Re: RFE: Connection Sharing



On Sun, 2006-08-27 at 20:42 +0200, Nicolas "Ikke" Trangez wrote:
> On Sun, 2006-08-27 at 07:51 -0400, Saikat Guha wrote:
> > Would NM be the appropriate place to have "connection sharing" that
> > just
> > works?
> Having this functionality somewhere in the stack would be great, *but*
> setting up NAT in iptables is very dependent on existing chains/rules
> (where to put them etc). I don't know whether this is doable. I guess
> flushing all chains is not an option ;-)

If ethX is internet-facing and ethY is to be NAT'ed, perhaps
a rule at the very top of the iptables chain that whitelists all traffic
initiated from someone on ethY being routed to ethX should do the trick.

iptables -I FORWARD --in-interface ethY -j ACCEPT
iptables -t nat -I POSTROUTING --out-interface ethX -j MASQUERADE

There is probably something more clever that can be done with marking
the packets and routing them through a separate table with greater
security for the box running NM from hostiles on the internal (ethY)
network.

(vaguely from memory)

... --in-interface -j MARK 0x10
ip ro add ...

If nothing else, we can likely make the assumption that if the user is
requesting the device to NAT some internal network onto the internet, he
trusts the internal network somewhat. The first two rules above with a
warning might also be a good first stab.

-- 
Saikat
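One way to address the "where do the rules go" concern from the thread, as an added example that is not part of the original mail or of NetworkManager: put every sharing rule in dedicated chains (nm-share for FORWARD, nm-share-in for INPUT) and insert a single jump to each chain at the top of the built-in chain, so nothing existing is flushed or reordered and teardown is one deletion per chain. The script prints the iptables commands instead of running them so they can be reviewed first. Interface names, the LAN subnet, the chain names and the services the host exposes to the internal side (DHCP and DNS) are placeholders chosen for this example; the script assumes iptables with the conntrack match and that IP forwarding is enabled via sysctl.

```shell
#!/bin/sh
# Added example, not code from the original thread or from NetworkManager.
# Prints (rather than runs) the iptables commands for sharing an
# internet-facing interface (WAN) with an internal one (LAN), keeping all
# rules in dedicated chains so existing chains are neither flushed nor
# reordered. Interface names, subnet, chain names and exposed services
# are placeholders chosen for this example.

nm_share_rules() {
    wan="$1"       # internet-facing interface (ethX in the thread)
    lan="$2"       # interface to be NAT'ed (ethY in the thread)
    lan_net="$3"   # subnet on the internal side, e.g. 192.168.2.0/24

    # Forwarding is off by default; nothing below works without it.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # --- forwarding: own chain, reached via one jump at the top of FORWARD ---
    echo "iptables -N nm-share"
    # Anti-spoofing: only the internal subnet may arrive on the LAN port.
    echo "iptables -A nm-share -i $lan ! -s $lan_net -j DROP"
    # Internal hosts may reach the internet, but not other interfaces.
    echo "iptables -A nm-share -i $lan -o $wan -s $lan_net -j ACCEPT"
    # Replies to connections the internal hosts opened.
    echo "iptables -A nm-share -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Nothing unsolicited from the internet reaches the internal network.
    echo "iptables -A nm-share -i $wan -o $lan -j DROP"
    echo "iptables -I FORWARD -j nm-share"

    # --- the sharing host itself: limit what the internal side can reach ---
    echo "iptables -N nm-share-in"
    echo "iptables -A nm-share-in -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A nm-share-in -p udp --dport 67 -j ACCEPT"   # DHCP (assumed to be offered)
    echo "iptables -A nm-share-in -p udp --dport 53 -j ACCEPT"   # DNS (assumed to be offered)
    echo "iptables -A nm-share-in -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A nm-share-in -j DROP"
    echo "iptables -I INPUT -i $lan -j nm-share-in"

    # --- NAT: rewrite the source address of traffic leaving via the WAN ---
    echo "iptables -t nat -A POSTROUTING -s $lan_net -o $wan -j MASQUERADE"
}

# Undo exactly what nm_share_rules added, in reverse order.
nm_unshare_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    echo "iptables -t nat -D POSTROUTING -s $lan_net -o $wan -j MASQUERADE"
    echo "iptables -D INPUT -i $lan -j nm-share-in"
    echo "iptables -F nm-share-in"
    echo "iptables -X nm-share-in"
    echo "iptables -D FORWARD -j nm-share"
    echo "iptables -F nm-share"
    echo "iptables -X nm-share"
}

# Usage: sh share.sh eth0 eth1 192.168.2.0/24 | sudo sh
if [ "$#" -eq 3 ]; then
    nm_share_rules "$@"
fi
```

The DROP at the end of nm-share-in is what gives the sharing host some protection from hostiles on the internal network, the point raised above; since the jump is only taken for packets arriving on the LAN interface, the host's other interfaces keep whatever INPUT policy they already had.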
