
Re: forwarding

On Mon, Aug 26, 2002 at 11:10:04AM +0200, Karolina Lindqvist wrote:
> up. I can of course (hopefully) put the commands in
> /etc/ppp/ip-up, but is that really how it is supposed to be done? Sometimes I do things
> to get them working, but then Debian has a different opinion and something stops
> working later, when you least expect it. In this case there is also the risk
> of security holes.

/etc/ppp/ip-up sounds like a good option.

> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> The last one was perfectly logical. :-)
> I don't understand more of it, except that it actually solves the problem.

Read The Fine Manual?

-t, --table table
  This option specifies the packet matching table which the command should operate on.
  If the kernel is configured with automatic module loading, an attempt will be made to
  load the appropriate module for that table if it is not already there.

nat    This table is consulted when a packet that creates a new connection is encountered.
  It consists of three built-ins: PREROUTING (for altering packets as soon as they come
  in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING
  (for altering packets as they are about to go out).

-o, --out-interface [!] name
  Name of an interface via which a packet is going to be sent (for packets entering the
  FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the
  interface name, the sense is inverted. If the interface name ends in a "+", then any
  interface which begins with this name will match. If this option is omitted, any
  interface name will match.

-j, --jump target
  This specifies the target of the rule; i.e., what to do if the packet matches it.
  The target can be a user-defined chain (other than the one this rule is in), one of
  the special builtin targets which decide the fate of the packet immediately, or an
  extension (see EXTENSIONS below). If this option is omitted in a rule, then matching
  the rule will have no effect on the packet's fate, but the counters on the rule will
  be incremented.

MASQUERADE
  This target is only valid in the nat table, in the POSTROUTING chain. It should only be
  used with dynamically assigned IP (dialup) connections: if you have a static IP address, you
  should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP
  address of the interface the packet is going out, but also has the effect that connections
  are forgotten when the interface goes down. This is the correct behavior when the next
  dialup is unlikely to have the same interface address (and hence any established connections
  are lost anyway).

Peter Mathiasson, peter at mathiasson dot nu, http://www.mathiasson.nu
GPG Fingerprint: A9A7 F8F6 9821 F415 B066 77F1 7FF5 C2E6 7BF2 F228
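As an added example, not taken from either poster, here is what a /etc/ppp/ip-up fragment could look like that applies the two commands from the thread and also addresses the "security hole" worry by only forwarding traffic that originates on the LAN. It assumes a LAN interface eth0 and network 192.168.1.0/24 (placeholders), an iptables that supports -C for rule checks, and that pppd invokes the script with the interface name as its first argument.

```shell
#!/bin/sh
# Hypothetical /etc/ppp/ip-up fragment (added example, not from the thread).
# pppd calls ip-up as: ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Set DRY_RUN=1 to print the commands instead of executing them (root needed otherwise).
# Assumes an iptables with the -C (check) option, i.e. 1.4.11 or newer.

LAN_IF="${LAN_IF:-eth0}"              # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed private LAN range

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Append a rule only if it is not already present, so that repeated dial-ups
# do not pile up duplicate rules in the chains.
ensure_rule() {
    table="$1"; shift
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$@"
}

setup_masquerade() {
    ppp_if="$1"
    # Same effect as "echo 1 > /proc/sys/net/ipv4/ip_forward" in the thread.
    run sysctl -w net.ipv4.ip_forward=1
    # Forward only what comes from the LAN, plus the replies to it; anything else
    # arriving on the dial-up link is dropped rather than routed into the LAN.
    ensure_rule filter FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$ppp_if" -j ACCEPT
    ensure_rule filter FORWARD -i "$ppp_if" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ensure_rule filter FORWARD -i "$ppp_if" -j DROP
    # The rule from the thread, restricted to the LAN range: rewrite the source
    # address to the dial-up interface's address on the way out.
    ensure_rule nat POSTROUTING -s "$LAN_NET" -o "$ppp_if" -j MASQUERADE
}

# Act only for the ppp interface pppd hands us, never for other links.
case "${1:-}" in
    ppp*) setup_masquerade "$1" ;;
esac
```

Because MASQUERADE forgets its connection state when the link goes down, the filter rules above are what keep unsolicited traffic from the dial-up side out of the LAN between and during sessions.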
