Linux IP Masquerade HOWTO - The Linux Documentation Project
Linux IP Masquerade HOWTO - The Linux Documentation Project
Linux IP Masquerade HOWTO - The Linux Documentation Project
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
* Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y<br />
− YES: Enable this option to let <strong>IP</strong>TABLES configure the TCP/<strong>IP</strong> subsection<br />
of the kernel. By enabling this, then you can turn on advanced<br />
routing mechanisms like <strong>IP</strong> Masq, packet filtering, etc.<br />
* Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) n<br />
− NO: Not required for Masquerading functionality though it may help<br />
for troubleshooting. <strong>The</strong>re might be a performance penalty when<br />
enabling this.<br />
* Socket Filtering (CONFIG_FILTER) [Y/n/?]<br />
− OPTIONAL: Recommended : Though this doesn't have anything do with <strong>IP</strong>MASQ,<br />
if you plan on implimenting a DHCP server on the internal network, you WILL<br />
need to enable this option.<br />
* Unix domain sockets (CONFIG_UNIX) [Y/m/n/?]<br />
− YES: This enables the UNIX TCP/<strong>IP</strong> sockets mechanisms<br />
* TCP/<strong>IP</strong> networking (CONFIG_INET) [Y/n/?]<br />
− YES: Enables the TCP/<strong>IP</strong> protocol<br />
* <strong>IP</strong>: multicasting (CONFIG_<strong>IP</strong>_MULTICAST) [N/y/?]<br />
− OPTIONAL: You can enable this if you want to be able to receive<br />
Multicast traffic. Please note that your ISP must<br />
support Multicast as well for this all to work at all<br />
* <strong>IP</strong>: advanced router (CONFIG_<strong>IP</strong>_ADVANCED_ROUTER) [Y/n/?]<br />
− OPTIONAL: Though there is nothing in this section mandatory for<br />
<strong>Masquerade</strong>, some specific options might be useful<br />
== Non−MASQ options skipped<br />
== ( autoconf, tunneling )<br />
* <strong>IP</strong>: multicast routing (CONFIG_<strong>IP</strong>_MROUTE) [N/y/?] n<br />
− OPTIONAL: Though not needed for <strong>IP</strong>MASQ, enabling this feature will<br />
let you route multicast traffic through your <strong>Linux</strong> box.<br />
Please note that this requires that your ISP be multicast<br />
enabled as well.<br />
== Non−MASQ options skipped<br />
== (ARPd)<br />
<strong>Linux</strong> <strong>IP</strong> <strong>Masquerade</strong> <strong>HOWTO</strong><br />
* <strong>IP</strong>: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?] n<br />
− NO: Though enabling this option would be great, there are many Internet<br />
sites out there that will block this. Hit the "?" when configuring<br />
the kernel to learn more about it but it is recommended to say NO for<br />
now.<br />
* <strong>IP</strong>: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [Y/n/?]<br />
− YES: Recommended : for basic TCP/<strong>IP</strong> network security<br />
[ Networking options −−> <strong>IP</strong>: Netfilter Configuration ]<br />
* Connection tracking (required for masq/NAT) (CONFIG_<strong>IP</strong>_NF_CONNTRACK) [N/y/m/?] (NEW) m<br />
− YES: (Module) This enables the kernel to track various network connections.<br />
This option is required for Masquerading support as well as to enable<br />
Stateful tracking for various filewall mechanisms. Please note that<br />
if you compile this directly into the kernel, you cannot enable<br />
the legacy <strong>IP</strong>CHAINS or <strong>IP</strong>FWADM compatibility modules.<br />
Chapter 3. Setting Up <strong>IP</strong> <strong>Masquerade</strong> 21