateway.
(In windows right-click network neighbourhood->properties->gateway
then change it to the Linux gateway internal ip.)
Setup all the clients on the internal network to point to the Linux
internal IP address as their gateway.
(In windows right-click network neighbourhood->properties->gateway
then change it to the Linux gateway internal ip.)
</para>
</listitem>
<listitem>
<para>
Setup all the clients to use your ISP's HTTP proxy if they have one,
use a transparent proxy (WARNING - I've heard reports of transparent
proxying to be very slow on very big networks), or run squid on your
new linux gateway. (This is optional, but preferrable for large networks)
Setup all the clients to use your ISP's HTTP proxy if they have one,
use a transparent proxy (WARNING - I've heard reports of transparent
proxying to be very slow on very big networks), or run squid on your
new linux gateway. (This is optional, but preferrable for large networks)
</para>
</listitem>
<listitem>
<para>
Now you should start securing it! First turn off forwarding in general:
"<command>iptables -P FORWARD DROP</command>", and then learn how to use
iptables and <filename>/etc/hosts.allow</filename> and
<filename>/etc/hosts.deny</filename> to secure your system. WARNING
- Don't try this mentioned iptables rule until you have the masquerading
working. You have to explicitely allow every packet through that you want
if you are going to set the last rule to be DENY.
(Undo with "<command>iptables -P FORWARD ACCEPT</command>")
Be sure to specify a DNS when setting up your clients. Otherwise
you will get errors on the clients saying 'cannot resolve address'
etc. If DNS used to work (URL address worked) but doesn't after
you setup Masquerading, this is because your ISP's/network's DHCP
server can no longer tell you what the DNS address is.
</para><para>
[Offtopic] I wonder if you could simply send out a dhcp broadcast
that just forwards on the dns server (and http_proxy while you're at
it) without having to setup a dhcp server (or even if you do).
Can someone mail me about this? :)
</para><para>
Thanks to Richard Atcheson for pointing this out.
</para>
</listitem>
<listitem>
<para>
Allow through any services you do want the internet to see.
Now you should start securing it! First turn off forwarding in general:
"<command>iptables -P FORWARD DROP</command>", and then learn how to use
iptables and <filename>/etc/hosts.allow</filename> and
<filename>/etc/hosts.deny</filename> to secure your system. WARNING
- Don't try this mentioned iptables rule until you have the masquerading
working. You have to explicitely allow every packet through that you want
if you are going to set the last rule to be DENY.
(Undo with "<command>iptables -P FORWARD ACCEPT</command>")
</para>
</listitem>
<listitem>
<para>
Allow through any services you do want the internet to see.
</para>
<para>
For an example, to allow access to your web server do:
For an example, to allow access to your web server do:
</para>
<screen format="linespecific">
<prompt moreinfo="none">$&gt;</prompt> <command>iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT</command>
<prompt moreinfo="none">$&gt;</prompt> <command>iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT</command></screen>
<para>
To allow ident (For connecting to irc etc) do
To allow ident (For connecting to irc etc) do
</para>
<screen format="linespecific">
<prompt moreinfo="none">$&gt;</prompt> <command>iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT</command></screen>
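Review bot: "if you are going to set the last rule to be DENY" (L303) names an ipchains target; under iptables the policy set by the preceding `iptables -P FORWARD DROP` is DROP, and the text should say so. More importantly, once the FORWARD policy is DROP, masqueraded traffic stops until explicit `-A FORWARD ... -j ACCEPT` rules exist; given that CONFIG_IP_NF_MATCH_STATE is listed as required earlier in this file, a rule using `-m state --state ESTABLISHED,RELATED` is the natural one to show here. The web-server and ident examples append to INPUT, which only has an effect if the INPUT policy is also DROP (nothing in this hunk sets it), and they carry no `-i` restriction, so they open the ports on the internal interface too. The new DNS paragraph is the right advice and the "Thanks to Richard Atcheson" credit is fine; the "[Offtopic] ... Can someone mail me about this? :)" aside reads as a TODO rather than part of the procedure and would sit better in the FAQ or a comment. Spelling in the touched lines: "explicitely", "preferrable".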
@ -451,6 +472,13 @@
<prompt moreinfo="none">$&gt;</prompt> <command>iptables -t nat -L</command></screen>
</para>
</listitem>
<listitem>
<para>
It won't resolve IP's! I'm typing 'www.microsoft.com' in and it says
it can't find it!
</para><para>
- Make sure you add the dns server ip to all the clients.
</para>
<listitem>
<para>
It don't work! It doesn't like iptables / NAT / SNAT / MASQ
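Review bot: the new FAQ entry (L328-L334) opens a `<listitem>` but never closes it; the next line after its final `</para>` is the existing `<listitem>` at L335. Add `</listitem>` after L334 so the list stays well-formed. Minor: "IP's" in the question should be "IPs".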
@ -486,7 +514,7 @@
It still don't work!
</para><para>
- Hmm, does "<command>dmesg | tail</command>" give any errors?
or "<command>cat /var/log/messages | tail</command>" ? Like I care tho...
or "<command>cat /var/log/messages | tail</command>" ? Like I care tho...
</para>
</listitem>
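Review bot: `cat /var/log/messages | tail` is a needless pipe; `tail /var/log/messages` does the same. Worth a word that `/var/log/messages` is typically readable only by root on the distributions this HOWTO targets, so the reader should run the check as root or with sudo.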
<listitem>
@ -495,9 +523,9 @@
</para><para>
- I dunno.. but you should be able to:
</para><screen format="linespecific">
1) From the gateway machine, ping the outside
2) From the gateway ping your internal machines
3) From the internal machines ping the gateway</screen>
1) From the gateway machine, ping the outside
2) From the gateway ping your internal machines
3) From the internal machines ping the gateway</screen>
<para>
And this is <emphasis>before</emphasis> you play with masq'ing
</para>
@ -508,7 +536,7 @@
</para>
<para>
- In the <filename>/etc/network/interfaces</filename> file, or
firewall.rc. If you put it in the interfaces file, then put
firewall.rc. If you put it in the interfaces file, then put
it as a pre-up to the external interface, and have
"<command>iptables -t nat -F</command>" as the post-down.
</para>
@ -518,24 +546,24 @@
How do I get it to only bring the ppp up on demand?
</para><para>
- Assuming your ISP gateway IP is say 23.43.12.43 for arguments sake, then
append a line like this:
append a line like this:
</para><para>
<command>:23.43.12.43</command>
<command>:23.43.12.43</command>
</para><para>
to <filename>/etc/ppp/peers/provider</filename> at the end.
(this is for dynamic IP - static IP would be
my.<command>external.ip.number:23.43.12.43</command> )
to <filename>/etc/ppp/peers/provider</filename> at the end.
(this is for dynamic IP - static IP would be
my.<command>external.ip.number:23.43.12.43</command> )
</para><para>
Then at the end of that file add on a newline:
Then at the end of that file add on a newline:
</para><para>
<command>demand</command>
<command>demand</command>
</para><para>
Pppd will remain in the background to redial the connection on demand
if it's dropped until you do an "<command>ifdown ppp0</command>" or
a "<command>poff</command>", unless you add
a "<command>nopersist</command>" option, in which case pppd will exit after the connection
is up. You can also add on a new line "<command>idle 600</command>" to disconnect after 10
mins of idleness.
Pppd will remain in the background to redial the connection on demand
if it's dropped until you do an "<command>ifdown ppp0</command>" or
a "<command>poff</command>", unless you add
a "<command>nopersist</command>" option, in which case pppd will exit after the connection
is up. You can also add on a new line "<command>idle 600</command>" to disconnect after 10
mins of idleness.
</para><para>
</para>
</listitem>
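Review bot: the trailing `<para>` / `</para>` pair at L404-L405 is an empty paragraph and should be removed. Also "Pppd" at L398 should be lowercase `pppd`, as it is the command name; the rest of the hunk is reindentation.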
@ -544,13 +572,13 @@
The connection keeps dropping!
</para><para>
- First, do you have demand dialing? Is it just doing what it is supposed
to?
Check <filename>/etc/ppp/peers/provider</filename>, and make sure your dial up works fine
before attempting masq'ing.
to?
Check <filename>/etc/ppp/peers/provider</filename>, and make sure your dial up works fine
before attempting masq'ing.
</para><para>
- Secondly, if not, then perhaps, like me, something is going weird, and
you need to fall back to Linux 2.4.3 and see if that works instead.. dunno
why.
you need to fall back to Linux 2.4.3 and see if that works instead.. dunno
why.
</para>
</listitem>
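Review bot: the second answer tells readers to "fall back to Linux 2.4.3 ... dunno why". Recommending a downgrade to an older kernel without a stated cause trades a connectivity symptom for an unpatched kernel; either give the actual trigger the author hit or drop the suggestion and point readers at the dmesg/log check from the earlier entry.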
<listitem>
@ -558,7 +586,7 @@
I hate doing this myself! I want a pre-made script and GUI and stuff.
</para><para>
- Sure: <ulink url="http://shorewall.sourceforge.net/">
http://shorewall.sourceforge.net/</ulink>
http://shorewall.sourceforge.net/</ulink>
</para><para>
Eat your heart out!
</para>
@ -582,7 +610,7 @@
How do I handle incomming services?
</para><para>
- Try forwarding or redirecting the IP ports - again make
sure you firewall this if needed.
sure you firewall this if needed.
</para>
</listitem>
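Review bot: "incomming" should be "incoming". The answer is also too vague to act on: name the mechanism (a DNAT rule in the nat table's PREROUTING chain, or the REDIRECT target the kernel-config section already requires) and repeat that with a DROP FORWARD policy the forwarded port must also be accepted in FORWARD, otherwise "make sure you firewall this if needed" gives the reader nothing concrete.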
<listitem>
@ -591,10 +619,10 @@
address, but can't access the internet.
</para><para>
- Okay, try doing "<command>rmmod iptable_filter</command>" - more
info on this as I get it.
info on this as I get it.
</para><para>
- Make sure your not running <emphasis>routed</emphasis> or
<emphasis>gated</emphasis> - to check run
<emphasis>gated</emphasis> - to check run
"<command>ps aux | grep -e routed -e gated</command>".
</para><para>
- Look at <ulink url="http://ipmasq.cjb.net">http://ipmasq.cjb.net</ulink>
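Review bot: `rmmod iptable_filter` unloads the filter table and with it every INPUT, FORWARD and OUTPUT rule, including the FORWARD DROP policy the securing section told the reader to set, so if it "fixes" the problem it does so by removing the firewall. Label it a diagnostic step, not a fix, and tell the reader to reload the table and rules afterwards. Minor: "your not running" should be "you're not running", and `ps aux | grep -e routed -e gated` will also match the grep process itself.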
@ -612,13 +640,15 @@
I need more squid info and routing and stuff!
</para><para>
- Try the Advanced Routing HOWTO
http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
</para>
</listitem>
<listitem>
<para>
This howto is crap! How do I yell at the guys who wrote this?
</para><para>
- Go to #debian on irc.opensource.net and find and locate JohnFlux.
- Mail me (JohnFlux) at tapselj0@cs.man.ac.uk
</para>
</listitem>
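Review bot: the Adv-Routing-HOWTO URL at L462 is bare text while the other links in this FAQ (shorewall at L429, ipmasq at L456) use `<ulink>`; wrap it the same way so it renders as a link. Switching the contact from IRC to the tapselj0@cs.man.ac.uk address already listed in the author block is consistent.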
<listitem>
@ -629,7 +659,16 @@
</para><para>
- Consult the LDP Masq-HOWTO.
</para>
</listitem>
</listitem>
<listitem>
<para>
What else are you working on?
</para><para>
Currently I'm writing a guide on linux on anti-missile-missiles-made-simple.
There's no good guides on protecting your system from nuclear attacks
for newbies. People seem to think its rocket science or something..
</para>
</listitem>
</itemizedlist>
</sect1>
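Review bot: the context shows two consecutive `</listitem>` lines at L478-L479 before the new entry; check that the original file really has both and that each closes an open item, since an extra close tag here will break validation once the new `<listitem>` is inserted after it. The added "What else are you working on?" entry is humour rather than content and, as the final item, does not get in the way of the technical answers above it.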