IPChains and Port Mapping


PlasmaBurn
06-08-2003, 09:23 PM
Hi.

I'd like to set up a Linux gateway for my home ADSL. I can get PPPoE working well, but I'd like to be able to MASQ the PPP connection to my home network and assign some ports to the computers, preferably using ranges.

Are there any nifty utils out there for running a shared connection with a port mapping feature?

- plasma~

raz0rblade
06-08-2003, 10:54 PM
PMfirewall will do the masq job and dhcpd can do the dhcp assigning with ranges. I believe you can do Port mapping with it.

robert0380
06-09-2003, 01:05 AM
But more specifically:

The iptables rules for masqing are:


LAN="192.168.0.1/24"   # example LAN IP range

# MASQUERADE is a target in the nat table, so the rule needs -t nat
iptables -t nat -A POSTROUTING -s $LAN ! -d $LAN -j MASQUERADE


to get the computers on the net talking to each other:

you MUST DO THIS EVERY TIME YOU REBOOT:

echo 1 > /proc/sys/net/ipv4/ip_forward ## turns on ip forwarding

iptables -A FORWARD -s $LAN -d $LAN -j ACCEPT

the not very secure way is just to have a default ACCEPT policy
on forwarding:

iptables -P FORWARD ACCEPT

But me, I'm paranoid; I drop everything and allow what's necessary. By setting the forward policy to drop, you can stop traffic from other subnets from going through your box.


that rule there will allow computers connected to yours

raz0rblade
06-09-2003, 09:30 PM
Or you can use gShield, it's very easy to configure. It's ip_tables based; I just upgraded to it from ipchains today.

robert0380
06-09-2003, 10:03 PM
Firestarter gets good reviews often also.

If you use a GUI tool, I still recommend learning iptables just so that you know what's going on. One day you may have a box with no X-windows and it would be nice to know how to set up everything in text mode.

PlasmaBurn
06-11-2003, 01:21 PM
Thanks for the help.

I am currently running three linux boxes, all with SSH and remote X and VNC connections running to my main wintel machine. I have some experience with IP-Chains, but I haven't gotten into port forwarding, that's all.

One more question: do any of those tools do port-mapping in ranges?

- plasma~

robert0380
06-13-2003, 01:58 AM
Not sure about ranges, but to forward a port you would use the PREROUTING chain along with the nat table and the DNAT rule (Destination NAT):


# DNAT takes its target address via --to-destination (optionally with :port)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $INTERNALIP


That forwards requests for port 80 to whatever you specify as the INTERNALIP. You can leave off the port and it will default to port 80 on the LAN machine, or you can have it forward to a different port on the INTERNALIP machine by specifying:

192.168.1.100:8080 or something like that.
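Pulling the thread's pieces together as an added example (not any poster's code): masquerading out the PPP link, a default-DROP FORWARD policy, and a DNAT rule that forwards a whole port range, which is how iptables handles the range question (`--dport first:last`). The interface names, the LAN range and the inside host are assumptions.

```shell
#!/bin/sh
# Added example (not a poster's code): a home gateway rule set that combines
# the thread's pieces. Interface names and addresses below are assumptions.
WAN_IF="ppp0"              # PPPoE link (assumed name)
LAN_IF="eth0"              # inside interface (assumed)
LAN="192.168.0.0/24"       # example LAN range
WEB_HOST="192.168.0.10"    # LAN box that receives the forwarded ports (assumed)

# ipt: with IPT_DRY_RUN=1 print each rule instead of applying it, so the
# rule set can be reviewed on a machine without root or iptables.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

gateway_rules() {
    # forwarding is off after every reboot; turn it back on
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    # default deny for routed traffic; only what is listed below passes
    ipt -P FORWARD DROP
    # LAN hosts may talk to each other and out to the internet
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN" -j ACCEPT
    # replies to connections the LAN opened come back in
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # hide the LAN behind the PPP address (MASQUERADE lives in the nat table)
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN" -j MASQUERADE

    # port range: TCP 8000-8010 arriving on the WAN side go to the same ports on WEB_HOST
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 8000:8010 -j DNAT --to-destination "$WEB_HOST"
    # DNAT only rewrites the address; the packets still need a FORWARD rule to pass
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_HOST" -p tcp --dport 8000:8010 -j ACCEPT
}

# Defaults to a dry run that prints the rules; set IPT_DRY_RUN=0 and run as root to apply.
IPT_DRY_RUN="${IPT_DRY_RUN:-1}"
gateway_rules
```

Everything that is not explicitly accepted in FORWARD is dropped, so any new service on the LAN needs both a DNAT rule and a matching FORWARD rule.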