"Linux Gazette...making Linux just a little more fun!"

IP MASQ Setup with Ipchains Quick Start

By Terry 'Mongoose' Hendrix II and Anderson Silva

Last month, my brother and I decided that we were going to set up a small network at my house, so that we could connect more than one computer to the Internet with only one modem and one phone line. My machine is the one with the modem and it is also running Linux (the server). My brother's machine is running Windows 95 (the client). I did some research and found some documentation about private networking on the web. I decided to try the technique of IP Masquerading with our little network at home.
IP Masquerading is the technique of assigning your computers internal IP addresses (in my case for the server and for the client) and sharing your machine's Internet connection with the other clients without having to assign them an external IP address. I read a lot of the documentation and I did actually understand the whole process, but I could not get it running right on my computer. So, I entered the #Linux IRC channel on Undernet.org and found a guy nicknamed Mongoose to help me.
He gave me a link to a quick tutorial he had written to get IP MASQ running with ipchains* in no time.

* Ipchains is a program that is bundled with RedHat 6.0 and is used to set up firewalls and IP masquerading.

After reading Mongoose's tutorial I had my private network running in less than 10 minutes. That is why I got in touch with him, and he agreed to let me publish his tutorial in the Linux Gazette.

Below is the tutorial:

The following example has:
   the IP of the gateway to the internet.
   the IP of the IP MASQ gateway's eth0.
   the IP of the IP MASQ client0's eth0.
   the IP of the IP MASQ client1's eth0.

1. On the gateway, load the ethernet card modules (if needed).

        /sbin/modprobe ne2k-pci   (each card has a specific name)

2. Bring up the device on the gateway.
   (add to /etc/rc.d/rc.local if you don't have standard interface scripts)

        /sbin/ifconfig eth0 netmask up
        /sbin/route add -net netmask eth0
        /sbin/route add default gw eth0

3. Allow your IP MASQ clients to use your Internet connection.
   A. Add this to the end of /etc/hosts.allow:


   B. Add the IPs to any other configs that require them.
      i. I suggest you use the Squid FTP/HTTP proxy for speed.

1. On each client, load the ethernet card modules (if needed).

        /sbin/modprobe ne2k-pci

2. Bring up the device on each client (add this to /etc/rc.d/rc.local if you don't have standard interface scripts).

        /sbin/ifconfig eth0 netmask up
        /sbin/route add -net netmask eth0
        /sbin/route add default gw eth0

1. Ping the clients from the gateway and vice versa.

2. Use /sbin/ifconfig to see packet traffic from each host.

3. You should be able to use telnet/ftp between machines now.
   A. If you can't telnet from the clients to the gateway, then check hosts.allow.
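A script for the three testing steps above, added here as an example; it is not part of Mongoose's tutorial. The client addresses and the interface name are assumed placeholders. Besides pinging each client and showing the interface packet counters, it checks that /etc/hosts.allow actually lists the client, since a missing entry is the usual reason telnet from a client is refused (step 3A).

```shell
#!/bin/sh
# Added example for the testing steps; not part of Mongoose's tutorial.
# Pings each client from the gateway, shows the interface packet counters,
# and checks that /etc/hosts.allow lists the client.
# The addresses and interface name below are constructed placeholders.

LAN_IF="eth0"                       # placeholder: the gateway's LAN interface
CLIENTS="192.168.1.2 192.168.1.3"   # placeholder: client0 and client1

# Return 0 if one ICMP echo request gets a reply within 2 seconds (iputils ping).
reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Return 0 if hosts.allow has a non-comment entry that covers the address.
# Understands the common client patterns of tcp_wrappers syntax: ALL, an
# exact address, and a trailing-dot network prefix such as "192.168.1.".
# The daemon field is not checked; the question is only whether the address
# is listed at all.  "EXCEPT" lists and netmask forms are not handled.
hosts_allow_permits() {   # $1 = path to hosts.allow, $2 = client address
    grep -v '^[[:space:]]*#' "$1" | (
        while IFS=: read -r _daemons clients _rest; do
            for pat in $(printf '%s' "$clients" | tr ',' ' '); do
                case "$pat" in
                    ALL) exit 0 ;;
                    *.)  case "$2" in "$pat"*) exit 0 ;; esac ;;
                    *)   [ "$pat" = "$2" ] && exit 0 ;;
                esac
            done
        done
        exit 1
    )
}

# Run all three checks from the gateway; non-zero status if anything failed.
run_checks() {
    rc=0
    /sbin/ifconfig "$LAN_IF" 2>/dev/null | grep packets    # step 2: RX/TX counters
    for host in $CLIENTS; do
        if reachable "$host"; then
            echo "ping $host: ok"
        else
            echo "ping $host: no reply (check cabling, ifconfig and route on both ends)"
            rc=1
        fi
        if hosts_allow_permits /etc/hosts.allow "$host"; then
            echo "hosts.allow: $host is listed"
        else
            echo "hosts.allow: $host is NOT listed; telnet/ftp from it will be refused"
            rc=1
        fi
    done
    return $rc
}

# Only run when invoked as "sh check_lan.sh run"; sourcing just defines the functions.
case "${1:-}" in
    run) run_checks ;;
esac
```

Note that tcp_wrappers only guards the daemons inetd starts on the gateway (telnet, ftp); it has no effect on what the gateway forwards, which is what the ipchains rules later in the tutorial control.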

1. IP forwarding setup.
   A. Enable ip forwarding for the IP MASQ gateway.

         echo "1" > /proc/sys/net/ipv4/ip_forward

   B. Make ip forwarding enabled every boot:
      i. For RedHat modify /etc/sysconfig/network as follows:


     ii. For other distros add this to /etc/rc.d/rc.local at the end:

         echo "1" > /proc/sys/net/ipv4/ip_forward

   C. To make sure no one smurfs your network, add this to rc.local:

         echo "1" > /proc/sys/net/ipv4/tcp_syncookies

2. Now set up routing.  You can add these to rc.local to load every time.
   A. Deny all ip forwarding by default.

         /sbin/ipchains -P forward DENY

   B. Allow ip forwarding for your IP MASQ machines and

         /sbin/ipchains -A forward -s -j MASQ
         /sbin/ipchains -A forward -s -j MASQ

   C. Add any masq modules you'll need.

         /sbin/modprobe ip_masq_ftp
         /sbin/modprobe ip_masq_quake
         /sbin/modprobe ip_masq_irc
         /sbin/modprobe ip_masq_user
         /sbin/modprobe ip_masq_raudio
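The whole gateway side of the tutorial (interface, forwarding, ipchains rules, masq modules) as one rc.local-style script, added here as an example; it is not part of Mongoose's tutorial. All addresses, the interface name and the NIC module are assumed placeholder values for the figures the tutorial leaves to the reader. It also sets two tunables the tutorial does not: tcp_syncookies hardens against SYN floods, whereas a smurf attack (ICMP echo to a broadcast address) is refused by icmp_echo_ignore_broadcasts, and rp_filter drops packets whose source address could not legitimately arrive on that interface. The `-s` on the MASQ rule is what limits masquerading to your private network instead of anything that reaches the forward chain.

```shell
#!/bin/sh
# Added example that is not part of Mongoose's tutorial: the gateway-side
# commands of the steps above collected into one rc.local-style script.
# Every address, interface and module name is a constructed placeholder for
# the values the tutorial leaves to the reader; substitute your own.
# DRY_RUN=1 prints each command instead of executing it, so the rule order
# can be reviewed before it touches a live box.

INET_GW="203.0.113.1"       # placeholder: the gateway to the Internet
GW_ADDR="192.168.1.1"       # placeholder: the IP MASQ gateway's eth0
LAN_NET="192.168.1.0"       # placeholder: the private network
LAN_MASK="255.255.255.0"
MASQ_SRC="192.168.1.0/24"   # placeholder: the only source ipchains will masquerade
LAN_IF="eth0"
NIC_MODULE="ne2k-pci"       # placeholder: whatever your card needs (step 1)

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Write a /proc/sys tunable (note the leading slash), or print the write when DRY_RUN=1.
set_proc() {   # $1 = /proc/sys path, $2 = value
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'echo %s > %s\n' "$2" "$1"
    else echo "$2" > "$1"; fi
}

# Gateway steps 1 and 2: module, address, LAN route, default route.
bring_up_interface() {
    run /sbin/modprobe "$NIC_MODULE"
    run /sbin/ifconfig "$LAN_IF" "$GW_ADDR" netmask "$LAN_MASK" up
    run /sbin/route add -net "$LAN_NET" netmask "$LAN_MASK" "$LAN_IF"
    run /sbin/route add default gw "$INET_GW" "$LAN_IF"
}

# IP forwarding setup (step 1) plus two tunables the tutorial does not mention.
harden_kernel() {
    set_proc /proc/sys/net/ipv4/ip_forward 1        # 1A/1B: gateway forwards packets
    set_proc /proc/sys/net/ipv4/tcp_syncookies 1    # 1C: survives SYN floods
    # smurf is ICMP echo to a broadcast address; this is the tunable that refuses it
    set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
    # drop packets whose source address could not have arrived on that interface
    set_proc /proc/sys/net/ipv4/conf/all/rp_filter 1
}

# Routing setup (step 2): deny-by-default first, then masquerade only the LAN.
masq_rules() {
    run /sbin/ipchains -P forward DENY                     # 2A
    run /sbin/ipchains -A forward -s "$MASQ_SRC" -j MASQ   # 2B, one line per client network
    for m in ip_masq_ftp ip_masq_quake ip_masq_irc ip_masq_user ip_masq_raudio; do
        run /sbin/modprobe "$m"                            # 2C
    done
}

gateway_setup() {
    bring_up_interface
    harden_kernel
    masq_rules
}

# Only act when called as "sh masq-gateway.sh start"; sourcing just defines functions.
case "${1:-}" in
    start) gateway_setup ;;
esac
```

Call it as `sh masq-gateway.sh start` from rc.local, or run `DRY_RUN=1 sh masq-gateway.sh start` first to read the command list. In both modes the DENY policy is installed before the MASQ rule, so there is no window in which the forward chain passes everything.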

If you follow this tutorial your network should work just fine. One other problem that I encountered after setting up my IP MASQ was that my client could only access servers on the net by their IP addresses. So, I set up DNS on my Linux box so that my clients could do domain lookups. All you need to do is set /etc/resolv.conf with your nameservers, and make sure that the named daemon is activated. That should solve the problem.

And if you have done all of these steps you should be all set to run your private network. If you want to learn more about IP MASQ and firewalling, please refer to the HOWTO documentation at: http://metalab.unc.edu/linux/HOWTO/HOWTO-INDEX-3.html#ss3.1

Copyright © 1999, Terry 'Mongoose' Hendrix II and Anderson Silva
Published in Issue 43 of Linux Gazette, July 1999