On 30/03/06 03:28, Tathagata Banerjee wrote:
> I have installed openSUSE 10 on the gateway of a medium-sized network. I want the gateway to be able to do packet forwarding and IP masquerading for only some hosts of the internal network (172.16.0.0/16). In other words, I want to share the internet connection with only those clients that I select. Using ACLs in squid is not the answer, because I want to control *all* traffic, not only HTTP or FTP. Can this be done using free/open-source software? I am not an advanced net admin, so if the answer involves advanced topics, please try to provide some tutorial links too.

You can set up masquerading in the firewall, but this is no substitute for use of proxies. I assume you have a basic firewall running already, and only have to add in the configuration needed to do masquerading.
This is for 9.3. 10.0 should not differ greatly, if at all, but if it does, the explanations in the config file are rather good, and you should be able to quickly find exactly what needs to be set.

In the sysconfig editor (YaST/System), look under network/firewall/SuSEfirewall2 for the following variables, and set them as stated:

  FW_ROUTE             yes
  FW_MASQUERADE        yes
  FW_MASQ_DEV          $FW_DEV_EXT
                       (this will substitute the value of FW_DEV_EXT, which is already set if you have a running firewall already)
  FW_PROTECT_FROM_INT  no, to allow unrestricted access to the internet
  FW_FORWARD_MASQ      leave blank, since this is used to allow the internet to access servers you have running on masqueraded systems

These are sufficient to enable masquerading for all systems in your internal network. To restrict which of those systems can actually access the internet, you also need FW_MASQ_NETS: set it equal to the desired net/mask, here 172.16.0.0/16.
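As an added example, not part of the thread above: FW_MASQ_NETS takes a space-separated list of networks or single hosts, and only sources matching one of the entries are masqueraded. This POSIX sh script checks which internal addresses a given FW_MASQ_NETS value would cover, so an admin can confirm that a value like the /16 above really matches only the intended hosts. The host addresses and the narrow list are constructed sample values.

```shell
#!/bin/sh
# Added example: which internal hosts does a FW_MASQ_NETS value masquerade?
# Hosts outside every listed entry are not NATed and get no internet access.

# Dotted-quad IPv4 address -> unsigned 32-bit integer (64-bit sh arithmetic assumed)
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is address $1 inside entry $2 (e.g. 172.16.0.0/16 or 172.16.1.10)?
# A bare host address without "/" is treated as a /32.
in_net() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Is host $1 covered by any entry of the space-separated list $2?
# Prints the matching entry and returns 0, otherwise returns 1.
masq_allowed() {
    for entry in $2; do
        if in_net "$1" "$entry"; then echo "$entry"; return 0; fi
    done
    return 1
}

# Constructed sample values: the whole /16 from the reply versus a per-host list
FW_MASQ_NETS_WIDE="172.16.0.0/16"
FW_MASQ_NETS_NARROW="172.16.1.10 172.16.1.11 172.16.2.0/24"

for h in 172.16.1.10 172.16.1.12 172.16.2.200 172.16.3.1; do
    for nets in "$FW_MASQ_NETS_WIDE" "$FW_MASQ_NETS_NARROW"; do
        if m=$(masq_allowed "$h" "$nets"); then
            echo "$h: masqueraded (matches $m) under '$nets'"
        else
            echo "$h: NOT masqueraded under '$nets'"
        fi
    done
done
```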