Greek - Masquerading Made Simple HOWTO

John Tapsell

      <tapselj0@cs.man.ac.uk>

Thomas Spellman

      <thomas@resonance.org>

Matthias Grimm

      <DeadBull@gmx.net>

   : Sotiris Ganouris

      <topgan1@clug.gr>
    
    0.08 2002-07-11  jpt
    0.07 2002-02-27  jpt
    0.06 2001-09-08  jpt
    0.05 2001-09-07  jpt
    0.04 2001-09-01  jpt
    0.03 2001-07-06  jpt

             #debian 
   irc.opensource.net

     John  Tapsell  (JohnFlux)       
   how-to.

       Email  (John  Tapsell)     ,
   , ,  .

                  David Ranch -
   <dranch@trinnet.net>.

             IP-Masquerading HOWTO
           ,       
     .         
         HOWTO,        , 
        .   http://ipmasq.cjb.net 
      Masq-HOWTO     guides  
     .

                 IP
   Masquerade  feature    Linux host.  IP Masq
        Network Address Translation   
   NAT           
           Internet
   IP          
   Internet   Internet IP ()  Linux Box.

                    GNU  Free
   Documentation License.

   http://www.gnu.org/copyleft/fdl.html
     _________________________________________________________

    
   1. 
   2. : (      )
   3.   
   4. Post-install 
   5. FAQ's - Frequently Asked Compla Questions,  
          

1. 

           .

                   
   Internet:

   [network.png]
     _________________________________________________________

2. : (      )

               
   ()      eth0,         IP  
   123.12.23.43       ( )
     eth1,  :
$> modprobe ipt_MASQUERADE #       

$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43
$> echo 1 > /proc/sys/net/ipv4/ip_forward

       dial-up:
$> modprobe ipt_MASQUERADE #       

$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$> echo 1 > /proc/sys/net/ipv4/ip_forward

       :
$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$> iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
$> iptables -P INPUT DROP   # only if the first two are successful
$> iptables -A FORWARD -i eth0 -o eth0 -j REJECT

           dial-up (  eth0   
   ):
$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
$> iptables -P INPUT DROP   # only if the first two are successful
$> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

       !       iptables 
   "iptables -t nat -L"
     _________________________________________________________

3.   

    compile  : (  2.4.x 
    )

        :

     *    Networking Options
          + Network packet filtering (CONFIG_NETFILTER)
     *    Networking Options->Netfilter Configuration
          + Connection tracking (CONFIG_IP_NF_CONNTRACK)
          + FTP Protocol support (CONFIG_IP_NF_FTP)
          + IP tables support (CONFIG_IP_NF_IPTABLES)
          + Connection state match support
            (CONFIG_IP_NF_MATCH_STATE)
          + Packet filtering (CONFIG_IP_NF_FILTER)
               o REJECT target support
                 (CONFIG_IP_NF_TARGET_REJECT)
          + Full NAT (CONFIG_IP_NF_NAT)
               o MASQUERADE target support
                 (CONFIG_IP_NF_TARGET_MASQUERADE)
               o REDIRECT target support
                 (CONFIG_IP_NF_TARGET_REDIRECT)
          + Packet mangling (CONFIG_IP_NF_MANGLE)
          + LOG target support (CONFIG_IP_NF_TARGET_LOG)

   ,      iptables     masq module   
   compile      ,  
    modules,    .   
   insmod  ipt_MASQUERADE     ip_tables, ip_conntrack
     iptable_nat.
$> modprobe ipt_MASQUERADE

         Intranet  (  )    
   ,           
    Internet    .

          iptables, 
   :
$> iptables -F; iptables -t nat -F; iptables -t mangle -F

              iptables,
        .     
         'nat',   recompile    nat
   support.            'mangle', 
   ,        .   
       iptables        , 
      2.4.x      compile
    iptables support.

       (static) ip  (..    
     DHCP):
$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43

         (dynamic)  (..   modem   
       (dialup):
$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

                 ,    
       forwarding  (  )    :  (
                 reboot  
         )
$> echo 1 > /proc/sys/net/ipv4/ip_forward

              ( 
     Post-install  )     
                 
     Internet     :)

   ,          ,    
         (..     server ftp 
     )
$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        ,      
          state tracking   
   recompile.              
   intranet  (/ ).   ppp0 
   eth0              . ( !
      )
$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

       :
$> iptables -P INPUT DROP   # only if the first two are successful

            , 
                 
     .       
     "iptables -P INPUT ACCEPT".
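The steps of sections 2 and 3 gathered into one script, as an added example that is not part of this HOWTO. It prints the rule set for a given external interface and, with APPLY=1, runs it after a few sanity checks. It assumes that every interface other than the external one faces the intranet, that iptables is on PATH, and that 123.12.23.43 is the HOWTO's placeholder for a static address; the port arguments and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the HOWTO: emit (and with APPLY=1, run) the rule
# set from sections 2 and 3 for one external interface.  Assumptions:
# every interface other than EXT_IF faces the intranet, iptables is on PATH,
# and 123.12.23.43 is the HOWTO's placeholder for a static address.
#
#   sh masq.sh eth0 123.12.23.43        # static address: SNAT
#   sh masq.sh ppp0                     # dynamic address: MASQUERADE
#   APPLY=1 sh masq.sh ppp0 80 443      # apply as root, also allow tcp/80,443

# Post-routing NAT rule: SNAT for a fixed address, MASQUERADE otherwise
# (MASQUERADE re-reads the interface address, so it survives a redial).
nat_rule() {
    if [ -n "$2" ]; then
        printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to %s\n' "$1" "$2"
    else
        printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
    fi
}

# One INPUT accept per TCP service the gateway itself should offer.
allow_service() {
    printf 'iptables -A INPUT --protocol tcp --dport %s -j ACCEPT\n' "$1"
}

# The full ordered rule set; $1 = external interface, $2 = static IP or "".
masq_rules() {
    ext_if=$1
    static_ip=$2
    echo 'modprobe ipt_MASQUERADE'
    echo 'iptables -F; iptables -t nat -F; iptables -t mangle -F'
    nat_rule "$ext_if" "$static_ip"
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Negation goes before the option in current iptables ("! -i"); the
    # HOWTO's "-i ! ppp0" is the older spelling of the same match.
    echo "iptables -A INPUT -m state --state NEW ! -i $ext_if -j ACCEPT"
    # Only now is a DROP default policy safe: the two accepts above keep
    # the box reachable from the intranet and keep replies flowing in.
    echo 'iptables -P INPUT DROP'
    echo "iptables -A FORWARD -i $ext_if -o $ext_if -j REJECT"
}

# Checks to run before touching the live firewall.
check_prereqs() {
    [ "$(id -u)" -eq 0 ] || { echo 'run as root' >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo 'iptables not found' >&2; return 1; }
    grep -q "^ *$1:" /proc/net/dev || { echo "no interface $1" >&2; return 1; }
}

main() {
    ext_if=$1
    static_ip=''
    shift
    # A dotted-quad second argument is the static address; anything else
    # is treated as a list of service ports to open.
    case $1 in
        *.*.*.*) static_ip=$1; shift ;;
    esac
    rules=$(masq_rules "$ext_if" "$static_ip")
    for port in "$@"; do
        rules="$rules
$(allow_service "$port")"
    done
    if [ "${APPLY:-0}" = 1 ]; then
        check_prereqs "$ext_if" || exit 1
        # Plain sh, so a failed modprobe on a kernel with netfilter built
        # in does not stop the remaining commands.
        printf '%s\n' "$rules" | sh
        iptables -t nat -L -n      # the check the HOWTO tells you to run
    else
        printf '%s\n' "$rules"
    fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it without APPLY first and read the output; the order matters, because the DROP policy is only harmless once the ESTABLISHED,RELATED and the intranet NEW accepts are in place.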
     _________________________________________________________

4. Post-install 

        .   :

     *             
           P    Linux  server    gateway. (
       windows -  network
       neighbourhood->properties->gateway      
        IP  Linux server(gateway)).
     *          
       proxy   ISP  (   transparent
       proxy),   (              
       transparent  proxying            
       ),      squid  linux server . (
             ).
     *      DNS   
         .        
                    resolving  IP
       address.
       [Offtopic] I wonder if you could simply send out a dhcp
       broadcast that just forwards on the dns server (and
       http_proxy while you're at it) without having to set up a
       dhcp server (or even if you do). Can someone mail me about
       this? :)
       Thanks to Richard Atcheson for pointing this out.
     *             
       .            forwarding:
       "iptables  -P  FORWARD DROP",     
             iptables        /etc/hosts.allow  
       /etc/hosts.deny       . 
               iptables  
                 
                   
            ( iptables)
         DENY.  (          
       "iptables -P FORWARD ACCEPT")
     *   services     internet.
              access  web server 
       :
$> iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
$> iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT
           ident (   irc ) 
$> iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT

      :

     *         web
             IP.      IP      Google  
       216.239.33.100  (     )    
              .. "ping 216.239.33.100"
       "lynx 216.239.33.100".
     *       resolve  hostname ..
       "ping www.google.com" "lynx google.com"    Internet
       Explorer   netscape

      eth0                 Internet
   (),   123.12.23.43    ip  
   .
     _________________________________________________________

5. FAQ's - Frequently Asked Compla Questions,   

     *      ?
       - 
$> iptables -L
$> iptables -t nat -L
     *     resolve   IP!  'www.microsoft.com' 
           
       -        dns  
        -.
     *   !      iptables / NAT / SNAT /
       MASQ
       -        ,   compile 
        iptables  NAT
     *   !     (masquerading)  
       !   
       -  echo 1 > /proc/sys/net/ipv4/ip_forward
     *  !       
          !
       - 
$> iptables -F
$> iptables -t nat -F
$> iptables -t mangle -F
       (      ).   
           .
       -  iptables -P FORWARD ACCEPT
     *   
       -  H,   "dmesg | tail"    ? 
         "cat /var/log/messages | tail" ?   
         :)
     *  ,  !
       -    ..        :
        1)       Linux box
        2)    Linux Box   
        3)        Linux box
               .
     * Where do I put this stuff?
       -  In the /etc/network/interfaces file, or firewall.rc. If
       you put it in the interfaces file, then put it as a pre-up
       to  the  external interface, and have "iptables -t nat -F"
       as the post-down.
     *             
       ?(ppp up on demand)
       -        gateway  ISP    
       23.43.12.43 ,       :
       :23.43.12.43
           /etc/ppp/peers/provider. ( 
           dynamic    IP    -       static   IP      
       my.external.ip.number:23.43.12.43 )
                :
       demand
     *    !
       -  ,     dialing on demand? 
          ?  
       /etc/ppp/peers/provider,        
       dial up      .
       -  ,         
            (Linux 2.4.3)   
           ...
     *                 !  
         GUI.
       -  http://shorewall.sourceforge.net/
         ...
     *  Cable modems  static  dynamic IP?
       -  ..       dynamic.
     *       DHCP?
       -  dynamic.
     *     services?
       -     forwarding  redirecting  
        IP       
     *              
           ip    linux  gateway,     
         internet.
       -,    "rmmod  iptable_filter"  - more info on
       this as I get it.
       -      routed   gated  
         "ps aux | grep -e routed -e gated".
       -   http://ipmasq.cjb.net
     *               
        (established)?    netstat..
       -  cat /proc/net/ip_conntrack
     *         squid  
       routing !
       -           Advanced  Routing  HOWTO
       http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
     *   howto  !     
         ?
       -     #debian  irc.opensource.net  
          JohnFlux.   -        Mail  (JohnFlux)  
       tapselj0@cs.man.ac.uk
     *   howto  !     
       -  http://ipmasq.cjb.net
       -   LDP Masq-HOWTO.
     *     ?
                        linux  
       anti-missile-missiles-made-simple.        
              . :)
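The FAQ entry above answers "which connections are open?" with "cat /proc/net/ip_conntrack". Reading that table by eye gets tedious on a busy gateway, so here is an added example, not part of this HOWTO, that summarises it: one line per flow, and a marker showing whether the reply direction proves the source was rewritten by SNAT/MASQUERADE. It assumes the one-line-per-flow format of the 2.4 kernel's ip_conntrack, shown in a constructed sample below (not captured from a real host); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the HOWTO: summarise /proc/net/ip_conntrack.
# Assumes the 2.4-kernel format below; the file path is a parameter so the
# functions also run against a saved copy.

# Constructed sample of conntrack entries (not from a real host).  Each line
# carries the original tuple first and the reply tuple second; on a
# masquerading gateway the reply dst is the external address, not the
# intranet host that opened the flow.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.0.2 dst=216.239.33.100 sport=1034 dport=80 src=216.239.33.100 dst=123.12.23.43 sport=80 dport=1034 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.0.3 dst=216.239.33.100 sport=1040 dport=443 src=216.239.33.100 dst=123.12.23.43 sport=443 dport=1040 [ASSURED] use=1
udp      17 27 src=192.168.0.2 dst=10.0.0.1 sport=1025 dport=53 src=10.0.0.1 dst=123.12.23.43 sport=53 dport=1025 use=1
tcp      6 431990 ESTABLISHED src=198.51.100.7 dst=123.12.23.43 sport=51000 dport=22 src=123.12.23.43 dst=198.51.100.7 sport=22 dport=51000 [ASSURED] use=1'

# One line per flow: "proto state orig_src -> orig_dst:dport masq|direct".
# "masq" means the reply tuple's dst differs from the original src, i.e. the
# gateway rewrote the source address.  ICMP entries carry type/code instead
# of ports, so their dport column comes out empty.
conntrack_flows() {
    awk '
    {
        proto = $1
        # TCP lines carry a state word in field 4; UDP lines do not.
        state = (proto == "tcp") ? $4 : "-"
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   { dst[n] = kv[2] }
            else if (kv[1] == "dport") { dport[n] = kv[2] }
        }
        nat = (dst[2] != src[1]) ? "masq" : "direct"
        printf "%s %s %s -> %s:%s %s\n", proto, state, src[1], dst[1], dport[1], nat
    }' "$1"
}

# How many fully established TCP flows are being masqueraded right now.
count_masq_established() {
    conntrack_flows "$1" | awk '$2 == "ESTABLISHED" && $NF == "masq"' | grep -c ''
}

# Flows per originating host, most active first.
flows_per_host() {
    conntrack_flows "$1" | awk '{ c[$3]++ } END { for (h in c) print c[h], h }' | sort -rn
}

# Usage: sh conntrack_summary.sh /proc/net/ip_conntrack
if [ "$#" -gt 0 ]; then
    conntrack_flows "$1"
    echo "--- masqueraded established TCP flows: $(count_masq_established "$1")"
    echo "--- flows per host ---"
    flows_per_host "$1"
fi
```

The "direct" marker on the last sample line is the interesting one for a gateway admin: a flow whose original destination is the external address itself is a connection to the Linux box, not through it, which is exactly the traffic the INPUT chain rules of section 3 govern.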
