mirror of https://github.com/tLDP/LDP
updated
This commit is contained in:
parent
55d35b5b20
commit
46a5ecf55f
@ -1624,7 +1624,7 @@ lists via a CGI script). </Para>
|
|||
Masquerading-Simple-HOWTO</ULink>,
|
||||
<CiteTitle>Masquerading Made Simple HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: February 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: July 2002</CiteTitle>.
|
||||
Describes how to enable the Linux IP Masquerade feature on a given Linux host.
|
||||
Should be used as a complement to the
|
||||
the <ULINK URL="../IP-Masquerade-HOWTO/index.html">IP-Masquerade-HOWTO</ULink>. </Para>
|
||||
|
|
|
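Review bot: the context lines directly under the changed date read "Should be used as a complement to the / the <ULINK URL="../IP-Masquerade-HOWTO/index.html">IP-Masquerade-HOWTO</ULink>", a doubled "the" that this edit leaves in place; since the entry is being touched anyway, drop one of them. The new "Updated: July 2002" agrees with the 0.08 revision date (2002-07-11) in the HOWTO's revhistory further down, so the index entry and the document stay consistent.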
@ -898,7 +898,7 @@ How to enable the Linux IP Masquerade feature on a given Linux host. </Para>
|
|||
Masquerading-Simple-HOWTO</ULink>,
|
||||
<CiteTitle>Masquerading Made Simple HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: February 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: July 2002</CiteTitle>.
|
||||
Describes how to enable the Linux IP Masquerade feature on a given Linux host.
|
||||
Should be used as a complement to the
|
||||
the <ULINK URL="../IP-Masquerade-HOWTO/index.html">IP-Masquerade-HOWTO</ULink>. </Para>
|
||||
|
|
|
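Review bot: this second copy of the index entry carries the same doubled "the" ("a complement to the / the <ULINK ...>"); apply the same one-word fix here so the two copies do not drift apart.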
@ -14,9 +14,9 @@
|
|||
<firstname>John</firstname>
|
||||
<surname>Tapsell</surname>
|
||||
<affiliation>
|
||||
<address>
|
||||
<email>tapselj0@cs.man.ac.uk</email>
|
||||
</address>
|
||||
<address>
|
||||
<email>tapselj0@cs.man.ac.uk</email>
|
||||
</address>
|
||||
</affiliation>
|
||||
</author>
|
||||
|
||||
|
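Review bot: the removed and added `<address>` blocks are character-for-character identical in the rendered view, so this hunk (and the two author hunks that follow it) is an indentation or trailing-whitespace change only. Mixing such reformatting into a content commit whose message is just "updated" makes the real edits (the 0.08 revision entry, the diagram, the DNS advice, the new FAQ items) harder to find in the history; consider committing whitespace-only changes separately.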
@ -24,9 +24,9 @@
|
|||
<firstname>Thomas</firstname>
|
||||
<surname>Spellman</surname>
|
||||
<affiliation>
|
||||
<address>
|
||||
<email>thomas@resonance.org</email>
|
||||
</address>
|
||||
<address>
|
||||
<email>thomas@resonance.org</email>
|
||||
</address>
|
||||
</affiliation>
|
||||
</author>
|
||||
|
||||
|
@ -34,37 +34,42 @@
|
|||
<firstname>Matthias</firstname>
|
||||
<surname>Grimm</surname>
|
||||
<affiliation>
|
||||
<address>
|
||||
<email>DeadBull@gmx.net</email>
|
||||
</address>
|
||||
<address>
|
||||
<email>DeadBull@gmx.net</email>
|
||||
</address>
|
||||
</affiliation>
|
||||
</author>
|
||||
|
||||
<revhistory>
|
||||
<revision>
|
||||
<revnumber>0.07</revnumber>
|
||||
<date>2002-02-27</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
<revnumber>0.08</revnumber>
|
||||
<date>2002-07-11</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>0.06</revnumber>
|
||||
<date>2001-09-08</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
<revnumber>0.07</revnumber>
|
||||
<date>2002-02-27</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>0.05</revnumber>
|
||||
<date>2001-09-07</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
<revnumber>0.06</revnumber>
|
||||
<date>2001-09-08</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>0.04</revnumber>
|
||||
<date>2001-09-01</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
<revnumber>0.05</revnumber>
|
||||
<date>2001-09-07</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>0.03</revnumber>
|
||||
<date>2001-07-06</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
<revnumber>0.04</revnumber>
|
||||
<date>2001-09-01</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>0.03</revnumber>
|
||||
<date>2001-07-06</date>
|
||||
<authorinitials>jpt</authorinitials>
|
||||
</revision>
|
||||
|
||||
<!-- Additional (*earlier*) revision histories go here -->
|
||||
|
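Review bot: the new `<revision>` for 0.08 (2002-07-11) has no `<revremark>`, and the commit message "updated" does not say what changed either, so the revision history records a version bump without a reason. DocBook allows a `<revremark>` inside `<revision>`; one line along the lines of "DNS note in the setup steps, FAQ entry on name resolution, new contact address" would document what 0.08 is. The `<address>` block above it is again textually identical on both sides, i.e. whitespace only.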
@ -124,26 +129,26 @@
|
|||
</para><para>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="network.png">
|
||||
<imagedata fileref="network.png">
|
||||
</imageobject>
|
||||
<textobject>
|
||||
<literallayout>
|
||||
<literallayout>
|
||||
_____________
|
||||
/ \ external IP _________ internal IP
|
||||
| Internet | 123.12.23.43 | linux | 192.168.0.1
|
||||
| google.com | <----[outside card]-| machine |-[internal card]
|
||||
\_____________/ --------- |
|
||||
|
|
||||
_____________ ______|_______
|
||||
| 192.168.0.2 | / \
|
||||
| internal |-----------| 192.168.0.0 |
|
||||
| machine | | Intranet |
|
||||
------------- \______________/
|
||||
|
|
||||
_____________ ______|_______
|
||||
| 192.168.0.2 | / \
|
||||
| internal |-----------| 192.168.0.0 |
|
||||
| machine | | Intranet |
|
||||
------------- \______________/
|
||||
|
||||
</literallayout>
|
||||
</literallayout>
|
||||
</textobject>
|
||||
<textobject>
|
||||
<phrase>Picture of network</phrase>
|
||||
<phrase>Picture of network</phrase>
|
||||
</textobject>
|
||||
</mediaobject>
|
||||
</para>
|
||||
|
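Review bot: the newly added upper half of the diagram labels the external interface 123.12.23.43, a routable public address that belongs to somebody; use an address from the range reserved for documentation (192.0.2.0/24, TEST-NET) so readers who copy the picture into their own rules cannot end up addressing a real host. Separately, `<imagedata fileref="network.png">` is left unclosed on both sides of the hunk: harmless under the SGML DTD, but a well-formedness error if this source is ever processed as XML, so `<imagedata fileref="network.png"/>` is the safer spelling.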
@ -212,7 +217,7 @@
|
|||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Network packet filtering (CONFIG_NETFILTER)
|
||||
Network packet filtering (CONFIG_NETFILTER)
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
@ -224,61 +229,61 @@
|
|||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Connection tracking (CONFIG_IP_NF_CONNTRACK)
|
||||
Connection tracking (CONFIG_IP_NF_CONNTRACK)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
FTP Protocol support (CONFIG_IP_NF_FTP)
|
||||
FTP Protocol support (CONFIG_IP_NF_FTP)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
IP tables support (CONFIG_IP_NF_IPTABLES)
|
||||
IP tables support (CONFIG_IP_NF_IPTABLES)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Connection state match support (CONFIG_IP_NF_MATCH_STATE)
|
||||
<para>
|
||||
Connection state match support (CONFIG_IP_NF_MATCH_STATE)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Packet filtering (CONFIG_IP_NF_FILTER)
|
||||
Packet filtering (CONFIG_IP_NF_FILTER)
|
||||
</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<listitem>
|
||||
<para>
|
||||
REJECT target support (CONFIG_IP_NF_TARGET_REJECT)
|
||||
</para>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Full NAT (CONFIG_IP_NF_NAT)
|
||||
Full NAT (CONFIG_IP_NF_NAT)
|
||||
</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE)
|
||||
</para>
|
||||
<listitem>
|
||||
<para>
|
||||
MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Packet mangling (CONFIG_IP_NF_MANGLE)
|
||||
Packet mangling (CONFIG_IP_NF_MANGLE)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
LOG target support (CONFIG_IP_NF_TARGET_LOG)
|
||||
LOG target support (CONFIG_IP_NF_TARGET_LOG)
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
@ -364,44 +369,60 @@
|
|||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Setup all the clients on the internal network to point to the Linux
|
||||
internal IP address as their gateway.
|
||||
(In windows right-click network neighbourhood->properties->gateway
|
||||
then change it to the Linux gateway internal ip.)
|
||||
Setup all the clients on the internal network to point to the Linux
|
||||
internal IP address as their gateway.
|
||||
(In windows right-click network neighbourhood->properties->gateway
|
||||
then change it to the Linux gateway internal ip.)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Setup all the clients to use your ISP's HTTP proxy if they have one,
|
||||
use a transparent proxy (WARNING - I've heard reports of transparent
|
||||
proxying to be very slow on very big networks), or run squid on your
|
||||
new linux gateway. (This is optional, but preferrable for large networks)
|
||||
Setup all the clients to use your ISP's HTTP proxy if they have one,
|
||||
use a transparent proxy (WARNING - I've heard reports of transparent
|
||||
proxying to be very slow on very big networks), or run squid on your
|
||||
new linux gateway. (This is optional, but preferrable for large networks)
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Now you should start securing it! First turn off forwarding in general:
|
||||
"<command>iptables -P FORWARD DROP</command>", and then learn how to use
|
||||
iptables and <filename>/etc/hosts.allow</filename> and
|
||||
<filename>/etc/hosts.deny</filename> to secure your system. WARNING
|
||||
- Don't try this mentioned iptables rule until you have the masquerading
|
||||
working. You have to explicitely allow every packet through that you want
|
||||
if you are going to set the last rule to be DENY.
|
||||
(Undo with "<command>iptables -P FORWARD ACCEPT</command>")
|
||||
Be sure to specify a DNS when setting up your clients. Otherwise
|
||||
you will get errors on the clients saying 'cannot resolve address'
|
||||
etc. If DNS used to work (URL address worked) but doesn't after
|
||||
you setup Masquerading, this is because your ISP's/network's DHCP
|
||||
server can no longer tell you what the DNS address is.
|
||||
</para><para>
|
||||
[Offtopic] I wonder if you could simply send out a dhcp broadcast
|
||||
that just forwards on the dns server (and http_proxy while you're at
|
||||
it) without having to setup a dhcp server (or even if you do).
|
||||
Can someone mail me about this? :)
|
||||
</para><para>
|
||||
Thanks to Richard Atcheson for pointing this out.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Allow through any services you do want the internet to see.
|
||||
Now you should start securing it! First turn off forwarding in general:
|
||||
"<command>iptables -P FORWARD DROP</command>", and then learn how to use
|
||||
iptables and <filename>/etc/hosts.allow</filename> and
|
||||
<filename>/etc/hosts.deny</filename> to secure your system. WARNING
|
||||
- Don't try this mentioned iptables rule until you have the masquerading
|
||||
working. You have to explicitely allow every packet through that you want
|
||||
if you are going to set the last rule to be DENY.
|
||||
(Undo with "<command>iptables -P FORWARD ACCEPT</command>")
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Allow through any services you do want the internet to see.
|
||||
</para>
|
||||
<para>
|
||||
For an example, to allow access to your web server do:
|
||||
For an example, to allow access to your web server do:
|
||||
</para>
|
||||
<screen format="linespecific">
|
||||
<prompt moreinfo="none">$></prompt> <command>iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT</command>
|
||||
<prompt moreinfo="none">$></prompt> <command>iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT</command></screen>
|
||||
<para>
|
||||
To allow ident (For connecting to irc etc) do
|
||||
To allow ident (For connecting to irc etc) do
|
||||
</para>
|
||||
<screen format="linespecific">
|
||||
<prompt moreinfo="none">$></prompt> <command>iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT</command></screen>
|
||||
|
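Review bot: in the "securing" item the command is `iptables -P FORWARD DROP` but the prose says "if you are going to set the last rule to be DENY"; iptables has no DENY target (that is ipchains vocabulary), so the text should say DROP to match the command it is explaining. Two further points on the visible lines: the new DNS paragraph is sound advice, but the "[Offtopic] I wonder if you could simply send out a dhcp broadcast ... Can someone mail me about this? :)" paragraph is a request for information, not a setup step, and belongs in the FAQ or outside the document; and the "Allow through any services" item follows the FORWARD policy with rules on INPUT (ports 80, 443 and 113), which only open services running on the gateway itself and do nothing for hosts behind it, so state that explicitly or readers will expect those rules to lift the FORWARD DROP for their internal web server. Typos while here: "preferrable" (preferable), "explicitely" (explicitly), and "Setup all the clients" where the verb is "set up".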
@ -451,6 +472,13 @@
|
|||
<prompt moreinfo="none">$></prompt> <command>iptables -t nat -L</command></screen>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
It won't resolve IP's! I'm typing 'www.microsoft.com' in and it says
|
||||
it can't find it!
|
||||
</para><para>
|
||||
- Make sure you add the dns server ip to all the clients.
|
||||
</para>
|
||||
<listitem>
|
||||
<para>
|
||||
It don't work! It doesn't like iptables / NAT / SNAT / MASQ
|
||||
|
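Review bot: the added "It won't resolve IP's!" item opens `<listitem>` and `<para>` but the seven new lines close only the `</para>`; the next context line is the following `<listitem>`, so the new item never gets its `</listitem>`, while every other item in this list closes explicitly. Under the SGML DTD the parser may infer the end tag, under XML it is a well-formedness error; add `</listitem>` after the closing `</para>`. Minor wording point: the complaint is about host names ('www.microsoft.com'), not IPs, so "It won't resolve names!" is the accurate question.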
@ -486,7 +514,7 @@
|
|||
It still don't work!
|
||||
</para><para>
|
||||
- Hmm, does "<command>dmesg | tail</command>" give any errors?
|
||||
or "<command>cat /var/log/messages | tail</command>" ? Like I care tho...
|
||||
or "<command>cat /var/log/messages | tail</command>" ? Like I care tho...
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
|
@ -495,9 +523,9 @@
|
|||
</para><para>
|
||||
- I dunno.. but you should be able to:
|
||||
</para><screen format="linespecific">
|
||||
1) From the gateway machine, ping the outside
|
||||
2) From the gateway ping your internal machines
|
||||
3) From the internal machines ping the gateway</screen>
|
||||
1) From the gateway machine, ping the outside
|
||||
2) From the gateway ping your internal machines
|
||||
3) From the internal machines ping the gateway</screen>
|
||||
<para>
|
||||
And this is <emphasis>before</emphasis> you play with masq'ing
|
||||
</para>
|
||||
|
@ -508,7 +536,7 @@
|
|||
</para>
|
||||
<para>
|
||||
- In the <filename>/etc/network/interfaces</filename> file, or
|
||||
firewall.rc. If you put it in the interfaces file, then put
|
||||
firewall.rc. If you put it in the interfaces file, then put
|
||||
it as a pre-up to the external interface, and have
|
||||
"<command>iptables -t nat -F</command>" as the post-down.
|
||||
</para>
|
||||
|
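Review bot: the advice to run `iptables -t nat -F` as the post-down of the external interface flushes the entire nat table, not just the masquerading rule for that interface; any other nat rules (for instance port forwarding set up from the "incoming services" FAQ entry below) disappear with it. Either delete the specific rule with `iptables -t nat -D ...` instead, or say plainly that `-F` removes everything in the table so the reader is not surprised.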
@ -518,24 +546,24 @@
|
|||
How do I get it to only bring the ppp up on demand?
|
||||
</para><para>
|
||||
- Assuming your ISP gateway IP is say 23.43.12.43 for arguments sake, then
|
||||
append a line like this:
|
||||
append a line like this:
|
||||
</para><para>
|
||||
<command>:23.43.12.43</command>
|
||||
<command>:23.43.12.43</command>
|
||||
</para><para>
|
||||
to <filename>/etc/ppp/peers/provider</filename> at the end.
|
||||
(this is for dynamic IP - static IP would be
|
||||
my.<command>external.ip.number:23.43.12.43</command> )
|
||||
to <filename>/etc/ppp/peers/provider</filename> at the end.
|
||||
(this is for dynamic IP - static IP would be
|
||||
my.<command>external.ip.number:23.43.12.43</command> )
|
||||
</para><para>
|
||||
Then at the end of that file add on a newline:
|
||||
Then at the end of that file add on a newline:
|
||||
</para><para>
|
||||
<command>demand</command>
|
||||
<command>demand</command>
|
||||
</para><para>
|
||||
Pppd will remain in the background to redial the connection on demand
|
||||
if it's dropped until you do an "<command>ifdown ppp0</command>" or
|
||||
a "<command>poff</command>", unless you add
|
||||
a "<command>nopersist</command>" option, in which case pppd will exit after the connection
|
||||
is up. You can also add on a new line "<command>idle 600</command>" to disconnect after 10
|
||||
mins of idleness.
|
||||
Pppd will remain in the background to redial the connection on demand
|
||||
if it's dropped until you do an "<command>ifdown ppp0</command>" or
|
||||
a "<command>poff</command>", unless you add
|
||||
a "<command>nopersist</command>" option, in which case pppd will exit after the connection
|
||||
is up. You can also add on a new line "<command>idle 600</command>" to disconnect after 10
|
||||
mins of idleness.
|
||||
</para><para>
|
||||
</para>
|
||||
</listitem>
|
||||
|
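Review bot: the visible lines end with `</para><para>` immediately followed by `</para>`, an empty paragraph that should be removed. The static-IP variant is marked up as `my.<command>external.ip.number:23.43.12.43</command>`, which splits the placeholder between plain text and `<command>`; put the whole `my.external.ip.number:23.43.12.43` inside one `<command>` (or `<replaceable>`) the way the dynamic-IP line `<command>:23.43.12.43</command>` above it is done. As with the diagram, 23.43.12.43 is a routable public address; an address from the documentation range 192.0.2.0/24 avoids pointing readers' ppp configuration at a real host.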
@ -544,13 +572,13 @@
|
|||
The connection keeps dropping!
|
||||
</para><para>
|
||||
- First, do you have demand dialing? Is it just doing what it is supposed
|
||||
to?
|
||||
Check <filename>/etc/ppp/peers/provider</filename>, and make sure your dial up works fine
|
||||
before attempting masq'ing.
|
||||
to?
|
||||
Check <filename>/etc/ppp/peers/provider</filename>, and make sure your dial up works fine
|
||||
before attempting masq'ing.
|
||||
</para><para>
|
||||
- Secondly, if not, then perhaps, like me, something is going weird, and
|
||||
you need to fall back to Linux 2.4.3 and see if that works instead.. dunno
|
||||
why.
|
||||
you need to fall back to Linux 2.4.3 and see if that works instead.. dunno
|
||||
why.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
|
@ -558,7 +586,7 @@
|
|||
I hate doing this myself! I want a pre-made script and GUI and stuff.
|
||||
</para><para>
|
||||
- Sure: <ulink url="http://shorewall.sourceforge.net/">
|
||||
http://shorewall.sourceforge.net/</ulink>
|
||||
http://shorewall.sourceforge.net/</ulink>
|
||||
</para><para>
|
||||
Eat your heart out!
|
||||
</para>
|
||||
|
@ -582,7 +610,7 @@
|
|||
How do I handle incomming services?
|
||||
</para><para>
|
||||
- Try forwarding or redirecting the IP ports - again make
|
||||
sure you firewall this if needed.
|
||||
sure you firewall this if needed.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
|
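Review bot: "incomming" in the question should be "incoming". The answer's "again make sure you firewall this if needed" is vague for a step that exposes an internal host to the internet: once the FORWARD policy from the setup section is DROP, a forwarded port needs its own explicit FORWARD ACCEPT rule for just that host and port, and nothing wider; saying so here would turn the hedge into an instruction.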
@ -591,10 +619,10 @@
|
|||
address, but can't access the internet.
|
||||
</para><para>
|
||||
- Okay, try doing "<command>rmmod iptable_filter</command>" - more
|
||||
info on this as I get it.
|
||||
info on this as I get it.
|
||||
</para><para>
|
||||
- Make sure your not running <emphasis>routed</emphasis> or
|
||||
<emphasis>gated</emphasis> - to check run
|
||||
<emphasis>gated</emphasis> - to check run
|
||||
"<command>ps aux | grep -e routed -e gated</command>".
|
||||
</para><para>
|
||||
- Look at <ulink url="http://ipmasq.cjb.net">http://ipmasq.cjb.net</ulink>
|
||||
|
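Review bot: `rmmod iptable_filter` as a fix for "can't access the internet" unloads the filter table and with it every INPUT and FORWARD rule the securing step told the reader to build, leaving the gateway with no packet filtering at all; "more info on this as I get it" signals the author does not know why it helps. Either drop the tip or state plainly that it disables filtering and is for diagnosis only, to be reversed afterwards. Typo: "Make sure your not running" should read "you're not running".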
@ -612,13 +640,15 @@
|
|||
I need more squid info and routing and stuff!
|
||||
</para><para>
|
||||
- Try the Advanced Routing HOWTO
|
||||
http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
|
||||
http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
This howto is crap! How do I yell at the guys who wrote this?
|
||||
</para><para>
|
||||
- Go to #debian on irc.opensource.net and find and locate JohnFlux.
|
||||
- Mail me (JohnFlux) at tapselj0@cs.man.ac.uk
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
|
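Review bot: the Adv-Routing HOWTO reference a few lines above the changed contact line is a bare URL (http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html) whereas the shorewall reference elsewhere in this list uses `<ulink>`; wrap it in `<ulink url="...">` for consistency so it renders as a link. The new e-mail contact matches the `<email>` in the author block, so the two stay in sync.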
@ -629,7 +659,16 @@
|
|||
</para><para>
|
||||
- Consult the LDP Masq-HOWTO.
|
||||
</para>
|
||||
</listitem>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
What else are you working on?
|
||||
</para><para>
|
||||
Currently I'm writing a guide on linux on anti-missile-missiles-made-simple.
|
||||
There's no good guides on protecting your system from nuclear attacks
|
||||
for newbies. People seem to think its rocket science or something..
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
</sect1>
|
||||
|
|
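Review bot: the added FAQ item is a joke with no technical content, which is in keeping with the author's tone elsewhere in this list ("Like I care tho..."); if it stays, fix "People seem to think its rocket science" to "it's".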