On Tue, Feb 22, 2000 at 10:31:41PM -0800, Joey Hess wrote:
> Jeff Sheinberg wrote:
> > so, how does your new scheme cleanly handle, in my case,
> > everything that I need to do to setup masquerading properly?
>
> I just converted over to using the new method, via stanzas like this:
>
> iface eth0:0 inet static
>         address 63.193.116.241
>         netmask 255.255.255.0
>         gateway 63.193.116.254

(Note that this is for a default gw)

>         echo 1 >/proc/sys/net/ipv4/ip_always_defrag
          ^^^

You probably want `up echo..' there.

>         up ipchains -P forward DENY
>         up ipchains -A forward -j MASQ -s 10.0.0.0/8

And actually, the point about having /etc/network/options be part of
/etc/network/interfaces makes a certain amount of sense.

        options inet
                forwarding              # implicitly yes
                always-defragment no
                syn-cookies yes

        iface eth0 inet static
                address 1.2.3.4
                netmask 255.255.255.0
                gateway 1.2.3.1

or similar, perhaps. Hmmm.

> That seems to work. It would be nice if there was a way to easily turn on
> IP masquerading via some simple keyword. Anthony?

        apt-get install ipmasq          # ?

I could do a `masquerade' option [0], I guess, but I don't want to end
up having different hardcoded options for every possibility under the
sun (``I want my smtp, bind, and http ports redirected to my firewall,
so what options do I add to /e/n/interfaces?''). There are some things
general scripts *are* better for, IMO.

Cheers,
aj

[0] Something like:

        iface eth1 inet static
                address 1.2.4.1
                netmask 255.255.255.0
                network 1.2.4.0
                option masquerade

    maybe.

--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.
``The thing is: trying to be too generic is EVIL. It's stupid, it
results in slower code, and it results in more bugs.''
-- Linus Torvalds
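The missing `up' pointed out in the reply above is the kind of slip a small check can catch before the file is used. The following is an added example, not part of the original message and not ifupdown's own code: a Python linter that flags lines inside an iface stanza that are neither an option nor a command hook. The option set is an assumption covering only the `inet static' method, and the sample is the quoted stanza, constructed here with indentation.

```python
# Added example: lint ifupdown "iface" stanzas for lines that are neither a
# recognised option nor a command hook, such as a bare shell command.

# Hooks whose argument is run as a command when the interface changes state.
HOOKS = {"up", "down", "pre-up", "post-down"}
# Assumption: options accepted by the "inet static" method only.
STATIC_OPTIONS = {"address", "netmask", "gateway", "network", "broadcast"}
# Keywords that begin a new stanza and therefore end the current iface block.
STANZA_STARTERS = {"iface", "auto", "mapping"}


def lint_interfaces(text):
    """Return (line_number, line, message) for each suspicious stanza line."""
    findings = []
    in_iface = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] in STANZA_STARTERS:
            in_iface = words[0] == "iface"
            continue
        if not in_iface:
            continue
        if words[0] in HOOKS:
            if len(words) == 1:
                findings.append((lineno, line, "hook has no command"))
            continue
        if words[0] not in STATIC_OPTIONS:
            findings.append((lineno, line, "not an option or hook; "
                             "prefix a command with 'up'"))
    return findings


# Constructed sample: the stanza quoted in the message, indented for clarity.
SAMPLE = """\
iface eth0:0 inet static
    address 63.193.116.241
    netmask 255.255.255.0
    gateway 63.193.116.254
    echo 1 >/proc/sys/net/ipv4/ip_always_defrag
    up ipchains -P forward DENY
    up ipchains -A forward -j MASQ -s 10.0.0.0/8
"""

if __name__ == "__main__":
    for lineno, line, message in lint_interfaces(SAMPLE):
        print(f"line {lineno}: {line!r}: {message}")
```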