linux-ip-masq.html

Linus guide, Linus guide, Linus guide,

<HTML>
  <HEAD>
    <TITLE>
      Setting Up IP Masquerading
    </TITLE>
    <META NAME="author" CONTENT="jbm">
    <META NAME="description" CONTENT="Information on setting up IP masquerading under linux.">
    <META NAME="keywords" CONTENT="Linux, ip masq, ip masquerading, howto, how to, help, setting up, setup, linux, Josh's Linux Guide, jbm, jbm@intertek.net">
  </HEAD>

  <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
    <H2><A NAME="0">Setting Up IP Masquerading</A></H2> 

    <P>

      <FONT SIZE="-1"><B>Author: <A
      HREF="http://www.oths.k12.il.us/~jbm/">jbm
      &lt;jbm@intertek.net&gt;</A></B></FONT><BR>

      <FONT SIZE="-1"><B>Created on: July 19, 1998</B></FONT><BR>

      <FONT SIZE="-1"><B>Last Modified: March 2, 1999</B></FONT><BR>

      <FONT SIZE="-1"><B>Status: Beta</B></FONT><BR>

    </P>

    <H3><A NAME="1">Introduction</A></H3> 

    <P>So - you've got your Linux up and running and you can use the
    LAN between Linux and Windows 95. Good for you. But you still
    can't get online with your Windows 95 box and your Linux at the
    same time. This is why they developed IP Masquerading. To begin
    with, you need a few things: the ability to compile your own
    kernel (see <A HREF="linux-kernel.html">Compiling a New Kernel</A>
    for more info on this), a working subnetwork (probably Ethernet -
    see <A HREF="linux-ethernet.html">Setting Up Ethernet</A> for more
    info. There are other ways to create a subnetwork, but if you can
    get those working, you probably don't need this guide ;^), and a
    way to get at the internet while on your Linux (either Ethernet or
    dial-up, there are special instructions for using two NICs at
    once, see <A
    HREF="ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/Ethernet-HOWTO"
    TARGET="_TOP">sunsite.unc.edu:/pub/Linux/docs/HOWTO/Ethernet-HOWTO</A>). A
    discussion of networking is beyond the scope of this document, as
    is setting up dial-up connections (discussed in <A
    HREF="linux-netconnect.html">Setting Up an internet
    Connection</A>.), so if you don't have those working yet, go ye
    forth and fix ye thee. If you're still with me, go grab the
    IP-Masquerading mini-howto, from your local sunsite
    mirror:Linux/docs/HOWTO/mini/IP-Masquerade or at <A
    HREF="ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/mini/IP-Masquerade"
    TARGET="_TOP">sunsite.unc.edu:/pub/Linux/docs/HOWTO/mini/IP-Masquerade</A>
    really quick. It's a more in-depth discussion of what this
    document covers. Also, <A HREF="http://ipmasq.cjb.net/"
    TARGET="_TOP">http://ipmasq.cjb.net/</A> is the official homepage
    of Linux IP Masquerading. hint hint.  </p>

    <H3><A NAME="2">Before You Begin...</A></H3> 

    <p>I'm no expert when it comes to this. I just got my setup
    working well enough, and I saw a definite need for a document like
    this one. The IP-Masquerading mini howto is too in-depth for the
    average Windows 95 --> Linux --> Internet setup. If you can add
    anything to this - please do! I'm currently working on on-demand
    dialup that's transparent to Windows 95. Any info that you need
    that's not covered here will most likely be found at <A
    HREF="http://ipmasq.cjb.net/"
    TARGET="_TOP">http://ipmasq.cjb.net/</A>. hint hint.</p>

    <P>This document is based on my personal setup - a Windows 95 box
    connected via eth0 to a Linux box which is connected to the
    internet by ppp0. I use Slackware, with kernel 2.0.34. I'll try
    and make everything usable under RedHat, but I can't make any
    guarantees. I take no responsibility if this document messes up
    your boxen. Or causes your dog to shed all over the couch. Feel
    free to <A HREF="mailto:jbm@intertek.net">mail
    me(jbm@intertek.net)</A>, but please only send me questions dealing
    with IP masquerading and/or this document (misspellings,
    etc). Please no questions about setting up PPP or Ethernet.</p>

