IP Masquerading Guide with 2.4.x Kernels and IPTables
by x2xtreme,
x2xtreme@linuxhelp.net
Created on September 23 2001.
This setup has been tested with version 2.4.8 of the Linux kernel and version 1.2.2 of iptables. You must have at least version 2.4.4 of the Linux kernel installed for the following to work.
Most modern Linux distributions ship with iptables, but if for some reason yours does not, you will have to install it manually. Either search RPM Find for an RPM-packaged version for your RPM-based system, or install from the source package. You can find the iptables source at http://netfilter.samba.org/.
After downloading the kernel source (you may already have it in your /usr/src/ directory) and the iptables source, you must compile each of them. If you are missing the kernel source, extract the newly downloaded one into /usr/src/linux, and extract the iptables tarball into that directory as well. The command to extract a tar file is tar -zxvf file.tar.gz, replacing file.tar.gz with the actual file name.
Next we will compile the iptables package. To do so, enter the following commands from the iptables source directory.
make pending-patches KERNEL_DIR=/usr/src/linux
make KERNEL_DIR=/usr/src/linux
make install KERNEL_DIR=/usr/src/linux
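Before starting the build, it is worth confirming the two prerequisites stated above: a kernel of at least 2.4.4 and an iptables binary on the PATH. The POSIX shell script below is an added example, not part of the original guide; the function names version_ge and check_prereqs are my own, while uname -r and iptables -V (which prints a line such as "iptables v1.2.2") are the real commands. Versions are compared field by field as numbers, so 2.4.10 correctly counts as newer than 2.4.8, which a plain string comparison would get wrong.

```shell
#!/bin/sh
# Added example (not part of the original guide): check the guide's stated
# prerequisites, kernel 2.4.4 or newer plus a working iptables binary.

# version_ge A B: exit 0 when version A is at least version B.
# Only the leading numeric part is compared, so "2.4.8-smp" is read as 2.4.8,
# and missing fields count as 0 ("2.4" is treated as 2.4.0).
version_ge() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# check_prereqs [KERNEL_VERSION] [IPTABLES_VERSION]: exit 0 when both
# prerequisites hold. With no arguments the running kernel and the iptables
# binary in PATH are probed; passing values lets you exercise the logic offline.
check_prereqs() {
    kver=${1:-$(uname -r)}
    # ${2-...} (no colon) so that an explicitly empty second argument means
    # "iptables not found" instead of triggering the probe.
    iptver=${2-$(iptables -V 2>/dev/null | sed 's/^[^0-9]*//')}
    status=0
    if version_ge "$kver" 2.4.4; then
        echo "kernel $kver: ok (2.4.4 or newer required)"
    else
        echo "kernel $kver: too old, the guide requires 2.4.4 or newer"
        status=1
    fi
    if [ -z "$iptver" ]; then
        echo "iptables: not found in PATH, build and install it first"
        status=1
    else
        echo "iptables $iptver: found (the guide was tested with 1.2.2)"
    fi
    return $status
}

# Stand-alone use: sh check_prereqs.sh   (probes the running system)
check_prereqs "$@" || echo "prerequisites not met"
```

Run it as root or as a normal user; neither command needs privileges. A kernel reported as too old means the netfilter menu entries listed further down will not exist in menuconfig at all.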
You must now compile the new Linux kernel that you have downloaded. If you've never recompiled your kernel before, please see Joey's Kernel Compile/Upgrade guide at http://www.linuxhelp.net/guides/joey/kernel.shtml.
After running "make menuconfig" from the command line in your kernel source directory, answer yes or module to the following options, in addition to the other options your system requires.
* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) yes
* Enable loadable module support (CONFIG_MODULES) yes
* Set version information on all module symbols (CONFIG_MODVERSIONS) yes
* Kernel module loader (CONFIG_KMOD) module
[General Setup]
* Networking support (CONFIG_NET) yes
* Sysctl support (CONFIG_SYSCTL) yes
[Networking options] (just save yourself time and say yes to everything! :)
* Packet socket (CONFIG_PACKET) yes
* Packet socket: mmapped IO (CONFIG_PACKET_MMAP) yes
* Kernel/User netlink socket (CONFIG_NETLINK) module
* Routing messages (CONFIG_RTNETLINK) yes
* Network packet filtering (CONFIG_NETFILTER) yes
* Socket Filtering (CONFIG_FILTER) yes if you plan to run a DHCP server
* Unix domain sockets (CONFIG_UNIX) yes
* TCP/IP networking (CONFIG_INET) yes
* IP: TCP syncookie support (CONFIG_SYN_COOKIES) yes
[Networking options --> IP: Netfilter Configuration]
* Connection tracking (CONFIG_IP_NF_CONNTRACK) yes
* FTP protocol support (CONFIG_IP_NF_FTP) module
* IP tables support (CONFIG_IP_NF_IPTABLES) yes
* limit match support (CONFIG_IP_NF_MATCH_LIMIT) module
* netfilter mark match support (CONFIG_IP_NF_MATCH_MAC) module
* multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) module
* Connection state match support (CONFIG_IP_NF_MATCH_STATE) module
* Unclean match support (CONFIG_IP_NF_MATCH_UNCLEAN) module
* Packet filtering (CONFIG_IP_NF_FILTER) module
* REJECT target support (CONFIG_IP_NF_TARGET_REJECT) module
* Full NAT (CONFIG_IP_NF_NAT) module
* MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) module
* Packet mangling (CONFIG_IP_NF_MANGLE) module
* LOG target support (CONFIG_IP_NF_TARGET_LOG) module
* TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) module
* ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_IPCHAINS) module (optional, only if you have an existing ipchains ruleset)
* ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_IPFWADM) module (optional, only if you have an existing ipfwadm ruleset)
[Network device support]
* Network device support (CONFIG_NETDEVICES) yes
* Dummy net driver support (CONFIG_DUMMY) yes
[File systems]
* /proc filesystem support (CONFIG_PROC_FS) yes
Once that is done, save your kernel config and proceed to finish compiling your Linux kernel.
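Walking through the menus by hand is error prone, and a forgotten NAT or MASQUERADE option only surfaces later as a confusing "No chain/target/match by that name" from iptables. The script below is an added example, not part of the original guide: it reads the kernel's .config file and reports which of the options that matter most for masquerading are missing. The CONFIG_ symbol names are the real 2.4 kernel ones; the choice of which symbols to require, the "y" versus "ym" rule (built in only, or built in or module), and the function names are my own assumptions. The embedded sample .config is constructed for offline use and deliberately leaves the LOG target unset.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify that the netfilter
# options the guide lists really ended up in the kernel .config.

# Symbols this guide needs for masquerading and the answers that satisfy them:
# "y" means the guide wants it built in, "ym" means built in or module both
# work (the rc.firewall script loads modules itself). Which symbols to list
# here is an assumption, not the guide's complete menu walk-through.
REQUIRED_OPTIONS="
CONFIG_MODULES:y
CONFIG_NET:y
CONFIG_INET:y
CONFIG_NETFILTER:y
CONFIG_PROC_FS:y
CONFIG_IP_NF_CONNTRACK:ym
CONFIG_IP_NF_IPTABLES:ym
CONFIG_IP_NF_MATCH_STATE:ym
CONFIG_IP_NF_FILTER:ym
CONFIG_IP_NF_NAT:ym
CONFIG_IP_NF_TARGET_MASQUERADE:ym
CONFIG_IP_NF_TARGET_LOG:ym
"

# config_value FILE SYMBOL: print y, m, or n (n also covers "is not set"
# lines and symbols absent from the file).
config_value() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1")
    printf '%s\n' "${v:-n}"
}

# check_masq_config FILE: report every required symbol; exit 0 only when all
# of them have an acceptable value.
check_masq_config() {
    missing=0
    for entry in $REQUIRED_OPTIONS; do
        sym=${entry%%:*}
        allowed=${entry#*:}
        have=$(config_value "$1" "$sym")
        case "$allowed" in
            *"$have"*) echo "ok       $sym=$have" ;;
            *)         echo "MISSING  $sym (have $have, need one of: $allowed)"
                       missing=1 ;;
        esac
    done
    return $missing
}

# write_sample_config FILE: a constructed .config fragment for offline use.
# It deliberately leaves the LOG target unset so the check has something to report.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_PROC_FS=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_IP_NF_TARGET_LOG is not set
EOF
}

# Stand-alone use: sh check_masq_config.sh /usr/src/linux/.config
# Without an argument the constructed sample is checked instead.
if [ $# -gt 0 ]; then
    check_masq_config "$1"
else
    sample=${TMPDIR:-/tmp}/masq_sample_config.$$
    write_sample_config "$sample"
    check_masq_config "$sample" || echo "(the sample omits the LOG target on purpose)"
    rm -f "$sample"
fi
```

Run it against /usr/src/linux/.config after saving your configuration and again after the build, since "make oldconfig" on a freshly patched tree can silently reset options. Any symbol it reports as MISSING needs another trip through "make menuconfig" before the rc.firewall script below will load cleanly.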
You must also add a line that runs /etc/rc.d/rc.firewall to the bottom of the /etc/rc.d/rc.local file, so the iptables ruleset is loaded after each reboot.
Below is what /etc/rc.d/rc.firewall must contain. Simply copy and paste it into the file and save it.
#!/bin/sh
echo -e "\n\nIPMASQ *TEST* rc.firewall ruleset - v0.60\n"
#The location of the iptables program
IPTABLES=/usr/local/sbin/iptables
echo " - Verifying that all kernel modules are ok"
# Rebuild the module dependency list, then load the core iptables and
# connection tracking modules (these two insmod lines are only needed if you
# compiled them as modules rather than into the kernel)
/sbin/depmod -a
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack