iptables NAT and MASQUERADE

Sam
07-24-2004, 09:02 PM
I've got the following:

I have a router connected to a student-flat network on NIC eth0. eth0
gets its IP etc. through DHCP. I use Roaring Penguin to connect to
the internet through ppp0, which is actually a connection over eth0. I
have a small home network on eth1 making use of MASQUERADE rules in
the nat table (POSTROUTING chain).

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Now I want some other computer which is on the student-flat network to
make use of my internet connection. Any ideas on how to do that? Is
it possible to mix MASQUERADE and NAT rules?

jack
07-24-2004, 09:03 PM
Sam wrote:
> I've got the following:
>
> I have a router connected to a student-flat network on NIC eth0. eth0
> gets its IP etc. through DHCP. I use Roaring Penguin to connect to
> the internet through ppp0, which is actually a connection over eth0. I
> have a small home network on eth1 making use of MASQUERADE rules in
> the nat table (POSTROUTING chain).
>
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> Now I want some other computer which is on the student-flat network to
> make use of my internet connection. Any ideas on how to do that? Is
> it possible to mix MASQUERADE and NAT rules?

You use DSL, so eth0 does not matter at all. You don't need the rule
with eth0.

To achieve what You want, simply allow forwarding traffic from/to Your
eth1 subnet, and masquerade everything that is outbound. So far, Your
ideas are perfectly correct.

Perhaps You want to restrict masquerading only to those packets that
arrive on eth1, otherwise, You would allow anybody in the world to use
Your box as a masquerading (and thus, anonymizing) gateway.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

Sam
07-24-2004, 09:07 PM
jack <not@all.org> wrote in message news:<bir4v6$kug$04$1@news.t-online.com>...
> Sam wrote:
> > I've got the following:
> >
> > I have a router connected to a student-flat network on NIC eth0. eth0
> > gets its IP etc. through DHCP. I use Roaring Penguin to connect to
> > the internet through ppp0, which is actually a connection over eth0. I
> > have a small home network on eth1 making use of MASQUERADE rules in
> > the nat table (POSTROUTING chain).
> >
> > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > Now I want some other computer which is on the student-flat network to
> > make use of my internet connection. Any ideas on how to do that? Is
> > it possible to mix MASQUERADE and NAT rules?
>
> You use DSL, so eth0 does not matter at all. You don't need the rule
> with eth0.
>
> To achieve what You want, simply allow forwarding traffic from/to Your
> eth1 subnet, and masquerade everything that is outbound. So far, Your
> ideas are perfectly correct.
>
> Perhaps You want to restrict masquerading only to those packets that
> arrive on eth1, otherwise, You would allow anybody in the world to use
> Your box as a masquerading (and thus, anonymizing) gateway.
>
>
> Cheers, Jack.


Hmmm, maybe I didn't explain well enough... I have a subnet indeed...
through eth1, but I want somebody on the flat network (to which I am
connected through eth0) to be able to use my dial-up connection
through ppp0.

And I do need the masq. rule for eth0 as well, otherwise I am not able
to see the computers on that network from a computer that is behind
the firewall.

jack
07-24-2004, 09:08 PM
Sam wrote:
> jack <not@all.org> wrote in message news:<bir4v6$kug$04$1@news.t-online.com>...
>
>>Sam wrote:
>>
>>>I've got the following:
>>>
>>>I have a router connected to a student-flat network on NIC eth0. eth0
>>>gets its IP etc. through DHCP. I use Roaring Penguin to connect to
>>>the internet through ppp0, which is actually a connection over eth0. I
>>>have a small home network on eth1 making use of MASQUERADE rules in
>>>the nat table (POSTROUTING chain).
>>>
>>>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>>>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>
>>>Now I want some other computer which is on the student-flat network to
>>>make use of my internet connection. Any ideas on how to do that? Is
>>>it possible to mix MASQUERADE and NAT rules?

> Hmmm, maybe I didn't explain well enough... I have a subnet indeed...
> through eth1, but I want somebody on the flat network (to which I am
> connected through eth0) to be able to use my dial-up connection
> through ppp0.
>
> And I do need the masq. rule for eth0 as well, otherwise I am not able
> to see the computers on that network from a computer that is behind
> the firewall.

Well, that is a bit confusing: In Your OP, You say that ppp0 actually
goes through eth0, like with a DSL connection. Then You say that eth0
connects to Your students' home network. - Even if it is possible to use
one NIC for both LAN and DSL, it is not a good idea at all to use it in
such a way, unless You have some very good reason to do so.

OK, but if You want this anyway, here's how to do that:

When I switched my servers to DSL three years ago, I read an article
(for which I did a Google search while writing this, but didn't find it
again) where some guy did it like this: Use one NIC for the DSL
connection, and have a second interface defined on that very same NIC
(like eth0:1) with the appropriate private IP. The idea behind this is
that the remote side of the DSL line has a public IP (which is the gw
address for Your NAT box), and will ignore other traffic that occurs
between clients with private IPs. So if, for all inside machines, You
specify Your eth0:1 IP as the default gw, Your NAT box will accept those
packets, NAT them, and then send them out to its own gw, and vice versa.

What I don't remember, though, is whether and how You can mix PPPoE and
"regular" ethernet on one NIC. In fact, if pppd is able to use "eth0:0"
as device, it shouldn't be a problem. But I'm not too sure, sorry.

And, even if this seems possible to do, I didn't like the idea very
much, because technically, all traffic that runs on Your local net will
be visible at Your ISP's AC. I don't think that this really bears any
risk to Your home LAN, but it made me feel uncomfortable, so that I put
a second NIC in the servers.


Hope this helps, Jack.

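The two pieces of advice in this thread (Jack's first reply: masquerade only packets that arrive on the inside interface, so the box cannot be used as an open anonymizing gateway; Jack's second reply: give the flat-network NIC a private alias such as eth0:1 and let those hosts use it as their default gateway towards ppp0) can be combined into one gateway script. The following is an added example written for this thread, not code from either poster. The interface names eth0, eth0:1, eth1 and ppp0 come from the thread; the subnets 192.168.1.0/24 (home LAN on eth1) and 192.168.2.0/24 (private alias on eth0) are constructed addresses, and the function names are hypothetical. The script defaults to a dry run that prints the commands; setting DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example gateway script for the setup discussed in the thread.
#   ppp0   - PPPoE uplink (Roaring Penguin) running over eth0
#   eth1   - home LAN, 192.168.1.0/24 (constructed addresses)
#   eth0:1 - private alias on the flat-network NIC, 192.168.2.0/24 (constructed),
#            used as default gateway by flat-network hosts that may share ppp0
# DRY_RUN=1 (default) prints the commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}

HOME_IF=eth1;  HOME_NET=192.168.1.0/24
FLAT_IF=eth0;  FLAT_ALIAS=eth0:1; FLAT_NET=192.168.2.0/24; FLAT_GW=192.168.2.1/24
WAN_IF=ppp0

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# The rule from the original post: every packet leaving ppp0 is masqueraded,
# whatever interface it came in on. Kept only to show the weak variant.
open_masquerade() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Restricted variant: forward and masquerade only the two known subnets, and
# only when the packet arrived on the interface that subnet lives on, so a
# host on the flat network cannot claim a home-LAN address.
apply_firewall() {
    run ip addr add "$FLAT_GW" dev "$FLAT_IF" label "$FLAT_ALIAS"
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING

    # replies to connections the inside hosts opened themselves
    run iptables -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    for pair in "$HOME_IF $HOME_NET" "$FLAT_IF $FLAT_NET"; do
        set -- $pair
        run iptables -A FORWARD -i "$1" -s "$2" -o "$WAN_IF" -j ACCEPT
        run iptables -t nat -A POSTROUTING -s "$2" -o "$WAN_IF" -j MASQUERADE
    done
}

# Review check: returns 0 when every MASQUERADE rule emitted by the function
# named in $1 carries a -s source restriction, 1 if any rule is unrestricted.
check_rules() {
    if DRY_RUN=1 "$1" | grep MASQUERADE | grep -v ' -s ' | grep -q .; then
        return 1
    fi
    return 0
}

# Print (or, with DRY_RUN=0, apply) the restricted rule set.
apply_firewall
```

Run it once without arguments to review the generated commands, then with DRY_RUN=0 as root. check_rules is the kind of sanity test worth keeping in a firewall script: it fails on the open_masquerade variant and passes on apply_firewall, catching a later edit that drops the -s restriction. Jack's remaining caveat still applies: with the alias approach, the flat-network hosts' traffic crosses the same NIC that carries the PPPoE session, so anything on that segment is visible to the ISP's access concentrator side as well.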