[Re: Ip-Masq]

Matt Graham danceswithcrows@usa.net
28 Jul 2001 19:07:24 EDT


Ben Pfaff wrote:
> What kernel version is this?

Well, it's a 2.4 of some sort.  That's all I know for sure.  However, the
main problem that's going on is...

(From the .config file)
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
# CONFIG_NETFILTER is not set   <-That.

In the "menuconfig" or "xconfig" dialogs, it's under Network
Configuration->Network Packet Filtering (replaces ipchains).  When you set
this to "Y", a new submenu called "IP: Netfilter Configuration" shows up.
 You can basically set everything to "M" here.  If you've included
"ipchains support" you can "modprobe ipchains" and do your masqing as if
you were on a 2.2 kernel, but ipchains is deprecated and will be going
away at some point so it's really better to use iptables.

I do something like this to enable masqing for my tiny little 2-node
network, from /etc/init.d/boot.local:

# module dependencies pull in everything else needed if we modprobe the
# FTP thingy....
modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# "man iptables" for what all that carp means

Note that there are none of the really nifty security bits you can put
into iptables here, and you *NEED* some of those if you're not on dialup.
 Or even if you are on dialup, they're a good idea.  HTH,


-- 
Matt G / Dances With Crows
There is no Darkness in Eternity/But only Light too dim for us to see
"I backed up my brain to tape, but tar says the tape contains no data...."
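
Added example, not part of the original message: a small shell check that reads a kernel .config the way the excerpt above is read and lists the options needed for iptables masquerading that are still disabled. Only CONFIG_NETFILTER comes from the message; the CONFIG_IP_NF_* names are assumed from 2.4-era kernel trees, and the sample .config is constructed.

```shell
#!/bin/sh
# Added example (not from the original message): list the kernel options
# needed for iptables masquerading that a .config leaves disabled.
# Only CONFIG_NETFILTER appears in the message; the CONFIG_IP_NF_* names are
# assumed from 2.4-era kernel trees.
MASQ_OPTS="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# opt_state FILE OPTION: print y (built in), m (module) or n (disabled).
# A "# CONFIG_X is not set" comment and an absent line both count as n.
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# missing_masq_opts FILE: print the disabled options, space separated.
# Returns 0 when nothing is missing, 1 otherwise.
missing_masq_opts() {
    missing=""
    for opt in $MASQ_OPTS; do
        if [ "$(opt_state "$1" "$opt")" = n ]; then
            missing="$missing $opt"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# sample_config: constructed .config fragment matching the one quoted above.
sample_config() {
    cat <<'EOF'
CONFIG_PACKET=y
CONFIG_NETLINK=y
# CONFIG_NETFILTER is not set
EOF
}

# With a path argument, check that file; with none, check the sample.
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp)
    sample_config > "$cfg"
    cleanup=$cfg
fi
if missing_masq_opts "$cfg" > /dev/null; then
    echo "masquerading options present in $cfg"
else
    echo "disabled in $cfg: $(missing_masq_opts "$cfg" || true)"
fi
[ -z "${cleanup:-}" ] || rm -f "$cleanup"
```

Matching on `OPTION=` keeps a longer option name that shares the prefix from being counted as the shorter one.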