Re: firewall and ip-masquerading
Something that no one ever mentions as a response to this kind of question
is the "ipmasq" package. The default kernel comes with support for
masquerading and ipchains, but disabled. By turning those features on
through the /proc file system, you'll be able to do what you want to do
without a kernel recompile. The kernel will be bloated with features you
don't need but it'll work.
The ipmasq package automatically works for ppp configurations, though I've
never tried it with a setup with only ethernet NICs. My assumption would
be that it will think eth0 is your private network, and eth1 is a public
network. It automatically sets up rules to prevent attacks like outsiders
claiming to be on your private network and other spoofing scenarios, and
is designed to go up and down with your network connection, which is ideal
for people with dynamically assigned IP addresses. Modem, cable modem,
ISDN and DSL users come to mind.
It's kind of hard to figure out from looking at the scripts under
/etc/ipmasq/rules, but with enough looking, you can take advantage of the
variables to create ipchains that work with changing IPs. I've done it at
home, and am pretty happy with the results. The same setup works for both
my dsl and modem connections (just in case dsl dies and I need to use the
analog modem).
Is there a reason people shy away from this, besides the lack of good
documentation?
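As an added illustration (not code from the post or from the ipmasq package), the following shell script shows the pattern the post describes: turn forwarding on through /proc, then derive the ipchains masquerading and anti-spoofing rules from variables so the same script works whatever address the public interface was handed this time. The variable names, the interface names, and the sample addresses are all assumptions made here; ipmasq's own scripts under /etc/ipmasq/rules use their own naming. By default the script only prints the commands it would run, so it can be inspected on a machine without ipchains.

```shell
#!/bin/sh
# Added example: build an ipchains masquerading rule set from variables
# so it survives a changing public IP. Not the ipmasq package's own code;
# variable and interface names below are placeholders chosen for this example.

# Look up the current IPv4 address of an interface with ip(8).
# Assumption: iproute2 is installed; returns an empty string if not found.
ext_ip_of() {
    ip -4 -o addr show dev "$1" 2>/dev/null \
        | sed -n 's/.* inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Emit the commands for one external interface/address and one private net.
# $1 = public interface, $2 = its current address,
# $3 = private interface, $4 = private network in CIDR form.
masq_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3; int_net=$4
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -F input
ipchains -F forward
ipchains -P forward DENY
# anti-spoofing: packets arriving on the public side must not claim a private source
ipchains -A input -i $ext_if -s $int_net -j DENY -l
# anti-spoofing: nor may they claim to come from our own public address
ipchains -A input -i $ext_if -s $ext_ip -j DENY -l
# only the private network may be forwarded, and only out the public interface
ipchains -A forward -i $ext_if -s $int_net -j MASQ
EOF
}

# Count the rule lines (ignoring comments) so a caller can sanity-check the set.
rule_count() {
    masq_rules "$@" | grep -c '^ipchains'
}

# Apply the rule set: print it unless APPLY=1, in which case run it as root.
# Called from a ppp ip-up hook (or a DHCP hook), this re-derives rules each time.
apply_rules() {
    ext_if=${EXT_IF:-ppp0}
    ext_ip=${EXT_IP:-$(ext_ip_of "$ext_if")}
    int_if=${INT_IF:-eth0}
    int_net=${INT_NET:-192.168.1.0/24}   # constructed sample private network
    if [ -z "$ext_ip" ]; then
        echo "no address on $ext_if; not applying rules" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = "1" ]; then
        masq_rules "$ext_if" "$ext_ip" "$int_if" "$int_net" | sh -e
    else
        masq_rules "$ext_if" "$ext_ip" "$int_if" "$int_net"
    fi
}

# Dry run when executed directly: EXT_IP=10.0.0.5 is a constructed sample address.
if [ "${0##*/}" != "sh" ] && [ -z "$MASQ_NO_MAIN" ]; then
    EXT_IP=${EXT_IP:-10.0.0.5} apply_rules
fi
```

Hooking `APPLY=1 EXT_IF=ppp0 ./masq.sh` into /etc/ppp/ip-up.d (or the equivalent for a DHCP client) rebuilds the rules every time the link comes up, which is the "go up and down with your network connection" behaviour the post describes; the two `-l` DENY rules log anything that hits them, so spoofed packets show up in syslog rather than vanishing silently.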