
Re: SNAT or MASQUERADE?



On Sat, 2001-12-08 at 02:18, mdevin@ozemail.com.au wrote:
> On Wed, Dec 05, 2001 at 12:48:13AM -0600, Jor-el wrote:
> > On Sat, 1 Dec 2001, David B Harris wrote:
> > 
> > > On Sun, 2 Dec 2001 11:36:20 +1000,
> > >   mdevin@ozemail.com.au wrote:
> > > 
> > > SNAT would be. However, you better make sure that each time the IP
> > > address of your interface changes, your firewall script runs. You could
> > > do this in Debian by putting your firewall script in /etc/ppp/ip-up.d/.
> > > But also please keep in mind that your firewall rules should be put in
> > > place *before* any external interfaces are brought on-line.
> > > 
> > 	Isn't this assuming that the internet connection uses ppp?
> > Cablemodem, for instance, doesn't use ppp at all - a fact that seems to
> > have escaped the maintainer of the dhcpcd package too. How would one solve
> > this problem in the case of cablemodem?
> > 
> I understand that you are using dhclient from a subsequent post of
> yours.
> 
> If you wanted to re-run part of your firewall to reconfigure for a
> change in IP address with a cable connection then you could look into
> the following:
> 
> Firstly, I don't have a cable connection, but I did set one up on a
> friend's computer recently.  I can't remember all the details now, but I
> do remember that dhclient provided some hooks for doing things when
> certain conditions were met.  For example, it is possible with dhclient
> to check the new IP address assigned and compare this to the old one and
> only have the firewall script run if the new IP address has changed.
> This would mean that even if dhclient lost the connection and had to
> reconnect, it would rarely have to re-run the firewall script for a
> cable connection (where IP rarely changes).
> 
> Sorry I can't remember the name of the file to put these config details
> in to do this stuff, but if you read the documentation with dhclient
> then you will figure it out.  Hey, I did :-)
> 
> Anyway, I guess the point is, that you can do the same with dhclient,
> and in a more configurable way.

I actually just wrote a script to do this exact thing because I no
longer have a static cable modem ip.  It's going to trigger in theory
sometime tomorrow night, so I can report back if it doesn't work
perfectly.

I rewrite my ipchains rules when my external interface changes IPs
because I drop anything not coming or going from my external ip for
added security.  Dhclient has the dhclient-script (which I'm not sure if
it runs by default or if it explicitly needs to be mentioned in the
config file, I'll find out) which can call a script that you can make
called dhclient-exit-hooks (and enter-hooks if you want one to run
beforehand).

This script inherits the environment of the dhclient-script which
includes things like $old_ip_address and $new_ip_address as well as the
$reason the script was called.

My exit hooks script cats a firewall rule set through SED to change my
REPLACEIP placeholder to the $new_ip_address which then goes to
ipchains-restore.  I only run this if $old_ip_address !=
$new_ip_address.  I also change my masquerade rules and update my
dyndns.org account when things change.

If you are interested I can post the actual script once I make sure it
works.

--mike
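A hook of the kind Mike describes (check $reason and whether the address actually changed, sed the REPLACEIP placeholder into a rules template, feed the result to ipchains-restore), written here as an added example rather than Mike's own script. The template contents, the hook file path and the RESTORE_CMD override are assumptions, not something from the post.

```shell
#!/bin/sh
# dhclient-exit-hooks (hypothetical location /etc/dhclient-exit-hooks;
# check your dhclient-script for the exact file it sources). It runs in
# dhclient-script's environment, so $reason, $old_ip_address and
# $new_ip_address are already set when it is executed.

# Rules template with a REPLACEIP placeholder. Constructed example in
# ipchains-save syntax; a real one would live in a file such as
# /etc/firewall.rules.template (hypothetical). Only traffic to/from the
# external address is accepted; the LAN is masqueraded.
RULES_TEMPLATE=':input DENY
:output DENY
:forward DENY
-A input -s 0.0.0.0/0 -d REPLACEIP/32 -j ACCEPT
-A output -s REPLACEIP/32 -d 0.0.0.0/0 -j ACCEPT
-A forward -s 192.168.1.0/24 -j MASQ'

# Substitute the placeholder with the address dhclient handed us.
# A dotted-quad address contains no sed metacharacters on the
# replacement side, so it can be used as-is.
render_rules() {
    printf '%s\n' "$RULES_TEMPLATE" | sed "s/REPLACEIP/$1/g"
}

# Reload only when a lease event gives us an address that differs from
# the old one. Arguments: reason, old address, new address.
# Returns 0 (true) when the rules must be regenerated.
needs_reload() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;           # EXPIRE, FAIL, etc.: leave rules alone
    esac
    [ -n "$3" ] && [ "$2" != "$3" ]
}

# Command that loads the rendered rules; overridable for testing.
RESTORE_CMD="${RESTORE_CMD:-ipchains-restore}"

if needs_reload "${reason:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
    render_rules "$new_ip_address" | "$RESTORE_CMD"
fi
```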
