Linux IP Masquerade HOWTO - The Linux Documentation Project

More documents

Recommendations

Info

Linux IP Masquerade HOWTO #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable this following option. This enables dynamic−address hacking # which makes the life with Diald and similar programs much easier. # echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Enable simple IP forwarding and Masquerading # # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example for an internal LAN address in the # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask # connecting to the Internet on external interface "eth0". This # example will MASQ internal traffic out to the Internet but not # allow non−initiated traffic into your internal network. # # # ** Please change the above network numbers, subnet mask, and your # *** Internet connection interface name to match your setup # #Clearing any previous configuration # # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is DROP (REJECT is not a valid policy) # # Isn't ACCEPT insecure? To some degree, YES, but this is our testing # phase. Once we know that IPMASQ is working well, I recommend you run # the rc.firewall−*−stronger rulesets which set the defaults to DROP but # also include the critical additional rulesets to still let you connect to # the IPMASQ server, etc. # echo " Clearing any existing rules and setting default policy.." $IPTABLES −P INPUT ACCEPT $IPTABLES −F INPUT $IPTABLES −P OUTPUT ACCEPT $IPTABLES −F OUTPUT $IPTABLES −P FORWARD DROP $IPTABLES −F FORWARD $IPTABLES −t nat −F echo " FWD: Allow all connections OUT and only existing and related ones IN" $IPTABLES −A FORWARD −i $EXTIF −o $INTIF −m state −−state ESTABLISHED,RELATED −j ACCEPT $IPTABLES −A FORWARD −i $INTIF −o $EXTIF −j ACCEPT Chapter 3. Setting Up IP Masquerade 41
$IPTABLES −A FORWARD −j LOG echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES −t nat −A POSTROUTING −o $EXTIF −j MASQUERADE echo −e "\nrc.firewall−iptables v$FWVER done.\n" Once you are finished with editing this /etc/rc.d/rc.firewall−iptables ruleset, make it executable by typing in chmod 700 /etc/rc.d/rc.firewall−iptables Now that the firewall ruleset is ready, you need to let it run after every reboot. You could either do this by running it by hand everytime (such a pain) or add it to the boot scripts. We have covered two methods below: Redhat (SyS−V style) and Slackware (BSD style) 1. Redhat and Redhat−derived distros: • There are two ways to automatically load things in Redhat: /etc/rc.d/rc.local or a init script in /etc/rc.d/init.d/. The first method is the easiest but isn't doing things the SYS−V way. All you have to do is add the line: echo "Loading the rc.firewall−iptables ruleset.. " /etc/rc.d/rc.firewall−iptables to the end of the /etc/rc.d/rc.local file and thats it (as described earlier in the HOWTO). The problem with this approach is that the firewall isn't executed until the last stages of booting. • The preferred approach is to have the firewall loaded just after the networking subsystem is loaded. To do this, copy the following file into the /etc/rc.d/init.d directory: Linux IP Masquerade HOWTO #!/bin/sh # # chkconfig: 2345 11 89 # # description: Loads the rc.firewall−iptables ruleset. # # processname: firewall−iptables # pidfile: /var/run/firewall.pid # config: /etc/rc.d/rc.firewall−iptables # probe: true # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− # v05/24/03 # # Part of the copyrighted and trademarked TrinityOS document. # http://www.ecst.csuchico.edu/~dranch # # Written and Maintained by David A. Ranch # dranch@trinnet.net # # Updates # −−−−−−− # 05/24/03 − removed a old networking up check that had some # improper SGML ampersand conversions. # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Chapter 3. Setting Up IP Masquerade 42
Page 1 and 2: Linux IP Masquerade HOWTO David A.
Page 3 and 4: Linux IP Masquerade HOWTO Table of
Page 5 and 6: Linux IP Masquerade HOWTO Table of
Page 7 and 8: Masquerade Resource web page. If yo
Page 9 and 10: Linux IP Masquerade HOWTO IP Masque
Page 11 and 12: | | : | C−box |:::::: | |.4 +−
Page 13 and 14: • Netfilter is an entirely new ar
