February 22, 2019

Ipchains: Easy Links to the Net - page 2

Multiple Machines, A Single Connection

  • November 16, 1999
  • By Andrew Chen

Before you can actually set up ipchains, you may have to recompile your kernel to support IP masquerading. But fear not! Some distributions nowadays may already have IP masquerading enabled in their kernels. In our distribution of Slackware 4.0, the IP masquerading settings were already enabled in the 2.2.6 kernel built and included with the distribution. If you want to check to see if you already have IP masquerading enabled, simply check for the existence of the /proc/sys/net/ipv4/ip_forward file:

# cd /proc/sys/net/ipv4
# ls -la ip_forward
-rw-r--r-- 1 root root 0 Oct 24 23:36 ip_forward

The ip_forward file size being 0 is normal. If this file exists, your kernel is already set to do IP masquerading. If you don't see this, you're going to have to recompile your kernel. Recompiling your kernel isn't a terribly easy task, and we won't cover every step here (check your system documentation for more information). In brief, you will want to enable the following options:

Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL)
Enable loadable module support (CONFIG_MODULES)
Networking support (CONFIG_NET)
Packet socket (CONFIG_PACKET)
Kernel/User netlink socket (CONFIG_NETLINK)
Network firewalls (CONFIG_FIREWALL)
TCP/IP networking (CONFIG_INET)
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE)
IP: firewalling (CONFIG_IP_FIREWALL)
IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK)
IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG)
IP: optimize as router not host (CONFIG_IP_ROUTER)
IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES)
Network device support (CONFIG_NETDEVICES)
/proc filesystem support (CONFIG_PROC_FS)
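
Before committing to a rebuild, you can audit an existing kernel .config against the list above. The script below is an added example, not part of the original article; the function names are ours, and it assumes you pass it the path to the .config in your own kernel source tree.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the options the article lists.
# Assumption: the path to the .config file is given as the first argument.

REQUIRED_OPTIONS="CONFIG_EXPERIMENTAL CONFIG_MODULES CONFIG_NET CONFIG_PACKET
CONFIG_NETLINK CONFIG_FIREWALL CONFIG_INET CONFIG_IP_ROUTE_VERBOSE
CONFIG_IP_FIREWALL CONFIG_IP_FIREWALL_NETLINK CONFIG_IP_ALWAYS_DEFRAG
CONFIG_IP_ROUTER CONFIG_SYN_COOKIES CONFIG_NETDEVICES CONFIG_PROC_FS"

# Print every listed option that is not set to y or m in the given .config.
# "# CONFIG_FOO is not set" lines and absent options both count as missing.
missing_options() {
    config_file=$1
    [ -r "$config_file" ] || { echo "cannot read $config_file" >&2; return 2; }
    for opt in $REQUIRED_OPTIONS; do
        # Anchor the match so CONFIG_NETLINK=y does not satisfy CONFIG_NET.
        grep -Eq "^${opt}=(y|m)\$" "$config_file" || echo "$opt"
    done
}

# Report in the article's terms: the /proc check first, then the config audit.
# Returns 0 if every option is enabled, 1 if any is missing, 2 on a bad path.
audit_kernel() {
    config_file=$1
    if [ -e /proc/sys/net/ipv4/ip_forward ]; then
        echo "ip_forward: present in the running kernel"
    else
        echo "ip_forward: absent in the running kernel"
    fi
    missing=$(missing_options "$config_file") || return 2
    if [ -z "$missing" ]; then
        echo "all listed options are enabled in $config_file"
    else
        echo "missing or disabled in $config_file:"
        echo "$missing" | sed 's/^/  /'
        return 1
    fi
}

# Run the audit only when a path is given, so the file can also be sourced.
if [ $# -ge 1 ]; then audit_kernel "$1"; fi
```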

Remember, as a general rule when compiling a new kernel, keep a back-up copy of your old kernel and maybe even a Linux bootdisk.
