Linux IP Masquerade HOWTO - The Linux Documentation Project

More documents

Recommendations

Info

== Non−MASQ options skipped == (I2C, Watchdog cards, Ftape, Video for Linux, etc. ) [ File systems ] == Non−MASQ options skipped == (Quota, ISO9660, NTFS, etc ) * /proc filesystem support (CONFIG_PROC_FS) [Y/n/?] − YES: Required to dynamically configure the Linux forwarding and NATing systems == Non−MASQ options skipped == (Console drivers, Sound, USB, Kernel Hacking) So go ahead and select "exit" and you should be prompted to save your config. NOTE: These are just the kernel components you need for IP Masquerade networking support. You will need to select whatever other options needed for your specific setup. If you want more information on what each one of these kernel modules does, please see the FAQ section of this HOWTO for details. • Now compile the kernel (make dep; make clean; make bzImage; make modules; make modules_install) , etc. Again, it is beyond the scope of this HOWTO if you have problems compiling your kernel. Please see Section 2.6 for URLs to the KERNEL howto, etc. • You will then have move over the kernel binary, update your bootloader (LILO, Grub, etc.), and reboot. If you have questions about kernel compiling, I highly recommend to consult some of the URLs mentioned above in this section. 3.2.2. Compiling Linux 2.2.x Kernels Please see Section 2.7 for any required software, patches, etc. • First of all, you need the kernel source for 2.2.x (preferably the latest kernel version) • ♦ NOTE #1: −−− UPDATE YOUR KERNEL −−− Linux 2.2.x kernels less than version 2.2.20 contain several different security vulnerabilities (some were MASQ specific). Kernels less than 2.2.20 have a few local vulnerabilities. Kernel versions less than 2.2.16 have a TCP root exploit vulnerability and versions less than 2.2.11 have a IPCHAINS fragmentation bug. Because of these issues, users running a firewall with strong IPCHAINS rulesets are open to possible instrusion. Please upgrade your kernel to a fixed version. ♦ NOTE #2: As the 2.2.x train progressed, the compile−time options keep on changing. As of this version, this section reflects the settings for a 2.2.20 kernel. If you are running either a newer or older kernel version, the dialogs will look different. It is recommended that you update to the newest kernel for added capability and stability of the system. Linux IP Masquerade HOWTO If this is your first time compiling the kernel, don't be scared. In fact, it's rather easy and it's covered in several URLs found in Section 2.7. Please note that the instructions included here is just one way to do build a kernel. Please see the Kernel HOWTO for full details. Chapter 3. Setting Up IP Masquerade 25
• NOTE: Please notice that it isn't recommended to put the new kernel sources into /usr/src/linux. You should leave the original kernel sources that came with your Linux distribution in /usr/src/linux. For more details on this topic, please read the "README" file in the top level directory of your kernel sources. For this HOWTO example, create a directory called /usr/src/kernel. Next, "cd" into this directory and download the newest 2.2.x kernel sources into it. Once downloaded, issue the following command (if the file ends in a .tar.gz): tar xvzf linux−2.2.x.tar.gz or (if the file ends in a .tar.bzip2): tar xyvf linux−2.2.x.tar.bz2. Please substitute the "x" in the 2.2.x filename with the Linux 2.2 kernel version you downloaded. NOTE: Some Linux distributions use the "I" option instead of the "y" option to decompress bzip2 archives. Once uncompressed, I recommend that you rename the directory from "linux" to "linux−2.2.x" for clarity. To do this, run the command mv linux linux−2.2.x. Next, make sure there is a directory or symbolic link pointing to /usr/src/kernel/linux ie. run the command: ln −s /usr/src/kernel/linux−2.2.x /usr/src/kernel/linuxo again subsituting the "x" for your proper kernel version. • Apply any appropriate or optional patches to the kernel source code. By default, stock Linux kernels do not require any specific patching in order for the system to work. Features like PPTP/IPSEC masqurading are already built−in in the newest kernels but other tools like Xwindows forwarders are optional. Please refer to Section 2.7 for URLs and the IP Masquerade Resources for up−to−date information and patch URLs. • Now that the kernel is patched up (if required), here are the MINIMUM kernel configuration options required to enable IP Masquerade functionality. Please understand that this HOWTO illustrates just ONE way to compile a kernel. The main difference from this method vs. a different one is some people wish to compile things either as modules OR monolithically right into the kernel. Basically, compiling things as modules gives you added flexibility to what is or isn't installed into the kernel (reduces unneeded memory use and allow for drop−in upgrades [no need to reboot]) BUT they add more complexity to your configuration. On the flip side, compiling things directly into the kernel makes things simpler BUT you loose a level of flexibility. The following example is a mixture of both built−in AND modules. Side Note: It is assumed that you will also configure the kernel to use your other installed hardware such as network interfaces, optional SCSI controllers, etc. as well. Please refer to the Linux Kernel HOWTO and the kernel source's README file and Documentation/ directory for detailed help on compiling a kernel. Please note the YES or NO ANSWERS to the following. Not all options will be available without the proper kernel patches described later in this HOWTO. Run the following commands to configure your kernel: • cd /usr/src/kernel/linux • make menuconfig The following kernel prompts reflect a 2.2.20 kernel: [ Code maturity level options ] Linux IP Masquerade HOWTO * Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?] Chapter 3. Setting Up IP Masquerade 26
