BSD Today: Setting up OpenBSD 2.7 as a cable NAT system

Jul 25, 2000, 21:05
(Other stories by Vlad Sedach)


[ Thanks to Jeremy C. Reed for this link. ]

"The first thing I did upon getting cable modem access in my apartment was to get an old Pentium 133 computer, put in two NICs, and fire up the OpenBSD 2.7 boot floppy. I did this for several reasons: first, because I heard that OpenBSD runs as a fast network node even with old hardware; and second, because I knew that it was probably the most secure operating system I can get in that price range. While some people may view OpenBSD security as overkill for a simple home cable modem setup, upon closer examination I found that OpenBSD's secure upon install feature did save my butt more than once; right now, the logfiles show that (literally) not an hour goes by without my system being scanned by someone on the internet."

"The first thing I did after that point [after installing OpenBSD] was to try to set up Network Address Translation for the rest of my LAN. Being familiar with doing that on a Linux box with a dial-up link, I looked for familiar tools. ipchains wasn't there, and neither were the Slackware config files. Once again I hit the OpenBSD FAQ. Upon reading it, I changed my /etc/rc.local file to start up the NAT and IP Filtering services on bootup (change the ipfilter= and ipnat= lines to YES). Because I used the GENERIC kernel that came with the installation, I also had to enable IP forwarding in the /etc/sysctl.conf file (change the net.inet.ip.forwarding= from a 0 to a 1). I then edited the /etc/ipf.rules file to pass in packets from both sides to see how it would work."

"Next, I had to edit the /etc/ipnat.rules file to set up the NAT rules (a simple syntax is map [outside interface] [internal network/netmask (in CIDR format - corresponds to a 24)] -> [name of outside interface OR ip of outside interface/netmask] ). My /etc/ipnat.rules looks like the following:

map ep0 -> ep0/32 portmap tcp/udp 10000:20000
map ep0 -> ep0/32
For some reason, the two of those lines are necessary to get things working."
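As an added example (not from the quoted article), here is the map syntax it describes written out with the internal network filled in, followed by an /etc/ipf.rules that blocks unsolicited inbound traffic on the cable side instead of passing packets from both sides; given the hourly scans the author mentions, that is the filter a NAT box like this should run. It assumes 192.168.1.0/24 as the LAN, ep0 as the cable-side NIC (as in the article) and ep1 as the LAN-side NIC.

```conf
# --- /etc/ipnat.rules ---
# Assumptions: 192.168.1.0/24 is the internal LAN, ep0 faces the cable modem.
# Rewrite TCP/UDP sources from the LAN to ep0's address, drawing translated
# source ports from 10000-20000 (the article's portmap line).
map ep0 192.168.1.0/24 -> ep0/32 portmap tcp/udp 10000:20000
# Catch-all for traffic that is not TCP/UDP (ICMP, for example) from the same LAN;
# this is why the article needs the second, plain map line.
map ep0 192.168.1.0/24 -> ep0/32

# --- /etc/ipf.rules ---
# Assumption: ep1 is the LAN-side NIC. Loopback and the LAN side are trusted.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on ep1 all
pass out quick on ep1 all
# Default-deny on the cable interface: anything arriving on ep0 that does not
# match an existing state entry is dropped and logged (scans show up in ipmon).
block in log on ep0 all
# Outbound connections are allowed and keep state, so their replies are
# admitted by the state table before the block rule above is consulted.
pass out quick on ep0 proto tcp from any to any flags S keep state
pass out quick on ep0 proto udp from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state
```

After editing, reload with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, and confirm forwarding is on with `sysctl net.inet.ip.forwarding`.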

