I. Introduction

   1. What, Why?

   2. Requirements
      386/40 w/ 8 Megs Ram - 3-5 hosts (also running a DNS caching service)
      486/40 w/ 16 Megs Ram - 25-50 hosts

   3. Alternatives
      Windows programs - Wingate, WinRoute, NAT32
      Proxy server - Connections are terminated, and then re-started to the destination

II. How it works

   A. Share one internet connection with multiple computers

   B. Security - Firewall, rulesets

      +----------+
      |          | Ethernet
      |  A-box   |::::::
      |          |.2   :   192.168.0.x
      +----------+     :
                       :       +----------+   PPP
      +----------+     :   .1  |  Linux   |   link
      |          |     ::::::::| Masq-Gate|:::::::::::::::::::// Internet
      |  B-box   |::::::       |          |   111.222.333.444
      |          |.3   :       +----------+
      +----------+     :
                       :
      +----------+     :
      |          |     :
      |  C-box   |::::::
      |          |.4
      +----------+

      |                       |                   |
      | <-Internal Network--> |                   | <- External Network ---->
      |                       |                   |

III. Setting up Network

   1. Installing Network Cards

   2. Choosing IP's
      Non-routable IP's on non-connected networks - From RFC 1597:
      10.0.0.0-10.255.255.255 (Class A) (24-bit block)
      172.16.0.0-172.31.255.255 (Class B) (20-bit block)
      192.168.0.0-192.168.255.255 (Class C) (16-bit block)
      192.168.1.1 is usually the gateway machine
      192.168.1.0 is the network address
      192.168.0.255 is the broadcast address
      http://members.home.net/ipmasq/ipmasq-HOWTO-1.76-4.html

   3. Setup client machines

   4. Testing connectivity
      A. ping ip's on your local network

IV. IPChains
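As an added example (not part of the talk and not from the IP Masquerade HOWTO), the following POSIX shell script checks whether an address falls inside one of the RFC 1597 blocks listed above, and derives the network and broadcast addresses of a block from any member address and prefix length, so the gateway, network and broadcast numbers chosen for a LAN can be checked against each other before they go into rc.firewall. The sample addresses at the bottom are constructed; 203.0.113.x is a documentation range used here as "some outside host".

```shell
#!/bin/sh
# Added example, not from the talk or the IP Masquerade HOWTO: check an IPv4
# address against the RFC 1597 private blocks and derive the network and
# broadcast addresses for a prefix length. Pure POSIX sh arithmetic, so it
# runs on the gateway itself without extra tools.

# ip_to_int 192.168.1.1 -> 3232235777 (dotted quad to 32-bit integer)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235777 -> 192.168.1.1
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask_of 24 -> 4294967040 (0xFFFFFF00)
netmask_of() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# in_block ADDR NET BITS -> yes/no : is ADDR inside NET/BITS?
in_block() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(netmask_of "$3")
    if [ $(( addr & mask )) -eq $(( net & mask )) ]; then echo yes; else echo no; fi
}

# is_private ADDR -> yes/no : the three RFC 1597 blocks, written as prefixes
# (10/8 is the "24-bit block", 172.16/12 the "20-bit block", 192.168/16 the "16-bit block")
is_private() {
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if [ "$(in_block "$1" "${block%/*}" "${block#*/}")" = yes ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# network_addr ADDR BITS -> first address of the block ADDR lives in
network_addr() {
    int_to_ip $(( $(ip_to_int "$1") & $(netmask_of "$2") ))
}

# broadcast_addr ADDR BITS -> last address of the block ADDR lives in
broadcast_addr() {
    int_to_ip $(( ($(ip_to_int "$1") & $(netmask_of "$2")) | (4294967295 ^ $(netmask_of "$2")) ))
}

# Constructed sample: the gateway from the outline, an edge case of the
# class B block, the first address past it, and an outside host.
for a in 192.168.1.1 172.31.255.254 172.32.0.1 203.0.113.7; do
    echo "$a private=$(is_private "$a") network=$(network_addr "$a" 24) broadcast=$(broadcast_addr "$a" 24)"
done
```

Running it prints one line per sample; for the gateway address 192.168.1.1 with a /24 it reports network 192.168.1.0 and broadcast 192.168.1.255, which is the pair that belongs on client machines next to the gateway address. 172.32.0.1 is the first address outside the 172.16/12 block, so it is reported as not private even though it "looks" close to the range.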
   1. Enable Masq in the kernel

      A. Most recent distributions support IP Masq 'out-of-the-box'

         Distribution        : Masq in stock kernel - Kernel version
         Caldera < v1.2      : NO  - ?
         Caldera v1.3        : YES - 2.0.35 based
         Caldera v2.2        : YES - 2.2.5 based
         Debian v1.3         : NO  - ?
         Debian v2.0         : NO  - ?
         Debian v2.1         : NO  - 2.2.1 based
         DLX Linux v?        : ?   - ?
         DOS Linux v?        : ?   - ?
         Hal91 Linux v?      : ?   - ?
         Linux Mandrake v5.3 : YES - ?
         Linux Mandrake v6.0 : YES - 2.2.5 based
         Linux PPC vR4       : NO  - ?
         Linux Pro v?        : ?   - ?
         LinuxWare v?        : ?   - ?
         MkLinux v?          : ?   - ?
         MuLinux v3rl        : YES - ?
         Redhat < v4.x       : NO  - ?
         Redhat v5.0         : YES - ?
         Redhat v5.1         : YES - ?
         Redhat v5.2         : YES - 2.0.36 based
         Redhat v6.0         : YES - 2.2.5 based
         Slackware v3.0      : ?   - ?
         Slackware v3.1      : ?   - ?
         Slackware v3.2      : ?   - ?
         Slackware v3.3      : ?   - 2.0.34 based
         Slackware v3.4      : ?   - ?
         Slackware v3.5      : ?   - ?
         Slackware v3.6      : ?   - ?
         Slackware v3.9      : ?   - 2.0.37pre10 based
         Slackware v4.0      : ?   - ?
         Stampede Linux v?   : ?   - ?
         SuSE v5.2           : YES - ?
         SuSE v5.3           : YES - ?
         SuSE v6.0           : YES - ?
         SuSE v6.1           : YES - 2.2.5 based
         Tomsrbt Linux v?    : ?   - ?
         TriLinux v?         : ?   - ?
         TurboLinux v?       : ?   - ?
         Yggdrasil Linux v?  : ?   - ?

      B. If not, recompile kernel with IP Masq support

   2. Create ruleset and enable IP Masq

      A. Create /etc/rc.d/rc.firewall
      B. chmod 700 /etc/rc.d/rc.firewall
      C. Add rc.firewall to startup scripts (usually /etc/rc.d/rc.local)
      D. Enable IP Masq by running /etc/rc.d/rc.firewall

      # Simple ruleset
      ipchains -P forward DENY
      ipchains -A forward -s 192.168.1.0/24 -j MASQ
      (or ipchains -A forward -s 192.168.1.0/255.255.255.0 -j MASQ)
      echo 1 > /proc/sys/net/ipv4/ip_forward

   3. Test IP Masq
      - ping ip's on your local network - local networking is functional
      - ping ip's outside of your network - IP Masq is working
      - ping hostnames outside of your network - outside DNS is working
      - traceroute hosts outside of your network - lets you see where the packet is failing
      - Fire up Netscape and go to http://www.mn-linux.org
      - ifconfig -a
      - netstat -rn
      - /sbin/ipchains -L

   4. Set Default route on all machines

V. Modules
   Most applications work fine with IP Masq, but some don't, because of the different port numbers they use on the reverse connection. Modules understand these connections.
   - FTP
   - CuSeeMe
   - IRC (DCC file transfers)
   - Real Audio (UDP)
   - Quake/II/III

VI. Bugs and Annoyances

   Gamespy can crash IP Masq because it creates 10,000 quick connections in a short time. The tables become full.

   Timeouts - Default is 15 minutes
      # MASQ timeouts
      #
      # 2 hrs timeout for TCP session timeouts
      # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
      # 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
      #
      /sbin/ipchains -M -S 7200 10 60

   MTU problem - Set MTU to 1500 more ppp

VII. IPautofw Packet Forwarder
   Allows connections from the internet to an internal machine. Next month's talk.

VIII. How IP Chains work

           ----------------------------------------------------------------
           |            ACCEPT/                              lo interface |
           v           REDIRECT                  _______                  |
   --> C --> S --> ______ --> D --> ~~~~~~~~ -->|forward|----> _______ -->
       h     a    |input |    e    {Routing }   |Chain  |     |output |ACCEPT
       e     n    |Chain |    m    {Decision}   |_______| --->|Chain  |
       c     i    |______|    a     ~~~~~~~~        |     | ->|_______|
       k     t       |        s         |           |     | |     |
       s     y       |        q         |           v     | |     |
       u     |       v        e         v         DENY/   | |     v
       m     |     DENY/      r       Local Process       | |   DENY/
       |     v     REJECT     a         |                 | |   REJECT
       |   DENY               d         --------------------- |
       v                      e                           -----------------------------
      DENY
   1. Options to ipchains

      Operations on a whole chain:
      1. Create a new chain (-N).
      2. Delete an empty chain (-X).
      3. Change the policy for a built-in chain (-P).
      4. List the rules in a chain (-L).
      5. Flush the rules out of a chain (-F).
      6. Zero the packet and byte counters on all rules in a chain (-Z).

      Manipulate rules inside a chain:
      1. Append a new rule to a chain (-A).
      2. Insert a new rule at some position in a chain (-I).
      3. Replace a rule at some position in a chain (-R).
      4. Delete a rule at some position in a chain (-D).
      5. Delete the first rule that matches in a chain (-D).

      Masquerading options:
      1. List the currently masqueraded connections (-M -L).
      2. Set masquerading timeout values (-M -S). (But see "I can't set masquerading timeouts!" in the HOWTO.)

   2. Inversion
      Many flags, including the `-s' and `-d' flags, can have their arguments preceded by `!' (pronounced `not') to match addresses NOT equal to the ones given. For example, `-s ! localhost' matches any packet not coming from localhost.

   3. Protocol
      The protocol can be specified with the `-p' flag. Protocol can be a number (if you know the numeric protocol values for IP) or a name for the special cases of `TCP', `UDP' or `ICMP'. Case doesn't matter, so `tcp' works as well as `TCP'. The protocol name can be prefixed by a `!' to invert it, such as `-p ! TCP'.

   4. Specifying TCP and UDP ports
      ipchains -p TCP -d 0.0.0.0/0 6000:6010   (inclusive range)
      ipchains -p TCP -d 0.0.0.0/0 :1023       (0-1023)
      ipchains -p TCP -d 0.0.0.0/0 ! www       (any port except www)

   5. Interface
      -i <interface>

   6. TCP SYN packets only
      -p TCP -s 192.168.1.1 -y

IX. Links
http://members.home.net/ipmasq/
http://members.home.net/ipmasq/ipmasq-HOWTO-1.76.html
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri
Here is a simple rc.firewall script.

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
#          are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  This module is
#       for multiple users behind the Linux MASQ server.  If you are going to play
#       Quake I, II, and III, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
#       option.  This enables dynamic-ip address hacking in IP MASQ, making the life
#       with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# DHCP:  For people who receive their external IP address from either DHCP or BOOTP
#        such as ADSL or Cablemodem users, it is necessary to use the following
#        before the deny command.  The "bootp_client_net_if_name" should be replaced
#        with the name of the link that the DHCP/BOOTP server will put an address on to?
#        This will be something like "eth0", "eth1", etc.
#
#        This example is currently commented out.
#
#
#/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in the 192.168.0.x
#         network with a 255.255.255.0 or a "24" bit subnet mask.
#
#         Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