299 lines
5.2 KiB
HTML
299 lines
5.2 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Post-install Instructions</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Masquerading Made Simple HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Bitmore indepth version"
|
|
HREF="indepth.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions"
|
|
HREF="faq.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Masquerading Made Simple HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="indepth.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="faq.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="POST-INSTALL"
|
|
></A
|
|
>4. Post-install Instructions</H1
|
|
><P
|
|
> And it should all work now. Don't forget to:
|
|
</P
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> Setup all the clients on the internal network to point to the Linux
|
|
internal IP address as their gateway.
|
|
(In windows right-click network neighbourhood->properties->gateway
|
|
then change it to the Linux gateway internal ip.)
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Setup all the clients to use your ISP's HTTP proxy if they have one,
|
|
use a transparent proxy (WARNING - I've heard reports of transparent
|
|
proxying to be very slow on very big networks), or run squid on your
|
|
new linux gateway. (This is optional, but preferrable for large networks)
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Be sure to specify a DNS when setting up your clients. Otherwise
|
|
you will get errors on the clients saying 'cannot resolve address'
|
|
etc. If DNS used to work (URL address worked) but doesn't after
|
|
you setup Masquerading, this is because your ISP's/network's DHCP
|
|
server can no longer tell you what the DNS address is.
|
|
</P
|
|
><P
|
|
> [Offtopic] I wonder if you could simply send out a dhcp broadcast
|
|
that just forwards on the dns server (and http_proxy while you're at
|
|
it) without having to setup a dhcp server (or even if you do).
|
|
Can someone mail me about this? :)
|
|
</P
|
|
><P
|
|
> Thanks to Richard Atcheson for pointing this out.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Now you should start securing it! First turn off forwarding in general:
|
|
"<B
|
|
CLASS="COMMAND"
|
|
>iptables -P FORWARD DROP</B
|
|
>", and then learn how to use
|
|
iptables and <TT
|
|
CLASS="FILENAME"
|
|
>/etc/hosts.allow</TT
|
|
> and
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/hosts.deny</TT
|
|
> to secure your system. WARNING
|
|
- Don't try this mentioned iptables rule until you have the masquerading
|
|
working. You have to explicitely allow every packet through that you want
|
|
if you are going to set the last rule to be DENY.
|
|
(Undo with "<B
|
|
CLASS="COMMAND"
|
|
>iptables -P FORWARD ACCEPT</B
|
|
>")
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Allow through any services you do want the internet to see.
|
|
</P
|
|
><P
|
|
> For an example, to allow access to your web server do:
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
><TT
|
|
CLASS="PROMPT"
|
|
>$></TT
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT</B
|
|
>
|
|
<TT
|
|
CLASS="PROMPT"
|
|
>$></TT
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT</B
|
|
></PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> To allow ident (For connecting to irc etc) do
|
|
</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
><TT
|
|
CLASS="PROMPT"
|
|
>$></TT
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT</B
|
|
></PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></UL
|
|
><P
|
|
> To test it:
|
|
</P
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> Try connecting from a client to the web using an IP. Google's IP is
|
|
216.239.33.100 (well that's one of them) and you should be able to get a
|
|
reply from that. e.g. "<B
|
|
CLASS="COMMAND"
|
|
>ping 216.239.33.100</B
|
|
>"
|
|
"<B
|
|
CLASS="COMMAND"
|
|
>lynx 216.239.33.100</B
|
|
>".
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Try a full out connection by name. e.g. "<B
|
|
CLASS="COMMAND"
|
|
>ping google.com</B
|
|
>"
|
|
"<B
|
|
CLASS="COMMAND"
|
|
>lynx google.com</B
|
|
>" or from Internet Explorer / netscape.
|
|
</P
|
|
></LI
|
|
></UL
|
|
><P
|
|
> Where eth0 is the external Internet card, and 123.12.23.43 is the external
|
|
ip of that machine.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="indepth.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="faq.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Bitmore indepth version</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |