diff --git a/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml b/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml
index 7d79f86f..04f33246 100644
--- a/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml
+++ b/LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml
@@ -1624,7 +1624,7 @@ lists via a CGI script).
Masquerading-Simple-HOWTO,
Masquerading Made Simple HOWTO
-Updated: February 2002.
+Updated: July 2002.
Describes how to enable the Linux IP Masquerade feature on a given Linux host.
Should be used as a complement to the
the IP-Masquerade-HOWTO.
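Review bot: the unchanged context at the end of this entry still reads "Should be used as a complement to the / the IP-Masquerade-HOWTO." (doubled "the" across the line break); since the hunk already touches this entry to bump the date, drop the extra "the" here as well.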
diff --git a/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml b/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml
index b53ec196..262c059a 100644
--- a/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml
+++ b/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml
@@ -898,7 +898,7 @@ How to enable the Linux IP Masquerade feature on a given Linux host.
Masquerading-Simple-HOWTO,
Masquerading Made Simple HOWTO
-Updated: February 2002.
+Updated: July 2002.
Describes how to enable the Linux IP Masquerade feature on a given Linux host.
Should be used as a complement to the
the IP-Masquerade-HOWTO.
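Review bot: same doubled "the" in "a complement to the / the IP-Masquerade-HOWTO." as in howtoChap.sgml; both index files carry identical text for this HOWTO, so fix the typo in both so they stay in sync rather than only bumping the date.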
diff --git a/LDP/howto/docbook/Masquerading-Simple-HOWTO/Masquerading-Simple-HOWTO.sgml b/LDP/howto/docbook/Masquerading-Simple-HOWTO/Masquerading-Simple-HOWTO.sgml
index 43cb6739..1f007ed8 100644
--- a/LDP/howto/docbook/Masquerading-Simple-HOWTO/Masquerading-Simple-HOWTO.sgml
+++ b/LDP/howto/docbook/Masquerading-Simple-HOWTO/Masquerading-Simple-HOWTO.sgml
@@ -14,9 +14,9 @@
John
Tapsell
-
- tapselj0@cs.man.ac.uk
-
+
+ tapselj0@cs.man.ac.uk
+
@@ -24,9 +24,9 @@
Thomas
Spellman
-
- thomas@resonance.org
-
+
+ thomas@resonance.org
+
@@ -34,37 +34,42 @@
Matthias
Grimm
-
- DeadBull@gmx.net
-
+
+ DeadBull@gmx.net
+
- 0.07
- 2002-02-27
- jpt
+ 0.08
+ 2002-07-11
+ jpt
- 0.06
- 2001-09-08
- jpt
+ 0.07
+ 2002-02-27
+ jpt
- 0.05
- 2001-09-07
- jpt
+ 0.06
+ 2001-09-08
+ jpt
- 0.04
- 2001-09-01
- jpt
+ 0.05
+ 2001-09-07
+ jpt
- 0.03
- 2001-07-06
- jpt
+ 0.04
+ 2001-09-01
+ jpt
+
+
+ 0.03
+ 2001-07-06
+ jpt
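Review bot: the new 0.08 entry (2002-07-11) records only the version, date and initials and gives no remark on what changed; the rest of this patch adds the client DNS note, the "It won't resolve" FAQ entry and the new contact address, so record that here so the history is useful. Separately, the whole existing revision list is re-indented in this hunk, which buries the one real addition under whitespace churn; a whitespace-only reformat is easier to review as its own commit.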
@@ -124,26 +129,26 @@
-
+
-
+
_____________
/ \ external IP _________ internal IP
| Internet | 123.12.23.43 | linux | 192.168.0.1
| google.com | <----[outside card]-| machine |-[internal card]
\_____________/ --------- |
- |
- _____________ ______|_______
- | 192.168.0.2 | / \
- | internal |-----------| 192.168.0.0 |
- | machine | | Intranet |
- ------------- \______________/
+ |
+ _____________ ______|_______
+ | 192.168.0.2 | / \
+ | internal |-----------| 192.168.0.0 |
+ | machine | | Intranet |
+ ------------- \______________/
-
+
- Picture of network
+ Picture of network
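Review bot: the diagram's example external address 123.12.23.43 is an ordinary routable public address, so a reader who copies it into a rule or a ppp peer file targets someone else's host; use an address reserved for documentation instead of a made-up public one. The Intranet box also gives 192.168.0.0 with no prefix length; 192.168.0.0/24 would cover the two hosts shown (192.168.0.1 and 192.168.0.2). This hunk otherwise changes only indentation.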
@@ -212,7 +217,7 @@
- Network packet filtering (CONFIG_NETFILTER)
+ Network packet filtering (CONFIG_NETFILTER)
@@ -224,61 +229,61 @@
- Connection tracking (CONFIG_IP_NF_CONNTRACK)
+ Connection tracking (CONFIG_IP_NF_CONNTRACK)
- FTP Protocol support (CONFIG_IP_NF_FTP)
+ FTP Protocol support (CONFIG_IP_NF_FTP)
- IP tables support (CONFIG_IP_NF_IPTABLES)
+ IP tables support (CONFIG_IP_NF_IPTABLES)
-
- Connection state match support (CONFIG_IP_NF_MATCH_STATE)
+
+ Connection state match support (CONFIG_IP_NF_MATCH_STATE)
- Packet filtering (CONFIG_IP_NF_FILTER)
+ Packet filtering (CONFIG_IP_NF_FILTER)
-
-
+
+
REJECT target support (CONFIG_IP_NF_TARGET_REJECT)
-
+
- Full NAT (CONFIG_IP_NF_NAT)
+ Full NAT (CONFIG_IP_NF_NAT)
-
-
- MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE)
-
+
+
+ MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE)
+
+
+
+
+ REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)
+
-
-
- REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)
-
-
- Packet mangling (CONFIG_IP_NF_MANGLE)
+ Packet mangling (CONFIG_IP_NF_MANGLE)
- LOG target support (CONFIG_IP_NF_TARGET_LOG)
+ LOG target support (CONFIG_IP_NF_TARGET_LOG)
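Review bot: apart from moving "REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)" ahead of "Packet mangling", this hunk changes only indentation, so the reorder is easy to miss in review; say in the commit message why it moved. Since REDIRECT is only needed for the transparent-proxy option mentioned later in the text, marking it as optional next to the entry (as the MASQUERADE target is the one that is actually required) would help the reader decide what to build.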
@@ -364,44 +369,60 @@
- Setup all the clients on the internal network to point to the Linux
- internal IP address as their gateway.
- (In windows right-click network neighbourhood->properties->gateway
- then change it to the Linux gateway internal ip.)
+ Setup all the clients on the internal network to point to the Linux
+ internal IP address as their gateway.
+ (In windows right-click network neighbourhood->properties->gateway
+ then change it to the Linux gateway internal ip.)
- Setup all the clients to use your ISP's HTTP proxy if they have one,
- use a transparent proxy (WARNING - I've heard reports of transparent
- proxying to be very slow on very big networks), or run squid on your
- new linux gateway. (This is optional, but preferrable for large networks)
+ Setup all the clients to use your ISP's HTTP proxy if they have one,
+ use a transparent proxy (WARNING - I've heard reports of transparent
+ proxying to be very slow on very big networks), or run squid on your
+ new linux gateway. (This is optional, but preferrable for large networks)
- Now you should start securing it! First turn off forwarding in general:
- "iptables -P FORWARD DROP", and then learn how to use
- iptables and /etc/hosts.allow and
- /etc/hosts.deny to secure your system. WARNING
- - Don't try this mentioned iptables rule until you have the masquerading
- working. You have to explicitely allow every packet through that you want
- if you are going to set the last rule to be DENY.
- (Undo with "iptables -P FORWARD ACCEPT")
+ Be sure to specify a DNS when setting up your clients. Otherwise
+ you will get errors on the clients saying 'cannot resolve address'
+ etc. If DNS used to work (URL address worked) but doesn't after
+ you setup Masquerading, this is because your ISP's/network's DHCP
+ server can no longer tell you what the DNS address is.
+
+ [Offtopic] I wonder if you could simply send out a dhcp broadcast
+ that just forwards on the dns server (and http_proxy while you're at
+ it) without having to setup a dhcp server (or even if you do).
+ Can someone mail me about this? :)
+
+ Thanks to Richard Atcheson for pointing this out.
- Allow through any services you do want the internet to see.
+ Now you should start securing it! First turn off forwarding in general:
+ "iptables -P FORWARD DROP", and then learn how to use
+ iptables and /etc/hosts.allow and
+ /etc/hosts.deny to secure your system. WARNING
+ - Don't try this mentioned iptables rule until you have the masquerading
+ working. You have to explicitely allow every packet through that you want
+ if you are going to set the last rule to be DENY.
+ (Undo with "iptables -P FORWARD ACCEPT")
+
+
+
+
+ Allow through any services you do want the internet to see.
- For an example, to allow access to your web server do:
+ For an example, to allow access to your web server do:
$> iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
$> iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT
- To allow ident (For connecting to irc etc) do
+ To allow ident (For connecting to irc etc) do
$> iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT
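Review bot: in the moved "Now you should start securing it!" paragraph, "set the last rule to be DENY" names a target iptables does not have (DENY is the ipchains name); the command quoted two lines earlier is "iptables -P FORWARD DROP", so say DROP, and "policy" rather than "last rule", since -P sets the chain policy. More importantly, once the FORWARD policy is DROP, masquerading for every client stops and the section never shows what to re-allow; the kernel option list above already requires CONFIG_IP_NF_MATCH_STATE, so the minimal pair would be `iptables -A FORWARD -i <internal card> -j ACCEPT` and `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`. The web-server and ident examples that follow open INPUT on the gateway itself, which is the right chain for services running on the gateway but does nothing for forwarded traffic; one sentence distinguishing INPUT (gateway) from FORWARD (clients) would prevent the usual confusion. Also "explicitely" -> "explicitly" and "preferrable" -> "preferable" in the text this hunk moves.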
@@ -451,6 +472,13 @@
$> iptables -t nat -L
+
+
+ It won't resolve IP's! I'm typing 'www.microsoft.com' in and it says
+ it can't find it!
+
+ - Make sure you add the dns server ip to all the clients.
+
It don't work! It doesn't like iptables / NAT / SNAT / MASQ
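Review bot: the new FAQ question says "It won't resolve IP's!" when the symptom is the opposite, names not resolving to addresses; phrase it as "It won't resolve hostnames!". The answer repeats the client DNS note added earlier in this patch; point at that paragraph, which also explains why it breaks (the ISP's DHCP server no longer reaches the clients), instead of duplicating it here.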
@@ -486,7 +514,7 @@
It still don't work!
- Hmm, does "dmesg | tail" give any errors?
- or "cat /var/log/messages | tail" ? Like I care tho...
+ or "cat /var/log/messages | tail" ? Like I care tho...
@@ -495,9 +523,9 @@
- I dunno.. but you should be able to:
- 1) From the gateway machine, ping the outside
- 2) From the gateway ping your internal machines
- 3) From the internal machines ping the gateway
+ 1) From the gateway machine, ping the outside
+ 2) From the gateway ping your internal machines
+ 3) From the internal machines ping the gateway
And this is before you play with masq'ing
@@ -508,7 +536,7 @@
- In the /etc/network/interfaces file, or
- firewall.rc. If you put it in the interfaces file, then put
+ firewall.rc. If you put it in the interfaces file, then put
it as a pre-up to the external interface, and have
"iptables -t nat -F" as the post-down.
@@ -518,24 +546,24 @@
How do I get it to only bring the ppp up on demand?
- Assuming your ISP gateway IP is say 23.43.12.43 for arguments sake, then
- append a line like this:
+ append a line like this:
- :23.43.12.43
+ :23.43.12.43
- to /etc/ppp/peers/provider at the end.
- (this is for dynamic IP - static IP would be
- my.external.ip.number:23.43.12.43 )
+ to /etc/ppp/peers/provider at the end.
+ (this is for dynamic IP - static IP would be
+ my.external.ip.number:23.43.12.43 )
- Then at the end of that file add on a newline:
+ Then at the end of that file add on a newline:
- demand
+ demand
- Pppd will remain in the background to redial the connection on demand
- if it's dropped until you do an "ifdown ppp0" or
- a "poff", unless you add
- a "nopersist" option, in which case pppd will exit after the connection
- is up. You can also add on a new line "idle 600" to disconnect after 10
- mins of idleness.
+ Pppd will remain in the background to redial the connection on demand
+ if it's dropped until you do an "ifdown ppp0" or
+ a "poff", unless you add
+ a "nopersist" option, in which case pppd will exit after the connection
+ is up. You can also add on a new line "idle 600" to disconnect after 10
+ mins of idleness.
@@ -544,13 +572,13 @@
The connection keeps dropping!
- First, do you have demand dialing? Is it just doing what it is supposed
- to?
- Check /etc/ppp/peers/provider, and make sure your dial up works fine
- before attempting masq'ing.
+ to?
+ Check /etc/ppp/peers/provider, and make sure your dial up works fine
+ before attempting masq'ing.
- Secondly, if not, then perhaps, like me, something is going weird, and
- you need to fall back to Linux 2.4.3 and see if that works instead.. dunno
- why.
+ you need to fall back to Linux 2.4.3 and see if that works instead.. dunno
+ why.
@@ -558,7 +586,7 @@
I hate doing this myself! I want a pre-made script and GUI and stuff.
- Sure:
- http://shorewall.sourceforge.net/
+ http://shorewall.sourceforge.net/
Eat your heart out!
@@ -582,7 +610,7 @@
How do I handle incomming services?
- Try forwarding or redirecting the IP ports - again make
- sure you firewall this if needed.
+ sure you firewall this if needed.
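Review bot: "Try forwarding or redirecting the IP ports" leaves the reader without the rule even though the page already uses the nat table elsewhere ("iptables -t nat -L"); an example of the form `iptables -t nat -A PREROUTING -i <outside card> -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80` would make the answer actionable, and with the FORWARD policy set to DROP it needs a matching FORWARD accept, which is exactly the "make sure you firewall this" caveat the answer hints at. Note also that the earlier FAQ answer recommends "iptables -t nat -F" as the post-down for the external interface, which flushes any such DNAT rule along with the MASQUERADE rule every time the link drops; say so here, or recommend deleting the specific rule with -D instead.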
@@ -591,10 +619,10 @@
address, but can't access the internet.
- Okay, try doing "rmmod iptable_filter" - more
- info on this as I get it.
+ info on this as I get it.
- Make sure your not running routed or
- gated - to check run
+ gated - to check run
"ps aux | grep -e routed -e gated".
- Look at http://ipmasq.cjb.net
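Review bot: "try doing rmmod iptable_filter" unloads the filter table and with it every INPUT, OUTPUT and FORWARD rule, i.e. it switches the host's firewall off as a diagnostic step; the answer should say that plainly, and say to reload the rules afterwards, rather than "more info on this as I get it". Also "Make sure your not running" -> "you're not running".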
@@ -612,13 +640,15 @@
I need more squid info and routing and stuff!
- Try the Advanced Routing HOWTO
- http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
+ http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
+
This howto is crap! How do I yell at the guys who wrote this?
- Go to #debian on irc.opensource.net and find and locate JohnFlux.
+ - Mail me (JohnFlux) at tapselj0@cs.man.ac.uk
@@ -629,7 +659,16 @@
- Consult the LDP Masq-HOWTO.
-
+
+
+
+ What else are you working on?
+
+ Currently I'm writing a guide on linux on anti-missile-missiles-made-simple.
+ There's no good guides on protecting your system from nuclear attacks
+ for newbies. People seem to think its rocket science or something..
+
+
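Review bot: the new "What else are you working on?" entry is a joke with no technical content placed inside the FAQ, after "Consult the LDP Masq-HOWTO."; readers scanning the FAQ for an answer will read it as one more question. Either drop it or move it out of the FAQ into a closing note.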