Mailinglist Archive: opensuse (3100 mails)
Re: [SLE] selective NAT possible?
- From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
- Date: Thu, 30 Mar 2006 10:05:57 -0600
- Message-id: <442C01E5.3050208@xxxxxxxxxxxxx>
On 30/03/06 03:28, Tathagata Banerjee wrote:
> i have installed opensuse 10 on the gateway of a medium-sized network. i
> want the gateway to be able to do packet forwarding and ip masquerading
> for only some hosts of the internal network (172.16.0.0/16). in other
> words, i want to share the internet connection with only those clients
> that i select. using acl-s in squid is not the answer, because i want to
> control *all* traffic, not only http or ftp. can this be done using
> free/opensource software?
> i am not an advanced net admin, so if the answer involves advanced
> topics, please try to provide some tutorial links too.
You can set up masquerading in the firewall, but this is no substitute
for use of proxies. I assume you have a basic firewall running already,
and only have to add in the configuration needed to do masquerading.
This is for 9.3. 10.0 should not differ greatly, if at all, but if it
does, the explanations in the config file are rather good, and you
should be able to quickly find exactly what needs to be set.
In the sysconfig editor (Yast/System), look under
network/firewall/SuSEfirewall2 for the following variables, and set them
as stated:
FW_ROUTE yes
FW_MASQUERADE yes
FW_MASQ_DEV $FW_DEV_EXT (this will substitute the value of FW_DEV_EXT,
which is already set if you have a running firewall)
FW_PROTECT_FROM_INT no, to allow unrestricted access to the internet.
Leave FW_FORWARD_MASQ blank, since this is used to allow the internet to
access servers you have running on masqueraded systems.
These are sufficient to enable masquerading for all systems in your
internal network. To restrict which of those systems can actually access
the internet, you also need
FW_MASQ_NETS: set it equal to the desired net/mask, here 172.16.0.0/16.
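As an added example that is not part of the thread, a small POSIX sh audit of a SuSEfirewall2 sysconfig file against the settings listed above. It assumes the plain KEY="value" layout of /etc/sysconfig/SuSEfirewall2 and works on two constructed sample configs, not a real host's file.

```shell
#!/bin/sh
# Added audit helper: report where a SuSEfirewall2 sysconfig file departs
# from the "masquerade only selected nets" setup. Sample configs are constructed.

# sysconfig_get FILE VAR: value of the last uncommented VAR= line, quotes stripped.
sysconfig_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# audit_masq FILE: print one finding per line, return 1 if there is any finding.
audit_masq() {
    f=$1; rc=0
    for v in FW_ROUTE FW_MASQUERADE; do
        [ "$(sysconfig_get "$f" "$v")" = "yes" ] || { echo "$v is not yes"; rc=1; }
    done
    [ -n "$(sysconfig_get "$f" FW_MASQ_DEV)" ] ||
        { echo "FW_MASQ_DEV is empty: no external device to NAT on"; rc=1; }
    # An empty FW_MASQ_NETS masquerades every internal host, which is exactly
    # what the question wants to avoid.
    [ -n "$(sysconfig_get "$f" FW_MASQ_NETS)" ] ||
        { echo "FW_MASQ_NETS is empty: all internal hosts get masqueraded"; rc=1; }
    # FW_FORWARD_MASQ publishes internal servers to the outside; the reply
    # says to leave it blank for this scenario.
    [ -z "$(sysconfig_get "$f" FW_FORWARD_MASQ)" ] ||
        { echo "FW_FORWARD_MASQ is set: inbound forwarding to internal hosts"; rc=1; }
    return $rc
}

WORK=$(mktemp -d)
GOOD_CONF=$WORK/good; BAD_CONF=$WORK/bad
cat >"$GOOD_CONF" <<'EOF'
## Constructed sample: masquerade only one internal net and one host
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="172.16.10.0/24 172.16.20.5"
FW_FORWARD_MASQ=""
EOF
cat >"$BAD_CONF" <<'EOF'
## Constructed sample: NAT for everyone plus an inbound forward
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0"
FW_MASQ_NETS=""
FW_FORWARD_MASQ="0/0,172.16.0.10,tcp,80"
EOF

audit_masq "$GOOD_CONF" && echo "good sample: no findings"
audit_masq "$BAD_CONF" || echo "bad sample: findings listed above"
```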