
Re: Masquerading Problem



Hi Jean-Francois,

IP Masquerading will allow your workstation to get OUT into the internet, using the firewall's IP address.

You need portforwarding (separate module) for the internet to get IN.  Try reading this howto:
/usr/doc/HOWTO/en-txt/IP-Masquerade-HOWTO.txt

Basically, recompile your kernel, and turn on Experimental.  Then you have the ipmasquerade portforwarding modules available.

If you've set up IP Masquerading properly, then you can have your client set up with its default gateway as the IP address of the firewall.  Then the linux kernel does NAT (IP masquerading), and allows the client to surf the web or use the other 65000 ports as if it had a real IP address.  But this is outgoing (and incoming responses) only!

By using the portforwarding module described above, you can then forward incoming ports, and the kernel will NAT the other way.  This works pretty well, and is pretty easy to set up.  (this is for your internal Lotus Notes server)

You don't NEED squid to give your clients access to the internet.  You may want it for other purposes (web caching, giving clients access ONLY to the web (80), etc).  But for plain inet access, just a NATting linux kernel and setting the workstation gateways will get you there.

Attached is a sample script to configure ipchains properly.


Cory



On Mon, Jan 15, 2001 at 09:13:22AM +0100, Jean-Francois JOLY wrote:
> I have a problem with IP Masquerading on a debian box,
> I just installed a FireWall based on Debian 2.2 on an ADSL link (French provider 
> "Oleane") with a static IP.
> I run PPPoE to connect and it's just going smoothly.
> I've set up squid and client PC can surf perfectly but I can't manage to make 
> them access the net through masquerading. They can establish the connection but 
> they can't receive any data.
> For example with POP3, I use:
> ipchains -A forward -p tcp -s localnet/24 -d 0/0 80 -j MASQ
> 
> In fact, I've tried many different configurations and none seems to work.
> 
> The main purpose is to make an internal Lotus Notes server be accessible from 
> the net with port forwarding.
> 
> Thanks to anybody who can help.
> 
> ****************************************
> Jean-Francois JOLY
> ITIN - Institut des Techniques Informatiques
> Cergy Saint Christophe - FRANCE
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

#!/bin/sh
# A simple example of ipchains saved as /etc/rc.d/rc.firewall
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Load required ip_masq modules (FTP included here)
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp

# Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Assign external IP variables
extip="64.66.99.123"
extif="eth1"

# Assign internal IP variables
intif="eth0"
intnet="192.168.1.0/24"

# Initialize MASQ timeout and standard chains
ipchains -M -S 7200 10 60
ipchains -F input
ipchains -P input REJECT
ipchains -F output
ipchains -P output REJECT
ipchains -F forward
ipchains -P forward DENY

# Setup input policy
# local interface, local machines, going anywhere is valid
ipchains -A input -i $intif -s $intnet -d 0.0.0.0/0 -j ACCEPT

# reject IP spoofing where external computer claims to be a local
ipchains -A input -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT

# allow external access via external interface
ipchains -A input -i $extif -s 0.0.0.0/0 -d $extip/32 -j ACCEPT

# loopback interface is valid
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# Setup output policy
# traffic to the local network via the internal interface is allowed
ipchains -A output -i $intif -s 0.0.0.0/0 -d $intnet -j ACCEPT

# prevent traffic for local network from using external interface
ipchains -A output -i $extif -s 0.0.0.0/0 -d $intnet -l -j REJECT

# prevent unmasqueraded local-network source addresses from leaving via the external interface
ipchains -A output -i $extif -s $intnet -d 0.0.0.0/0 -l -j REJECT

# anything else can go out
ipchains -A output -i $extif -s $extip/32 -d 0.0.0.0/0 -j ACCEPT

# loopback interface is valid
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT


# Setup forwarding policy
# Masquerade local net traffic to anywhere
ipchains -A forward -i $extif -s $intnet -d 0.0.0.0/0 -j MASQ
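The following is an added example, not part of Cory's attached script or the list post, showing the two directions he describes side by side on an ipchains-era (2.2) kernel: MASQ on the forward chain for outbound traffic, and the ipmasqadm portfw module for one inbound port. The interface names and the external address reuse the placeholders from the script above; the internal Notes server address 192.168.1.10 and TCP port 1352 (the port Lotus Notes uses for NRPC) are assumptions, not values from the post. By default the script only prints the commands it would run; set FW_APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example: outbound masquerading plus one inbound port forward (ipchains/ipmasqadm).
# Placeholder addresses; notes_srv and notes_port are assumed, adjust for your site.

extif="eth1"
extip="64.66.99.123"        # external address (placeholder, as in the sample script)
intif="eth0"
intnet="192.168.1.0/24"
notes_srv="192.168.1.10"    # assumed internal Lotus Notes server
notes_port="1352"           # assumed: TCP port Lotus Notes (NRPC) listens on

# Run the command when FW_APPLY=1, otherwise print it (dry run).
run() {
    if [ "${FW_APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Kernel forwarding is off by default; without it clients can open
# connections but the replies never come back through the firewall.
enable_forwarding() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Outbound direction: masquerade the internal net as it leaves the
# external interface. On the forward chain -i names the OUTGOING interface.
masq_rules() {
    run ipchains -P forward DENY
    run ipchains -A forward -i "$extif" -s "$intnet" -d 0.0.0.0/0 -j MASQ
}

# Inbound direction: portfw needs the ip_masq_portfw module (the
# CONFIG_IP_MASQUERADE_IPPORTFW "Experimental" kernel option).
portfw_rules() {
    run modprobe ip_masq_portfw
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$extip" "$notes_port" -R "$notes_srv" "$notes_port"
    # The packet is still addressed to $extip when the input chain sees it,
    # so accept only that one port there; everything else stays at policy.
    run ipchains -A input -i "$extif" -p tcp -d "$extip/32" "$notes_port" -j ACCEPT
}

all_rules() {
    enable_forwarding
    masq_rules
    portfw_rules
}

all_rules
```

Keeping the accept rule on the input chain restricted to the single forwarded port is what makes this safer than opening the external interface wholesale: the forward chain policy stays DENY, the only thing that reaches the internal host is the one port explicitly mapped, and the masquerade rule does not let unrelated inbound packets through.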
