IP Masquerading Setup

From Linuxhelp Wiki


Author:x2xtreme
Created On:September 23rd, 2001
Updated On:Unknown

This setup has been tested with version 2.4.8 of the Linux kernel and version 1.2.2 of IPtables. You must have at least version 2.4.4 of the Linux kernel installed for the following to work.

Most modern Linux distributions ship with IPtables, but if for some reason yours does not you will have to install it manually: search RPM Find for a packaged version if your system is RPM based, otherwise build it from source. You can find the IPtables source at http://netfilter.samba.org/.

After downloading the kernel source (you may already have it in /usr/src/) and the IPtables source, you must compile each of them. If you do not have the kernel source, extract the newly downloaded tarball so that it ends up in /usr/src/linux, and extract the IPtables tarball under /usr/src as well. The command to extract a tar file is tar -zxvf file.tar.gz, replacing file.tar.gz with the actual file name.

Next we will compile the IPtables package. To do so, run the following commands from the IPtables source directory (KERNEL_DIR must point at the kernel source you are about to build against):

make pending-patches KERNEL_DIR=/usr/src/linux
make KERNEL_DIR=/usr/src/linux
make install KERNEL_DIR=/usr/src/linux

You must now compile the new Linux kernel that you have downloaded. If you've never recompiled your kernel before, please see Joey's Kernel Compile/Upgrade guide.

After running "make menuconfig" from the command line in your kernel source directory, answer yes (built in) or module to the following options, in addition to whatever else your hardware requires. Symbol names are given in the form they appear in the .config file.

*Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) yes
*Enable loadable module support (CONFIG_MODULES) yes
*Set version information on all module symbols (CONFIG_MODVERSIONS) yes
*Kernel module loader (CONFIG_KMOD) yes (this is a yes/no option, not a module; it lets iptables load the match and target modules below on demand)
[General setup]
*Networking support (CONFIG_NET) yes
*Sysctl support (CONFIG_SYSCTL) yes (needed for the /proc/sys switches rc.firewall writes to)
[Networking options] just save yourself time and say yes to everything! :)
*Packet socket (CONFIG_PACKET) yes
*Packet socket: mmapped IO (CONFIG_PACKET_MMAP) yes
*Kernel/User netlink socket (CONFIG_NETLINK) yes
*Routing messages (CONFIG_RTNETLINK) yes
*Network packet filtering (CONFIG_NETFILTER) yes
*Socket Filtering (CONFIG_FILTER) yes if you plan to run a DHCP server
*Unix domain sockets (CONFIG_UNIX) yes
*TCP/IP networking (CONFIG_INET) yes
*IP: TCP syncookie support (CONFIG_SYN_COOKIES) yes
[Networking options --> IP: Netfilter Configuration]
*Connection tracking (CONFIG_IP_NF_CONNTRACK) yes
*FTP protocol support (CONFIG_IP_NF_FTP) module
*IP tables support (CONFIG_IP_NF_IPTABLES) yes
*limit match support (CONFIG_IP_NF_MATCH_LIMIT) module
*netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) module
*multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) module
*Connection state match support (CONFIG_IP_NF_MATCH_STATE) module (required by the --state rules in rc.firewall)
*Unclean match support (CONFIG_IP_NF_MATCH_UNCLEAN) module
*Packet filtering (CONFIG_IP_NF_FILTER) module
*REJECT target support (CONFIG_IP_NF_TARGET_REJECT) module
*Full NAT (CONFIG_IP_NF_NAT) module
*MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) module
*Packet mangling (CONFIG_IP_NF_MANGLE) module
*LOG target support (CONFIG_IP_NF_TARGET_LOG) module
*TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) module
*ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_IPCHAINS) module, optional, only if you have an existing ipchains ruleset
*ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_IPFWADM) module, optional, only if you have an existing ipfwadm ruleset
(The two compatibility modules cannot be loaded at the same time as ip_tables, so unload them before running rc.firewall.)
[Network device support]
*Network device support (CONFIG_NETDEVICES) yes
*Dummy net driver support (CONFIG_DUMMY) yes
[File systems]
*/proc filesystem support (CONFIG_PROC_FS) yes

Once that is done, save your kernel config and proceed to finish compiling your Linux kernel.
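Before starting a build it is worth checking that the .config actually contains everything from the list above, because a kernel without NAT or the state match fails only later, when rc.firewall runs. The following script is an added example and not part of the original page: it reads a 2.4-series .config and reports the required options that are neither built in (=y) nor a module (=m). The symbol names are the real CONFIG_ names of 2.4 kernels; the sample .config it falls back to is constructed for demonstration and deliberately lacks NAT.

```sh
#!/bin/sh
# Added example (not from the original page): check a 2.4-series kernel
# .config for the options the list above requires before building.

# Options that must be built in (=y) or as a module (=m). Bool-only
# options such as CONFIG_KMOD and CONFIG_NETFILTER can only ever be =y.
REQUIRED_OPTS="CONFIG_MODULES CONFIG_KMOD CONFIG_NET CONFIG_SYSCTL
CONFIG_PACKET CONFIG_NETLINK CONFIG_NETFILTER CONFIG_UNIX CONFIG_INET
CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_TARGET_LOG
CONFIG_NETDEVICES CONFIG_PROC_FS"

# opt_state FILE SYMBOL: print y, m or n. A disabled option appears in
# .config only as the comment "# SYMBOL is not set", so the absence of a
# "SYMBOL=" line means n whether or not the comment is there.
opt_state() {
    state=$(sed -n "s/^$2=\(.\).*/\1/p" "$1" | head -n 1)
    if [ -n "$state" ]; then echo "$state"; else echo n; fi
}

# check_config FILE: list the required options that are neither =y nor =m.
# Returns 0 when everything is present, 1 otherwise.
check_config() {
    missing=0
    for opt in $REQUIRED_OPTS; do
        case "$(opt_state "$1" "$opt")" in
            y|m) ;;
            *) echo "missing: $opt"; missing=1 ;;
        esac
    done
    return $missing
}

# write_sample_config FILE: a constructed .config (not taken from a real
# kernel) in which packet filtering is built but NAT was never selected,
# so the MASQUERADE target does not appear at all.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
CONFIG_KMOD=y
CONFIG_NET=y
CONFIG_SYSCTL=y
CONFIG_PACKET=y
CONFIG_NETLINK=y
CONFIG_NETFILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_NETDEVICES=y
CONFIG_PROC_FS=y
EOF
}

# Stand-alone run: check the file given as $1, else /usr/src/linux/.config,
# else fall back to the constructed sample so the script still shows output.
CONFIG_FILE=${1:-/usr/src/linux/.config}
TMP_FILE=
if [ ! -f "$CONFIG_FILE" ]; then
    TMP_FILE=$(mktemp)
    write_sample_config "$TMP_FILE"
    CONFIG_FILE=$TMP_FILE
    echo "no kernel .config found, checking the constructed sample instead"
fi
if check_config "$CONFIG_FILE"; then
    echo "all required options are present in $CONFIG_FILE"
else
    echo "reconfigure the kernel before building"
fi
if [ -n "$TMP_FILE" ]; then rm -f "$TMP_FILE"; fi
```

Run it as sh checkconfig.sh /usr/src/linux/.config after saving the kernel config; on the constructed sample it reports CONFIG_IP_NF_NAT and CONFIG_IP_NF_TARGET_MASQUERADE as missing, which is exactly the pair a gateway cannot do without.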

You must also create /etc/rc.d/rc.firewall (contents below), make it executable with chmod 700 /etc/rc.d/rc.firewall, and add a line running it to the bottom of /etc/rc.d/rc.local so the IPtables ruleset is loaded after each reboot.

Below is what /etc/rc.d/rc.firewall must contain. Simply copy and paste it into the file and save it. Note that this ruleset only filters forwarded traffic: the INPUT and OUTPUT policies are ACCEPT, so the gateway itself still accepts every incoming connection from the Internet. Before putting the box online, shut down any services it does not need to offer (or add INPUT rules for eth0), and restrict the MASQUERADE rule to your internal subnet if anything other than the LAN is attached to it.

#!/bin/sh
printf '\n\nIPMASQ *TEST* rc.firewall ruleset - v0.60\n\n'

# The location of the iptables program ("make install" from source puts it
# here; distribution packages usually install it as /sbin/iptables)
IPTABLES=/usr/local/sbin/iptables

# You must change eth0 to ppp0 if you are using a modem, or change eth0 and
# eth1 to whatever network devices you actually use. eth0 is the Internet
# side, eth1 the internal LAN.

echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
# modprobe loads each module together with the modules it depends on
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

echo " - Resetting the firewall and setting the default FORWARD policy to DROP"
# Policies and flushes come first, so forwarding is never switched on while
# the FORWARD chain is still empty and accepting everything.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
# Flush the nat table too, or re-running this script appends a second MASQUERADE rule
$IPTABLES -t nat -F POSTROUTING

echo " - FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Anything that reaches the end of the chain is logged (rate-limited, so a
# port scan cannot flood the logs) and then dropped by the default policy
$IPTABLES -A FORWARD -m limit --limit 5/minute -j LOG

echo " - Enabling SNAT (MASQUERADE) functionality on eth0"
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo " - Enabling packet forwarding in the kernel"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " - Enabling dynamic addressing measures (for ppp/dhcp links whose address changes)"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

printf '\nDone.\n\n'
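The rc.firewall above does the minimum for masquerading. The script below is an added example, not the page's rc.firewall and not part of the original article, showing the same gateway with the checks a practitioner would normally add: the MASQUERADE and LAN-out rules insist on a source address inside the LAN (so a misconfigured or hostile client cannot launder arbitrary addresses through the NAT), reverse-path filtering is turned on, the INPUT chain is closed to new connections from the Internet, logging is rate-limited, and forwarding is enabled only after the rules are in place. It assumes eth0 faces the ISP, eth1 faces the LAN, the LAN is 192.168.0.0/24 and iptables lives in /usr/local/sbin; all four are overridable through the environment. The "preview" mode prints the commands instead of running them, which is the safe way to review a ruleset before applying it on a live gateway.

```sh
#!/bin/sh
# Added example (not the page's rc.firewall): hardened masquerading gateway.
# Usage:  sh rc.firewall preview   (print the commands, touch nothing)
#         sh rc.firewall apply     (apply them, as root)
# Assumptions: eth0 = ISP side, eth1 = LAN, LAN = 192.168.0.0/24, iptables
# built from source into /usr/local/sbin. Override via the environment.

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
IPTABLES=${IPTABLES:-/usr/local/sbin/iptables}
DRY_RUN=${DRY_RUN:-}

# run CMD...: execute CMD, or only print it when DRY_RUN is non-empty
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# set_sysctl /proc/sys/... VALUE: same idea for the /proc writes
set_sysctl() {
    if [ -n "$DRY_RUN" ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi
}

apply_rules() {
    # Load the modules the page's script loads; modprobe also pulls in
    # their dependencies in the right order.
    for m in ip_tables ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp; do
        run /sbin/modprobe "$m"
    done

    # 1. Policies first. Forwarding is still off, so there is no window in
    #    which the box routes with an empty FORWARD chain.
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT
    for c in INPUT FORWARD OUTPUT; do run "$IPTABLES" -F "$c"; done
    run "$IPTABLES" -t nat -F POSTROUTING

    # 2. Kernel-level anti-spoofing: drop packets whose source address
    #    would not be routed back out of the interface they arrived on.
    set_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 1

    # 3. The gateway itself: loopback, replies to its own connections and
    #    the LAN side. New connections arriving from the Internet are dropped.
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$INT_IF" -s "$LAN_NET" -j ACCEPT

    # 4. Forwarding. The LAN-out rule requires a LAN source address, so a
    #    host on the inside cannot push spoofed packets through the NAT.
    run "$IPTABLES" -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    # Whatever falls through is logged, rate-limited so a scan cannot fill
    # /var/log/messages, and then dropped by the chain policy.
    run "$IPTABLES" -A FORWARD -m limit --limit 5/minute \
        -j LOG --log-prefix "FWD-DROP: "

    # 5. NAT only packets that really come from the LAN.
    run "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE

    # 6. Now it is safe to route.
    set_sysctl /proc/sys/net/ipv4/ip_forward 1
    set_sysctl /proc/sys/net/ipv4/ip_dynaddr 1
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) DRY_RUN=1; apply_rules ;;
    *)       echo "usage: $0 apply|preview" ;;
esac
```

Because INPUT now defaults to DROP, any service you do want to reach on the gateway from the Internet (for example sshd) needs an explicit INPUT rule for eth0 before step 6; add it at step 3 rather than flipping the policy back to ACCEPT.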

Now that the gateway is done, you simply need to configure each client:

  1. The gateway must be set to the IP address of the machine running IP masquerading (its address on the internal interface, eth1 above).
  2. Your ISP's DNS server needs to be set as the DNS server; the gateway does not answer DNS itself, queries to the ISP simply go out through the masquerade like any other traffic.
  3. The IP address should be 192.168.0.x if you're running a 192.168.0.0 network, unique on the LAN and different from the gateway's own address.
  4. The subnet mask should be 255.255.255.0.
  5. The domain name can be your ISP's domain name, e.g. msn.com or bellsouth.net; it only affects how unqualified host names are looked up.
  6. The hostname can be whatever you like.