[ale] Linux box as a router w/DHCP

JK jknapka at kneuro.net
Mon Jan 22 18:11:04 EST 2007


James Sumners wrote:

> If you're not doing any port forwarding (DNAT) I don't suppose there
> is a problem with that. But if you want to mangle packets, I believe
> you have to reference the external IP.

You don't need to mention the ingress IP in DNAT
rules.  I'm doing this for a couple of different
services (e.g. accepting SSH connections and forwarding
them to my personal desktop machine).  All you
have to say is, "anything arriving on eth0 at
port 22, forward to ${INTERNAL_IP} port 22".
I'm doing this for a number of services, but
I don't have the rules in front of me at the
moment.

-- JK

> Of course, I'm not very knowledgeable in all of this. My firewall is a
> result of a couple days' worth of research. I then promptly forgot
> about it all and concentrated on my ODE and Combinatorics classes :)
> 
> On 1/22/07, JK <jknapka at kneuro.net> wrote:
> 
>>James Sumners wrote:
>>
>>
>>>The P2 machine I use, I got off eBay for $25.
>>>
>>>The "problem" with the IP address being assigned from the ISP via DHCP
>>>lies in the way the firewall scripts have to be written. If the ISP
>>>is... silly, and assigns a new IP address every lease renewal, or even
>>>every day (whatever), then the scripts have to be able to handle
>>>that. If you have a static IP from your ISP, then you can reference
>>>the same external IP in your firewall rules without care. If you have
>>>a dynamic IP, you have to get a little crafty and retrieve the current
>>>external IP every time the script is run.
>>
>>In general, I've never needed to explicitly mention the IP address
>>of the outside interface in my iptables rules.  As a matter of
>>curiosity, why would you need to do that?
>>
>>I just let DHCP configure the default route via eth0 (my
>>Internet-facing interface), and say "masquerade everything
>>going out of eth0":
>>
>>   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>>It could be that this is a terrible idea, but if so, I'd appreciate
>>it if someone could tell me why.  (Of course, my *inward*-facing
>>interfaces have rules to prohibit spoofing, and the eth0 INPUT and
>>FORWARD chains have rules to ensure that nothing gets in on
>>eth0 with a source address from the masq'd internal subnets.)
>>
>>-- JK
> 
> 