February 21, 2019

Ipchains: Easy Links to the Net - page 3

Multiple Machines, A Single Connection

  • November 16, 1999
  • By Andrew Chen

In order to have IP masquerading configured and started every system boot, create a start-up script or an rc.d script. Every time a system starts up, a set of scripts residing in /etc/rc.d/ are run. In these scripts are essential system services like the telnet daemon, ftp daemon, mount daemon and more. For our setup, eth0 will be connected to the internal network and eth1 will be connected to the Internet. If using a dial-up connection, such as ppp0, make sure to enable the line for dynaddr below.

Here is a sample /etc/rc.d/rc.firewall file, where we'll keep all our IP masquerading startup commands.

/sbin/depmod -a # allows loading of modules into the kernel

# The following are custom modules, which allows use of
# tricky protocols through the firewall. It's general rule
# to use only those really needed.

/sbin/modprobe ip_masq_ftp # to FTP out
/sbin/modprobe ip_masq_raudio # enable RealAudio
/sbin/modprobe ip_masq_irc # enable IRC DCC
/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960 # Quake I/II/III
/sbin/modprobe ip_masq_cuseeme # CuSeeMe
/sbin/modprobe ip_masq_vdolive # VDO-live

echo "1" > /proc/sys/net/ipv4/ip_forward # Enables IP Forwarding! Important!
echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Do this if on a dialup (ppp0)

/sbin/ipchains -M -S 7200 10 160 # Set timeouts on masquerading sessions.
# Here, 2 hours idle for TCP sessions
# 10 seconds after a TCP FIN is received
# 2 minutes for UDP packets

/sbin/ipchains -P forward DENY # By default, deny packet forwarding
/sbin/ipchains -A forward -s -j MASQ # Enable IP masquerading
# is the subnet of our
# internal network. This must be changed
# to reflect the proper subnet of your
# internal network, otherwise masq'ing
# will fail. Try Daryl's Subnet Calc.
# ipprimer.windsorcs.com/subnet.html

/sbin/ipchains -N infilt # create a new "chain" named infilt
/sbin/ipchains -A input -i eth1 -j infilt # use infilt to check data from eth1
/sbin/ipchains -A infilt -s -l -j DENY
# deny anything from eth1 (the Internet
# interface) that says it's coming
# from the internal network. This will
# help prevent spoofing.

Before adding this to our startup scripts, we will want to test it. To do this, simply execute /etc/rc.d/rc.firewall. If we see no output, it's pretty safe to say that the commands worked. To configure the client side, simply set the default gateway to that of your Linux machine.

There are several tools available to monitor your IP masquerader. One of them is netstat. This tool will give a quick rundown of who is masquerading to where. Output may be similar to something like this:

$ netstat -M
IP masquerading entries
prot expire source destination ports
tcp 46:01.49 ntbox www.netearth.com 2806 -> 3306 (63673)
tcp 118:00.35 macintoy 1038 -> 5190 (62427)
tcp 4:36.31 macintoy www.linuxplanet.com 55076 -> www (61675)
tcp 119:48.56 ntbox web2.netearth.com 4337 -> ssh (63658)

Another tool is ipchains -L -v. This will give some overall statistics on the IP masquerading connection, including some basic bandwidth usage reports.

So what's so cool about this? You can maintain a single Internet connection for multiple users on multiple operating systems, using Linux as the gateway to the Internet. Plus, because ipchains and Linux itself are low cost or free, creating and maintaining this setup is much easier, and in many cases more secure, than a more expensive Windows solution.

Most Popular LinuxPlanet Stories