Linux Magazine / August 1999 / GURU GUIDANCE
Setting Up IP Masquerade
 

IP-Masq Requirements

Believe it or not, it's easy to run 25 to 50 hosts behind a 66 MHz 486 Linux IP Masq server with as little as 16 MB of RAM. I even have a buddy who runs a small Masqed LAN behind a 40 MHz 486 with 8 MB of RAM, and his network is connected via a 5 Mb/s cable modem. Did I also mention that it's running a number of other services, including DHCP, SMTP, DNS, POP3, SMB, and NFS? So really, you should be fine with a decent 486-class or better machine.

With IP-Masq, you can connect your Linux box to the Internet any way you want. Internet connectivity options include PPP for modem users, Ethernet for xDSL and cable modem users, FDDI for corporate users, and even packet radio for amateur (ham) radio operators. Once connected, you just need to connect your internal network to the Linux box and you're ready to set up IP Masquerading.

Setting Up Linux IP Masquerade

Setting up Linux IP Masq really isn't that difficult. Modern Linux distributions, such as Red Hat 5.0, SuSE 6.0, and many others, support Linux IP Masquerade out of the box. My instructions make a few assumptions:

* You are running a 2.2.x Linux kernel, which supports IP Masquerading by default. If your system isn't running a 2.2.x kernel, or if you need to re-compile your kernel to support IP Masquerade, consult the IP-MASQ-HOWTO (the URL for the HOWTO and other useful resources can be found on pg. 52). It has complete instructions on how to install IP Masq on a 2.0.x kernel and how to re-compile a kernel to support IP Masquerade.

* You already have a working Internet connection to your Linux box, including working DNS lookups. For example, you need to be able to run ping www.yahoo.com on your Linux server and get ping replies. If you don't have either of these configured, consult some of the excellent HOWTOs at the Linux Documentation Project homepage or the TrinityOS document.

* You already have a working internal network that uses the 192.168.0.x addressing space (RFC 1918, http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html). This RFC defines several IP address ranges that any person or organization can use on an internal network. These ranges (10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x) are never routed on the public Internet, which is why they are the recommended ranges to use behind a NAT or proxy server. You can use any other internal addressing scheme, but understand that you will have to make some minor changes to this guide to get things working.

* All of the internal machines use your Linux server as their default gateway (for this example, I used 192.168.0.1). If you are unsure how to do this, the IP-MASQ-HOWTO covers it in detail for over ten different operating systems.

* All of your internal machines are configured to use your ISP's DNS servers or to use your Linux server as their DNS server.

Seven Steps to IP Masquerade

Step #1: Confirm that IP Masq is enabled on your machine.

Run the command ls /proc/net and make sure that the entry ip_masquerade exists. If it doesn't, you will need to compile a new kernel with IP Masquerade support; instructions on how to do this can be found in the IP-Masq-HOWTO.

Step #2: Confirm that the ipchains firewall tool exists.

Run the command ls -la /sbin/ipchains and make sure the file exists. If it doesn't, you will need to download ipchains as explained in the IP-Masq-HOWTO.

Step #3: Create the rc.firewall ruleset.

Create the file /etc/rc.d/rc.firewall and enter the minimal ruleset listed in Listing One.

Step #4: Make the /etc/rc.d/rc.firewall ruleset readable and executable only by the root user.

Run the command chmod 700 /etc/rc.d/rc.firewall. The file should also be owned by root, since it is run with root privileges at boot and whoever can edit it controls your firewall.

Step #5: If you plan on having IP Masquerade run after each reboot of your Linux machine, add it to your Linux startup scripts.

Append the line /etc/rc.d/rc.firewall to the end of the /etc/rc.d/rc.local file.

Step #6: Enable IP Masquerade.

Run the command /etc/rc.d/rc.firewall and make sure that the script runs without any errors. If you do receive errors, check again that your setup passes all of the assumption tests at the beginning of this section.

Step #7: Test IP Masquerade.

From one of the Masqed machines, make sure that you can ping the Linux server's internal IP address:

ping 192.168.0.1

You should see output similar to Figure 3. Hit Ctrl-C to stop the ping. Then make sure you can ping the Masq Linux server's external IP address (e.g. ping 123.123.123.123, substituting your own Internet IP address for this one). You can find that address by running /sbin/ifconfig on the server and looking at the address assigned to your external interface.

Figure 3: IP Masquerade Test

 PING 192.168.0.1 (192.168.0.1): 56 data bytes
 64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=1.5 ms
 64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.6 ms
 --- 192.168.0.1 ping statistics ---
 2 packets transmitted, 2 packets received, 0% packet loss
 round-trip min/avg/max = 0.6/1.0/1.5 ms

Make sure you can ping the IP address of an external server. For connections to the Internet, see if you can ping the TCP/IP address of the Linux Documentation Project (LDP) server by typing ping 152.19.254.81.

If that doesn't work, try other IP addresses. Sometimes the Internet breaks and you won't always be able to reach all servers, so try pinging a different IP address, such as Yahoo's (204.71.200.67).

Make sure you can ping an external server by name. For connections to the Internet, see if you can ping the LDP server by its host name:

ping metalab.unc.edu

Running the tests first with the raw IP address and then with the host name isolates any problems you might have with DNS name resolution from problems with the masquerading itself.

Make sure you can telnet to an external server. For connections to the Internet, see if you can telnet to the LDP server by typing telnet metalab.unc.edu.

If you receive a login: prompt, IP Masq is working! Don't bother trying to log into this machine, since you don't have a username or password on it. Note that the LDP server can be very slow at times, so don't take the response time of this test as indicative of the performance of your Masq connection.

Finally, load a Web browser on a Masqed PC and see if you can browse the Internet. You should also find out if you can use other networked programs like FTP, RealAudio, or IRC.
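The seven steps above collapsed into one script, as an added example: this is not the article's Listing One and not the author's code. It is an ipchains ruleset for a 2.2.x kernel that also performs the Step 1 and Step 2 checks before applying anything. The internal network 192.168.0.0/24 matches the article's assumptions; the external interface name eth0, the DRY_RUN switch, the function names and the choice of helper modules (ip_masq_ftp, ip_masq_irc, ip_masq_raudio, which the FTP, IRC and RealAudio checks in Step 7 depend on because those protocols carry addresses inside their payloads) are my assumptions, not something the article specifies.

```shell
#!/bin/sh
# rc.firewall: a minimal ipchains IP Masquerade ruleset for a 2.2.x kernel.
# Added example, not the article's Listing One. Assumptions (not from the
# article): the external interface is eth0, the internal network is
# 192.168.0.0/24, and DRY_RUN=1 (the default) only records what would run,
# so the script can be inspected without root. Run as root with DRY_RUN=0
# to apply the rules for real.

EXTIF=${EXTIF:-eth0}
INTNET=${INTNET:-192.168.0.0/24}
DRY_RUN=${DRY_RUN:-1}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
NL='
'
APPLIED=""   # newline-separated log of every command issued (or planned)

# Steps 1 and 2: the kernel must expose /proc/net/ip_masquerade and the
# ipchains binary must be present. Both paths can be overridden for testing.
check_prereqs() {
    [ -e "${1:-/proc/net/ip_masquerade}" ] || { echo "no IP Masq support in kernel" >&2; return 1; }
    [ -x "${2:-$IPCHAINS}" ] || { echo "ipchains not found" >&2; return 1; }
}

# Record a command; execute it only when DRY_RUN=0. Any failure aborts the
# ruleset so the box is never left half-configured with forwarding switched on.
run() {
    APPLIED="${APPLIED:+$APPLIED$NL}$*"
    [ "$DRY_RUN" = 0 ] || return 0
    "$@" || { echo "failed: $*" >&2; return 1; }
}

# Writes to /proc/sys go through a function so they are logged like commands.
write_proc() { echo "$2" > "$1"; }

# Helpers for inspecting the log (used by the dry run and by tests).
applied_has() { case "$APPLIED" in *"$1"*) return 0 ;; *) return 1 ;; esac; }
applied_count() { printf '%s\n' "$APPLIED" | grep -c .; }

masq_ruleset() {
    APPLIED=""
    # Masq helper modules so FTP, IRC and RealAudio clients work through the NAT.
    for mod in ip_masq_ftp ip_masq_irc ip_masq_raudio; do
        run /sbin/modprobe "$mod" || return 1
    done
    # Masquerading needs whole packets; 2.2 also has a knob for dynamic (PPP) IPs.
    run write_proc /proc/sys/net/ipv4/ip_always_defrag 1 || return 1
    run write_proc /proc/sys/net/ipv4/ip_dynaddr 1 || return 1
    # Default-deny forwarding: nothing is relayed unless a rule says so.
    run "$IPCHAINS" -P forward DENY || return 1
    run "$IPCHAINS" -F forward || return 1
    # Only the internal network, leaving via the external interface, is masqueraded.
    run "$IPCHAINS" -A forward -s "$INTNET" -i "$EXTIF" -j MASQ || return 1
    # Anti-spoofing: drop and log packets arriving from the Internet that claim
    # an internal source address.
    run "$IPCHAINS" -A input -i "$EXTIF" -s "$INTNET" -j DENY -l || return 1
    # Turn forwarding on last, only after the policy above is in place.
    run write_proc /proc/sys/net/ipv4/ip_forward 1 || return 1
}

if [ "$DRY_RUN" = 0 ]; then
    check_prereqs || exit 1
fi
masq_ruleset || exit 1
[ "$DRY_RUN" = 0 ] || printf 'DRY_RUN=1, commands that would run:\n%s\n' "$APPLIED"
```

With the default DRY_RUN=1 the script just lists the commands it would run, so it can be checked as an ordinary user; DRY_RUN=0 /etc/rc.d/rc.firewall as root applies them. Two choices are deliberate: the forward chain's policy is DENY and only the internal network leaving via the external interface is masqueraded, so nothing else is relayed through the box, and ip_forward is switched on only after those rules exist, so there is no window during boot in which the machine forwards unfiltered.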

