[ale] Linux box as a router w/DHCP

JK jknapka at kneuro.net
Mon Jan 22 16:40:15 EST 2007


James Sumners wrote:

> The P2 machine I use, I got off eBay for $25.
> 
> The "problem" with the IP address being assigned from the ISP via DHCP
> lies in the way the firewall scripts have to be written. If the ISP
> is... silly, and assigns a new IP address every lease renewal, or even
> every day (whatever), then the scripts have to be able to handle
> that. If you have a static IP from your ISP, then you can reference
> the same external IP in your firewall rules without care. If you have
> a dynamic IP, you have to get a little crafty and retrieve the current
> external IP every time the script is run.

In general, I've never needed to explicitly mention the IP address
of the outside interface in my iptables rules.  As a matter of
curiosity, why would you need to do that?

I just let DHCP configure the default route via eth0 (my
Internet-facing interface), and say "masquerade everything
going out of eth0":

   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

It could be that this is a terrible idea, but if so, I'd appreciate
it if someone could tell me why.  (Of course, my *inward*-facing
interfaces have rules to prohibit spoofing, and the eth0 INPUT and
FORWARD chains have rules to ensure that nothing gets in on
eth0 with a source address from the masq'd internal subnets.)

-- JK

> If you're using a third party script like the sentryCD system you are
> using, then you don't really have to worry about it. Such scripts are
> written to be generic and take such a scenario into account. If you
> are writing your own scripts, as I assume Mr. Kruger is, then you have
> to do it yourself.
> 
> On 1/22/07, Charles Shapiro <hooterpincher at gmail.com> wrote:
> 
>>Ooh, I have exactly this setup, using sentryCD  (
>>http://www.linux.com/howtos/Sentry-Firewall-CD-HOWTO-1.shtml
>>) on a machine with 2 NICs, a floppy drive, and no hard drive.  I think it
>>has, like, 128 mb on a PII or so motherboard. You don't need a lot of power
>>to run one of these things -- betcha you could pick up a machine capable of
>>doing it for $80 or so at MicroSeconds.. I really like SentryCD. It is a
>>bootable CD distro which uses a floppy to store configuration files and
>>scripts. I also have it running my caching local name server.  Before I got
>>broadband I had it running diald ( http://diald.sourceforge.net/ ) to go
>>through the phone lines without a problem (well, besides how s l o w it
>>was).
>>
>> I just changed the link between the router and the modem/router supplied by
>>my ISP to be static, not DHCP. Using the DHCP server on the modem/router
>>means that it has to come up before the linux box in the event of a power
>>failure for things to work properly. So your wife is always after you to fix
>>the darn thing after a storm.
>>
>> I don't quite get why dhcp to your isp would be a problemo.  As long as
>>you're using it and it's up, it should know what IP address it has. If it
>>reboots, it'll contact the dhcp server on the far end automatically when it
>>runs its client, right?
>>
>> -- CHS
> 
> 
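A firewall script that puts JK's approach into practice (masquerade on the DHCP-configured eth0 without ever naming its address, anti-spoofing on the inward interface, and dropping anything arriving on eth0 with an internal source address). This is an added example, not code from the thread; the interface names, the 192.168.1.0/24 subnet and the DHCP-renewal rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): NAT firewall for a two-NIC Linux
# router whose eth0 address comes from the ISP via DHCP. No rule mentions
# the external IP, so a changed lease never requires a rewrite.
# Interface names and the internal subnet are assumptions for illustration.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}     # set to "echo" to print rules instead of applying

apply_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Anti-spoofing on the inward-facing NIC: only our own subnet may enter.
    $IPT -A INPUT   -i "$LAN" ! -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$LAN" ! -s "$LAN_NET" -j DROP
    # Nothing may arrive on the WAN side claiming an internal source address.
    $IPT -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # Stateful: replies come back in, LAN hosts go out.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -i "$LAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Assumed addition: let the DHCP client's lease renewals through on eth0.
    $IPT -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT
    # Masquerade everything leaving eth0 with whatever address DHCP assigned.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Print the rule set without touching the kernel (runs as a normal user).
dry_run() {
    ( IPT=echo; apply_rules )
}

# "apply" installs the rules (needs root); anything else just prints them.
case "${1:-}" in
    apply) apply_rules ;;
    *)     dry_run ;;
esac
```

Run it with no arguments first and check that no printed rule contains a WAN address; then run `sh firewall.sh apply` as root.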
