A long time ago, in a galaxy far, far away, someone said...

> Hello,
>
> I am looking for some documentation on how to compile kernels 2.3.x
> with ip masq support. The current HOWTO doesn't cover those kernels
> yet.

http://netfilter.kernelnotes.org/unreliable-guides/index.html

I also have these rules that I use on my firewall. $IPT is the iptables executable (/usr/local/bin/iptables). $PUBIP is my public IP number; $OUTSIDE_IFACE is the interface $PUBIP is assigned to (eth1).

This is the definition in /etc/networks:

localnet 192.168.0.0

Here are the rules. Note the third stanza: this is how I got squid working as a transparent proxy (along with some http_accel_* lines in squid.conf). The second and fourth stanzas redirect Microsoft's accursed DirectPlay technology to work behind the firewall.

# reset: open INPUT while the rules are rebuilt, flush filter and nat tables,
# masquerade everything leaving on the public interface
$IPT -P INPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t nat -A POSTROUTING -o $OUTSIDE_IFACE -j MASQUERADE
$IPT -P FORWARD ACCEPT
# 'localnet' is resolved from /etc/networks (192.168.0.0/16)
$IPT -A INPUT -s localnet/16 -j ACCEPT

# allowed incoming ports
# for some games
$IPT -A INPUT -p tcp --dport 47624 -j ACCEPT
$IPT -A INPUT -p tcp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -p udp --dport 47624 -j ACCEPT
$IPT -A INPUT -p udp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -p tcp --dport 9110 -j ACCEPT
$IPT -A INPUT -p tcp --dport 9113 -j ACCEPT

# for incoming ssh
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT

# for web going to giedi
$IPT -A INPUT -p tcp -d $PUBIP --dport www -j ACCEPT
$IPT -t nat -A PREROUTING -d $PUBIP -p tcp --dport www \
    -j DNAT --to-destination 192.168.0.2

# for the squid web cache
$IPT -A INPUT -p tcp -d 127.0.0.1 --dport www -j ACCEPT
$IPT -A INPUT -p tcp -d 192.168.0.3 --dport www -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp --dport www \
    -j DNAT --to-destination 192.168.0.3:3128

# directplay stuff
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 47624 \
    -j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 2300:2400 \
    -j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p udp -d $PUBIP --dport 47624 \
    -j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p udp -d $PUBIP --dport 2300:2400 \
    -j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 9110 \
    -j DNAT --to-destination 192.168.0.103
$IPT -t nat -A PREROUTING -p tcp -d $PUBIP --dport 9113 \
    -j DNAT --to-destination 192.168.0.103

# default to DROP, but let replies and related traffic back in
$IPT -A INPUT -s localhost -j ACCEPT
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

This last stanza is particularly interesting: the new netfilter firewalling code implements what's known as a stateful firewall. What effectively happens is all new incoming connections are dropped, but established connections (as well as new connections related to another, like for www to work) are allowed.

It all works like a charm; I'm using kernel 2.4.0-test2-ac2.

--
----------------------------------------------------------------------
Phil Brutsche [EMAIL PROTECTED]

"There are two things that are infinite; Human stupidity and the universe. And I'm not sure about the universe." - Albert Einstein
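To make the behaviour of that last stanza concrete, here is an added toy simulation (not netfilter code and not part of the post above) of a connection table keyed on the 5-tuple, with the post's INPUT logic applied in rule order; the `LOCALNET_PREFIX`, port sets and the packets in the test are constructed stand-ins for the author's `localnet`, `$PUBIP` and rules.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the post's setup: 'localnet' from /etc/networks
# (192.168.0.0/16) and the TCP/UDP ports its INPUT rules accept.
LOCALNET_PREFIX = "192.168."
ALLOWED_TCP = {22, 80, 9110, 9113, 47624} | set(range(2300, 2401))
ALLOWED_UDP = {47624} | set(range(2300, 2401))

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                        # "tcp", "udp" or "icmp-error"
    inner: Optional[Tuple] = None     # icmp-error only: the embedded original 5-tuple

class Conntrack:
    """Toy connection table, like the netfilter 'state' match: a flow is
    tracked by its 5-tuple and matched in either direction."""
    def __init__(self):
        self.table = set()

    def classify(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "ESTABLISHED"      # belongs to a tracked flow (reply direction too)
        if p.inner is not None:
            i = p.inner
            if i in self.table or (i[0], i[3], i[4], i[1], i[2]) in self.table:
                return "RELATED"      # ICMP error about a tracked flow
        return "NEW"

def verdict(ct: Conntrack, p: Packet) -> str:
    """The post's INPUT logic in rule order: localnet/localhost and the listed
    ports are accepted; everything else hits the DROP policy unless it is
    ESTABLISHED or RELATED."""
    state = ct.classify(p)
    if p.src.startswith(LOCALNET_PREFIX) or p.src == "127.0.0.1":
        v = "ACCEPT"
    elif p.proto == "tcp" and p.dport in ALLOWED_TCP:
        v = "ACCEPT"
    elif p.proto == "udp" and p.dport in ALLOWED_UDP:
        v = "ACCEPT"
    elif state in ("ESTABLISHED", "RELATED"):
        v = "ACCEPT"
    else:
        v = "DROP"                    # unsolicited NEW packet from outside
    if v == "ACCEPT" and state == "NEW" and p.inner is None:
        ct.table.add((p.proto, p.src, p.sport, p.dst, p.dport))  # start tracking
    return v
```

Run the packets in order: an outbound request from the LAN creates the table entry that lets its reply in, while an unsolicited SYN to an unlisted port is dropped even though the reply to port 40000 was accepted moments before.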