How to setup ip masquerading in RH 6.1 or 6.0?

How would I go about setting up ip Masq in redhat? Any help would be greatly appreciated. thanks (using a cable modem)
Smileyq
Smileyq Asked:
 
guiyu Commented:
Here is a little quick-and-dirty description I have written.
First you will need ipchains.

Install the ipchains***.rpm if you do not already have it. I trust you will be able to make the appropriate modifications to the script if necessary. If you are extremely impatient, look for the 3 line test command that will immediately activate IP masquerading (using my example setup)

CopyLeft 1999.10.26      Guiyu

Assumption
==========

1 "gateway" machine (with connection to outside world) has two ethernet cards

  eth0      connected to cablemodem
      IP            DHCP assigned (type "ifconfig eth0" to see assignments)
      Netmask       DHCP assigned
      Broadcast     DHCP assigned
      Gateway       DHCP assigned
      DNS server    DHCP assigned, contained in /etc/resolv.conf

  eth1      connected to Local Area Network
      IP            192.168.0.250
      Netmask       255.255.255.0
      Broadcast     192.168.0.255
      Gateway       192.168.0.250
      DNS server    same as eth0, uses same file /etc/resolv.conf

2 clients (any type of OS) configured locally as
      IP            192.168.0.xxx            (xxx = 0 to 254 except 250)
      Netmask       255.255.255.0
      Gateway       192.168.0.250
      DNS           copy values from gateway:/etc/resolv.conf


3-line TEST
===========
After setting up all the machines, your clients should be able to ping the gateway,
but cannot connect to the outside world.
The following is a 3-line command that will immediately setup IP masquerading:

      ipchains -P forward DENY
      ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
      echo 1 > /proc/sys/net/ipv4/ip_forward

After keying in the above, your clients should be able to see the outside world,
e.g. from any of the clients you should get a response from
      ping www.mit.edu

Permanent setup
===============
1 (you may skip this step and proceed to next stage if you have keyed in the rules in the test stages)
  execute rule(s), e.g. the 1st command resets via denying all packets,
  the 2nd command forwards _all_ LAN packets thru' eth0, the gateway
      ipchains -P forward DENY
      ipchains -A forward -i eth0 -j MASQ

2 save rules in /etc/ipchains.rules

      ipchains-save > /etc/ipchains.rules


DEBIAN (skip to 4 if you have redhat or its derivatives)
======
3a copy attached script to /etc/init.d/packetfilter and change its mode:

      chmod a+x /etc/init.d/packetfilter
      chmod o-x /etc/init.d/packetfilter

3b link script file to automatically start at bootup
      ln -s /etc/init.d/packetfilter /etc/rcS.d/S39packetfilter

3c you may manually start/stop IP masquerading via
      /etc/init.d/packetfilter {start|stop}

REDHAT/Mandrake
===============
4a copy attached script to /etc/rc.d/init.d/packetfilter and change its mode:

      chmod a+x /etc/rc.d/init.d/packetfilter
      chmod o-x /etc/rc.d/init.d/packetfilter

4b append the following 2 lines to the file /etc/rc.d/rc.sysinit
      # start IP masquerading
      /etc/rc.d/init.d/packetfilter start

4c you may manually start/stop IP masquerading via
      /etc/rc.d/init.d/packetfilter {start|stop}


packetfilter script
===================CUT HERE====================================================
#! /bin/sh
# Script to control packet filtering.

# If no rules, do nothing.
[ -f /etc/ipchains.rules ] || exit 0

case "$1" in
      start)
            echo -n "Turning on packet filtering:"
            /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
            echo 1 > /proc/sys/net/ipv4/ip_forward
            echo "."
            ;;
      stop)
            echo -n "Turning off packet filtering:"
            echo 0 > /proc/sys/net/ipv4/ip_forward
            # Flush rules first: -X can only delete user-defined chains
            # that are empty and no longer referenced.
            /sbin/ipchains -F
            /sbin/ipchains -X
            /sbin/ipchains -P input ACCEPT
            /sbin/ipchains -P output ACCEPT
            /sbin/ipchains -P forward ACCEPT
            echo "."
            ;;
      *)
            echo "Usage: /etc/init.d/packetfilter {start|stop}"
            exit 1
            ;;
esac

exit 0
0
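An added example, not part of guiyu's post: the permanent rule above binds MASQ to eth0 but drops the `-s 192.168.0.0/24` restriction used in the 3-line test, so this sketch audits a saved ruleset for that before it is restored at boot. The function names, the sample rulesets and the assumed `ipchains-save` line format are illustrative assumptions.

```shell
#!/bin/sh
# Added example: audit ipchains-save output before /etc/ipchains.rules is restored.
# Assumption: policy lines look like ":forward DENY", rules like "-A forward ...".
LAN_NET="192.168.0.0"    # LAN from the post's example setup

# audit_rules [FILE]: print one finding per line; exit status 1 if any.
audit_rules() {
    awk -v net="$LAN_NET" '
        $1 == ":forward" { policy = $2 }
        $1 == "-A" && $2 == "forward" && / -j MASQ/ {
            masq++; src = ""; ifc = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-i") ifc = $(i + 1)
            }
            split(src, p, "/")
            if (p[1] != net || (p[2] != "24" && p[2] != "255.255.255.0")) {
                print "MASQ not limited to LAN source: " $0; bad = 1
            }
            if (ifc == "") { print "MASQ not bound to an interface: " $0; bad = 1 }
        }
        END {
            if (policy != "DENY") { print "forward policy is not DENY"; bad = 1 }
            if (!masq) { print "no MASQ rule in forward chain"; bad = 1 }
            exit bad + 0
        }' "${1:--}"
}

# Constructed sample: what the permanent-setup rule from the post would save as.
sample_permanent() {
    cat <<'EOF'
:input ACCEPT
:forward DENY
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ
EOF
}

# Constructed sample: same rule with the 3-line test's source restriction added.
sample_restricted() {
    cat <<'EOF'
:input ACCEPT
:forward DENY
-A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ
EOF
}

sample_permanent | audit_rules || true    # prints one finding
sample_restricted | audit_rules && echo "restricted ruleset: clean"
```

On a real gateway it would be run as `audit_rules /etc/ipchains.rules` right after `ipchains-save`.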
 
duy102099 Commented:
use linuxconf
masquerading is part of firewall
0
 
Smileyq (Author) Commented:
There isn't anything referring to firewall in linuxconf.
0

 
Smileyq (Author) Commented:
You are the greatest. Would also work with an ISDN dial-up?
0
 
guiyu Commented:
- The above example is the _very_ basic setup, security-wise. If you want to prevent hackers from hacking into your site (I get on average 1 hacking attempt a week on my always-on linux box), consider using ipchains to setup a firewall:

http://www.linux.com/howto/Firewall-HOWTO.html

or at the very least, use tcp_wrappers to only allow trusted sites to connect to your linux box.

- Also there was a typo in the client setup, you can assign client addresses 192.168.0.{1-254} (except 250, which is the gateway)

- Yes, this example should work with ISDN or any other type of connection. You may have to replace the information on eth0 with the appropriate interface/information, e.g. a dial-up modem line would use ppp0 and the permanent setup ipchains command would be

      ipchains -A forward -i ppp0 -j MASQ

  The rest should require little or no modification.

0
 
guiyu Commented:
Also, most importantly, you may need to recompile your kernel to support the following IP masquerading necessary options (in addition to any other default options):

Networking Options-->
  Network firewalls
  TCP/IP networking
  IP: firewalling
  IP: always defragment
  IP: masquerading
  IP: ICMP masquerading

others may be added in the future.
0