
Re: IP masq (ipchains): masq whole LAN *except* some hosts?



You then have two networks on the internal net, one private
 (like 192.168.56.0) and one public ( like 130.237.0.0 ).
Since:
  a, you shouldn't let out packets with private addresses on the
     Internet
  b, to be accessible from the outside your machine has to have a public
     IP number
  c, you don't waste public numbers by masquerading them, use private
     numbers
Then you should set up an alias on the firewall or hassle with routing
tables on your internal net, so everyone internal can ping everybody
else.

Right now I can see possible problems with your setup
  a, fileserver has a private number, i.e. someone on the Internet
     can't ping it because routers don't have routes to those
     addresses
  b, maybe the kernel can't handle overlapping ranges in forward and
     MASQ rules??
Hints
  a, if you make it work, fileserver is fully exposed to the Internet,
     why not use "ipmasqadm portfw" instead, then it is only exposed
     at one port and you save public IP numbers
  b, if only you will access those internal machines, use ssh instead,
     with it you can log in and with scp you can transfer files;
     moreover, ssh is easier to let through your firewall, it only uses one
     port number

Cheers,
/Karl

-----------------------------------------------------------------------
Karl Hammar            Aspö Data            karl@kalle.csb.ki.se
Lilla Aspö 2340        +46 173 140 57
S-742 94 Östhammar                          Unix for the small company
Sweden                 +46 70 511 97 84 (mobile)
-----------------------------------------------------------------------


From: "Ralf G. R. Bergs" <rabe@RWTH-Aachen.DE>
Subject: IP masq (ipchains): masq whole LAN *except* some hosts?
Date: Sat, 20 Nov 1999 16:59:12 +0100

> Hi there,
> 
> I've a little problem that I'm not sure how to solve on my own.
> 
> I've a machine with two NICs acting as a router/NAT host. Masquerading works 
> fine for the LAN machines, and access from outside is limited to the 
> firewall machine. I want a couple of machines NOT to be masqueraded so that 
> I can ftp or log into them from outside.
> 
> Which ipchains rules do I have to add to make this work? I have tried to 
> insert a rule above the standard rule in M70masq like this, but to no avail:
> 
>                 $IPCHAINS -A forward -j ACCEPT -i $j -s fileserver/32 -b
> 
>                 # Masquerade remaining hosts
>                 $IPCHAINS -A forward -j MASQ -i $j -s $IPOFIF/$NMOFIF
> 
> I'm sure I'm overlooking something, but it is not clear to me what's wrong.
> 
> Thanks for any insight you can give me.
> 
> Ralf
> 
> 
> -- 
> Sign the EU petition against SPAM:          L I N U X       .~.
> http://www.politik-digital.de/spam/        The  Choice      /V\
>                                             of a  GNU      /( )\
>                                            Generation      ^^-^^
> 
> 
> 

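A small first-match simulator for the forward chain in the quoted script, added here as an example and not code from either poster. It models Ralf's two rules with `-b` as "match either direction", ignores the `-i` interface qualifier, and uses constructed addresses (a fileserver at 192.168.56.10 versus a public alias 130.237.5.10, an outside host in the 198.51.100.0/24 documentation range) to show why rule order alone does not make a private-addressed host reachable, and what Karl's "fully exposed" hint means compared with portfw.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses (not from the thread): an RFC 1918 LAN,
# two candidate fileserver addresses, and one host out on the Internet.
LAN = "192.168.56.0/24"
FILESERVER_PRIVATE = "192.168.56.10"   # hypothetical private address
FILESERVER_PUBLIC = "130.237.5.10"     # hypothetical public alias
INTERNET_HOST = "198.51.100.7"         # documentation range

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ralf_chain(fileserver):
    """The two forward rules from the quoted script, in the order posted.
    A tuple is (target, network, bidirectional); -b means the rule also
    matches with source and destination swapped. -i is ignored here."""
    return [
        ("ACCEPT", f"{fileserver}/32", True),  # -s fileserver/32 -b
        ("MASQ", LAN, False),                  # -s $IPOFIF/$NMOFIF
    ]

def forward_verdict(rules, src, dst):
    """ipchains walks a chain top to bottom; the first matching rule decides,
    which is why the ACCEPT for fileserver must sit above the MASQ rule."""
    s, d = ip_address(src), ip_address(dst)
    for target, net, bidir in rules:
        n = ip_network(net)
        if s in n or (bidir and d in n):
            return target
    return "DENY"  # assume a default DENY policy on the forward chain

def routable_from_internet(host):
    """Karl's problem (a): Internet routers carry no routes to private space,
    so an ACCEPT rule by itself cannot make such a host reachable."""
    return not any(ip_address(host) in n for n in RFC1918)

def exposure(fileserver):
    """What the outside can reach on the fileserver under Ralf's chain."""
    chain = ralf_chain(fileserver)
    inbound = forward_verdict(chain, INTERNET_HOST, fileserver)
    if inbound != "ACCEPT" or not routable_from_internet(fileserver):
        return "unreachable"
    # Karl's hint (a): every port is exposed; "ipmasqadm portfw" would
    # instead forward a single chosen port to the host.
    return "all ports"

if __name__ == "__main__":
    for fs in (FILESERVER_PRIVATE, FILESERVER_PUBLIC):
        out = forward_verdict(ralf_chain(fs), fs, INTERNET_HOST)
        print(fs, "outbound:", out, "| reachable from outside:", exposure(fs))
```

Reversing the two rules makes the fileserver's traffic hit MASQ first, which is the ordering mistake the simulator also catches.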
