From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Cc: poptop-server@lists.sourceforge.net
Subject: Re: Netfilter and Poptop ( and stuff ... )
Date: Mon, 10 Oct 2005 06:29:16 -0500
Message-ID: <200510100629.16485.rob0@gmx.co.uk>
In-Reply-To: <20051010062902.A7C34F4DA@sorry.no-ip-here.net>
On Monday 2005-October-10 01:28, Seferovic Edvin wrote:
> I would like allow my VPN users internet access, but not to all
This seems odd. Didn't they already have Internet access to connect to
your pptpd?
> machines on the internal network. So I have to use NAT on the tunnel
> endpoints ( ppp+ interfaces ), right?
SNAT allows clients to use non-public IP addresses. It is one condition
which must be satisfied, but it is not all. You also must have rules in
FORWARD to DROP/REJECT traffic to the internal network from ppp+ and
then to ACCEPT traffic from ppp+ to anywhere.
> I wanted to make this easy as possible, but as always - I took the
> wrong turn... probably by choosing Firewall Builder to help me get my
> firewall set up. I achieved everything, but I cannot configure ppp+
> interfaces in FW-Builder? Does anyone have a hint for me? Is this
Type the command at the command line?
> possible anyway ( please don't tell me I have to configure 150 ppp
> interfaces in FW-Builder ) ???
I am not familiar with it. If you are saying that it rejects the ppp+
syntax to specify all PPP interfaces, then indeed that sounds like a
serious bug.
> I suppose it would be more secure to enter a firewall rule every time
> a ppp interface comes up ( by using scripts like ip-up from pppd )?
That would be appropriate for more fine-grained control. If all ppp+
traffic is to be treated the same, I think a single blanket rule makes
more sense.
> Do I have to enter a NAT rule for each interface then? Any
No.
> performance thought when having 150+ interfaces at the same time?
Not terribly efficient, but I doubt you would see a performance impact
with that.
> Nevertheless I would also like to redirect http traffic going from a
> NATed ppp+ interface to my squid process - how does this combined
> rule look like?
The example in the squid documentation is perfect, just adjust it to
suit your needs. You might want -s sourcerange/netmask and of course
the input interface, -i ppp+. If by "combined" you mean the same rule
as is doing the SNAT, no, that is not so. The HTTP proxying is done
using DNAT or REDIRECT target in the PREROUTING chain. SNAT is in
POSTROUTING.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
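The rule set rob0 describes in this reply, written out as an added example (it is not code from the thread, from Poptop or from the netfilter project): a blanket DROP for ppp+ to the internal network placed before a blanket ACCEPT in FORWARD, a single SNAT rule in nat/POSTROUTING covering all ppp interfaces, and a REDIRECT in nat/PREROUTING that sends HTTP from the tunnel clients to a local Squid. The network ranges, the public address, the WAN interface name and the Squid port are assumptions; set IPT to "echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread. Implements the netfilter setup
# described in the reply above for PPTP clients on ppp+ interfaces.
# All addresses, interface names and ports below are assumed values.
set -eu

INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # assumed internal LAN the VPN users must not reach
VPN_POOL="${VPN_POOL:-10.8.0.0/24}"             # assumed address pool pppd hands to PPTP clients
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"          # assumed public address of the gateway (TEST-NET-3)
WAN_IF="${WAN_IF:-eth0}"                        # assumed upstream interface
SQUID_PORT="${SQUID_PORT:-3128}"                # assumed Squid listening port
# IPT="echo iptables" prints the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"

ppp_vpn_rules() {
    # FORWARD: order matters. The DROP for the internal network must precede
    # the blanket ACCEPT, otherwise the ACCEPT would match first and the
    # internal network would be reachable from the tunnels.
    $IPT -A FORWARD -i ppp+ -d "$INTERNAL_NET" -j DROP
    $IPT -A FORWARD -i ppp+ -j ACCEPT
    # Return traffic for connections the tunnel clients opened.
    $IPT -A FORWARD -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    # nat/PREROUTING: hand HTTP from the VPN clients to Squid. Restricted to
    # the ppp+ input interface and the VPN pool (-s sourcerange/netmask) so
    # traffic from other interfaces is not proxied by accident.
    $IPT -t nat -A PREROUTING -i ppp+ -s "$VPN_POOL" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # nat/POSTROUTING: one SNAT rule serves every ppp interface, so there is
    # no need for a NAT rule per interface.
    $IPT -t nat -A POSTROUTING -s "$VPN_POOL" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Sanity check on the generated rule order: the DROP toward the internal
# network must be appended before the blanket ACCEPT for ppp+.
check_forward_order() {
    rules=$(IPT="echo iptables"; ppp_vpn_rules)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | cut -d: -f1)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '-i ppp+ -j ACCEPT' | cut -d: -f1)
    [ "$drop_line" -lt "$accept_line" ]
}
```

Running it with IPT="echo iptables" shows the five rules that would be appended; running it as root without that variable applies them. A REJECT in place of the DROP in the first FORWARD rule gives the clients an immediate error instead of a timeout, which is the choice the reply leaves open.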