old-www/HOWTO/Masquerading-Simple-HOWTO/post-install.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Post-install Instructions</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Masquerading Made Simple HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Bitmore indepth version"
HREF="indepth.html"><LINK
REL="NEXT"
TITLE="FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions"
HREF="faq.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Masquerading Made Simple HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="indepth.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="faq.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="POST-INSTALL"
></A
>4. Post-install Instructions</H1
><P
>     And it should all work now.  Don't forget to:
    </P
><P
></P
><UL
><LI
><P
>	Setup all the clients on the internal network to point to the Linux
	internal IP address as their gateway.
	(In windows right-click network neighbourhood-&#62;properties-&#62;gateway
	then change it to the Linux gateway internal ip.)
       </P
></LI
><LI
><P
>	Setup all the clients to use your ISP's HTTP proxy if they have one,
	use a transparent proxy (WARNING - I've heard reports of transparent
	proxying to be very slow on very big networks), or run squid on your
	new linux gateway.  (This is optional, but preferrable for large networks)
       </P
></LI
><LI
><P
>	Be sure to specify a DNS when setting up your clients.  Otherwise
	you will get errors on the clients saying 'cannot resolve address'
	etc.  If DNS used to work (URL address worked) but doesn't after
	you setup Masquerading, this is because your ISP's/network's DHCP
	server can no longer tell you what the DNS address is.
       </P
><P
>	[Offtopic] I wonder if you could simply send out a dhcp broadcast
	that just forwards on the dns server (and http_proxy while you're at
	it) without having to setup a dhcp server (or even if you do).
	Can someone mail me about this? :)
       </P
><P
>	Thanks to Richard Atcheson for pointing this out.
       </P
></LI
><LI
><P
>	Now you should start securing it!  First turn off forwarding in general:
	"<B
CLASS="COMMAND"
>iptables -P FORWARD DROP</B
>", and then learn how to use
	iptables and <TT
CLASS="FILENAME"
>/etc/hosts.allow</TT
> and 
	<TT
CLASS="FILENAME"
>/etc/hosts.deny</TT
> to secure your system.  WARNING 
	- Don't try this mentioned iptables rule until you have the masquerading
	working.  You have to explicitely allow every packet through that you want
	if you are going to set the last rule to be DENY. 
	(Undo with "<B
CLASS="COMMAND"
>iptables -P FORWARD ACCEPT</B
>")
       </P
></LI
><LI
><P
>	Allow through any services you do want the internet to see.
       </P
><P
>	For an example, to allow access to your web server do:
       </P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
><TT
CLASS="PROMPT"
>$&#62;</TT
> <B
CLASS="COMMAND"
>iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT</B
>
<TT
CLASS="PROMPT"
>$&#62;</TT
> <B
CLASS="COMMAND"
>iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT</B
></PRE
></FONT
></TD
></TR
></TABLE
><P
>	To allow ident (For connecting to irc etc) do
       </P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
><TT
CLASS="PROMPT"
>$&#62;</TT
> <B
CLASS="COMMAND"
>iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT</B
></PRE
></FONT
></TD
></TR
></TABLE
></LI
></UL
><P
>     To test it:
    </P
><P
></P
><UL
><LI
><P
>       Try connecting from a client to the web using an IP.  Google's IP is
       216.239.33.100 (well that's one of them) and you should be able to get a
       reply from that.  e.g. "<B
CLASS="COMMAND"
>ping 216.239.33.100</B
>"
       "<B
CLASS="COMMAND"
>lynx 216.239.33.100</B
>".
      </P
></LI
><LI
><P
>       Try a full out connection by name. e.g. "<B
CLASS="COMMAND"
>ping google.com</B
>" 
       "<B
CLASS="COMMAND"
>lynx google.com</B
>" or from Internet Explorer / netscape.
      </P
></LI
></UL
><P
>     Where eth0 is the external Internet card, and 123.12.23.43 is the external
     ip of that machine.
    </P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="indepth.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="faq.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Bitmore indepth version</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>