I'm confused by a couple of points in the IPCHAINS-HOWTO (http://metalab.unc.edu/mdw/HOWTO/IPCHAINS-HOWTO-7.html#ss7.4). Hope someone who understands this can clear this up.
In the "Serious Example," the Internal network is masqueraded to External via a chain jumped to from the FORWARD chain:

<--snip-->
Good (internal) to Bad (external).
    ipchains -A good-bad -p tcp --dport www -j MASQ
    ipchains -A good-bad -p tcp --dport ssh -j MASQ
    ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
    ipchains -A good-bad -p tcp --dport ftp -j MASQ
    ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
    ipchains -A good-bad -j REJECT -l
<--snip-->

Then in the rules for the External interface, only certain ports appear to be let back in. I presume that the second and third rules with destination ports 61000:65095 are for returning masqueraded packets, eh?

<--snip-->
Bad (external) interface.
    ipchains -A bad-if -i ! ppp0 -j DENY -l
    ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
    ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
    ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
    ipchains -A bad-if -j icmp-acc
    ipchains -A bad-if -j DENY
<--snip-->

This example doesn't make clear to me what happens to packets from the Internal network when they're jumped to MASQ. Do they get a new port (in the range 61000:65095) in addition to the masqueraded IP address, so that when they come back they get past the Bad interface to get demasqueraded? Or do they just go around the Bad interface because in some other fashion they're identified as masqueraded packets through something MASQ does?

Just trying to grok what goes on here. TIA for any help!

Stan
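As an added illustration (not part of the post or the HOWTO), here is a toy model of the masquerade table the question is asking about. It assumes the 2.2-kernel behaviour that MASQ rewrites the source address to the firewall's external address and the source port to a fresh port in 61000:65095, which is why the bad-if chain accepts only that destination range; the addresses and the Masquerader/bad_if_accepts names are constructed for the example.

```python
# Added example: a minimal stand-in for the kernel masquerade table.
# Assumption: MASQ rewrites the source port into 61000:65095 (the range
# the HOWTO's bad-if chain lets back in). Addresses are constructed.

from dataclasses import dataclass

MASQ_PORT_BEGIN, MASQ_PORT_END = 61000, 65095   # range used in the bad-if rules
FIREWALL_EXT_IP = "192.0.2.1"                    # constructed external (ppp0) address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Toy masquerade table keyed on the rewritten (proto, port)."""

    def __init__(self):
        self._next = MASQ_PORT_BEGIN
        self._table = {}   # (proto, masq_port) -> (orig_src, orig_sport)

    def masq(self, pkt):
        """Outbound (good-bad -j MASQ): new src address and a fresh port in range."""
        if self._next > MASQ_PORT_END:
            raise RuntimeError("masquerade port range exhausted")
        port, self._next = self._next, self._next + 1
        self._table[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, FIREWALL_EXT_IP, port, pkt.dst, pkt.dport)

    def demasq(self, pkt):
        """Inbound: undo the rewrite only if a table entry matches the dport."""
        entry = self._table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None   # no entry: packet stays addressed to the firewall itself
        orig_src, orig_sport = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, orig_src, orig_sport)


def bad_if_accepts(pkt):
    """The two port-range ACCEPT rules of the HOWTO's bad-if chain."""
    return pkt.proto in ("tcp", "udp") and MASQ_PORT_BEGIN <= pkt.dport <= MASQ_PORT_END
```

Note that the input-chain rule only checks the port range; whether a packet is actually translated back depends on the masquerade table, so a packet to an unused port in that range simply reaches the firewall host itself.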