
Re: [afnog] Red Hat 8.0 as a router



On Tue, Aug 12, 2003 at 10:51:07PM -0700,
 Daniel Obuobi <dobuobi at yahoo.com> wrote 
 a message of 72 lines which said:

> The ASCII diagram on the network is shown below. I
> hope it will look presentable.

See Brian Candler's remarks. [Brian, if you can turn your excellent
message into a FAQ that will be posted monthly on the AFNOG mailing
list...] I assume his fix is OK.

> 1)The Linux router I want to set up and the proxy pcs
> and the masq pc uses the ip 10....x

But the Linux router has two interfaces. One has, I assume, a public
IP. So you NAT at the Linux router (because the proxies have private
addresses) and you do not NAT on the proxies (because they are ALGs;
they relay at level 7). Correct?

If so, the message from "shogunx" numbered
<Pine.LNX.4.44.0308071506000.665-100000 at sleekfreak.ath.cx> is the way
to go, with a few caveats on security. I suggest adding more rules to
prevent external machines from using the NAT and therefore masquerading
as coming from your network. Something like:

   # Variables make the rules easier to read
   PROXYNETWORK=10.0.0.0/8
   ANY=0.0.0.0/0
   # Masquerade only packets whose source is the proxy network and
   # which leave on the public interface (eth0); a packet with any
   # other source address is never rewritten, so it cannot borrow
   # the router's public address.
   iptables -t nat --append POSTROUTING --jump MASQUERADE \
       --out-interface eth0 --source $PROXYNETWORK --destination $ANY
__________________________________________________
This is the Africa Network Operators' Group(AfNOG) 
technical discussion list.
The AfNOG website is: <http://www.afnog.org>
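A fuller version of the rule set sketched in the reply above, added here as an example (it is not code from the original message or from the AfNOG list): the source-restricted MASQUERADE rule together with the filter rules that stop an outside host from feeding spoofed 10/8 packets into the NAT. It assumes eth0 is the public interface and eth1 faces the proxy and masq PCs on 10.0.0.0/8 (both interface names are hypothetical), and it only prints the iptables commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original message: a restrictive MASQUERADE rule
# plus anti-spoofing filter rules for a two-interface Linux router.
# Assumptions (hypothetical): eth0 is the public interface, eth1 faces the
# proxy/masq PCs on 10.0.0.0/8. Commands are only printed unless APPLY=1.

PUBLIC_IF=eth0
INSIDE_IF=eth1
PROXYNETWORK=10.0.0.0/8
# Private ranges that must never arrive from the public side.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ipt: print the iptables command; execute it too when APPLY=1 (run as root).
ipt() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

# NAT only traffic that really comes from the inside network and leaves on the
# public interface. A packet with any other source is never rewritten, so an
# outsider cannot borrow the router's public address by sending through it.
nat_rules() {
    ipt -t nat -A POSTROUTING -o "$PUBLIC_IF" -s "$PROXYNETWORK" -j MASQUERADE
}

# Filter rules that close the spoofing paths the NAT rule alone does not.
antispoof_rules() {
    # Forward nothing unless a rule below allows it.
    ipt -P FORWARD DROP
    # Packets arriving on the public side must not claim a private source.
    for net in $PRIVATE_NETS; do
        ipt -A INPUT   -i "$PUBLIC_IF" -s "$net" -j DROP
        ipt -A FORWARD -i "$PUBLIC_IF" -s "$net" -j DROP
    done
    # Packets arriving on the inside must come from the inside network.
    ipt -A FORWARD -i "$INSIDE_IF" ! -s "$PROXYNETWORK" -j DROP
    # Allow inside -> outside, and replies to those connections only.
    ipt -A FORWARD -i "$INSIDE_IF" -o "$PUBLIC_IF" -s "$PROXYNETWORK" -j ACCEPT
    ipt -A FORWARD -i "$PUBLIC_IF" -o "$INSIDE_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Check: count MASQUERADE rules that carry no source restriction. The
# unrestricted form ("-j MASQUERADE" with no "-s") is the one to avoid.
unrestricted_masq_count() {
    nat_rules | grep MASQUERADE | grep -vc -- ' -s ' || true
}

apply_all() {
    if [ "${APPLY:-0}" = "1" ]; then
        # Only a router that forwards needs this; keep it off otherwise.
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    nat_rules
    antispoof_rules
}

apply_all
```

Run it once without APPLY to review the printed rules, then `APPLY=1 ./nat.sh` as root. Order matters: the DROP rules on FORWARD are appended before the ACCEPT rules, so a 10/8-sourced packet arriving on eth0 is discarded before it can reach the POSTROUTING MASQUERADE rule at all.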