On Sun, 2006-08-27 at 20:42 +0200, Nicolas "Ikke" Trangez wrote: > On Sun, 2006-08-27 at 07:51 -0400, Saikat Guha wrote: > > Would NM be the appropriate place to have "connection sharing" that > > just > > works? > Having this functionality somewhere in the stack would be great, *but* > setting up NAT in iptables is very dependant on existring chains/rules > (where to put them etc). I don't know wether this is doable. I guess > flushing all chains is not an option ;-) If ethX is internet-facing and ethY is to be NAT'ed, perhaps a rule at the very top of the iptables chain that whitelists all traffic initiated from someone on ethY being routed to ethX should do the trick. iptables -I FORWARDING --in-interface ethY -j ACCEPT iptables -t nat -I POSTROUTING --out-interface ethX -j ACCEPT There is probably something more clever that can be done with marking the packets and routing them through a separate table with greater security for the box running NM from hostiles on the internal (ethY) network. (vaguely from memory) ... --in-interface -j MARK 0x10 ip ro add ... If nothing else, we can likely make the assumption that if the user is requesting the device to NAT some internal network onto the internet, he trusts the internal network somewhat. The first two rules above with a warning might also be a good first stab. -- Saikat
Attachment:
signature.asc
Description: This is a digitally signed message part