"David Blevins" <dmblevins at mediaone.net> wrote:
>
> I spent all day reading about gateways, routing, etc. in order to set up
> Linux as my gateway. I actually got it set up, but from what I
> understand the approach I tried is terribly insecure.
>
> I did this and got it running:
> # echo 1 >/proc/sys/net/ipv4/ip_forward
> # ipchains -F
> # ipchains -P forward ACCEPT
                         ^^^^^^
This is one supposedly insecure bit. You should use DENY there instead.

> # ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ

For the above command, you should also make sure that you are only
masquerading for 192.168.1.0/24 on your internal interface, eth0.
Otherwise, there is a chance that packets could get routed from the
outside interface back into your network (I think the kernel is supposed
to check for this in most cases, but it's always good to be certain...)

> That works, but everything is reset when I restart my network.

In the olden days, this stuff would end up in the rc.local script, though
most distributions don't have that anymore (AFAIK). I think RedHat (and
probably friends) will look for an ipchains config file on boot, and will
load it if it exists. Open up /etc/init.d/ipchains (if it exists) and
look at what config file it's looking for. If the file is
/etc/network/ipchains, just save your configuration before rebooting:

/sbin/ipchains-save > /etc/network/ipchains

-- 
Try? Try not. Do, or do not. There is no try.
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
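The three fixes discussed in the thread (DENY as the forward policy, masquerading only traffic that really comes from the LAN, and saving the rule set so it survives a reboot) collected into one script. This is an added example and not code posted by anyone in the thread. It assumes a 2.2-era kernel with ipchains, ppp0 as the outside interface and /etc/network/ipchains as the save path the init script reads; change those for your box. One caveat worth knowing before typing the rule from the thread with "-i eth0" on it: on the forward chain, ipchains' -i matches the interface a packet is about to go OUT of, not the one it came in on. So the "only for packets from the inside" restriction is expressed as two rules here: the input chain drops (and logs) anything with a 192.168.1.x source arriving on the outside interface, and the forward chain masquerades 192.168.1.x sources only when they leave via the outside interface. Run it with DRYRUN=1 to see the commands it would issue without needing root or ipchains at all.

```shell
#!/bin/sh
# Added example for the tclug-list thread above; not the original poster's
# or the replier's code. Interface names and the save path are assumptions.
#
#   sh gw.sh apply             apply the rules and save them
#   DRYRUN=1 sh gw.sh apply    only print what would be run

WAN_IF="${WAN_IF:-ppp0}"                      # outside interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"          # inside subnet from the thread
SAVE_FILE="${SAVE_FILE:-/etc/network/ipchains}"   # path from the thread

# Execute a command, or just print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # Start from a clean slate, then close the forward chain: nothing is
    # forwarded unless a later rule explicitly allows it.
    run ipchains -F
    run ipchains -P forward DENY

    # Anti-spoofing on the INPUT chain (-i here means the receiving
    # interface): a packet claiming an inside source address must never
    # show up on the outside link. -l logs the hit via the kernel log.
    # With more than two interfaces, add one such rule per non-LAN link.
    run ipchains -A input -i "$WAN_IF" -s "$LAN_NET" -j DENY -l

    # Masquerade on the FORWARD chain (-i here means the outgoing
    # interface): only inside sources, and only when they leave through
    # the outside link. Replies are de-masqueraded on the way in and do
    # not need a forward rule of their own.
    run ipchains -A forward -i "$WAN_IF" -s "$LAN_NET" -d 0/0 -j MASQ

    # Turn forwarding on last, after the DENY policy is already in place,
    # so there is no window where the box forwards with an open chain.
    run sh -c 'echo 1 >/proc/sys/net/ipv4/ip_forward'
}

# Save the live rule set where the distribution's init script looks for it.
persist_rules() {
    run sh -c "/sbin/ipchains-save > $SAVE_FILE"
}

if [ "${1:-}" = "apply" ]; then
    gateway_rules && persist_rules
fi
```

Check the result with "ipchains -L forward -n": the policy line should read DENY and the only rule should be the MASQ one bound to the outside interface.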