
Re: Masquerading



You're over-complicating stuff.

Just set your reply-to header to your email address, and send it to a
mailserver on the gateway box.

Basically, to use masquerading, read the IP-MASQ mini-howto
(zless /usr/doc/HOWTO/mini/IP-Masq*gz) and compile the options listed into
your kernel.  If you use 2.1.125 this uses IPchains; the IPchains howto is
in /usr/doc/netbase/ or something. I've made a firewalling/masquerading
script that handles dynamic interface IPs etc. and put it at
www.spoons.gen.nz/firewall-2/; there is also an IPchains patch in there for
2.0 series kernels.

Also, use fetchmail to get mail from your provider. 


James Spooner - james@spoons.gen.nz
-----------------------------------
I mess with computers.


On Sun, 11 Oct 1998, Jens Hellmerichs-Friedrich wrote:

> Hi,
> 
> RTFM about masquerading:
> man ipfwadm
> ....
>        -m     Masquerade  packets  accepted for forwarding.  When
>               this option is set, packets accepted by  this  rule
>               will  be masqueraded as if they originated from the
>               local host.  Furthermore, reverse packets  will  be
>               recognized  as  such and they will be demasqueraded
>               automatically, bypassing the  forwarding  firewall.
>               This  option  is  only valid in forwarding firewall
>               rules with policy accept (or when specifying accept
>               as  default  policy)  and can only be used when the
>               kernel  is   compiled   with   CONFIG_IP_MASQUERADE
>               defined.
> ....
> man ipfw
> ....
>        This paragraph describes the way a packet goes through the      
>        firewall  and  accounting rules.  Packets received via one
>        of the local network interface  will  pass  the  following
>        sets of rules:
>               accounting (incoming device)
>               input firewall (incoming device)
>        Here,  the  device  (network  interface) that is used when
>        trying to match a rule with an IP packet is listed between
>        brackets.   After  this  step, a packet will optionally be
>        redirected to a local socket.  When a  packet  has  to  be
>        forwarded to a remote host, it will also pass the next set
>        of rules:
>               forwarding firewall (outgoing device)
>        After this step, a packet will optionally be  masqueraded.
>        Responses  to masqueraded packets will never pass the for-
>        warding firewall (but they will pass both  the  input  and
>        output  firewalls).  All packets sent via one of the local
>        network interfaces, either locally generated or being for-
>        warded, will pass the following sets of rules:
>               output firewall (outgoing device)
>               accounting (outgoing device)
>        Note  that  masqueraded packets will pass the output fire-
>        wall and accounting rules  with  the  new  packet  headers
>        (after  passing the input and forwarding firewall with the
>        original headers).  Also, responses to masqueraded packets
>        will  have  different  headers  when passing the input and
>        output firewall rules.
> ....
> 
> Now, I want to set up masquerading with this topology:
> 
> Provider (ISP-IP) <---> FW/MASQU (FW-IP) <---> INTERNAL (OWN-IP)
> 
> Consider sending mail from OWN-IP to ISP-IP with masquerading:
> The firewall will use IP-Headers:
>   incoming: OWN-IP
>   forward : OWN-IP
>   outgoing: FW-IP  (masqueraded, uses temp. port)
> and responses will use:
>   incoming: FW-IP  (temp. port)
>   outgoing: OWN-IP
> without forwarding.
> 
> This leads to the following:
> 
> - in order to masquerade the packets, they must be accepted for forwarding
>   with original IP-Header.
> - outgoing IP-Headers are using FW-IP on temporary port
> 
> => in order to use masquerading, I have to allow the
>    temporarily used "masquerade-ports" on the firewall in the incoming direction!
> 
> What about e.g. incoming mail ?
> 
> The ISP only knows the (masqueraded) FW-IP as a reachable host. So to get
> incoming mail working, IP-Redirection has to be used to connect the
> incoming SMTP connection to the mailhost.
> 
> Result:
> 1) I don't want to allow any connection with the destination address
>    of my firewall
> 2) IP-Redirection is still in alpha/beta (?), so I don't want to
>    use this either,
> 3) In order to use masquerading, I have to use a dedicated masquerading
>    host, e.g. with the following topology:
> 
> Provider (ISP-IP) <---> FW (FW-IP) <---> MASQU (MQ-IP) <---> INTERNAL (OWN-IP)
> 
> Any suggestions for this scenario ?
> Is my interpretation correct ?
> How do you setup masquerading ?
> 
> --
> MfG
>     Jens Hellmerichs-Friedrich
> 
> http://www.fen.baynet.de/jens.hellmerichs-friedrich
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
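To make the header flow Jens lays out concrete, here is an added toy model (example code written for this archive page, not code from the thread, from the kernel or from ipfwadm) that walks a packet through the input, forwarding, masquerade and output stages in the order the quoted man pages describe; the addresses, ports and the temporary masquerade port range are assumed values.

```python
# Toy model of the ipfwadm/ipfw packet path quoted in the thread: outbound
# packets go input -> forwarding -> masquerade -> output; replies are
# demasqueraded right after the input firewall and skip the forwarding one.
ISP_IP, FW_IP, OWN_IP = "198.51.100.10", "203.0.113.1", "192.168.1.5"
MASQ_PORT_BEGIN, MASQ_PORT_END = 61000, 65096   # assumed temp-port range

class Masquerader:
    def __init__(self):
        self.table = {}                  # temp port -> (orig src, orig sport)
        self.next_port = MASQ_PORT_BEGIN

    def traverse(self, pkt, allow):
        """pkt: dict(src, sport, dst, dport); allow(chain, pkt) -> bool stands
        in for the rule sets. Returns (chains passed, header on exit or None)."""
        path = []
        if not allow("input", pkt):      # input sees on-the-wire headers
            return path, None
        path.append("input")
        entry = self.table.get(pkt["dport"]) if pkt["dst"] == FW_IP else None
        if entry:                        # reply to a masqueraded flow
            pkt = dict(pkt, dst=entry[0], dport=entry[1])
            path.append("demasq")        # no forwarding-firewall check
        elif pkt["dst"] == FW_IP:        # unsolicited, for the firewall itself
            path.append("local")
            return path, pkt
        else:
            if not allow("forward", pkt):   # still carries OWN-IP as source
                return path, None
            path.append("forward")
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = (pkt["src"], pkt["sport"])
            pkt = dict(pkt, src=FW_IP, sport=port)   # FW-IP + temp port
            path.append("masq")
        if not allow("output", pkt):     # output sees the rewritten headers
            return path, None
        path.append("output")
        return path, pkt

def no_conn_to_fw(chain, pkt):           # Jens's wish 1): nothing to FW-IP
    return pkt["dst"] != FW_IP

def allow_masq_replies(chain, pkt):      # admit FW-IP only in the temp range
    return pkt["dst"] != FW_IP or MASQ_PORT_BEGIN <= pkt["dport"] < MASQ_PORT_END

def smtp_round_trip(allow):              # OWN-IP -> ISP-IP:25, then the reply
    m = Masquerader()
    out = m.traverse(dict(src=OWN_IP, sport=1025, dst=ISP_IP, dport=25), allow)
    if out[1] is None:
        return out, None
    reply = dict(src=ISP_IP, sport=25, dst=out[1]["src"], dport=out[1]["sport"])
    return out, m.traverse(reply, allow)
```

Running smtp_round_trip with each policy shows the trade-off Jens describes: no_conn_to_fw drops the reply at the input firewall because it arrives addressed to FW-IP on the temporary port, while allow_masq_replies lets it through demasqueraded but also admits unsolicited packets to those ports on the firewall itself (the "local" path), since only packets matching an existing masquerade entry are rewritten.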