Page 1 and 2: Linux IP Masquerade HOWTO David A.
Page 3 and 4: Linux IP Masquerade HOWTO Table of
Page 5 and 6: Linux IP Masquerade HOWTO Table of
Page 7 and 8: Masquerade Resource web page. If yo
Page 9 and 10: Linux IP Masquerade HOWTO IP Masque
Page 11 and 12: | | : | C−box |:::::: | |.4 +−
Page 13 and 14: • Netfilter is an entirely new ar
Page 15 and 16: HOWTO. • Loadable kernel modules,
Page 17 and 18: • Linux IP Masquerade HOWTO havin
Page 19 and 20: ◊ ip_masquerade ip_conntrack ip_t
Page 21 and 22: commands might look different. It i
Page 23 and 24: cp extensions/libipt_esp.so /usr/lo
Page 25 and 26: [ Code maturity level options ] * P
Page 27 and 28: Linux IP Masquerade HOWTO * FTP pro
Page 29: (2.2.x kernels) and enable this opt
Page 33 and 34: Linux IP Masquerade HOWTO * Network
Page 35 and 36: == (Slow CPU, Telephony, SCSI, I2O,
Page 37 and 38: Please note the YES or NO ANSWERS t
Page 39 and 40: * IP: IPSEC masq debugging (DEBUG_I
Page 41 and 42: Linux IP Masquerade HOWTO We will r
Page 43 and 44: # #IPTABLES=/sbin/iptables IPTABLES
Page 45 and 46: #Loads the IRC NAT functionality in
Page 47 and 48: $IPTABLES −A FORWARD −j LOG ech
Page 49 and 50: esac 2. Slackware: • exit 1 exit
Page 51 and 52: Linux IP Masquerade HOWTO FWVER="1.
Page 53 and 54: Linux IP Masquerade HOWTO #CRITICAL
Page 55 and 56: this, copy the following file into
Page 57 and 58: Linux IP Masquerade HOWTO echo "Loa
Page 59 and 60: # Load all required IP MASQ modules
Page 61 and 62: # #/sbin/ipfwadm −I −a accept
Page 63 and 64: Slackware: • mlist) $IPFWADM −M
Page 65 and 66: Chapter 4. Configuring the other in
Page 67 and 68: 4.2. Configuring Windows NT Linux I
Page 69 and 70: 8. Linux IP Masquerade HOWTO gatewa
Page 71 and 72: USE DEFAULTS = OFF VLM = CONN.VLM V
Page 73 and 74: Chapter 5. Testing IP Masquerade Fi
Page 75 and 76: Linux IP Masquerade HOWTO −−−
Page 77 and 78: Linux IP Masquerade HOWTO . . PPP:
Page 79 and 80: −−−−−−−−−−−
Page 81 and 82:
Linux IP Masquerade HOWTO 5.12. Any
Page 83 and 84:
all IRC clients on various supporte
Page 85 and 86:
6.3.2. Clients that do not have ful
Page 87 and 88:
# just leave this section alone. #
Page 89 and 90:
Linux IP Masquerade HOWTO # Enabled
Page 91 and 92:
echo "1" > /proc/sys/net/ipv4/ip_fo
Page 93 and 94:
# STATEFULLY TRACKED # $IPTABLES
Page 95 and 96:
echo −e "\nrc.firewall−iptables
Page 97 and 98:
INTNET="192.168.0.0/24" echo " Inte
Page 99 and 100:
# # Make sure the EXTIF variable ab
Page 101 and 102:
# −−−−− Begin OPTIONAL FO
Page 103 and 104:
#!/bin/sh # # /etc/rc.d/rc.firewall
Page 105 and 106:
# If you get your TCP/IP address a
Page 107 and 108:
#End of file. To automatically sta
Page 109 and 110:
Linux IP Masquerade HOWTO #Enable i
Page 111 and 112:
• 2.6.x and 2.4.x kernels have PO
Page 113 and 114:
look something like this: /sbin/ins
Page 115 and 116:
If I use: > > ipmasqadm portfw −a
Page 117 and 118:
If you plan on port forwarding FTP
Page 119 and 120:
SOCKS: Finally, your last and possi
Page 121 and 122:
Linux IP Masquerade HOWTO 6.10. Gam
Page 123 and 124:
Chapter 7. Frequently Asked Questio
Page 125 and 126:
Linux IP Masquerade HOWTO 7.3. ( Er
Page 127 and 128:
Linux IP Masquerade HOWTO MASQ: IP
Page 129 and 130:
♦ correct rc.firewall−* name fo
Page 131 and 132:
The reason is because you have a dy
Page 133 and 134:
Linux IP Masquerade HOWTO rc.firewa
Page 135 and 136:
*** If you know how to also change
Page 137 and 138:
type=DWORD name="MaxMSS" (Do NOT in
Page 139 and 140:
All interface types: So, in your PP
Page 141 and 142:
like: −−−−−−−−−
Page 143 and 144:
Linux IP Masquerade HOWTO − IPTAB
Page 145 and 146:
7.21. ( Log Reduction ) − My logs
Page 147 and 148:
7.26. ( IDENT ) − IRC won't work
Page 149 and 150:
• Idea #3: Say you want to log al
Page 151 and 152:
Linux IP Masquerade HOWTO 7.34. ( N
Page 153 and 154:
The "iprule" and "iproute" commands
Page 155 and 156:
There are several things you should
Page 157 and 158:
available at the Linux IP Masquerad
Page 159 and 160:
8.3. Thanks to the following suppor
Page 161 and 162:
this one. • 05/21/05 − Updated
Page 163 and 164:
• 05/24/03: Updated the 2.4 Requi
Page 165 and 166:
Linux IP Masquerade HOWTO • 08/25
Page 167 and 168:
• − Load the FTP nat modules no
Page 169 and 170:
• Updated the comments in the 2.0
Page 171 and 172:
• Added Mandrake 6.0, 6.1, 7.0 to
Page 173:
Linux IP Masquerade HOWTO • In th
show all

Linux IP Masquerade HOWTO - The Linux Documentation Project

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?