Ipchains: Easy Links to the Net

By: Andrew Chen
Tuesday, November 16, 1999 12:37:13 PM EST
URL: http://www.linuxplanet.com/linuxplanet/tutorials/1241/1/

Multiple Machines, A Single Connection

Now that the Internet has become a ubiquitous presence in our society, it seems only reasonable that every machine should have Internet access. And with a couple of Ethernet cards, some well-chosen software, and a little bit of brainpower, many people can manage to share a single Internet connection among more than one PC, whether that connection be a PPP dial-up connection, a DSL line, or a cable modem.

In this case, the well-chosen software is ipchains. As described by its author, Paul Russell, ipchains "is an update to [and hopefully an improvement upon] the 2.0 Linux packet-filtering code, for the 2.2 Linux kernel." In a nutshell, it is a neat way to turn a 2.2-kernel Linux box into a packet-filtering firewall and, at the same time, to give several PCs access through a single Internet connection. In this article we will set up IP masquerading: a form of network address translation in which the Linux box rewrites the source address of outgoing packets to its own, so the whole internal network appears to the outside world as one host.

In order to get started with ipchains, you are going to need a Linux box (in this case a freshly installed Slackware 4.0 system), preferably two network interfaces (one of them can be a PPP dial-up interface), a copy of ipchains, and probably a copy of the source code for your kernel. Most Linux distributions ship with ipchains preinstalled; it can also be downloaded from the ipchains home page. A copy of the kernel source may already be installed in /usr/src/linux; if not, pick one up from a kernel mirror. At the time of this writing, the latest version of ipchains is 1.3.9 and the latest 2.2 kernel is 2.2.13. If you are trying to set up ipchains on Linux 2.0, you will need considerably more kernel configuration first, which is outside the scope of this article. For the rest of this article we assume you are doing everything as root, since most of the steps require it anyway.

Kernel Changes

Before you can actually set up ipchains, you may have to recompile your kernel to support IP masquerading. But fear not: many distributions already ship kernels with IP masquerading enabled. In our Slackware 4.0 installation, the masquerading options were already turned on in the 2.2.6 kernel built and included with the distribution. A quick look in /proc shows you where you stand. First, the forwarding switch itself:

# cd /proc/sys/net/ipv4
# ls -la ip_forward
-rw-r--r-- 1 root root 0 Oct 24 23:36 ip_forward

A size of 0 is normal for files under /proc. Be careful what you conclude from this file, though: ip_forward exists on any 2.2 kernel with TCP/IP and /proc support, so its presence only tells you that forwarding can be switched on, not that masquerading was compiled in. The masquerading-specific check is /proc/net/ip_masquerade, which the kernel creates only when CONFIG_IP_MASQUERADE is enabled; ipchains -M -L (and netstat -M, below) read that file and fail with an error if it is missing. If either file is absent, you are going to have to recompile your kernel. Recompiling a kernel is not a terribly easy task and we will not cover every step here (check your system documentation). In brief, you will want to enable the following options:

Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL)
Enable loadable module support (CONFIG_MODULES)
Networking support (CONFIG_NET)
Packet socket (CONFIG_PACKET)
Kernel/User netlink socket (CONFIG_NETLINK)
Network firewalls (CONFIG_FIREWALL)
TCP/IP networking (CONFIG_INET)
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE)
IP: firewalling (CONFIG_IP_FIREWALL)
IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK)
IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG)
IP: masquerading (CONFIG_IP_MASQUERADE)
IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP)
IP: optimize as router not host (CONFIG_IP_ROUTER)
IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES)
Network device support (CONFIG_NETDEVICES)
/proc filesystem support (CONFIG_PROC_FS)

Remember, as a general rule when compiling a new kernel, keep a backup copy of your old kernel (and a boot-loader entry for it) and maybe even a Linux boot disk, so a kernel that does not boot is an inconvenience rather than a disaster.
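Before rebooting into a rebuilt kernel it is worth checking the .config against the list above rather than trusting memory. The following shell script is an added example for this article, not code from the original or from the ipchains project; it reads a kernel .config, reports every option from the list that is neither built in (=y) nor modular (=m), and treats the "# CONFIG_X is not set" lines that the kernel configurator writes as missing. The .config fragment embedded in it is constructed for the example and deliberately lacks the masquerading options.

```shell
#!/bin/sh
# Kernel options the article lists as needed for ipchains + masquerading on 2.2.
REQUIRED_OPTIONS="CONFIG_EXPERIMENTAL CONFIG_MODULES CONFIG_NET CONFIG_PACKET
CONFIG_NETLINK CONFIG_FIREWALL CONFIG_INET CONFIG_IP_ROUTE_VERBOSE
CONFIG_IP_FIREWALL CONFIG_IP_FIREWALL_NETLINK CONFIG_IP_ALWAYS_DEFRAG
CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_ICMP CONFIG_IP_ROUTER
CONFIG_SYN_COOKIES CONFIG_NETDEVICES CONFIG_PROC_FS"

# Constructed fragment of a 2.2 .config (not a real system's file). It has
# CONFIG_IP_ALWAYS_DEFRAG and CONFIG_IP_MASQUERADE explicitly unset, and
# CONFIG_IP_MASQUERADE_ICMP absent altogether, as the configurator leaves it
# when its parent option is off.
SAMPLE_CONFIG='#
# Networking options
#
CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_NETLINK=y
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
# CONFIG_IP_ALWAYS_DEFRAG is not set
# CONFIG_IP_MASQUERADE is not set
CONFIG_IP_ROUTER=y
CONFIG_SYN_COOKIES=y
CONFIG_NETDEVICES=y
CONFIG_PROC_FS=y'

# missing_options CONFIG_TEXT
# Prints one line per required option that is not =y or =m in CONFIG_TEXT.
# Returns 0 when every option is present, 1 when at least one is missing.
missing_options() {
    config=$1
    missing=0
    for opt in $REQUIRED_OPTIONS; do
        # Anchored match: "CONFIG_NET=y" must not be satisfied by "CONFIG_NETLINK=y".
        if ! printf '%s\n' "$config" | grep -q "^$opt=[ym]\$"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone run against the constructed sample.
if missing_options "$SAMPLE_CONFIG"; then
    echo "all required options present"
else
    echo "rebuild the kernel with the options listed above"
fi
```

On a real system run it against the tree you are about to build, for example missing_options "$(cat /usr/src/linux/.config)". Note that a clean result only proves the .config is right; the kernel you are running is whatever the boot loader loaded, so the /proc checks above remain the test that matters after the reboot.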

Starting Ipchains

In order to have IP masquerading configured and started at every system boot, create a start-up script under /etc/rc.d. Every time the system starts, the scripts residing in /etc/rc.d/ are run; they start system services such as the telnet, FTP and mount daemons. For our setup, eth0 is connected to the internal network (192.168.0.0/24) and eth1 to the Internet. If you are on a dial-up connection such as ppp0, keep the ip_dynaddr line in the script below; otherwise it can be left out.

Here is a sample /etc/rc.d/rc.firewall file, where we'll keep all our IP masquerading startup commands.

#!/bin/sh
# /etc/rc.d/rc.firewall -- IP masquerading start-up for a 2.2 kernel with ipchains.
# eth0 = internal network (192.168.0.0/24), eth1 = Internet.

/sbin/depmod -a     # rebuild the module dependency list so the modprobes below work

# Protocol helper modules for masquerading. Each one is extra kernel code
# parsing untrusted traffic, so as a general rule load only those you really need.
/sbin/modprobe ip_masq_ftp        # active-mode FTP out
/sbin/modprobe ip_masq_raudio     # RealAudio
/sbin/modprobe ip_masq_irc        # IRC DCC
/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960   # Quake I/II/III
/sbin/modprobe ip_masq_cuseeme    # CuSeeMe
/sbin/modprobe ip_masq_vdolive    # VDO-live

echo "1" > /proc/sys/net/ipv4/ip_forward   # enable IP forwarding; nothing works without this
echo "1" > /proc/sys/net/ipv4/ip_dynaddr   # only needed on a dial-up link (ppp0) whose address changes

# Timeouts for masqueraded sessions: 7200 s (2 hours) for idle TCP sessions,
# 10 s after a TCP FIN is seen, 160 s for UDP entries.
/sbin/ipchains -M -S 7200 10 160

# Start from a clean slate, so re-running this script neither duplicates
# rules nor fails on "chain already exists" when creating infilt below.
/sbin/ipchains -F
/sbin/ipchains -X

# Deny forwarding by default; only what we explicitly allow gets through.
/sbin/ipchains -P forward DENY

# Masquerade traffic from the internal subnet as it leaves on eth1.
# On the forward chain -i names the interface the packet is sent out on,
# so this rule cannot masquerade traffic heading back into the LAN.
# 192.168.0.0/24 must be changed to your own internal subnet, otherwise
# masquerading will fail. Try Daryl's Subnet Calc:
# ipprimer.windsorcs.com/subnet.html
/sbin/ipchains -A forward -s 192.168.0.0/24 -i eth1 -j MASQ

# Anti-spoofing: anything arriving on eth1 (the Internet interface) that
# claims to come from the internal network is forged. Log it (-l) and deny it.
/sbin/ipchains -N infilt                    # create a new user chain named infilt
/sbin/ipchains -A input -i eth1 -j infilt   # run everything arriving on eth1 through infilt
/sbin/ipchains -A infilt -s 192.168.0.0/24 -l -j DENY

Before adding this to our start-up scripts, we will want to test it. To do so, simply execute /etc/rc.d/rc.firewall. Silence is a good sign, but not proof: confirm with ipchains -L -n that the forward chain's policy reads DENY, that the MASQ rule for your subnet is present, and that the input chain hands eth1 traffic to infilt. To configure the client side, set each client's default gateway to the address of the Linux machine's internal interface (eth0) and give it a DNS server it can reach through the gateway.
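Eyeballing ipchains -L -n works once; a script that checks the listing is what you want in a boot sequence or after every edit to rc.firewall. The shell function below is an added example for this article, not code from the original or from the ipchains project. It parses the output of ipchains -L -n and verifies the three properties the rc.firewall above is meant to establish: the forward policy is DENY, the internal subnet is masqueraded, and eth1 traffic passes through an infilt chain that denies the internal subnet. The listing embedded in it is constructed to mirror the layout ipchains -L -n produces for that rule set; on a real box you would feed it "$(ipchains -L -n)" instead.

```shell
#!/bin/sh
# Constructed sample of `ipchains -L -n` output for the rc.firewall in this
# article (not captured from a live system).
SAMPLE_RULES='Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
infilt     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
Chain infilt (1 references):
target     prot opt     source                destination           ports
DENY       all  ----l-  192.168.0.0/24       0.0.0.0/0             n/a'

# check_ruleset LISTING INTERNAL_NET
# Prints one "ok"/"FAIL" line per check; returns 0 only if all checks pass.
check_ruleset() {
    listing=$1
    net=$2
    printf '%s\n' "$listing" | awk -v net="$net" '
        # "Chain forward (policy DENY):" -> remember the chain and its policy.
        # User chains print "(N references)" instead and have no policy.
        /^Chain / {
            chain = $2
            if ($3 == "(policy") { policy = $4; sub(/\):/, "", policy) } else policy = ""
            if (chain == "forward") fwd_policy = policy
            next
        }
        $1 == "target" { next }   # column header line
        # Rule lines: $1 target, $2 proto, $3 flags, $4 source, $5 destination.
        chain == "forward" && $1 == "MASQ"   && $4 == net { masq = 1 }
        chain == "input"   && $1 == "infilt"              { hooked = 1 }
        chain == "infilt"  && $1 == "DENY"   && $4 == net { antispoof = 1 }
        END {
            ok = 1
            if (fwd_policy == "DENY") print "ok   forward policy is DENY"
            else { print "FAIL forward policy is \"" fwd_policy "\", expected DENY"; ok = 0 }
            if (masq) print "ok   MASQ rule for " net " in forward chain"
            else { print "FAIL no MASQ rule for " net " in forward chain"; ok = 0 }
            if (hooked) print "ok   input chain jumps to infilt"
            else { print "FAIL input chain does not jump to infilt"; ok = 0 }
            if (antispoof) print "ok   infilt denies spoofed " net
            else { print "FAIL infilt has no DENY for " net; ok = 0 }
            exit (ok ? 0 : 1)
        }'
}

# Stand-alone run against the constructed listing.
check_ruleset "$SAMPLE_RULES" 192.168.0.0/24
```

The check is deliberately strict about the forward policy: a MASQ rule on a chain whose policy is ACCEPT still masquerades, but it also forwards everything else that arrives, which is exactly the configuration the DENY policy exists to prevent.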

There are several tools available to monitor your IP masquerader. One of them is netstat, whose -M option lists the current masquerading table: which internal host is talking to which destination, the original and destination ports, and, in parentheses, the port the gateway substituted on the outside. The expire column counts down the timeouts set with ipchains -M -S above. Output may look something like this:

$ netstat -M
IP masquerading entries
prot expire     source    destination            ports
tcp  46:01.49   ntbox     www.netearth.com       2806 -> 3306 (63673)
tcp  118:00.35  macintoy  152.163.244.159        1038 -> 5190 (62427)
tcp  4:36.31    macintoy  www.linuxplanet.com    55076 -> www (61675)
tcp  119:48.56  ntbox     web2.netearth.com      4337 -> ssh (63658)
$

Another tool is ipchains -L -v. This lists every rule with its packet and byte counters, which serve as a rough traffic report for the masquerading connection and also tell you whether the anti-spoofing rule in infilt is actually being hit; if it is, the -l flag will have left matching entries in the kernel log as well.

So what's so cool about this? You can maintain a single Internet connection for multiple users on multiple operating systems, using Linux as the gateway to the Internet. Plus, because ipchains and Linux itself are low cost or free, creating and maintaining this setup is much easier, and in many cases more secure, than a more expensive Windows solution.

Copyright Jupitermedia Corp. All Rights Reserved.