Marshal Wong wrote:
> 1. I'm networking together an iMac and my Linux box for a local
>    network. I've managed to get the two computers talking to each
>    other now with netatalk and macgate. I don't know how well they
>    are talking to each other, but at least file sharing is
>    happening. What I'd like to do is to set the network up so that
>    the Mac can use the linux box as a gateway to the internet. We
>    only have one phone line for the computer and the iMac doesn't
>    have a phone out jack, so I can't daisy chain the modems
>    together. I'm a complete newbie at networking, so if someone
>    could give me a run down on more or less what to do, or what
>    manuals to read, I'd greatly appreciate it.

i just connected my mac clone (powertower pro 225) to debian linux from the 2.1 cd's and did the 'server' install. with modconf (which can be run from the initial setup routines after getting a linux launch) you can enable misc -> appletalk, which you've already done, and ipv4 (or ipv6?) -> ip_masq_ftp. (someone may correct me here, but i think you need one of the ip_masq jobs to get ipmasquerading up and running).

i'm not familiar with macgate; sounds like it may be intended for your mac to be used as the gateway machine?

with appletalk running on linux, you can use your mac chooser to select the IP number of your linux box (via ethernet, i presume) and mount folders from linux as volumes on your mac desktop. (/etc/netatalk/* is where you specify what linux "publishes" for the mac to see.)

when you can mount a linux folder as a mac volume, you've got half your battle won.

now, get ipmasq if you don't have it. if you can connect to the 'net via linux console, do

    apt-get install ipmasq

if it doesn't work, check the docs for apt-get on what you need in your /etc/apt/sources.list file: mine is

    deb http://http.us.debian.org/debian frozen main contrib non-free

that might get you started.

then, run "ipmasq -d" and see what commands it would run. (they're all in /etc/ipmasq/rules/*.def which you can override with a *.rul of your own, but you'll probably not need to.)

ipmasq depends on the interfaces you've got running (try "ifconfig") ... specifically, the devices (eth0, eth1, ppp0...) and IP numbers (w/netmasks) that are attached to them. it allows everything that looks reasonable based on your ifconfig setup, and forbids everything else.

i've got a 24x7 cablemodem, so i don't have to worry about the pon/poff situation; others here are more qualified to discuss how that works, but with luck it'll be set up to automatically get you going!

    linux eth0 = 192.168.1.1  <--hub--> mac is 192.168.1.100
    linux eth1 = 208.33.90.85 <-------> cablemodem 208.33.90.84 --> 'net

after this worked, it was a snap to get my wife's winblows98 box attached as 192.168.1.200 and another mac at 192.168.1.101...

> 2. Along the same lines, I'd like to harden the machine against the
>    outside world a bit. I know I probably should put up a firewall,
>    but have no clue as to where to start. Again any hints would be
>    great.

the ipmasq really uses ipchains or ipfwadm which are firewall rule-setters; these rules include 'what's okay to accept as incoming', 'what's okay for outgoing' and (the important one for this topic) 'what do we forward on to somewhere else?' i.e. if we receive a packet that is acceptable via incoming parameters, and it's not intended for us specifically, and it matches what's okay for output parameters, then send it on...

my setup uses ipfwadm:

    ipfwadm -F -f

resets all rules

    ipfwadm -F -a masq -W eth1 -S 192.168.1.1/24

that allows everything from my internal network (192.168.1.*) to promenade thru eth1 to the World Wide Net.

    ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

everything else is forbidden--and logged (with "-o") in /var/log/syslog, depending on your /etc/syslog.conf setup.

i hear you can also use ip_aliasing to get one ethernet card to work as more than one address (eth0, eth0:1, eth0:2) but it's probably easier to debug if you have one card per ip#.
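
The forwarding logic described in the reply above (masquerade the 192.168.1.* network out through eth1, deny and log everything else), as an added Python model that is not part of the original post. It assumes first-match rule evaluation and that -W eth1 refers to the outgoing interface, as the post describes; the sample packets and the address 203.0.113.10 are constructed.

```python
import ipaddress

# Model of the two forward-chain rules from the post (first match wins).
# strict=False masks the host bits, so 192.168.1.1/24 is treated as the
# network 192.168.1.0/24, which is why the rule covers the whole LAN.
def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

FORWARD_RULES = [
    # ipfwadm -F -a masq -W eth1 -S 192.168.1.1/24
    {"policy": "masq", "src": net("192.168.1.1/24"), "dst": net("0.0.0.0/0"),
     "iface": "eth1", "log": False},
    # ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
    {"policy": "deny", "src": net("0.0.0.0/0"), "dst": net("0.0.0.0/0"),
     "iface": None, "log": True},
]

def forward_decision(src, dst, out_iface, rules=FORWARD_RULES):
    """Return (policy, logged) for a packet that is being forwarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s not in rule["src"] or d not in rule["dst"]:
            continue
        if rule["iface"] is not None and rule["iface"] != out_iface:
            continue
        return rule["policy"], rule["log"]
    return "default-policy", False  # no rule matched; chain default applies

# Constructed sample packets: (source, destination, outgoing interface)
SAMPLES = [
    ("192.168.1.100", "203.0.113.10", "eth1"),  # mac going out to the net
    ("192.168.1.200", "203.0.113.10", "eth1"),  # second LAN host, same rule
    ("203.0.113.10", "192.168.1.100", "eth0"),  # outside source toward the LAN
    ("10.0.0.5", "203.0.113.10", "eth1"),       # source not on the LAN
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", forward_decision(*pkt))
```

Anything the masq rule does not match falls through to the catch-all deny, so those packets are the ones to expect in /var/log/syslog.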