How to setup ip masquerading in RH 6.1 or 6.0?

How would I go about setting up ip Masq in redhat? Any help would be greatly appreciated. thanks (using a cable modem)
Smileyq

duy102099 commented:
use linuxconf
masquerading is part of firewall
0
Smileyq (author) commented:
There isn't anything referring to firewall in linuxconf.
0
guiyu commented:
Here is a little quick-and-dirty description I have written.
First you will need ipchains.

Install the ipchains***.rpm if you do not already have it. I trust you will be able to make the appropriate modifications to the script if necessary. If you are extremely impatient, look for the 3-line test command that will immediately activate IP masquerading (using my example setup).

CopyLeft 1999.10.26      Guiyu

Assumption
==========

1 "gateway" machine (with connection to outside world) has two ethernet cards

  eth0      connected to cablemodem
      IP              DHCP assigned (type "ifconfig eth0" to see assignments)
      Netmask         DHCP assigned
      Broadcast       DHCP assigned
      Gateway         DHCP assigned
      DNS server      DHCP assigned, contained in /etc/resolv.conf

  eth1      connected to Local Area Network
      IP              192.168.0.250
      Netmask         255.255.255.0
      Broadcast       192.168.0.255
      Gateway         192.168.0.250
      DNS server      same as eth0, uses same file /etc/resolv.conf

2 clients (any type of OS) configured locally as
      IP              192.168.0.xxx            (xxx = 0 to 254 except 250)
      Netmask         255.255.255.0
      Gateway         192.168.0.250
      DNS             copy values from gateway:/etc/resolv.conf


3-line TEST
===========
After setting up all the machines, your clients should be able to ping the gateway,
but cannot connect to the outside world.
The following is a 3-line command that will immediately set up IP masquerading:

      ipchains -P forward DENY
      ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
      echo 1 > /proc/sys/net/ipv4/ip_forward

After keying in the above, your clients should be able to see the outside world,
e.g. from any of the clients you should get a response to
      ping www.mit.edu

Permanent setup
===============
1 (you may skip this step and proceed to the next stage if you have keyed in the rules in the test stage)
  execute rule(s), e.g. the 1st command resets via denying all packets,
  the 2nd command forwards _all_ LAN packets thru' eth0, the gateway
      ipchains -P forward DENY
      ipchains -A forward -i eth0 -j MASQ

2 save rules in /etc/ipchains.rules

      ipchains-save > /etc/ipchains.rules


DEBIAN (skip to 4 if you have redhat or its derivatives)
======
3a copy attached script to /etc/init.d/packetfilter and change its mode:

      chmod a+x /etc/init.d/packetfilter
      chmod o-x /etc/init.d/packetfilter

3b link script file to automatically start at bootup
      ln -s /etc/init.d/packetfilter /etc/rcS.d/S39packetfilter

3c you may manually start/stop IP masquerading via
      /etc/init.d/packetfilter {start|stop}

REDHAT/Mandrake
===============
4a copy attached script to /etc/rc.d/init.d/packetfilter and change its mode:

      chmod a+x /etc/rc.d/init.d/packetfilter
      chmod o-x /etc/rc.d/init.d/packetfilter

4b append the following 2 lines to the file /etc/rc.d/rc.sysinit
      # start IP masquerading
      /etc/rc.d/init.d/packetfilter start

4c you may manually start/stop IP masquerading via
      /etc/rc.d/init.d/packetfilter {start|stop}


packetfilter script
===================CUT HERE====================================================
#! /bin/sh
# Script to control packet filtering (IP masquerading via ipchains).

# If no rules, do nothing.
[ -f /etc/ipchains.rules ] || exit 0

case "$1" in
    start)
        echo -n "Turning on packet filtering:"
        # Load the saved rules first; enable forwarding only if that succeeds.
        /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "."
        ;;
    stop)
        echo -n "Turning off packet filtering:"
        # Stop routing between interfaces before the rules are cleared.
        echo 0 > /proc/sys/net/ipv4/ip_forward
        # Flush all rules, then delete the (now empty) user-defined chains.
        /sbin/ipchains -F
        /sbin/ipchains -X
        # Reset the built-in chains to their default policies.
        /sbin/ipchains -P input ACCEPT
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT
        echo "."
        ;;
    *)
        echo "Usage: /etc/init.d/packetfilter {start|stop}"
        exit 1
        ;;
esac

exit 0
0
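A check for the saved rules file, as an added example that is not part of guiyu's post: the 3-line test rule limits masquerading to source 192.168.0.0/24, while the permanent-setup rule matches on interface only, and this script flags the difference in ipchains-save style output. The function names, the sample rule lines and the assumed save format (":chain POLICY" and "-A chain ..." lines) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ipchains-save style rules read from stdin.
# Assumed format: ":<chain> <POLICY>" policy lines, "-A <chain> ..." rule lines.
LAN_NET="192.168.0.0"    # LAN network from the example setup on this page

audit_rules() {
    awk -v lan="$LAN_NET" '
        $1 == ":forward" { policy = $2 }
        $1 == "-A" && $2 == "forward" {
            target = ""; src = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            if (target != "MASQ") next
            masq++
            # No -s, or a 0.0.0.0/... source, masquerades any source address
            if (src == "" || index(src, "0.0.0.0/") == 1)
                print "WARN: MASQ rule not limited by source: " $0
            else if (index(src, lan "/") != 1)
                print "WARN: MASQ source is outside " lan ": " $0
        }
        END {
            if (policy == "") policy = "unset"
            if (policy != "DENY")
                print "WARN: forward policy is " policy ", expected DENY"
            if (masq == 0)
                print "WARN: no MASQ rule in the forward chain"
        }
    '
}

# Constructed samples: the three policy lines plus one saved MASQ rule each.
sample() { printf ':input ACCEPT\n:forward DENY\n:output ACCEPT\n%s\n' "$1"; }
# The 3-line test rule (source limited to the LAN) as it might look once saved.
sample_scoped()   { sample '-A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ'; }
# The permanent-setup rule (interface only) as it might look once saved.
sample_unscoped() { sample '-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ'; }

# Demo on the constructed interface-only rule; on a real gateway run
#   audit_rules < /etc/ipchains.rules
sample_unscoped | audit_rules
```

An empty result means the forward policy is DENY and every MASQ rule is limited to the LAN source range.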


Smileyq (author) commented:
You are the greatest. Would it also work with an ISDN dial-up?
0
guiyu commented:
- The above example is the _very_ basic setup, security-wise. If you want to prevent hackers from hacking into your site (I get on average 1 hacking attempt a week on my always-on linux box), consider using ipchains to set up a firewall:

http://www.linux.com/howto/Firewall-HOWTO.html

or at the very least, use tcp_wrappers to only allow trusted sites to connect to your linux box.

- Also there was a typo in the client setup, you can assign client addresses 192.168.0.{1-254} (except 250, which is the gateway)

- Yes, this example should work with ISDN or any other type of connection. You may have to replace the information on eth0 with the appropriate interface/information, e.g. a dial-up modem line would use ppp0 and the permanent setup ipchains command would be

ipchains -A forward -i ppp0 -j MASQ, the rest should require little or no modification.

0
guiyu commented:
Also, most importantly, you may need to recompile your kernel to support the following IP masquerading necessary options (in addition to any other default options):

Networking Options-->
  Network firewalls
  TCP/IP networking
  IP: firewalling
  IP: always defragment
  IP: masquerading
  IP: ICMP masquerading

others may be added in the future.
0