
Question about MASQ chain behavior in ipchains



I'm confused by a couple of points in the IPCHAINS-HOWTO
(http://metalab.unc.edu/mdw/HOWTO/IPCHAINS-HOWTO-7.html#ss7.4). Hope
someone who understands this can clear this up.

In the "Serious Example," the Internal network is masqueraded to
External via a chain jumped to from the FORWARD chain:

<--snip-->
Good (internal) to Bad (external).

ipchains -A good-bad -p tcp --dport www -j MASQ
ipchains -A good-bad -p tcp --dport ssh -j MASQ
ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
ipchains -A good-bad -p tcp --dport ftp -j MASQ
ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
ipchains -A good-bad -j REJECT -l
<--snip-->

Then in the rules for the External interface, only certain ports appear
to be let back in. I presume that the second and third rules with
destination ports 61000:65095 are for returning masqueraded packets, eh?

<--snip-->
Bad (external) interface.

ipchains -A bad-if -i ! ppp0 -j DENY -l
ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A bad-if -j icmp-acc
ipchains -A bad-if -j DENY
<--snip-->

This example doesn't make clear to me what happens to packets from the
Internal network when they're jumped to MASQ. Do they get a new port (in
the range 61000:65095) in addition to the masqueraded ip address so that
when they come back they get past the Bad interface to get
demasqueraded? Or do they just go around the Bad interface because in
some other fashion they're identified as masqueraded packets through
something MASQ does?

Just trying to grok what goes on here. TIA for any help!

Stan
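As an added model of the behaviour the post asks about (illustration only, not code from the HOWTO or from Stan's mail): MASQ rewrites the source address and assigns a new source port from 61000:65095, so the server's reply comes back to the external address with a destination port in that range, is accepted by the bad-if rules on the input chain, and is then demasqueraded to the original internal host. The addresses and the lookup-table layout are constructed assumptions; only the port range comes from the quoted rules.

```python
"""Toy model of ipchains MASQ source-port rewriting and the bad-if return path.

Added illustration, not code from the HOWTO or the post. The masquerade port
range 61000:65095 is the one in the quoted rules; addresses and the table
layout are constructed for the model.
"""
from dataclasses import dataclass, replace

EXTERNAL_IP = "203.0.113.1"         # constructed: the firewall's ppp0 address
MASQ_PORTS = range(61000, 65096)    # dport 61000:65095 inclusive, as in bad-if

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Masquerader:
    """What the MASQ target does: rewrite outbound src ip:port, undo it on replies."""

    def __init__(self):
        self._table = {}            # (proto, masq_port) -> (orig_src, orig_sport)
        self._next = iter(MASQ_PORTS)

    def masq(self, pkt):
        port = next(self._next)     # new source port from the masquerade range
        self._table[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=EXTERNAL_IP, sport=port)

    def demasq(self, pkt):
        key = (pkt.proto, pkt.dport)
        if pkt.dst != EXTERNAL_IP or key not in self._table:
            return None             # not a reply to anything we masqueraded
        orig_src, orig_sport = self._table[key]
        return replace(pkt, dst=orig_src, dport=orig_sport)

def bad_if_accepts(pkt):
    """The two TCP/UDP rules in bad-if: dport 61000:65095 -> ACCEPT, else not."""
    return pkt.proto in ("tcp", "udp") and pkt.dport in MASQ_PORTS

def round_trip(masq, outbound):
    """Masquerade an internal packet, build the server's reply, filter, demasquerade."""
    wire = masq.masq(outbound)
    reply = Packet(wire.proto, wire.dst, wire.dport, wire.src, wire.sport)
    return masq.demasq(reply) if bad_if_accepts(reply) else None
```

An unsolicited inbound packet to a low port has no table entry and fails `bad_if_accepts`, which is the other half of the question: nothing gets in on the masquerade range unless a masqueraded connection opened it.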


