Re: Masquerading
You're over-complicating stuff.
Just set your reply-to header to your email address, and send it to a
mailserver on the gateway box.
Basically, to use masquerading, read the IP-MASQ mini-howto
(zless /usr/doc/HOWTO/mini/IP-Masq*gz) and compile the options listed into
your kernel. If you use 2.1.125, this uses IPchains; the IPchains howto is
in /usr/doc/netbase/ or something. I've made a firewalling/masquerading
script that handles dynamic interface IPs etc. and put it at
www.spoons.gen.nz/firewall-2/; there is also an IPchains patch in there for
2.0 series kernels.
Also, use fetchmail to get mail from your provider.
James Spooner - james@spoons.gen.nz
-----------------------------------
I mess with computers.
On Sun, 11 Oct 1998, Jens Hellmerichs-Friedrich wrote:
> Hi,
>
> RTFM about masquerading:
> man ipfwadm
> ....
> -m Masquerade packets accepted for forwarding. When
> this option is set, packets accepted by this rule
> will be masqueraded as if they originated from the
> local host. Furthermore, reverse packets will be
> recognized as such and they will be demasqueraded
> automatically, bypassing the forwarding firewall.
> This option is only valid in forwarding firewall
> rules with policy accept (or when specifying accept
> as default policy) and can only be used when the
> kernel is compiled with CONFIG_IP_MASQUERADE
> defined.
> ....
> man ipfw
> ....
> This paragraph describes the way a packet goes through the
> firewall and accounting rules. Packets received via one
> of the local network interface will pass the following
> sets of rules:
> accounting (incoming device)
> input firewall (incoming device)
> Here, the device (network interface) that is used when
> trying to match a rule with an IP packet is listed between
> brackets. After this step, a packet will optionally be
> redirected to a local socket. When a packet has to be
> forwarded to a remote host, it will also pass the next set
> of rules:
> forwarding firewall (outgoing device)
> After this step, a packet will optionally be masqueraded.
> Responses to masqueraded packets will never pass the
> forwarding firewall (but they will pass both the input and
> output firewalls). All packets sent via one of the local
> network interfaces, either locally generated or being
> forwarded, will pass the following sets of rules:
> output firewall (outgoing device)
> accounting (outgoing device)
> Note that masqueraded packets will pass the output
> firewall and accounting rules with the new packet headers
> (after passing the input and forwarding firewall with the
> original headers). Also, responses to masqueraded packets
> will have different headers when passing the input and
> output firewall rules.
> ....
>
> Now, I want to set up masquerading with this topology:
>
> Provider (ISP-IP) <---> FW/MASQU (FW-IP) <---> INTERNAL (OWN-IP)
>
> Consider sending mail from OWN-IP to ISP-IP with masquerading:
> The firewall will use IP-Headers:
> incoming: OWN-IP
> forward : OWN-IP
> outgoing: FW-IP (masqueraded, uses temp. port)
> and responses will use:
> incoming: FW-IP (temp. port)
> outgoing: OWN-IP
> without forwarding.
>
> This leads to the following:
>
> - in order to masquerade the packets, they must be accepted for forwarding
> with original IP-Header.
> - outgoing IP-Headers are using FW-IP on temporary port
>
> => in order to use masquerading, I have to allow the
> temporarily used "masquerade-ports" on the firewall in incoming direction!
>
> What about e.g. incoming mail ?
>
> The ISP only knows the (masqueraded) FW-IP as a reachable host. So to get
> incoming mail working, IP-Redirection has to be used, to connect the
> incoming SMTP-connection to the mailhost.
>
> Result:
> 1) I don't want to allow any connection with destination address
> of my firewall
> 2) IP-Redirection is in alpha/beta yet (?), so I don't want to
> use this too,
> 3) In order to use masquerading, I have to use a dedicated masquerading
> host, e.g. with the following topology:
>
> Provider (ISP-IP) <---> FW (FW-IP) <---> MASQU (MQ-IP) <---> INTERNAL (OWN-IP)
>
> Any suggestions for this scenario ?
> Is my interpretation correct ?
> How do you setup masquerading ?
>
> --
> MfG
> Jens Hellmerichs-Friedrich
>
> http://www.fen.baynet.de/jens.hellmerichs-friedrich
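The packet flow discussed in this thread, as an added example that is not part of either message: a simplified Python model of a masquerading gateway showing which headers the input, forwarding and output rule sets see, and that a packet arriving on a temporary port is rewritten to an internal host only when it matches a tracked connection. The class name, the addresses and the starting port 61000 are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class MasqGateway:
    """Simplified model of a masquerading firewall (not kernel code)."""

    def __init__(self, fw_ip, first_port=61000):   # first_port: assumed value
        self.fw_ip = fw_ip
        self.next_port = first_port
        # (temp port, remote ip, remote port) -> (internal ip, internal port)
        self.table = {}

    def outbound(self, pkt):
        """Internal host -> provider. Returns (rule set, headers seen) pairs."""
        seen = [("input", pkt), ("forward", pkt)]      # original headers
        port = self.next_port
        self.next_port += 1
        self.table[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        seen.append(("output", replace(pkt, src=self.fw_ip, sport=port)))
        return seen

    def inbound(self, pkt):
        """Provider -> FW-IP. Replies skip the forwarding rules entirely."""
        seen = [("input", pkt)]                        # still addressed to FW-IP
        owner = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != self.fw_ip or owner is None:
            return seen    # no tracked connection: never rewritten or passed inside
        seen.append(("output", replace(pkt, dst=owner[0], dport=owner[1])))
        return seen

if __name__ == "__main__":
    # Constructed addresses: OWN-IP, FW-IP and ISP-IP from the topology above.
    own, fw, isp = "192.168.1.10", "203.0.113.1", "198.51.100.25"
    gw = MasqGateway(fw)
    for stage, p in gw.outbound(Packet(own, 1025, isp, 25)):
        print("out", stage, p)
    for stage, p in gw.inbound(Packet(isp, 25, fw, 61000)):
        print("reply", stage, p)
    for stage, p in gw.inbound(Packet("198.51.100.99", 4000, fw, 61000)):
        print("stray", stage, p)
```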