Subject: Re: Several Questions: netatalk, router
To: kevin havener <havenerk@thunder.scott.af.mil>
From: Xiamin Raahauge <xiamin@scdesantis.ne.mediaone.net>
List: port-mac68k
Date: 12/17/1997 19:07:11

On Wed, 17 Dec 1997, kevin havener wrote:
> lee wrote:
> > 
> (snip, snip)
> 
> > (2) Dialing up with PPP from home, I'd like to use the ci as a gateway
> > for two other machines. Right now, I have a dynamically assigned IP
> > number and am calling in at 33.6. Is the ci fast enough to handle the
> > traffic? Are there instructions out on the 'Net for handling the IP
> > routing between the PPP and the local machines so I don't need several
> > fixed IP numbers from the ISP?
> 
> What you're looking for here is IP masquerading, where you set up a
> private network using the IP addresses reserved for that purpose.  Look
> in the Linux Documentation Project's HOWTO's for the one about IP
> Masquerading.  It might also be disguised under the one about
> Firewalling.  I don't recall and I'm too lazy to look right now :-). 
> While the linux info may not be BSD specific, I'm not sure it has to be
> in this case.  There's also info in LDP HOWTO's about some creative
> dynamic IP hacks that may be useful (or not) for you.
> 
Actually, under NetBSD (and I think other non-Linux systems) this is
called IPNAT. I don't know how much it differs from IP-Masqing, but they
are not the same thing. Setting up ipnat is easy, so it's not too bad.
You can start ipnat from the /etc/ppp/ip-up script, and shut it down via
ip-down.
Since your IP is dynamic, things get a bit hairy, but you can still work
it.
Check this out as an ip-up script:
--SNIP--
#!/bin/sh
CONFLINE="map sn0 10.0.0.0/8 -> $(ifconfig sn0 | grep "inet.*netmask" | cut -d" " -f 2)/32 portmap tcp/udp 10000:20000"
#NB the above should be all one line.
#This also assumes that your outgoing interface is sn0, in your case it
#would be ppp0. Also, this assumes your internal network is numbered in
#the 10 range.

echo "$CONFLINE" > /etc/ipnat.conf
#Ok, now your ipnat.conf file has the right ip#

#Now, get the real stuff going.
ipnat -f /etc/ipnat.conf
--SNIP--

You should have ipfilter=YES in /etc/rc.conf I think, but I'm not sure.
This should switch on ipf (by doing ipf -E at startup). I guess you could
just put ipf -E in the ip-up script too.

To kill ipnat so things don't get messed up while the ppp connection is
down, try this in ip-down:

--SNIP--
#!/bin/sh
ipnat -F
ipf -D
--SNIP--

All this needs to be run as root, since these scripts are auto-run by pppd
when it gets started up...pppd is setuid root, so maybe it'll work with no
trouble ;).

-Xiamin
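
An added example, not part of the original message: an ip-up variant that takes the interface and local address from the arguments pppd passes to ip-up (interface, tty, speed, local IP, remote IP) instead of parsing ifconfig output, and validates both before writing /etc/ipnat.conf as root. The function names are hypothetical; the map rule, the 10.0.0.0/8 range and the port range are the ones from the post, and 203.0.113.7 is a constructed sample address.

```shell
#!/bin/sh
# Added example (not from the original post).
# pppd runs: ip-up <iface> <tty> <speed> <local-ip> <remote-ip>

INSIDE_NET="10.0.0.0/8"    # private range used in the post
PORT_RANGE="10000:20000"   # portmap range used in the post

# Succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ipnat map rule, or fail if either argument looks wrong,
# so nothing unexpected is ever written into a root-owned config.
build_nat_rule() {           # $1 = interface, $2 = local IP
    case "$1" in ''|*[!a-z0-9]*) return 1 ;; esac
    valid_ipv4 "$2" || return 1
    printf 'map %s %s -> %s/32 portmap tcp/udp %s\n' \
        "$1" "$INSIDE_NET" "$2" "$PORT_RANGE"
}

# Write the rule to a private temp file, then rename it into place,
# so a failed write never leaves a half-written config behind.
install_rule() {             # $1 = rule text, $2 = destination file
    tmp="$2.$$"
    ( umask 077; printf '%s\n' "$1" > "$tmp" ) && mv "$tmp" "$2"
}

if [ "$#" -ge 4 ]; then      # invoked by pppd with its usual arguments
    rule=$(build_nat_rule "$1" "$4") || {
        echo "ip-up: refusing to build NAT rule from bad arguments" >&2
        exit 1
    }
    install_rule "$rule" /etc/ipnat.conf && ipnat -f /etc/ipnat.conf
else                         # no arguments: show the rule for a sample address
    build_nat_rule ppp0 203.0.113.7
fi
```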