Differences between current version and previous revision of HowToMasqueradingSimpleHOWTO.
Newer page: version 3, last edited on Thursday, October 21, 2004 5:30:31 pm by AristotlePagaltzis
Older page: version 2, last edited on Friday, June 7, 2002 1:07:04 am by perry
@@ -1,781 +1 @@
-Masquerading Made Simple HOWTO
-!!!Masquerading Made Simple HOWTO
-!John Tapsell
-
- tapselj0@cs.man.ac.uk
-
-
-
-!Thomas Spellman
-
- thomas@resonance.org
-
-
-
-!Matthias Grimm
-
- !DeadBull@gmx.net
-
-
-
-__Revision History__Revision .072002-02-27Revised by: jptRevision .062001-09-08Revised by: jptRevision .052001-09-07Revised by: jptRevision .042001-09-01Revised by: jptRevision .032001-07-06Revised by: jpt
-
-
-
-
-
- All of the authors are available on #debian on irc.opensource.net
-
-
-
-
- John Tapsell (!JohnFlux) is the official maintainer.
-
-
-
-
- Email me (John Tapsell) for any query, flame, feedback, a date, etc.
-
-
-
-
- Shamelessly stealing from David Ranch's work - `dranch@trinnet.netb.
-
-
-
-
- This is NOT a replacement for the IP-Masquerading HOWTO - it is to
-complement it, and the two should be read side by side. I do not include
-things in
here that are covered by the the other HOWTO, nor do I explain
-what it all means, or what it is all about. See
-http://ipmasq.cjb.net
-and the standard Masq-HOWTO for a much better guides.
-
-
-
-
- This document describes how to enable the Linux IP Masquerade feature
-on a given Linux host. IP Masq is a form of Network Address
-Translation or NAT that allows internally networked computers that do not
-have one or more registered Internet IP addresses to have the ability
-to communicate to the Internet via your Linux boxes single Internet IP
-address.
-
-
-
-
- This is all under the GNU Free Documentation License
-
-
-
-
- http://www.gnu.org/copyleft/fdl.html
-
-
-
-
-
-
-
-----; __Table of Contents__; 1. Introduction; 2. Summary: (I like doing summaries first); 3. Bitmore indepth version; 4. Post-install Instructions; 5. FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions
-!!!1. Introduction
-
- This is intentionally short and to the point.
-
-
-
-
- If you have a network, that you want to attach to the outside:
-
-
-
-
-
-
-
-
-
-
-
-----
-!!!2. Summary: (I like doing summaries first)
-
- Assuming external internet card is eth0, and external IP is 123.12.23.43
-and the internal network card is eth1, then:
-
-
-
-$b __modprobe ipt_MASQUERADE__ # If this fails, try continuing anyway
-$b __iptables -F; iptables -t nat -F; iptables -t mangle -F__
-$b __iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43__
-$b __echo 1 b /proc/sys/net/ipv4/ip_forward__
-
- Or for a dial-up connection:
-
-
-
-$b __modprobe ipt_MASQUERADE__ # If this fails, try continuing anyway
-$b __iptables -F; iptables -t nat -F; iptables -t mangle -F__
-$b __iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE__
-$b __echo 1 b /proc/sys/net/ipv4/ip_forward__
-
- Then to secure it:
-
-
-
-$b __iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT__
-$b __iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT__
-$b __iptables -P INPUT DROP__ #only if the first two are succesful
-$b __iptables -A FORWARD -i eth0 -o eth0 -j REJECT__
-
- Or for a dial-up connection (with eth0 as the internal network card):
-
-
-
-$b __iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT__
-$b __iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT__
-$b __iptables -P INPUT DROP__ #only if the first two are succesful
-$b __iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT__
-
- And thats it! To view the rules do "__iptables -t nat -L__"
-
-
-----
-!!!3. Bitmore indepth version
-
- Compiling the kernel: (Use a 2.4.x kernel or greater)
-
-
-
-
- You need the following support in the kernel:
-
-
-
-
-
-
-
-*
-
- Under Networking Options
-
-
-
-
-
-
-
-**
-
- Network packet filtering (CONFIG_NETFILTER)
-
-
-
-**
-*
-*
-
- Under Networking Options-bNetfilter Configuration
-
-
-
-
-
-
-
-**
-
- Connection tracking (CONFIG_IP_NF_CONNTRACK)
-
-
-
-**
-**
-
- FTP Protocol support (CONFIG_IP_NF_FTP)
-
-
-
-**
-**
-
- IP tables support (CONFIG_IP_NF_IPTABLES)
-
-
-
-**
-**
-
-
-Connection state match support (CONFIG_IP_NF_MATCH_STATE)
-
-
-
-**
-**
-
- Packet filtering (CONFIG_IP_NF_FILTER)
-
-
-
-
-
-
-
-***
-
- REJECT target support (CONFIG_IP_NF_TARGET_REJECT)
-
-
-
-***
-**
-**
-
- Full NAT (CONFIG_IP_NF_NAT)
-
-
-
-
-
-
-
-***
-
- MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE)
-
-
-
-***
-***
-
- REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)
-
-
-
-***
-**
-**
-
- Packet mangling (CONFIG_IP_NF_MANGLE)
-
-
-
-**
-**
-
- LOG target support (CONFIG_IP_NF_TARGET_LOG)
-
-
-
-**
-*
-
- First, if the iptable and masq modules are not compiled into the kernel and
-not installed, but do exist as modules, we need to install them.
-If you insmod ipt_MASQUERADE it will load ip_tables, ip_conntrack and
-iptable_nat.
-
-
-
-$b __modprobe ipt_MASQERADE__
-
- Now either your Intranet is large, or you're just trying to get two or three
-machines to work on the internet - it doesn't make much difference either way.
-
-
-
-
- Okay, I'm assuming that you have no other rules, so do:
-
-
-
-$b __iptables -F; iptables -t nat -F; iptables -t mangle -F__
-
- If you get an error saying can't find iptables, go find it and install it.
-If it says no such table 'nat', recompile the kernel with nat support. If
-it says no such table as 'mangle', don't worry about it, it's not necessary
-for MASQ'ing. If it says iptables is incompatible with your kernel, go get b 2.4
-and compile that with iptables support.
-
-
-
-
- Then if you have a static ip do (e.g. network card not using DHCP):
-
-
-
-$b __iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43__
-
- or for dynamic (e.g. a modem - you have to call a number first):
-
-
-
-$b __iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE__
-
- Then finally to tell the kernel yes, you really do want to start forwarding
-packets: (This only needs to be done once per reboot - but dosen't hurt to
-do it lots)
-
-
-
-$b __echo 1 b /proc/sys/net/ipv4/ip_forward__
-
- Once you have checked this all works (See under Post-install) only allow
-masquerading from the internal network - you don't want to allow people on
-the internet to use it after all :)
-
-
-
-
- First, allow any existing connections, or anything related (e.g. ftp server
-connecting back to you)
-
-
-
-$b __iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT__
-
- If this gives an error, then you most likely don't have state tracking in
-the kernel - go recompile. Then allow new connections only from our
-intranet (local/internal network). Replace the ppp0 with eth0 or
-whatever your ''external'' device is. (The ! means anything but)
-
-
-
-$b __iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT__
-
- And now deny everything else:
-
-
-
-$b __iptables -P INPUT DROP__ #only if the first two are succesful
-
- If either of the first two rules failed, then this last rule with prevent
-the masquerading from working at all. To undo this rule do
-"__iptables -P INPUT ACCEPT__".
-
-
-----
-!!!4. Post-install Instructions
-
- And it should all work now. Don't forget to:
-
-
-
-
-
-
-
-*
-
- Setup all the clients on the internal network to point to the Linux
-internal IP address as their gateway.
-(In windows right-click network neighbourhood-bproperties-bgateway
-then change it to the Linux gateway internal ip.)
-
-
-
-*
-*
-
- Setup all the clients to use your ISP's HTTP proxy if they have one,
-use a transparent proxy (WARNING - I've heard reports of transparent
-proxying to be very slow on very big networks), or run squid on your
-new linux gateway. (This is optional, but preferrable for large networks)
-
-
-
-*
-*
-
- Now you should start securing it! First turn off forwarding in general:
-"__iptables -P FORWARD DROP__", and then learn how to use
-iptables and /etc/hosts.allow and
-/etc/hosts.deny to secure your system. WARNING
-- Don't try this mentioned iptables rule until you have the masquerading
-working. You have to explicitely allow every packet through that you want
-if you are going to set the last rule to be DENY.
-(Undo with "__iptables -P FORWARD ACCEPT__")
-
-
-
-*
-*
-
- Allow through any services you do want the internet to see.
-
-
-
-
- For an example, to allow access to your web server do:
-
-
-
-$b __iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT__
-$b __iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT__
-
- To allow ident (For connecting to irc etc) do
-
-
-
-$b __iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT__
-*
-
- To test it:
-
-
-
-
-
-
-
-*
-
- Try connecting from a client to the web using an IP. Google's IP is
-216.239.33.100 (well that's one of them) and you should be able to get a
-reply from that. e.g. "__ping 216.239.33.100__"
-"__lynx 216.239.33.100__".
-
-
-
-*
-*
-
- Try a full out connection by name. e.g. "__ping google.com__"
-"__lynx google.com__" or from Internet Explorer / netscape.
-
-
-
-*
-
- Where eth0 is the external Internet card, and 123.12.23.43 is the external
-ip of that machine.
-
-
-----
-!!!5. FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions
-
-
-
-
-*
-
- How do I list the rules I've got so far?
-
-
-
-
- - Try
-
-$b __iptables -L__
-$b __iptables -t nat -L__
-
-
-
-*
-*
-
-
-It don't work! It doesn't like iptables / NAT / SNAT / MASQ
-
-
-
-
- - Go get the latest kernel, and compile with iptables and full NAT support.
-
-
-
-*
-*
-
- It don't work! The masquerading doesn't work at all! Die scum!
-
-
-
-
- - Try __echo 1 b /proc/sys/net/ipv4/ip_forward__
-
-
-
-*
-*
-
- It don't work! I can't use the network at all and I hate you!
-
-
-
-
- - Try
-
-$b __iptables -F__
-$b __iptables -t nat -F__
-$b __iptables -t mangle -F__
-
-
-
-
- (all rules went bye-bye) then rerun the other iptables rules.
-
-
-
-
- - Try __iptables -P FORWARD ACCEPT__
-
-
-
-*
-*
-
- It still don't work!
-
-
-
-
- - Hmm, does "__dmesg | tail__" give any errors?
-or "__cat /var/log/messages | tail__" ? Like I care tho...
-
-
-
-*
-*
-
- I don't get, it just ain't working!
-
-
-
-
- - I dunno.. but you should be able to:
-
-
-
- 1) From the gateway machine, ping the outside
-2) From the gateway ping your internal machines
-3) From the internal machines ping the gateway
-
- And this is ''before'' you play with masq'ing
-
-
-
-*
-*
-
- Where do I put this stuff?
-
-
-
-
- - In the /etc/network/interfaces file, or
-firewall.rc. If you put it in the interfaces file, then put
-it as a pre-up to the external interface, and have
-"__iptables -t nat -F__" as the post-down.
-
-
-
-*
-*
-
- How do I get it to only bring the ppp up on demand?
-
-
-
-
- - Assuming your ISP gateway IP is say 23.43.12.43 for arguments sake, then
-append a line like this:
-
-
-
-
-
-__:23.43.12.43__
-
-
-
-
- to /etc/ppp/peers/provider at the end.
-(this is for dynamic IP - static IP would be
-my.__external.ip.number:23.43.12.43__ )
-
-
-
-
- Then at the end of that file add on a newline:
-
-
-
-
- __demand__
-
-
-
-
- Pppd will remain in the background to redial the connection on demand
-if it's dropped until you do an "__ifdown ppp0__" or
-a "__poff__", unless you add
-a "__nopersist__" option, in which case pppd will exit after the connection
-is up. You can also add on a new line "__idle 600__" to disconnect after 10
-mins of idleness.
-
-
-
-
-
-
-
-*
-*
-
- The connection keeps dropping!
-
-
-
-
- - First, do you have demand dialing? Is it just doing what it is supposed
-to?
-Check /etc/ppp/peers/provider, and make sure your dial up works fine
-before attempting masq'ing.
-
-
-
-
- - Secondly, if not, then perhaps, like me, something is going weird, and
-you need to fall back to Linux 2.4.3 and see if that works instead.. dunno
-why.
-
-
-
-*
-*
-
- I hate doing this myself! I want a pre-made script and GUI and stuff.
-
-
-
-
- - Sure: http://shorewall.sourceforge.net/
-
-
-
-
- Eat your heart out!
-
-
-
-*
-*
-
- Do I count Cable modems as static or dynamic IP's?
-
-
-
-
- - Good question.. might as well make it dynamic.
-
-
-
-*
-*
-
- Do I count DHCP network cards as static or dynamic IP's?
-
-
-
-
- - They are dynamic.
-
-
-
-*
-*
-
- How do I handle incomming services?
-
-
-
-
- - Try forwarding or redirecting the IP ports - again make
-sure you firewall this if needed.
-
-
-
-*
-*
-
- From the clients, I can ping the linux gateway's external IP
-address, but can't access the internet.
-
-
-
-
- - Okay, try doing "__rmmod iptable_filter__" - more
-info on this as I get it.
-
-
-
-
- - Make sure your not running ''routed'' or
-''gated'' - to check run
-"__ps aux | grep -e routed -e gated__".
-
-
-
-
- - Look at http://ipmasq.cjb.net
-
-
-
-*
-*
-
- How can I view the connections establish? Something like netstat..
-
-
-
-
- - Try cat /proc/net/ip_conntrack
-
-
-
-*
-*
-
- I need more squid info and routing and stuff!
-
-
-
-
- - Try the Advanced Routing HOWTO
-http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
-
-
-
-*
-*
-
- This howto is crap! How do I yell at the guys who wrote this?
-
-
-
-
- - Go to #debian on irc.opensource.net and find and locate !JohnFlux.
-
-
-
-*
-*
-
- This howto is crap! How can I see better versions?
-
-
-
-
- - Try http://ipmasq.cjb.net
-
-
-
-
- - Consult the LDP Masq-HOWTO
.
-
-
-
-*
+Describe [HowToMasqueradingSimpleHOWTO]
here.
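Review bot: a wholesale deletion with only the placeholder `Describe [HowToMasqueradingSimpleHOWTO] here.` left behind leaves the page title pointing at nothing; if the intent is to stop mirroring a GFDL copy of an LDP document, keep at least a one-line reference to the canonical sources the removed text itself names (http://ipmasq.cjb.net, the LDP Masq-HOWTO and http://shorewall.sourceforge.net/) so a reader landing here still gets somewhere. If the content is ever restored, it should not come back verbatim. First, the removed lines carry rendering damage: a stray `b` stands where `>` and `->` belong (the `$b` prompt, `echo 1 b /proc/sys/net/ipv4/ip_forward`, the "Networking Options-bNetfilter Configuration" menu path), so the redirections and arrows need to be restored before any of it is pasted into a shell. Second, the "Then to secure it" sequence in sections 2 and 3 has a logic gap: it sets the INPUT policy to DROP but leaves the FORWARD chain at its default ACCEPT policy, and the only FORWARD rule, `iptables -A FORWARD -i eth0 -o eth0 -j REJECT`, covers traffic entering and leaving on the external interface only, so with ip_forward enabled the gateway forwards anything else that reaches it until the reader gets to section 4's FORWARD DROP policy. A restored version should set the FORWARD policy to DROP at the same point as the INPUT policy and add a FORWARD accept for ESTABLISHED,RELATED state plus an accept for NEW connections arriving on the internal interface and leaving on the external one; nothing else is needed for masquerading to work. Two smaller points in the removed FAQ: the suggested `rmmod iptable_filter` troubleshooting step unloads the filter table and with it every INPUT and FORWARD rule the earlier sections added, so it should not be offered without a warning that it removes the firewall; and the `-i ! ppp0` / `-i ! eth0` negation form is the deprecated intrapositioned syntax, which current iptables wants written as `! -i ppp0`.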