Thanks for all the help so far.
I understand the working principles of ipmasq and iptables. It's all working out fine now.
It's quite a lot different for Debian than for Redhat.
In Debian you have a symlink in /etc/rc.S/S41ipmasq (S40 is the networking, so ipmasq is loaded after the network comes up).
The symlink points to /etc/init.d/ipmasq, where your ipmasq is loaded with the following script:
    #!/bin/sh
    # /etc/init.d/ipmasq
    test -x /usr/sbin/ipmasq || exit 1

    case $1 in
      start|restart|force-reload)
        # Display 'whaddamidoing?' prompt
        echo -n "Initializing IP Masquerading..."
        # Setup ipmasq
        /usr/sbin/ipmasq
        # Display 'whaddamidoing?' prompt
        echo "done."
        ;;
      stop)
        # Display 'whaddamidoing?' prompt
        echo -n "Disabling IP Masquerading..."
        # Tear down the ipmasq rules
        /usr/sbin/ipmasq --rules /etc/ipmasq/ipmasq-down
        # Display 'whaddamidoing?' prompt
        echo "done."
        ;;
    esac
The basic check/ipmasq scripts (to see whether you have ipfwadm, ipchains or iptables, and what NICs you have, e.g. eth0 and eth1) are situated in /etc/ipmasq/ipmasq-down and /etc/ipmasq/rules.
It's quite nicely structured, have a look at:
    A00path.def
    A02unkernelforward.def
    I15lospoof.def
    I90extbcast.def
    Z99ipmasqrules.def --> one of the last scripts ipmasq runs, contains:
    #: Run the deprecated /etc/ipmasq.rules, if present
    if [ -e /etc/ipmasq.rules ]; then
        if [ "$NOACT" != "yes" ]; then
            . /etc/ipmasq.rules
        fi
        if [ "$SHOWRULES" = "yes" ]; then
            echo ". /etc/ipmasq.rules"
        fi
    fi
So I suppose if you create that file, that's where you will put all your MANUALLY ADDED rules, like denying specific packets, DNAT forwarding and so on...
Took some time to find out...
One more question for TigerOC.
Quote:
    The router must be directed to forward requests for port 80 to the address of the card attached to the router, i.e. 192.168.1.2 (remember what I said above, i.e. card, not machine). The firewall script given above should resolve your forwarding in terms of internet sharing. Each machine behind the router should be instructed to use 192.168.1.1 as the gateway. You may get some insight from my site.
From the Cisco to eth0 on the Linux router/firewall I use the 192.168.1.0 range.
For my eth1 I use the 10.0.0.0 range, with default gateway 192.168.1.1 like you said.
eth1 has 10.0.0.1 as IP.
I configured all PCs in the LAN to use gateway 10.0.0.1, which works out fine!
I suppose this is because the routing table of the Linux router is the following:
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
    localnet        *               255.255.255.0   U     0      0        0 eth0
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
??? He checks his routing table and sees the default gateway is 192.168.1.1, am I right?
If I set the default gateway in my LAN to 192.168.1.1, won't the LAN users skip my packet filtering?
BTW, nice site you have there, I added it to my bookmarks.
I also have one which will contain a lot of my Debian experience in the future:
www.gigaspeeds.com (nothing there yet, just a sample page)
Now the toughest part, making firewall scripts... You guys have some examples?
Already reading the O'Reilly firewalling book.
Cheers
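An /etc/ipmasq.rules of the kind the post describes (the file Z99ipmasqrules.def sources), with the forwarding and filtering the questions at the end are about. This is an added example, not code from the thread or from the ipmasq package; it assumes an iptables kernel and that 10.0.0.10 is the LAN host that should receive port 80.

```shell
#!/bin/sh
# Added example of an /etc/ipmasq.rules (not from the thread or the ipmasq
# package), iptables kernel; eth0 faces the Cisco, eth1 is the LAN at 10.0.0.1/24.
EXT_IF=eth0
INT_IF=eth1
LAN_NET=10.0.0.0/24
WEB_SERVER=10.0.0.10   # assumed: the LAN host that should receive port 80

# With DRY_RUN=yes the iptables commands are printed instead of applied,
# so the ruleset can be reviewed before it is loaded on the router.
ipt() {
    if [ "${DRY_RUN:-no}" = "yes" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}
ipmasq_rules() {
    # Default-deny for traffic crossing the router: masquerading alone
    # forwards whatever the LAN sends; the FORWARD chain does the filtering.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F
    # Anti-spoofing: a packet with a LAN source must not arrive on eth0.
    ipt -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP
    # Replies belonging to connections already accepted, either way.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from the LAN out towards the Cisco side.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Hide the 10.0.0.0/24 range behind eth0's address.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    # Port 80 handed over by the Cisco goes to one LAN host; a FORWARD rule
    # is still needed because the chain policy is DROP.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
    # Log, rate-limited, whatever falls through to the DROP policy.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
}

# Number of iptables commands the ruleset issues (dry run, nothing applied).
rule_count() {
    (DRY_RUN=yes; ipmasq_rules) | grep -c '^iptables '
}
# ipmasq sources this file and so applies the rules; without iptables on
# the machine (reviewing the file elsewhere) nothing is run.
if [ "${DRY_RUN:-no}" = "yes" ] || command -v iptables >/dev/null 2>&1; then
    ipmasq_rules
fi
```

LAN hosts only pass through these rules because their gateway is 10.0.0.1 on eth1; a host pointed at 192.168.1.1 directly would need its own 192.168.1.0/24 address and would bypass the FORWARD chain entirely, which is the concern raised above.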