Linux IP Masquerade HOWTO

David A. Ranch
May 22, 2005

This document describes how to enable the Linux IP Masquerade feature on a given Linux host. IP Masquerade is a form of Network Address Translation (NAT) which allows internally connected computers that do not have one or more registered Internet IP addresses to communicate to the Internet via the Linux server's Internet IP address.

Table of Contents

Chapter 1. Introduction
  1.1. Introduction to IP Masquerading or IP MASQ
  1.2. Foreword, Feedback & Credits
  1.3. Copyright & Disclaimer

Chapter 2. Background Knowledge
  2.1. What is IP Masquerade?
  2.2. Current Status
  2.3. Who Can Benefit From IP Masquerade?
  2.4. Who Doesn't Need IP Masquerade?
  2.5. How does IP Masquerade Work?
  2.6. Requirements for IP Masquerade on Linux 2.4.x
  2.7. Requirements for IP Masquerade on Linux 2.2.x
  2.8. Requirements for IP Masquerade on Linux 2.0.x

Chapter 3. Setting Up IP Masquerade
  3.1. Compiling a new kernel if needed
  3.2. Checking your existing kernel for MASQ functionality
    3.2.1. Compiling Linux 2.4.x Kernels
    3.2.2. Compiling Linux 2.2.x Kernels
    3.2.3. Compiling Linux 2.0.x Kernels
  3.3. Assigning Private Network IP Addresses to the Internal LAN
  3.4. Configuring IP Forwarding Policies
    3.4.1. Configuring IP Masquerade on Linux 2.6.x and 2.4.x Kernels
    3.4.2. Configuring IP Masquerade on Linux 2.2.x Kernels
    3.4.3. Configuring IP Masquerade on Linux 2.0.x Kernels

Chapter 4. Configuring the other internal to-be MASQed machines
  4.1. Configuring Microsoft Windows 95 and OSR2
  4.2. Configuring Windows NT
  4.3. Configuring Windows for Workgroup 3.11
  4.4. Configuring UNIX Based Systems
  4.5. Configuring DOS using NCSA Telnet package
  4.6. Configuring MacOS Based System Running MacTCP
  4.7. Configuring MacOS Based System Running Open Transport
  4.8. Configuring Novell network using DNS
  4.9. Configuring OS/2 Warp
  4.10. Configuring OS/400 on a IBM AS/400
  4.11. Configuring Other Systems

Chapter 5. Testing IP Masquerade
  5.1. Loading up the rc.firewall ruleset
  5.2. Testing internal MASQ client PC connectivity
  5.3. Testing internal MASQ client to MASQ server connectivity
  5.4. Testing internal MASQ server connectivity
  5.5. Testing internal MASQ server to MASQ client connectivity
  5.6. Testing External MASQ server Internet connectivity
  5.7. Testing internal MASQ client to external MASQ server connectivity
  5.8. Testing external MASQ ICMP forwarding
  5.9. Testing MASQ functionality without DNS
  5.10. Testing MASQ functionality with DNS resolution
  5.11. Testing more MASQ functionality with DNS
  5.12. Any remaining functional, performance, etc. issues

Chapter 6. Other IP Masquerade Issues and Software Support
  6.1. Problems with IP Masquerade
  6.2. Incoming services
  6.3. Supported Client Software and Other Setup Notes
    6.3.1. Network Clients that -Work- with IP Masquerade
    6.3.2. Clients that do not have full support in IP MASQ:
  6.4. Stronger firewall rulesets to run after initial testing
    6.4.1. Stronger IP Firewall (IPTABLES) rulesets
    6.4.2. Stronger IP Firewall (IPCHAINS) rulesets
    6.4.3. Stronger IP Firewall (IPFWADM) Rulesets
  6.5. IP Masquerading multiple internal networks
    6.5.1. iptables support for multiple internal lans
    6.5.2. ipchains support for multiple internal lans
    6.5.3. ipfwadm support for multiple internal lans
  6.6. IP Masquerade and Dial-on-Demand Connections
  6.7. IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port Forwarding tools
    6.7.1. 2.4.x PORTFWD'ing: Using IPTABLE's PREROUTING option for 2.4.x kernels
    6.7.2. 2.2.x PORTFWD'ing: Using IPMASQADM with 2.2.x kernels
    6.7.3. 2.0.x PORTFWD'ing: Using IPPORTFW on 2.0.x kernels
  6.8. CU-SeeMe and Linux IP-Masquerade
  6.9.
