4. Configuring Masquerading
All right! The preliminaries are over, this is where the magic begins. IP masquerading is one of the truly magical services Linux provides. There are commercial products for Windows which do the same thing, but not nearly as efficiently: an ancient 386 can merrily provide IP masquerading services to a whole medium sized office, but cannot even run Windows 95, let alone the add on masquerading package. (As an addendum, I read in some recent reviews that Windows 2000 will support "connection sharing" without addon software. It looks like the companies which sold connection sharing software have been "embraced and extended" by MicroSoft. However, I wouldn't recommend you try the Windows 2000 solution on a 386.)
Linux has an extremely versatile firewalling capability, and we are going
to be using it in the simplest and crudest possible manner. If you want to
learn how to do firewalling like an expert, you should read both the
Firewalling HOWTO for an
understanding of the theory and the
IPChains HOWTO for instructions on the new ipchains
firewalling
tool which ships with the Linux 2.2.X kernel (and by extension Red Hat 6.X).
There is also now a very good
IP Masquerading HOWTO available which has more details on masquerading
tweaks.
Configuring simple masquerading is very very easy once your internal and
external networking is operational. Edit the /etc/rc.d/rc.local
file and add
the following lines to the bottom:
# 1) Flush the rule tables. /sbin/ipchains -F input /sbin/ipchains -F forward /sbin/ipchains -F output # 2) Set the MASQ timings and allow packets in for DHCP configuration. /sbin/ipchains -M -S 7200 10 60 /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 68 -d 0/0 67 -p udp # 3) Deny all forwarding packets except those from local network. # Masquerage those. /sbin/ipchains -P forward DENY /sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ # 4) Load forwarding modules for special services. /sbin/modprobe ip_masq_ftp /sbin/modprobe ip_masq_raudio
The last two lines insert kernel modules which allow FTP and RealAudio to work for computers on the inside network. There are other modules for special services which you can tack on if you need them:
- CUSeeMe (
/sbin/modprobe ip_masq_cuseeme
) - Internet Relay Chat (
/sbin/modprobe ip_masq_irc
) - Quake (
/sbin/modprobe ip_masq_quake
) - VDOLive (
/sbin/modprobe ip_masq_vdolive
)
Now you're ready to try masquerading! Run the rc.local
script with the
command /etc/rc.d/rc.local
and you are ready to go! Sit down at one of your
other computers and try some web surfing. With any luck, everything is now
hunky dory.
Next Previous Contents