Page 15 and 16: HOWTO. • Loadable kernel modules,
Page 17 and 18: • Linux IP Masquerade HOWTO havin
Page 19 and 20: ◊ ip_masquerade ip_conntrack ip_t
Page 21 and 22: commands might look different. It i
Page 23 and 24: cp extensions/libipt_esp.so /usr/lo
Page 25 and 26: [ Code maturity level options ] * P
Page 27 and 28: Linux IP Masquerade HOWTO * FTP pro
Page 29 and 30: (2.2.x kernels) and enable this opt
Page 31 and 32: • NOTE: Please notice that it isn
Page 33 and 34: Linux IP Masquerade HOWTO * Network
Page 35 and 36: == (Slow CPU, Telephony, SCSI, I2O,
Page 37 and 38: Please note the YES or NO ANSWERS t
Page 39 and 40: * IP: IPSEC masq debugging (DEBUG_I
Page 41 and 42: Linux IP Masquerade HOWTO We will r
Page 43 and 44: # #IPTABLES=/sbin/iptables IPTABLES
Page 45: #Loads the IRC NAT functionality in
Page 49 and 50: esac 2. Slackware: • exit 1 exit
Page 51 and 52: Linux IP Masquerade HOWTO FWVER="1.
Page 53 and 54: Linux IP Masquerade HOWTO #CRITICAL
Page 55 and 56: this, copy the following file into
Page 57 and 58: Linux IP Masquerade HOWTO echo "Loa
Page 59 and 60: # Load all required IP MASQ modules
Page 61 and 62: # #/sbin/ipfwadm −I −a accept
Page 63 and 64: Slackware: • mlist) $IPFWADM −M
Page 65 and 66: Chapter 4. Configuring the other in
Page 67 and 68: 4.2. Configuring Windows NT Linux I
Page 69 and 70: 8. Linux IP Masquerade HOWTO gatewa
Page 71 and 72: USE DEFAULTS = OFF VLM = CONN.VLM V
Page 73 and 74: Chapter 5. Testing IP Masquerade Fi
Page 75 and 76: Linux IP Masquerade HOWTO −−−
Page 77 and 78: Linux IP Masquerade HOWTO . . PPP:
Page 79 and 80: −−−−−−−−−−−
Page 81 and 82: Linux IP Masquerade HOWTO 5.12. Any
Page 83 and 84: all IRC clients on various supporte
Page 85 and 86: 6.3.2. Clients that do not have ful
Page 87 and 88: # just leave this section alone. #
Page 89 and 90: Linux IP Masquerade HOWTO # Enabled
Page 91 and 92: echo "1" > /proc/sys/net/ipv4/ip_fo
Page 93 and 94: # STATEFULLY TRACKED # $IPTABLES
Page 95 and 96: echo −e "\nrc.firewall−iptables
Page 97 and 98:
INTNET="192.168.0.0/24" echo " Inte
Page 99 and 100:
# # Make sure the EXTIF variable ab
Page 101 and 102:
# −−−−− Begin OPTIONAL FO
Page 103 and 104:
#!/bin/sh # # /etc/rc.d/rc.firewall
Page 105 and 106:
# If you get your TCP/IP address a
Page 107 and 108:
#End of file. To automatically sta
Page 109 and 110:
Linux IP Masquerade HOWTO #Enable i
Page 111 and 112:
• 2.6.x and 2.4.x kernels have PO
Page 113 and 114:
look something like this: /sbin/ins
Page 115 and 116:
If I use: > > ipmasqadm portfw −a
Page 117 and 118:
If you plan on port forwarding FTP
Page 119 and 120:
SOCKS: Finally, your last and possi
Page 121 and 122:
Linux IP Masquerade HOWTO 6.10. Gam
Page 123 and 124:
Chapter 7. Frequently Asked Questio
Page 125 and 126:
Linux IP Masquerade HOWTO 7.3. ( Er
Page 127 and 128:
Linux IP Masquerade HOWTO MASQ: IP
Page 129 and 130:
♦ correct rc.firewall−* name fo
Page 131 and 132:
The reason is because you have a dy
Page 133 and 134:
Linux IP Masquerade HOWTO rc.firewa
Page 135 and 136:
*** If you know how to also change
Page 137 and 138:
type=DWORD name="MaxMSS" (Do NOT in
Page 139 and 140:
All interface types: So, in your PP
Page 141 and 142:
like: −−−−−−−−−
Page 143 and 144:
Linux IP Masquerade HOWTO − IPTAB
Page 145 and 146:
7.21. ( Log Reduction ) − My logs
Page 147 and 148:
7.26. ( IDENT ) − IRC won't work
Page 149 and 150:
• Idea #3: Say you want to log al
Page 151 and 152:
Linux IP Masquerade HOWTO 7.34. ( N
Page 153 and 154:
The "iprule" and "iproute" commands
Page 155 and 156:
There are several things you should
Page 157 and 158:
available at the Linux IP Masquerad
Page 159 and 160:
8.3. Thanks to the following suppor
Page 161 and 162:
this one. • 05/21/05 − Updated
Page 163 and 164:
• 05/24/03: Updated the 2.4 Requi
Page 165 and 166:
Linux IP Masquerade HOWTO • 08/25
Page 167 and 168:
• − Load the FTP nat modules no
Page 169 and 170:
• Updated the comments in the 2.0
Page 171 and 172:
• Added Mandrake 6.0, 6.1, 7.0 to
Page 173:
Linux IP Masquerade HOWTO • In th
show all

Linux IP Masquerade HOWTO - The Linux Documentation Project

Create successful ePaper yourself

Delete template?

Save as template?