|This document is available in: English Castellano Deutsch Francais Italiano Nederlands Russian Turkce Arabic|
by Guido Socher
About the author:
Guido is a long time Linux fan. His Linux home page can be found at www.oche.de/~bearix/g/.
Setting up IP-Masquerading
IP-Masquerading provides the possibility to connect several computers
to the Internet using a computer running Linux with just one public IP address.
This means you can connect a whole private network to the Internet, and
your Internet Service provider thinks you are still connecting just
one single computer. This article will explain how to configure
IP-Masquerading with a 2.2.x Kernel. It does not explain how to build
a network. To get a general idea about computer networks I
recommend to read also the January 2000
issue article about home networks.
Sometimes, IP packets are special in nature and IP-Masquerading may not work for all applications, but it works in most cases. There are modules for ICQ, ftp, and quake that need to be inserted in the Kernel in order for those special applications to run correctly from the internal network. In general though, anything that uses only the HTTP (web browsers), telnet, ssh, or smtp (email) will work fine.
I usually make a backup of /usr/src/linux/.config after I have compiled a successfully working Kernel. Next time I need to compile a Kernel I just load this configuration and I have already the configuration of my previous Kernel in place. It is then relatively simple to configure minor changes such as IP-Masquerading.
To use IP-Masquerading say yes to the following when configuring the Kernel. These are just the components you need for IP Masquerade, select whatever other options you need for your specific setup.
#!/bin/sh echo "Setting up IP masquerading ..." # People still using windows to surf the web must convert this # to a UNIX text file before using it. # # Support masquerading of FTP file transfer. /sbin/modprobe ip_masq_ftp # #-------------- # Note: the modules below are commented out from loading. Remove the # comment sign if you want to use the corresponding applications form # one of the computers inside your internal network. # # Support masquerading of RealAudio over UDP. #/sbin/modprobe ip_masq_raudio # # Supports the masquerading of IRC DCC file transfers #/sbin/modprobe ip_masq_irc # # Support masquerading of Quake and QuakeWorld # Quake I / QuakeWorld (ports 26000 and 27000) #/sbin/modprobe ip_masq_quake # # Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960) #/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960 # # Support masquerading of the CuSeeme video conferencing software #/sbin/modprobe ip_masq_cuseeme # #Support masquerading of the VDO-live video conferencing software #/sbin/modprobe ip_masq_vdolive #-------------- # Important: Enable IP forwarding. It is disabled by default in # the 2.2.x Kernels echo "1" > /proc/sys/net/ipv4/ip_forward # # NOTE: This is an example for an internal Network address of # 192.168.0.x The sub netmask is 255.255.255.0 or "24" bit # Please change this if you use different internal IP addresses. # /sbin/ipchains -P forward DENY /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ # #--- end of fileTo test it make sure you have configured all your computers in your private network to have a default gateway route (!!!) to 192.168.0.1 (the masquerading Linux host). Then run the script as root on the masquerading host. After that send a ping from one machine inside your network to a host in the Internet (e.g ping 18.104.22.168)
Now it is time to change your configuration such that your /etc/rc.d/init.d/ipmasq script will be executed automatically every time you boot your Linux connection-box. The best way to do this is in my opinion to edit the /etc/rc.d/init.d/network file (this file should already exist) and execute /etc/rc.d/init.d/ipmasq AT THE END of the start section in the init.d/network file. Look for a case statement and then for the "start)".
As you saw it is not difficult to setup IP-Masquerading. It is basically just ip forwarding enabled and 2 ipchains commands. IP-Masquerading is a very powerful application for small home networks schools small business networks etc....
For further and more detailed information I recommend reading the IP-Masquerading mini howto and the IPCHAINS-HOWTO.
To use IP-Masquerading you need to have of course a correctly configured network. This is not covered by this article. The Home networking article will give you some vocabulary and the Net 3 howto or the The Network Administrator Guide explains in detail how to build a network. I plan also to write another article on networking later on in the year but you might not want to wait that long :-).
Webpages maintained by the LinuxFocus Editor team
© Guido Socher
"some rights reserved" see linuxfocus.org/license/
2004-11-04, generated by lfparser version 2.51