    <H3><A NAME="3">Begin</A></H3>

    <P>Make sure your ethernet works ('ping' back and forth), make
    sure that your PPP dialup works ('ping' somebody on the net), and
    make sure they both work at once ('ping' back and forth locally
    and some internet site while online). If this is all ok, move
    on. If not, you need to fix it before you proceed. Check the
    related docs on this site, then try re-doing things (if you need
    to recompile your kernel, <B>don't</B> include the IP Masq
    changes. It's best to change one or two things at once, so you can
    find exactly what's not working. After you get ethernet and PPP
    working side-by-side you can try to get them working
    hand-in-hand.)</P>

    <H3><A NAME="4">Setting Up Linux</A></H3>

    <P>To get Linux ready for IP Masquerade, you only need to do three
    things:

    <UL>

      <LI>Remake your kernel</LI>

      <LI> Set up <TT>/etc/&lt;rc&gt;/rc.modules</TT> (more on this
	later)</LI>

      <LI>Set up <TT>ipfwadm</TT> in the Right Place
	(rc.local)</LI>

    </UL>
  </P>


    <H4><A NAME="5">Kernel Stuff:</A></H4>

    <P>If you're not comfortable recompiling your kernel, stop
    now. You really need to be able to do this to be a Linux user, so
    go learn how to at <A HREF="linux-kernel.html">Compiling a New
    Kernel</A>. Go through and configure your kernel for all the
    things you normally need (*modules*, filesystems, SCSI if you need
    it, PPP/SLIP, networking, etc), and then add the following things
    (in older kernels you may need enable experimental things):

    <UL>

      <LI>Networking Support (CONFIG_NET) (required)</LI>

      <LI> Network Firewalls (CONFIG_FIREWALLS) (required)</LI>

      <LI> TCP/IP Networking (CONFIG_INET) (required)</LI>

      <LI> IP: Forwarding/Gatewaying (CONFIG_IP_FORWARD)
      (required)</LI>

      <LI> IP: Masquerading (CONFIG_IP_MASQUERADE) (may be
      experimental) (required)</LI>

      <LI> IP: ipautofw (CONFIG_IP_MASQUERADE_IPAUTOFW) (may be
      experimental) (recommended)</LI>

      <LI> IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP)
      (optional, i use it ;^)</LI>

      <LI> IP: always defragment (CONFIG_IP_ALWAYS_DEFRAG) (highly
      recommended)</LI>

      <LI> Dummy Net Driver Support (CONFIG_DUMMY) (recommended)</LI>

    </UL>
  </P>

    <P> Now do the whole kernel building process... <TT>make dep; make
    clean; make zImage (go watch tv); make modules; make
    modules_install</TT>. The modules part is required because certain
    protocals (ftp, irc, realaudio to name just a few) need special
    configuration to work correctly through masquerade.
    <H4><A NAME="6">rc.modules Fun:</A></H4> For this, you need to edit your
    rc.modules file - <TT>/etc/rc.d/rc.modules</TT> in Slackware and
    <TT>/etc/rc.d/rc.local</TT> in Red Hat - and add the following
    lines: </P>

    <PRE>
depmod -a  #if there's already a line containing this, don't add it.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_vdolive  
    </PRE>

    <P> And any other modules you see in
    <TT>/lib/modules/2.0.xx/ipv4</TT> that start with
    ip_masq. According to the mini-howto, <TT>kerneld</TT>
    won't work. Sorry to those of you who use it.</P>

    <H4><A NAME="7">'ipfwadm':</A></H4> 

    <P><em>Note: if you are using a 2.2.x series kernel (or late
    2.1.xx), you need to use IP chains, see below for more
    details. Skip this section and go on to the next.</em></P>

