
Re: Exposed Host



Hi Chad,
I'm not sure I've completely understood your question,
but I assume you want your firewall to do
masquerading for some of the machines on your LAN, 
and not for others.

The line in your firewall script that specifies
masquerading will be something like:
ipchains -A forward -s 192.168.1.0/24 -j MASQ

This tells your Linux kernel to masquerade all
your IP addresses in the range 192.168.1.xxx.
This is one of the IP address ranges that is
reserved for local use, i.e. not visible to
the world outside your LAN. If one of your
tenants has a public IP address it will not
be in this range and will therefore not be
masqueraded.
In other words, if your system is set up in a
normal way, you need do nothing to your
masquerading. You still need to add lines
to your script to forward packets from outside
to your tenant's IP address, of course.

I hope this helps.
Nick
--- Chad Morgan <chad@chadmorgan.com> wrote:
> I have a box with a 2.2.17 kernel doing IP masquerading. I've figured out
> how to forward individual ports of the external address to individual ports
> on an internal address but how can I forward all traffic on all ports from
> the external address to one of the internal addresses?
> 
> I know this isn't very secure, but I'm not very concerned about security
> because it isn't our responsibility in this case. We manage a small office
> building of executive suites and provide high speed internet for our
> tenants on the DSL line. One of our tenants would like a public address. In
> this case it is his responsibility to secure his system.
> Could there be a risk to some of the other tenants by a cracker getting
> access to their systems through the host that has all traffic forwarded to
> it? But, I guess if there was they don't really understand the difference
> between private and public IP addresses and should consider themselves
> exposed anyway and security is again their responsibility since we haven't
> made any guarantees about their security.
> 
> Anyway, if this is possible using ipmasqadm or if someone has a better
> idea, I'd appreciate some advice.
> 
> Thanks
> 
> Chad Morgan
> 
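
An added example, not part of either message above: a simplified Python model of how the forward chain treats a packet, to check which hosts the quoted MASQ rule covers and which fall through to the chain policy. It models only `-P`, `-A`, `-s`, `-d` and `-j`; the `DENY` policy line and the addresses used to query it (documentation ranges) are constructed assumptions.

```python
import ipaddress
import shlex

# Constructed sample ruleset: the MASQ line is the one quoted in the reply;
# the policy line is an assumption added for illustration.
SAMPLE_RULES = """
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.0/24 -j MASQ
"""


def parse_forward_chain(script):
    """Return (policy, rules) for the forward chain; rules are (src, dst, target)."""
    policy, rules = "ACCEPT", []  # built-in chains default to policy ACCEPT
    for line in script.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) < 3 or words[0] != "ipchains" or words[2] != "forward":
            continue
        if words[1] == "-P" and len(words) >= 4:
            policy = words[3]
        elif words[1] == "-A":
            # Remaining words are option/value pairs in this simplified model.
            opts = dict(zip(words[3::2], words[4::2]))
            src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
            dst = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
            rules.append((src, dst, opts.get("-j")))
    return policy, rules


def verdict(script, src, dst):
    """First matching rule that has a target wins; otherwise the policy applies."""
    policy, rules = parse_forward_chain(script)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, target in rules:
        if target and s in rule_src and d in rule_dst:
            return target
    return policy


if __name__ == "__main__":
    # 192.168.1.20 is a private LAN host; 203.0.113.10 stands in for the
    # tenant's public address (constructed, documentation range).
    for host in ("192.168.1.20", "203.0.113.10"):
        print(host, "->", verdict(SAMPLE_RULES, host, "198.51.100.7"))
```

With a `DENY` forward policy the publicly addressed host is not masqueraded and is dropped unless an explicit rule accepts it; with the default `ACCEPT` policy it is forwarded with its own address.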

