Originally Published: Sunday, 9 January 2000 Author: Mike Chan
Published to: learn_articles_firststep/General Page: 1/1 - [Printable]

IP Masquerading on your Network with Linux

Using your Linux box to share a single internet connection is one of the most popular ways to use an old beat up 486 or Pentium machine that otherwise would have been thrown into the garage. Using Linux as your connection-sharing box doesn't mean that you have to only run Linux on your internal network (your office or your home). In fact, Linux will work well with Windows, Macintoshes, and other flavors of Unix.

   Page 1 of 1  

Using your Linux box to share a single internet connection is one of the most popular ways to use an old beat up 486 or Pentium machine that otherwise would have been thrown into the junk pile in the garage. When used in conjunction with a fast Ethernet connection like cable, or DSL. Using Linux as your connection-sharing box doesn't mean that you have to only run Linux on your internal network (your office or your home). In fact, Linux will work well with Windows, Macs, and other flavors of Unix.

Throughout this article, I will be assuming you have some networking experience (using Linux or any other operating system), and are familiar with the concepts of a firewall, network, and IP addresses. For compatibility with this article you should be running a recent version of Red Hat Linux, SuSE Linux, or Mandrake Linux. You should be comfortable with entering commands on the Linux command line.

The minimum requirements are one Linux box, and one machine on the internal network. We will be using Red Hat Linux throughout this tutorial. The basic idea is to connect your Linux box to the internet, then have all other machines on your internal network talk to the Linux box if they need something from the general internet. In order to make it as secure as possible, you want to have two network cards in your Linux box, and at least one network card on the machine that you want to use internally.

A little about the software... Although there are many ways to create a subnet and use Linux as the router, one of the most popular and easiest ways is to set up IP Masquerading on your Linux box. IPMasq as it's called works by changing the TCP/IP packets that are passed into the internal network interface card (NIC) before pushing it out onto the external NIC. From the outside world, all connections will seem to be emanating from your Linux box. Linux keeps track of the connections that are made, and when packets return, they are changed again, so that the machine that made the original request can interpret it. One special note is that because sometimes, packets are special in nature, IPMasq may not work for all applications, but it works in most cases. There are modules for ICQ, ftp, and quake that need to be inserted in order for those special applications to run correctly from the internal network. In general though, anything that uses only the HTTP protocol (web browsers), telnet, ssh, or smtp (the email protocol) should work fine.

This is by no means an article on every aspect of IPMasq, but if you follow these general steps, you should be able to get IPMasq up pretty easily. In order to make it simple, you want to be running the latest version of Red Hat Linux (currently at version 6.1), because it generally has all the special IPMasq modules compiled, as well as the necessary changes required in the kernel.

On your IPMasqing server, you should have two interfaces, one external and one internal. You must assign a static IP to your internal interface (probably eth1). You can do this by running as root, "ifconfig eth1 192.168.0.1 netmask 255.255.255.0" but make sure to replace "eth1" and "192.168.0.1" to whatever interface or internal IP you want. Using these defaults is perfectly acceptable.

If you're sure that your system is ready for IPMasq, the only thing you have to do is to put this script into your /etc/rc.d/init.d/ directory...

Read through this script carefully, and note the areas where it says, "Uncomment the next line if you use xxxxx" and do exactly that when you customize your own script. #!/bin/sh # # rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS # # Load all required IP MASQ modules # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules # are shown below but are commented out from loading. # Needed to initially load modules # /sbin/depmod -a # Supports the proper masquerading of FTP file transfers using the PORT method # /sbin/modprobe ip_masq_ftp # Supports the masquerading of RealAudio over UDP. Without this module, # RealAudio WILL function but in TCP mode. This can cause a reduction # in sound quality #Uncomment the next line to allow real audio to work #/sbin/modprobe ip_masq_raudio # Supports the masquerading of IRC DCC file transfers # #/sbin/modprobe ip_masq_irc # Supports the masquerading of Quake and QuakeWorld by default. This modules is # for multiple users behind the Linux MASQ server. If you are going to play # Quake I, II, and III, use the second example. # #Quake I / QuakeWorld (ports 26000 and 27000) #Uncomment the next line if you use quakeworld or quake 1 #/sbin/modprobe ip_masq_quake # #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960) #Uncomment the next line if you play Quake I, II, or III #/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960 # # Supports the masquerading of the CuSeeme video conferencing software #Uncomment the next line if you want to enble CuSeeMe #/sbin/modprobe ip_masq_cuseeme # #Supports the masquerading of the VDO-live video conferencing software #Uncomment the next line if you want to allow VDO live video conferencing #/sbin/modprobe ip_masq_vdolive #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following # option. This enables dynamic-ip address hacking in IP MASQ, making the life # with Diald and similar programs much easier. # #Uncomment the next line if you use DHCP #echo "1" > /proc/sys/net/ipv4/ip_dynaddr # MASQ timeouts # # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users) # /sbin/ipchains -M -S 7200 10 160 # DHCP: For people who receive their external IP address from either DHCP or BOOTP # such as ADSL or Cablemodem users, it is necessary to use the following # before the deny command. The "bootp_client_net_if_name" should be replaced # The name of the link that the DHCP/BOOTP server will put an address on to? # This will be something like "eth0", "eth1", etc. # # This example is currently commented out. # #Uncomment the next line if you use DHCP or BOOTP #/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp # Enable simple IP forwarding and Masquerading # # NOTE: The following is an example for an internal LAN address in the 192.168.0.x # network with a 255.255.255.0 or a "24" bit subnet mask. # # Please change this network number and subnet mask to match your internal LAN setup # /sbin/ipchains -P forward DENY /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

# end of file

If you saved the file as rc.firewall, make sure that the permissions are correct by doing a "chmod 744 rc.firewall" so that only root can run the script.

the next thing you want to do as root is edit "/etc/rc.d/rc.local" by appending "/etc/rc.d/init.d/rc.firewall" to the end of "rc.local". You can accomplish this by running :

echo "/etc/rc.d/init.d/rc.firewall" >> /etc/rc.d/rc.local

you can run rc.local or rc.firewall and your server should be set up.

Now to test the server. On the client side, you should set the configuration to use 192.168.0.1 as the default gateway, and set the IP of the client to something like 192.168.0.2 or anything that's something like 192.168.0.x (1 is already taken by the server, and make sure all clients have a unique IP). You can use "linuxconf" on Redhat systems to configure this, or write your own scripts to run "ifconfig" to set up the client info. Your DNS info in /etc/resolv.conf should remain the same. Specify the normal search domain, and DNS servers, and you should be off to a great start.

To show you the power of this technology, combine it with wireless ethernet, and you end up with 5 computers sharing a single DSL connection at home allowing my dad to surf from the dining table, on the lawn, and in the back yard, while my sister does research on the web listening to radio broadcasts from the net, and allowing me to edit this article from my laptop in my room. Sound too good to be true? Believe it... With IPMasq and wireless ethernet, you can become one step closer to internet anywhere. If you're a business, the benefits are even more astounding.

For more info on IPMasq, A great FAQ exists at tucows

The original IPMasq resource is right here and the most complete/up to date HOWTO exists at the other side of this link. Good Luck!!!

By Mike Chan - snotty@linux.com





   Page 1 of 1