    <P>You need to stick

    <PRE>
ipfwadm -F -p deny
ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
    </PRE>

    in your /etc/&lt;rc.d&gt;rc.local file, it only needs to be run
    once (i was mis-informed at last writing. My apologies).  Due to
    the nature of this file, these lines won't automatically be
    executed until you reboot.  You can, however, just paste these
    into the commandline using <tt>gpm</tt> and set it up on a running
    system.</P>

    <P> This should complete the Linux side of the setup.</P>

    <H4><A NAME="8">IP Chains</A></H4>
    
    <P>IP chains is the &quot;new&quot; way to set IP masq things
    up. If you are using a 2.0.xx series kernel, you don't need to
    worry about it just yet; if you are using 2.2.x, however, you do.</p>

    <P>The use is just like for '<tt>ipfwadm</tt>', except you place

    <PRE>
ipchains -P forward DENY
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
    </PRE>

    in your /etc/&lt;rc.d&gt;rc.local file.  Due to the nature of this
    file, these lines won't automatically be executed until you
    reboot.  You can, however, just paste these into the commandline
    using <tt>gpm</tt> and set it up on a running system.</P>


    <H3><A NAME="9">Configuring Windows 95</A></H3> 

    <P>This is by far easier. If you've got the ethernet adaptor
    installed right, just open up Start->Settings->Control Panel, then
    go to Networking. Open up TCP/IP -&gt;&lt;name of your ethernet
    adaptor&gt;. Go to the Gateway Tab, and enter the Subnet IP
    address of your Linux (probably 192.168.1.1). Add the appropriate
    settings under the DNS Configuration tab. You don't need the
    suffix search thing, but it's kinda nice. Click OK through all the
    dialogs and restart Windows. This should be all you need to
    do.</P>

    <P>This should complete the Windows side of the configuration.</p>

    <H3><A NAME="10">Setting Up Other OSs</A></H3> 

    <P>See the <A
    HREF="ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/mini/IP-Masquerade"
    TARGET="_TOP">IP Masquerade mini-HOWTO</a> for instructions on
    setting up other OSs capable of TCP/IP networking (or UDP/IP. but
    i think UDP is more complicated setup...).  </P>

    <H3><A NAME="11">Test it</A></H3>

    <P>Well.. that should be it. Try it out - reboot your Linux box,
    start up your PPP connection, run the ipfwadm script (if you need
    one), and trying getting onto the net with Windows. If it doesn't
    work, make sure you ran the <TT>ipfwadm</TT> stuff after you
    connected with PPP (ie - after you actually got an IP address
    assigned).If that doesn't fix things, try going through the IP
    Masquerade mini-howto. It'smuch more in-depth and thorough, so
    your problem will likely be addressed there.  </P>

    <H3><A NAME="12">PPP Stops Working After You Install IP Masquerade</A></H3>

    <P>This confused me very much so. If you compiled PPP as a module,
    make sure you do <TT><TT>/sbin/modprobe</TT> slhc.o</TT>
    before <TT><TT>/sbin/modprobe</TT> ppp.o</TT>. Try doing
    <TT>depmod -e ppp</TT> to see what error messages your
    kernel is having problems with. I personally recommend compiling
    PPP into the kernel, as it's used fairly often. If that looks ok,
    try recompiling it, after printing out the configuration
    information above and double check all your settings. If it's
    still broken, triple check your settings. If it still doesn't
    work, try setting up PPP by itself. If that's broken, see <A
    HREF="linux-netconnect.html">Setting Up an Internet
    Connection</A>. After you get that working, try the IP masq setup
    again. This should solve most problems.</P>

    <P><em>Thanks to Tom M. Schenkenberg for pointing out the new
    ip-masq site, and keeping me from getting dead link complaints
    =).</em></P>

    <HR>

    <P><B><FONT SIZE="-1">Copyright (c)1998 <A
    HREF="http://www.oths.k12.il.us/~jbm/">jbm
    (jbm@intertek.net)</A>. All rights reserved. Permission to use,
    distribute, and copy this document is hereby granted.  You may
    modify this document as long as credit to me is
    given.</FONT></B></P>
  </BODY>
</HTML>