Masquerade and/or Forward ?

[GentooBox]

Hi.

I have a little Q.
Im new to iptables and im in the mittle of a script, but im stuck.

i have this network:

[bmichaelsen]

From http://www.mandrakesecure.net/en/docs/HOWTO/NAT-HOWTO/NAT-HOWTO.linuxdoc-4.html

[GentooBox]

Well...

that means that i should use Masquerading if i have a dynamic ip address and i should use forward if i have static ip addresses ?`
_________________
Encrypt, lock up everything and duct tape the rest

[vert]

Yeah, but if you bring up your firewall everytime your ip changes (usually, with pppoe you specify to (re)start the firewall each time your ppp link goes up) you can also do a simple grab for your ip address and use it as if it was static. Then you can use forward. This is how I used to do it. I believe forward has slightly less overhead than masquerading. Maybe it has other advantages as well, I can't remember.

I used this piece of code to grab my ip.

[GentooBox]

hmm... im still confused.

eksample:

1) I have a network with a internet connection (with static ip)

2) A firewall (with eth0 to the internet and eth1 to the trusted network(eth1 is connected to the same switch as the terminal server))

3) And i got a terminal server (only eth0 connected to a switch)

they all use static ip addresses.

I want to share my internet connection into the firewall and out to the terminal server.

NOW.... badadadaaam... the scary part:

Should i use FORWARD ? or is FORWARD only used to forward a single port or the whole connection.

Should i use MASQURADE ? or is it only for dynamic ip addresses ? (witch i dont have in my eksample)

Should i use NAT table with POSTROUTE and PREROUTE ? and what is that ?


Hope that you will help my in my quest of iptables
_________________
Encrypt, lock up everything and duct tape the rest

[GentooBox]

*bump* please
_________________
Encrypt, lock up everything and duct tape the rest

[bmichaelsen]

Activating IP_Foward is allowing packets recieved on one interface to be reemitted on another, I think (so you need it anyways in your setup).

Ok, I will give it a try to explain MASQUERADEing:
Example: One of your clients wants to see google.com

It sends a packet with google's ip as destination to the firewall-box (because it is the gateway)

The fw-box sends packet out to the internet

This would not work with an unmodified packet, because its Source-IP field contains the ip of the local cllient (192.168.1.XXX) - and googles answer to this ip would never return to the fw-box.
So MASQUERADEing/NAT rewrites the source ip to the fw-boxes ip on the internet interface and the source port to some free high port and sends the packet to the internet. google now returns its answer to this port on the internet-interface of the fw-box. Then MASQ/NAT on the fw-box remembers the port was used for the request by client xxx and rewrites the destination ip to the ip of the client.

POSTROUTING means the rewrite of ip-adress/port happens after deciding over which interface the packet will be sent.

[bmichaelsen]

so nat/masq *pretends* all packet going to the internet coming from itself.
and it pretends all packets returned to clients to be coming directly from the internet

[GentooBox]

thanks..

So how should my setup look like if i dont use masqueradeing ?

use this eksample: (use your own, if you got a better one )

1) I have a network with a internet connection (with static ip)

2) A firewall (with eth0 to the internet and eth1 to the trusted network(eth1 is connected to the same switch as the terminal server))

3) And i got a terminal server (only eth0 connected to a switch)

they all use static ip addresses.

I want to share my internet connection into the firewall and out to the terminal server.
_________________
Encrypt, lock up everything and duct tape the rest

[bmichaelsen]