Linux IP Masquerading
For complete information on the setup of IP masquerading, see the following Linux how-tos:
Some of the information in this section is based on these how-tos. This section summarizes and puts in simple steps some of the items you will be required to perform to set up IP masquerading. It is not a replacement for the Linux how to documents, but a complement to them by giving an overview of what must be done. You may access the howtos from one of the weblinks listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies if these howtos.
IP masquerading allows internal machines that don't have an officially assigned IP addresses to communicate to other networks and especially the internet. It uses a form of Network Address Translation (NAT) to accomplish this. In Linux, IP masquerading support is provided by the kernel. To get it to work you must do essentially three things:
- Be sure the kernel has support for IP masquerading.
- Enable IPv4 forwarding.
- Be sure modules needed for support are loaded into the kernel.
- Set up the firewall rules.
Checking for IP Masquerade kernel Support
To determine if IP masquerading is set up in your kernel type:
If one of the result files listed is "ip_masquerade", you will not need to recompile your kernel.
If IP masquerading is not set up you must recompile your kernel with the following options set (This is for a 2.2.x kernel or higher):
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]- YES
Enable loadable module support (CONFIG_MODULES) [Y/n/?] - YES
Networking support (CONFIG_NET) [Y/n/?] - YES
Packet socket (CONFIG_PACKET) [Y/m/n/?] - YES
Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] - YES
Routing messages (CONFIG_RTNETLINK) [Y/n/?] - NO
Network firewalls (CONFIG_FIREWALL) [Y/n/?] - YES
TCP/IP networking (CONFIG_INET) - YES
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] - NO
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [Y/n/?] - YES
IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] - YES
IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?] - YES
IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?] - YES
IP: masquerading (CONFIG_IP_MASQUERADE [Y/n/?] - YES
IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] - YES
IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?] - YES
IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] - NO
IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] - YES
IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?] - NO
IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?] - YES
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?] - NO
IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?] - YES
Network device support (CONFIG_NETDEVICES) [Y/n/?] - YES
Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] - YES
/proc filesystem support (CONFIG_PROC_FS) [Y/n/?] - YES
These are the kernel options you need for IP Masquerade. You will need to select other options for your specific hardware and network setup. Read the IP masquerade and kernel howtos for more information. You may also want the section about how to compile the Linux kernel in The CTDP Linux User's Guide in the Linux section of this documentation.
Enable IPv4 Forwarding
- Type "ls /proc/sys/net/ipv4" and look for a file "ip_forward" or "ip_forwarding". Whichever you find, use its name in the following example. The example will use "ip_forward".
- Type "echo "1" > /proc/sys/net/ipv4/ip_forward". This will enable IP forwarding until the next time you boot.
- If running Redhat Linux, edit the "/etc/sysconfig/network" script. Look for the line with "FORWARD_IPV4=" on it and make sure it says "FORWARD_IPV4="yes". The next time you boot, IPv4 forwarding will be enabled. There may be other ways to set this up on other systems.
Setting up Firewall Rules and Enabling Kernel Modules
Create the following text and place it in a file "/etc/rc.d/rc.firewall". This will load your needed modules into your kernel and set up your basic firewall rules. If you copy the file from this page, be sure to remove carriage returns when you get it into Linux or it may not work properly.
# rc.firewall - Initial SIMPLE IP Masquerade setup for 2.0.x kernels using IPFWADM
# Load all required IP MASQ modules
# NOTE: Only load the IP MASQ modules you need. All current available IP MASQ modules
# are shown below but are commented out from loading.
# Needed to initially load modules
# Supports the proper masquerading of FTP file transfers using the PORT method
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
# Supports the masquerading of IRC DCC file transfers
# Supports the masquerading of Quake and QuakeWorld by default. This modules is
# for for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#Quake I / QuakeWorld (ports 26000 and 27000)
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
# /sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#Supports the masquerading of the VDO-live video conferencing software
#CRITICAL: Enable IP forwarding since it is disabled by default since
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
# If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable this following
# option. This enables dynamic-ip address hacking in IP MASQ, making the life
# with DialD, PPPd, and similar programs much easier.
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# MASQ timeouts
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
/sbin/ipchains -M -S 7200 10 160
# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following
# before the deny command. The "bootp_client_net_if_name" should be replaced
# the name of the link that the DHCP/BOOTP server will put an address on to?
# This will be something like "eth0", "eth1", etc.
# This example is currently commented out.
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp
# Enable simple IP forwarding and Masquerading
# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
# network with a 255.255.255.0 or a "24" bit subnet mask.
# Please change this network number and subnet mask to match your internal LAN setup
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.1.199.0/24 -j MASQ
This file will load modules you need, and set your firewall rules with ipchains. The last line in the file sets IP forwarding up for network 10.1.199.*. You will need to modify this line for your network address. Your network consists of the machines that you are running IP masquerading for. It should be connected to an ethernet card on your IP masquerading machine. If your network is 192.168.1.*, you will want "/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ" on the line above. If it is 10.1.*.*, you will want "/sbin/ipchains -A forward -s 10.1.0.0/16 -j MASQ" on the line above.
Add the following line to the "/etc/rc.d/rc.local" file:
Of course, the machines that you are configuring to be behind the machine that provides the masquerading service should be configured to use that as their gateway.