[ale] gateway

Steve Lewis sglewis at mindspring.com
Wed May 20 22:56:40 EDT 1998



I just went through this fun a couple of weeks ago.  I have one machine that
I use for developing software for my job running NT (192.168.1.2) and a
machine running RedHat 5 (192.168.1.1).  I now dial up Mindspring with a
connect script on my Linux box and all local network traffic from either box
is masqueraded to my modem.

First of all, definitely read the Firewalling HOWTO, and maybe the Network
HOWTO.  They explain a lot.

In addition to checking IP Forwarding in RedHat's Network configuration
dialog, you'll have to recompile your kernel to enable forwarding and
masquerading.  The default kernel build from RedHat does not have these
options enabled.  Without these kernel options set, Linux won't know how to
forward IP packets to the Internet.

You'll need to set the address of the machine that's doing the routing as
the gateway for your other machines.  (It looks like you've already done
this.)  You also need to set DNS to point to the DNS server at your ISP.

I've attached the script that gets run from my ppp connection script.  Since
Mindspring uses dynamic address assignments, I get a different address from
them every time I connect.  My ppp script calls this script with my newly
assigned ip as follows:

configure-firewall aaa.bbb.ccc.ddd

The addresses of my local network and Ethernet card are set near the top.
The line:
    local_interface=192.168.1.1
is the address of my Linux machine.  The line
    local_net=192.168.1.0/24
sets my local network mask for network 192.168.1.0 with a 24-bit mask (i.e.
255.255.255.0).

It looks like your script sets up the masquerading fine, I just thought
someone might like to see how I'm handling the dynamic address that
Mindspring assigns.



> -----Original Message-----
> From: owner-ale at cc.gatech.edu
> [mailto:owner-ale at cc.gatech.edu]On Behalf
> Of Glen Bankston
> Sent: Wednesday, May 20, 1998 9:53 PM
> To: Atlanta Linux; tom ringate
> Subject: [ale] gateway
>
>
> Hello,
>
> Unable to get IP forwarding and gateway to work.  Upgraded to 5.0 today.
>
> Have 3 W95 TCP/IP machines running with Linux server, and Samba is
> running fine.  Local LAN is 10.0.2.x.  ISP is A.B.C.1, netmask is
> 255.255.255.0.  Manual dial connection is fine, and can browse the web
> in Linux machine.
>
> Have W95 machines show Gateway as the Linux machine: 10.0.2.1
> All machines can 'ping' each other on the LAN, send and receive files,
> no problem.
>
> Do not know what to enter in GUI control panel in MetroX under Network
> Routing.  Most anything I enter there kills the internet connection
> ability.  Right now, only IP forwarding is checked.
>
> I execute this in rc.local:
>
> ipfwadm -F -f
> ipfwadm -F -p deny
> ipfwadm -F -a masquerade -W ppp0 -S 10.0.2.0/24 -D 0.0.0.0/0
>
> I also have the nameserver provided to me by my ISP in resolv.conf
>
>
> Any ideas what I am doing wrong?
>
> Glen Bankston
> Microsystems Engineering
> Moultrie, GA
>

Attachment: configure-firewall

#!/bin/sh
#
# Usage: configure-firewall ISP_net_address
#
# Called from my ppp-up script with the address
# that my ISP dynamically assigns upon connection
#

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# refuse to load anything if the assigned address was not passed in;
# an empty $1 would leave the -V and -D options below without an address
if [ -z "$1" ]; then
    echo "Usage: configure-firewall ISP_net_address" >&2
    exit 1
fi

any_net=0.0.0.0/0
local_interface=192.168.1.1
local_net=192.168.1.0/24
loopback_interface=127.0.0.1
ppp_interface=$1
ppp_net=$1/32

#--------------INCOMING-----------------
# flush and set default policy of deny
ipfwadm -I -f
ipfwadm -I -p deny

# local interface, from local addresses, going anywhere is valid
ipfwadm -I -a accept -V $local_interface    -S $local_net -D $any_net

# remote interface, claiming to be local machine (IP spoofing) is invalid
ipfwadm -I -a deny   -V $ppp_interface      -S $local_net -D $any_net   -o

# remote interface, any source, going to PPP address is valid
ipfwadm -I -a accept -V $ppp_interface      -S $any_net   -D $ppp_net

# loopback interface is valid
ipfwadm -I -a accept -V $loopback_interface -S $any_net   -D $any_net

# all other incoming is denied and logged
ipfwadm -I -a deny                          -S $any_net   -D $any_net   -o

#--------------OUTGOING-----------------
# flush and set default policy of deny
ipfwadm -O -f
ipfwadm -O -p deny

# local interface, any source, going to local net is valid
ipfwadm -O -a accept -V $local_interface    -S $any_net   -D $local_net

# remote interface, to local net (stuffed routing) is invalid
ipfwadm -O -a deny   -V $ppp_interface      -S $any_net   -D $local_net -o

# remote interface, from local net (stuffed masquerading) is invalid
ipfwadm -O -a deny   -V $ppp_interface      -S $local_net -D $any_net   -o

# anything else outgoing on remote interface is valid
ipfwadm -O -a accept -V $ppp_interface      -S $ppp_net   -D $any_net

# loopback interface is valid
ipfwadm -O -a accept -V $loopback_interface -S $any_net   -D $any_net

# all other outgoing is denied and logged
ipfwadm -O -a deny                          -S $any_net   -D $any_net   -o

#--------------FORWARDING---------------
# flush and set default policy of deny
ipfwadm -F -f
ipfwadm -F -p deny

# Masquerade traffic from the local net out through the ppp0 device to anywhere
ipfwadm -F -a masquerade -W ppp0            -S $local_net -D $any_net

# all other is denied and logged
ipfwadm -F -a deny                          -S $any_net   -D $any_net   -o
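The attached script loads its rules with whatever address the ppp-up script passes as $1, and that address is the one thing in the setup that changes on every connection.  The following is an added example, not Steve's configure-firewall and not anything from the post: it validates the assigned address before any ipfwadm command is built, refuses an address that falls inside the LAN prefix (the outgoing anti-spoofing rule on the PPP interface would otherwise drop the box's own traffic), and prints the rule set instead of executing it, so it can be checked and then piped into sh.  It assumes the same 192.168.1.0/24 LAN, the 192.168.1.1 Ethernet address and the ppp0 device as the post; LOCAL_IF, LOCAL_NET and PPP_DEV are placeholder names for those assumptions, and the rules it emits are the same policy the attached script loads.

```shell
#!/bin/sh
# Added example, not the configure-firewall script from the post: validate the
# ISP-assigned address that ip-up hands us, then emit the ipfwadm rule set so it
# can be reviewed (or piped into sh) instead of being run unconditionally.

LOCAL_IF=192.168.1.1      # assumption: the Linux box's Ethernet address
LOCAL_NET=192.168.1.0/24  # assumption: the private LAN behind it
PPP_DEV=ppp0              # assumption: PPP device named in the masquerade rule
ANY=0.0.0.0/0
LOOPBACK=127.0.0.1

# valid_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
# Octets with a leading zero are rejected because $(( )) would read them as octal.
valid_ipv4() {
    _ip=$1
    case $_ip in
        ""|*[!0-9.]*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
        case $_o in 0?*) return 1 ;; esac
    done
    return 0
}

# ip2int ADDR: print the address as a 32-bit unsigned integer.
ip2int() {
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/PREFIX: succeed when ADDR lies inside NET/PREFIX.
in_net() {
    _addr=$(ip2int "$1")
    _net=$(ip2int "${2%/*}")
    _plen=${2#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _plen)) & 0xFFFFFFFF ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# firewall_rules PPP_ADDR: print one ipfwadm command per line for that address.
# Returns 1 and prints no rules when the address must not be used.  An empty or
# garbled $1 would otherwise leave "-V" without an address and produce "-D /32";
# an address inside LOCAL_NET would be hit by the outgoing anti-spoofing rule.
firewall_rules() {
    _ppp=$1
    if ! valid_ipv4 "$_ppp"; then
        echo "refusing malformed PPP address: '$_ppp'" >&2
        return 1
    fi
    if in_net "$_ppp" "$LOCAL_NET"; then
        echo "refusing PPP address $_ppp: it lies inside $LOCAL_NET" >&2
        return 1
    fi
    _ppp_net=$_ppp/32
    cat <<EOF
ipfwadm -I -f
ipfwadm -I -p deny
ipfwadm -I -a accept -V $LOCAL_IF -S $LOCAL_NET -D $ANY
ipfwadm -I -a deny -V $_ppp -S $LOCAL_NET -D $ANY -o
ipfwadm -I -a accept -V $_ppp -S $ANY -D $_ppp_net
ipfwadm -I -a accept -V $LOOPBACK -S $ANY -D $ANY
ipfwadm -I -a deny -S $ANY -D $ANY -o
ipfwadm -O -f
ipfwadm -O -p deny
ipfwadm -O -a accept -V $LOCAL_IF -S $ANY -D $LOCAL_NET
ipfwadm -O -a deny -V $_ppp -S $ANY -D $LOCAL_NET -o
ipfwadm -O -a deny -V $_ppp -S $LOCAL_NET -D $ANY -o
ipfwadm -O -a accept -V $_ppp -S $_ppp_net -D $ANY
ipfwadm -O -a accept -V $LOOPBACK -S $ANY -D $ANY
ipfwadm -O -a deny -S $ANY -D $ANY -o
ipfwadm -F -f
ipfwadm -F -p deny
ipfwadm -F -a masquerade -W $PPP_DEV -S $LOCAL_NET -D $ANY
ipfwadm -F -a deny -S $ANY -D $ANY -o
EOF
}

# Stand-alone use from ip-up:  ./check-firewall ADDR | sh
# Nothing is printed when no argument is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    firewall_rules "$1"
fi
```

Because generation and loading are separate steps, a refused address leaves whatever rules were already in place untouched; with the attached script, a bad argument is discovered only after the chains have been flushed.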

