| blob | 24757ac9a1fd70c66a3c7d2e29bcf79674a6af22 |
1 TITLE: Masquerading with linux-2.4.xx
2 LFS VERSION: 3.1+
3 AUTHOR: Pierre Cyr <pierre.cyr@mail.mcgill.ca>
5 SYNOPSIS:
6 Enabling a router for simple masquerading on a Linux 2.4 kernel
8 CREDITS:
9 Thanks to Tijmen Stam <tijmen@stamadvies.nl> for his input and his improved
10 startup script.
12 CHANGES:
13 - Changed the links that were no longer valid.
14 - Changed the menuconfig options to reflect kernel 2.4.17
15 - Changed the name of the startup script from "route" to "masquerade" as
16 suggested by Tijmen.
17 - Added Tijmen's improvements to the startup script
19 HINT:
20 First of all, the required (and relevant) documentation:
21 IP-Masquerading HOWTO
22 (http://www.linux.org/docs/ldp/howto/IP-Masquerade-HOWTO/index.html)
23 Linux-NAT-HOWTO (and other interesting texts...)
24 (http://www.iptables.org/documentation/index.html)
26 REQUIREMENTS:
27 You need a linux 2.4 kernel and the most recent iptables package (1.2.5 as of
28 this writing)
29 available from http://www.iptables.org
31 THE PROCESS:
32 Configuring the Kernel... Refer to the IP-Masquerading HOWTO for explanations.
34 This is what my networking options look like in a menuconfig:
36 x x <*> Packet socket
37 x x [ ] Packet socket: mmapped IO
38 x x < > Netlink device emulation
39 x x [*] Network packet filtering (replaces ipchains)
40 x x [ ] Network packet filtering debugging
41 x x [ ] Socket Filtering
42 x x <*> Unix domain sockets
43 x x [*] TCP/IP networking
44 x x [*] IP: multicasting
45 x x [*] IP: advanced router
46 x x [ ] IP: policy routing
47 x x [ ] IP: equal cost multipath
48 x x [ ] IP: use TOS value as routing key
49 x x [*] IP: verbose route monitoring
50 x x [ ] IP: large routing tables
51 x x [ ] IP: kernel level autoconfiguration
52 x x < > IP: tunneling
53 x x < > IP: GRE tunnels over IP
54 x x [ ] IP: multicast routing
55 x x [ ] IP: ARP daemon support (EXPERIMENTAL)
56 x x [ ] IP: TCP Explicit Congestion Notification support
57 x x [*] IP: TCP syncookie support (disabled per default)
58 x x IP: Netfilter Configuration --->
59 x x <*> The IPv6 protocol (EXPERIMENTAL)
60 x x IPv6: Netfilter Configuration --->
61 x x < > Kernel httpd acceleration (EXPERIMENTAL)
62 x x [ ] Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)
63 x x < > 802.1Q VLAN Support (EXPERIMENTAL)
64 x x ---
65 x x < > The IPX protocol
66 x x < > Appletalk protocol support
67 x x < > DECnet Support
68 x x < > 802.1d Ethernet Bridging
69 x x < > CCITT X.25 Packet Layer (EXPERIMENTAL)
70 x x < > LAPB Data Link Driver (EXPERIMENTAL)
71 x x [ ] 802.2 LLC (EXPERIMENTAL)
72 x x [ ] Frame Diverter (EXPERIMENTAL)
73 x x < > Acorn Econet/AUN protocols (EXPERIMENTAL)
74 x x < > WAN router
75 x x [ ] Fast switching (read help!)
76 x x [ ] Forwarding between high speed interfaces
77 x x QoS and/or fair queueing --->
80 Don't forget to go in the IP: Netfilter Configuration --->
82 x x <*> Connection tracking (required for masq/NAT)
83 x x <*> FTP protocol support
84 x x <*> IRC protocol support
85 x x < > Userspace queueing via NETLINK (EXPERIMENTAL)
86 x x <*> IP tables support (required for filtering/masq/NAT)
87 x x < > limit match support
88 x x < > MAC address match support
89 x x < > netfilter MARK match support
90 x x < > Multiple port match support
91 x x < > TOS match support
92 x x < > LENGTH match support
93 x x < > TTL match support
94 x x < > tcpmss match support
95 x x < > Connection state match support
96 x x < > Unclean match support (EXPERIMENTAL)
97 x x < > Owner match support (EXPERIMENTAL)
98 x x < > Packet filtering
99 x x <*> Full NAT
100 x x <*> MASQUERADE target support
101 x x <*> REDIRECT target support
102 x x < > Basic SNMP-ALG support (EXPERIMENTAL)
103 x x < > Packet mangling
104 x x < > LOG target support
105 x x < > TCPMSS target support
108 And since I enabled IPv6 I went into IPv6: Netfilter Configuration
110 x x <*> IP6 tables support (required for filtering/masq/NAT)
111 x x < > limit match support
112 x x < > MAC address match support
113 x x < > Multiple port match support
114 x x < > Owner match support (EXPERIMENTAL)
115 x x < > netfilter MARK match support
116 x x < > Packet filtering
117 x x < > Packet mangling
120 Compile the kernel
122 Installing iptables:
124 If your linux kernel source is in /usr/src/linux then a simple:
126 make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man &&
127 make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man install
129 should suffice...
131 Now... at boot I use the /etc/init.d/masquerade script which looks like this:
132 You'll have to adapt the script to fit your network interface (in my case eth1)
134 Here are Tijmen's improvements over the script from the last version of this
135 hint:
137 1. in the script, in start) add an evaluate_retval after the echo "1" >
138 /proc/sys... because then it shows a [failed] if /proc isn'r mountet or
139 ip_forwarding is not embedded in the kernel.
141 2. the iptables -t nat -F flushes the masquerading rules, thus disabling
142 the masquerading...
144 #!/bin/sh
145 # Begin of /etc/init.d/masquerade
147 source /etc/init.d/functions
149 case "$1" in
150 start)
151 echo "Enabling masquerading..."
152 echo "1" > /proc/sys/net/ipv4/ip_forward
153 evaluate_retval
154 echo -n "Bringing up iptables..."
155 loadproc /usr/bin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
156 ;;
157 stop)
158 echo -n "Disabling masquerading..."
159 echo "0" > /proc/sys/net/ipv4/ip_forward
160 evaluate_retval
161 echo -n "stopping iptables ... "
162 /usr/bin/iptables -t nat -F
163 evaluate_retval
164 ;;
165 restart)
166 $0 stop
167 /usr/bin/sleep 1
168 $0 start
169 ;;
170 *)
171 echo "Usage: $0 {start|stop|restart}"
172 exit 1
173 ;;
174 esac
176 # End of /etc/init.d/masquerade
178 All that's left is to create the appropriate symbolic links in /etc/rc?.d
180 That's
181 it...