Originally Published: Thursday, 1 June 2000 Author: Matt Craven

An Introduction to IP Masquerading (Part 2 of 2)

Now that relatively high-bandwidth Internet connections are becoming both commonplace and inexpensive, cable modem and DSL users wanting to put more than one computer on the Internet find that their Internet service provider will not allow them to do so. Typically, an ISP will grant a user a single, dynamically-allocated IP address to be used by only one computer at the user's home, in order to conserve their precious pool of IP addresses.


Now that you've configured and compiled the Linux kernel to support IP Masquerading, we're going to set up your Ethernet cards and configure the kernel firewall.

A Few Words About Addresses

In the first part we talked about "private" IP addresses. In the following example, we'll be using addresses in the range from to This is part of one of three special blocks of addresses set aside for the purpose of building a private network. These addresses are not routable on the Internet, and if such a network address were to be used to communicate directly with the Internet, packets coming from that address would be discarded by the first router they encounter. For more on private IP addresses, please see the document RFC 1918.

Configuration For Two Ethernet cards (Figure 3)

First, we'll deal with the case in which you have two Ethernet cards: one connected to your cable/DSL modem, which we'll call eth0; and another connected to an Ethernet hub, which we'll call eth1. Since most Internet service providers hand out IP addresses dynamically whenever you boot your computer, configure eth0 to obtain an IP address dynamically (typically using the Dynamic Host Configuration Protocol). Please see the DHCP mini-HOWTO for distribution-specific information on how to handle this.

Now let's configure eth1 for your local network. We'll give eth1 the address since it's to be the gateway for the local network. How to accomplish this is distribution-specific, as above, so please consult the Ethernet-HOWTO for details.

Please continue with "Configuring the kernel firewall," below.

Configuration for One Ethernet Card (Figure 4)

Now, let's examine how to configure one Ethernet card (which we'll call eth0) to handle both the connection to our cable/DSL modem and to our home network. To do this, we need to be able to give a single Ethernet card two IP addresses. This is called IP aliasing, and requires the following option to be built into the kernel:

Networking options:
        [*] IP: aliasing support

Then, after building and installing the kernel, set up eth0 to dynamically obtain an address, as in the two-card case above, and configure the alias eth0:0 for the address For details on IP aliasing, please see Linux Networking-HOWTO and the IP Alias mini-HOWTO.

Configuring the Kernel Firewall

Now we want to configure the kernel firewall settings to masquerade all connections from our home network of, while preventing connections from other addresses, i.e., elsewhere on the Internet, from accessing our home network. Administration of the kernel firewall is handled by the ipchains program. If you don't already have it, ipchains is available from the Internet. Please see the IP Masquerading HOWTO for further information.

Before you set the firewall policies, however, you have to make certain that the kernel forwards packets between interfaces, which IP Masquerading requires, by using this command:

echo "1" > /proc/sys/net/ipv4/ip_forward

Then, configuration of the firewall takes the following three commands:

/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s -j MASQ

The first command allows dynamic IP addressing protocols through the firewall, such as DHCP. This is important for cable/DSL modem users, since most addresses for these services are provided dynamically. The second command sets the default forwarding policy to DENY, so that Masquerading will only be allowed from the networks you specify. The third command allows Masquerading from any machine on your local network with an IP address beginning with 192.168.1. Note that these commands, including the "echo" command above, have to be entered each time the machine is booted, so they should be placed in a script file in /etc/rc.d, or the appropriate directory on your Linux distribution.
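The setup above rests on two properties: the forward chain defaults to DENY, and MASQ is granted only to your private network. The following check is an added example, not part of the original article; it reads a boot script's ipchains lines as text and reports any that break either property. The function names and the sample rules (including 192.168.1.0/24 for the local network) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the ipchains lines of a boot script as text (nothing is executed).

# is_private ADDR[/MASK]: succeeds only for addresses inside an RFC 1918 block.
is_private() {
    addr=${1%%/*}
    case "$addr" in
        10.*|192.168.*) return 0 ;;
        172.*) second=${addr#172.}; second=${second%%.*}
               [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# audit_rules: reads script text on stdin, prints one finding per line, and
# returns 0 only when forward is default-DENY and every MASQ rule is scoped.
audit_rules() {
    fwd_policy=""; bad=0
    while read -r line; do
        case "$line" in "#"*) continue ;; *ipchains*) ;; *) continue ;; esac
        chain=""; policy=""; src=""; target=""
        set -f; set -- $line; set +f      # split the rule into words, no globbing
        while [ $# -gt 0 ]; do
            case "$1" in
                -P) chain=$2; policy=$3 ;;
                -A|-I) chain=$2 ;;
                -s) src=$2 ;;
                -j) target=$2 ;;
            esac
            shift
        done
        if [ "$chain" = forward ] && [ -n "$policy" ]; then fwd_policy=$policy; fi
        if [ "$chain" = forward ] && [ "$target" = MASQ ] && ! is_private "$src"; then
            echo "UNSCOPED-MASQ: $line"; bad=1   # source missing or not RFC 1918
        fi
    done
    if [ "$fwd_policy" != DENY ]; then
        echo "NO-DEFAULT-DENY: forward policy is '${fwd_policy:-unset}'"; bad=1
    fi
    return $bad
}

# Constructed sample: the second MASQ rule masquerades for any source address.
audit_rules <<'EOF' || true
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
/sbin/ipchains -A forward -s 0/0 -j MASQ
EOF
```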

Configuring the Client Machines

Now that you've got your Masquerading gateway running on your Linux box, we turn to configuring the other computers on your home network. To make a client machine talk to the network, you merely need to give it a unique address in the range of to The netmask for these addresses is, and the gateway is your Linux box, which you've given the IP address For your Domain Name Server, you can use the numbers provided by your ISP.

Now you should have a working IP Masquerading Linux box, with your client machines able to use most services as if they were directly connected to the Internet. There are some special cases, such as network games, which require a kernel module to work with IP Masquerading. Please see the IP Masquerading HOWTO for further details.

Matthew Craven, craven@linux.com
