Linux for Newbies, Part 14:
Home Networking, Part 3:
IP Masquerading
by Gene Wilburn
(The Computer Paper, Sep 2000. Copyright © Wilburn Communications Ltd. All rights reserved)
In the previous installments of this home networking mini-series we connected our Linux and Windows PCs into a local area network (LAN) with NICs, cables and a hub, and implemented a "private" TCP/IP network based on the IP range of 192.168.0.0-255. We then added name support in hosts files. In last month's installment we added Samba support to provide MS-compatible file and print services for all the PCs on the network.
In this final home networking installment we'll look at another option for our network: providing concurrent access to the Internet to any workstation on our LAN. In order to do this, our main Linux server must already be capable of linking to the Internet, as we covered in Part 8: "Connecting to the Internet".
The main reason for connecting a home network to the Internet is convenience. Being able to share the same connection to the Internet is useful when you have two or more family members who want to visit web pages or check email at the same time. It's easier to maintain a single modem than multiple modems, and a single Internet setup rather than several.
Be aware, though, that the decision to connect your home network to the Internet has security implications. The Internet is bidirectional. If you can get out, others can, potentially, get in. As part of learning how to use Linux as an Internet gateway, we'll also touch on the basics of building a Linux firewall.
Network Address Translation (NAT)
So, how can our internal network, defined as 192.168.0.0, communicate with the world when these private numbers are not valid on the Internet? The secret lies in a networking technique called Network Address Translation, or NAT. For some reason NAT picked up the name "IP Masquerading" in the Linux world, and that colourful phrase has stuck.
IP Masquerading provides a mechanism for relaying a packet from your private network out to the Internet by encapsulating it in a packet with a valid public IP number. Masquerading stuffs your local workstation's real (private) IP address inside the packet, along with the rest of the packet's data, and then puts a public IP address on the outside of the packet. Hence your workstation's packet is said to "masquerade" as a packet with a valid IP address.
Where does the valid public IP address come from? From your ISP. When you connect to your ISP via PPP or a high-speed connection, you normally pick up a dynamically allocated IP number from your ISP's pool of numbers, unless your ISP has provided you with a fixed IP address.
The IP address from your ISP is then bound to your PPP or NIC device, providing one half of the equation. The other half is the NIC you installed to connect to the hub of your home network. As far as Linux is concerned, a PPP device (which uses a modem as its conduit) is a network device, just like a NIC.
What you now have is two network devices on the same Linux server: PPP and a NIC if you're using a dialup connection, or two NICs if you have a cable modem or DSL. One device is "inward facing", to your home network, and the other is "outward facing", to the Internet (see fig. 1). These two devices can be gatewayed so that packets are permitted to flow, or be "forwarded", from one to the other.
However, we don't want raw packets to be forwarded between the two network devices without intervention. We want to process the packets as they pass through, using software that will masquerade our internal packets so they can travel to the Internet and then inspect the return packets, relaying return packets to the right PC on the internal network.
In addition we want to inspect incoming packets for packets that shouldn't be coming in. That is, we want to establish a set of rules that define which packets to let in, and which not to. We want to protect our internal network by filtering packets through a set of firewall rules.
Setting Up IP Masquerading
The tools you need to establish IP Masquerading and Firewalling were installed when you installed your Red Hat Linux 6.X system. Despite what some older Linux documentation suggests, there is no requirement to rebuild your Linux kernel for masquerading--the default installation kernel is already set up for this.
One key tool we'll use is called IPCHAINS. Older versions of Red Hat, such as the 5.x series, use a program called IPFWADM, but we'll concentrate on the newer IPCHAINS program that came in as the standard firewalling/masquerading program with the Linux 2.2 kernel (Red Hat 6.X series).
While setting up masquerading you should reference the Linux HOWTOs in your /usr/doc/HOWTO directory. The IP-Masquerade HOWTO provides the definitive set of instructions for setting up NAT, and the IPCHAINS-HOWTO and Net3-4-HOWTO provide excellent supplementary information on firewall rules and networking. If the HOWTOs are not on your system, download them or read them online at www.linuxdocs.org.
The assumption being made from this point on is that you have your two network devices working properly. Your inward-facing NIC (e.g., eth0) is connected to your internal LAN and you can ping all the workstations on your home network. Your outward-facing NIC or PPP device (e.g., eth1 or ppp0) is connected to your ISP via cable modem, DSL, or standard modem, and you can connect to the Internet and ping servers external to your local network.
IP Forwarding
In order to route, or forward, network packets from your inward-facing device to your outward-facing device, and vice versa, you must turn on IP Forwarding. This is normally turned off by default.
There are a few different ways to turn on Forwarding. Under Red Hat 6.0 and 6.1, you can edit the configuration file /etc/sysconfig/network to include the line:
FORWARD_IPV4=YES
On Red Hat 6.2 this method has been deprecated. Instead you adjust the line in /etc/sysctl.conf to read:
net.ipv4.ip_forward = 1
You can also switch on IP Forwarding by including the following line in a startup script, which works in any version of Linux:
echo "1" > /proc/sys/net/ipv4/ip_forward
rc.firewall
Because IP Masquerading and firewalling go together, we're going to create a special shell script that contains masquerading instructions and firewall rules. We'll invoke this script by adding these lines to the end of /etc/rc.d/rc.local:
# rc.firewall script - Start IPCHAINS and firewall
/etc/rc.d/rc.firewall
The rc.local file, which gets executed at boot time, will in turn call a customized file called rc.firewall that contains IP Masquerading instructions and firewall rules.
We'll start with a basic, simple script that sets up masquerading. This script has no serious firewall rules yet, but it's a good script for testing your setup. Here's the script in its entirety, followed by an explanation of what the lines do:
#!/bin/sh
# rc.firewall - IP Masquerade and firewall script

# Refresh module dependencies, then load the protocol helper modules
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_vdolive

# Enable forwarding; ip_dynaddr is for dynamically assigned ISP addresses
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Masquerade timeouts: TCP 2 hours, TCP after FIN 10 s, UDP 160 s
/sbin/ipchains -M -S 7200 10 160
# Accept DHCP replies on the external interface (DHCP/cable/DSL users only)
/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0
# Default: forward nothing, then masquerade only our own LAN
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
When you've finished writing this script, make it more secure by typing the following:
# chmod 700 /etc/rc.d/rc.firewall
The script starts out with the bang-path statement "#!/bin/sh", which invokes the native Linux shell interpreter to process the rest of the script. As with all shell scripts, comments can be added by placing a pound sign at the beginning of a line, as in the second line of the script. White space is allowed--you may have as many blank lines as you wish.
The "depmod -a" line in the script refreshes the kernel's module dependency information so that the "modprobe" instructions that follow can load their modules. Each modprobe line enables a specialized kernel module required for services that need special handling to work with IP Masquerading. These include FTP, RealAudio, IRC, Quake, CUSeeMe and VDOLive. If you don't need these services for the Windows, Linux or Mac workstations on your home LAN, you may exclude them or comment them out.
The "ip_forward" line has already been discussed--you must have forwarding enabled for masquerading to work. If you have used one of the other methods to make forwarding permanent, you can omit this line. The line that echoes a "1" to /proc/sys/net/ipv4/ip_dynaddr is recommended if you receive an IP address from your ISP via DHCP or PPP. Comment out this line if your ISP has provided you with a fixed IP address.
The first "ipchains" line sets timeouts: 2 hours for TCP/IP sessions, 10 seconds for traffic after a TCP/IP "FIN" packet is received and 160 seconds for UDP traffic. This last setting is important if you have ICQ users on your home LAN.
The long "ipchains" line that contains "bootp_clients..." is for those who receive their external IP address via DHCP, especially DSL and cable modem users. If you have a fixed IP address, comment out this line.
The last two lines, the ipchains "forward" commands, provide a start for building a packet-filter firewall. The "DENY" line denies the use of your outward-facing network device for forwarding by someone on the Internet. The second line, with "MASQ", switches on IP Masquerading for your home network's entire 192.168.0.0 range. Additional firewall rules would follow these two statements.
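To make the forward-chain policy and the masquerade table concrete, here is a small Python model of what the gateway does with each packet. It is an added example, not code from the column or from ipchains: it applies the two forward rules above (policy DENY, MASQ for 192.168.0.0/24), allocates a public port per LAN session, sends return packets back to the right LAN PC, and expires idle entries with the 7200/10/160-second timeouts. The public address 203.0.113.7 and the port range starting at 61000 are constructed sample values.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")   # the column's private range
PUBLIC_IP = "203.0.113.7"                       # constructed ISP-assigned address
# Idle timeouts in seconds, matching "ipchains -M -S 7200 10 160"
TIMEOUT = {"tcp": 7200, "tcpfin": 10, "udp": 160}


class Masquerader:
    """Forward chain with policy DENY plus one MASQ rule, and a masq table."""

    def __init__(self, first_port=61000):
        self.by_session = {}   # (proto, lan_ip, lan_port) -> public_port
        self.by_port = {}      # (proto, public_port) -> (lan_ip, lan_port, expires)
        self.next_port = first_port
        self.now = 0           # simulated clock, seconds

    def _expire(self):
        """Drop table entries whose idle timeout has passed."""
        dead = [k for k, (_, _, exp) in self.by_port.items() if exp <= self.now]
        for proto, port in dead:
            lan_ip, lan_port, _ = self.by_port.pop((proto, port))
            self.by_session.pop((proto, lan_ip, lan_port), None)

    def outbound(self, proto, src_ip, src_port, state="open"):
        """LAN -> Internet: rewrite the source to the public IP, or DENY."""
        self._expire()
        if ipaddress.ip_address(src_ip) not in LAN:
            return None                       # chain policy DENY: not our LAN
        key = (proto, src_ip, src_port)
        port = self.by_session.get(key)
        if port is None:                      # new session: allocate a masq port
            port = self.next_port
            self.next_port += 1
            self.by_session[key] = port
        ttl = TIMEOUT["tcpfin" if state == "fin" else proto]
        self.by_port[(proto, port)] = (src_ip, src_port, self.now + ttl)
        return (PUBLIC_IP, port)              # what the Internet sees

    def inbound(self, proto, dst_port):
        """Internet -> LAN: demasquerade, or DENY when no session matches."""
        self._expire()
        entry = self.by_port.get((proto, dst_port))
        if entry is None:
            return None                       # unsolicited packet: dropped
        lan_ip, lan_port, _ = entry
        return (lan_ip, lan_port)
```

Note that an unsolicited packet from the Internet never reaches a LAN machine: without a matching table entry there is nothing to translate it to, which is the protective side effect of masquerading.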
Testing the Setup
To configure a Windows 95/98 workstation to use your Linux gateway, go to Control Panel, Network. If you've already set up your local IP address you only need to go to TCP/IP Protocol and select the Gateway tab. Click Add, and enter the internal IP address of your Linux gateway (192.168.0.1 in our example).
On the DNS tab, enter the name of your W95 workstation and use the fictitious domain name you assigned to your network. In our house we name our computers after famous scientists. My Windows workstation is Wallace (the co-founder of evolutionary theory) and my Linux gateway is Darwin. Hence I would put wallace.mynet.all in the Windows DNS tab.
In addition, enter the primary and secondary IP addresses for the DNS servers of your ISP. (Refer to the IP-Masquerading HOWTO for instructions on how to configure Macintosh, Windows NT, and OS/2 workstations.)
After your workstations are configured (and rebooted if necessary), return to your Linux server and make certain that it is connected to the Internet. Test by pinging an address on the Internet, e.g., "ping www.yahoo.com".
Now, as root, type "/etc/rc.d/rc.firewall". Check that there are no error messages. If all is correctly configured, you should now have an active gateway.
Go to your Windows or Mac workstation and try pinging an external server, e.g. "ping www.yahoo.com". If you get a reply, bingo, you're on the net! You can now browse the web, read newsgroups, fetch email, use ICQ, or play Quake on an Internet Quake server from all the machines on your home network, all at the same time. Throughput speed is better, naturally, if your home LAN is sharing a high-speed connection, but even sharing a dial-up modem is handy.
Firewall Rules
The firewall rules in our script are minimal and you should spend some time beefing them up. Understanding firewalls is an advanced topic, but well within the grasp of anyone who puts in some effort and study.
It is best to understand the firewall rules you put into your rc.firewall script, but if you're feeling a bit nervous about having your home network exposed to the Internet and want something in place prior to studying and understanding IPCHAINS, the IP Masquerading HOWTO contains an excellent template for stronger firewall rules. Just read the comments and carefully type in all the rules that seem appropriate, adjusting the entries in the template to your own IP address. Pay special attention to upper/lower case distinctions.
Problems with IP Masquerading
Linux IP Masquerading is a mature, seasoned service. It has been part of Linux for many years (as far back as the 1.X kernel era) and has been continually improved and refined. It works impressively well for Internet gaming, ICQ, RealAudio and other Internet services that sometimes pose a challenge to NAT'ed gateways. In my personal experience, overall throughput speed with IP Masquerading is noticeably faster than with Windows-only products, such as WinGate. And unlike Windows products, there is no licensing fee and no special software client required. IP Masquerading works with all workstations of all operating systems, as long as they can do basic TCP/IP networking.
If your Linux system is configured correctly, you normally won't have any trouble getting IP Masquerading to work. If you're experiencing difficulties, go back over your configurations and make sure that the networking and Internet connection components on your Linux box are okay. Networking and Internet connectivity have to be working correctly before IP Masquerading will work.
If you need additional help with IP Masquerading, networking, or Internet connectivity, you can find it on the Internet. Type in "IP Masquerading" on a search engine such as Google and you'll find excellent online tutorials. If you have questions, avail yourself of the peer support available in newsgroups such as comp.os.linux.misc and comp.os.linux.networking, or the Red Hat mailing lists. The deja.com site also provides an excellent way of locating discussion threads on Linux topics.
This concludes our home networking mini-series. These short columns only scratch the surface of all the topics inherent in home networking, IP masquerading, and firewall rules. Networking is an engaging topic of study that can keep you amused for years. Good luck, my friends.
Next time: Linux shell scripting.
Gene Wilburn (gene@wilburn.ca) is a Toronto-based IT specialist, musician and writer who operates a small farm of Linux servers.