Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
Linux Masquerading and Forwarding
Overview
Unlike the example configurations in chapter 7, configuring a Linux server to masquerade and
forward traffic from an internal private network that uses unregistered IP addresses (e.g.
192.168.1.0/24) to an outside network (e.g. the Internet) requires a special setup of both your
kernel and your firewall configuration script. A machine set up this way is also known as a
Gateway Server (a machine that serves as the gateway between internal and external traffic). This
configuration should only be set up if you actually intend to offer, and need, this kind of service,
which is why the configuration of the script file for the Gateway Server has its own chapter.
Build a kernel with Firewall Masquerading and Forwarding support
Once again, the first thing you need to do is ensure that your kernel has been built with Network
firewall and IP Firewalling support enabled. For kernel version 2.2.14 you must have answered Y
to the following questions:
Networking options:
Network firewalls (CONFIG_FIREWALL) [N] Y
IP:Firewalling (CONFIG_IP_FIREWALL) [N] Y
IP:TCP syncookie support (CONFIG_SYN_COOKIES) [N] Y
NOTE: If you followed the Linux Kernel section and recompiled your kernel, the Network firewalls,
IP:Firewalling and IP:TCP syncookie support options shown above are already set. IP:Masquerading
and IP:ICMP Masquerading are required only for a Gateway Server.
IP:Masquerading (CONFIG_IP_MASQUERADE) [N] Y
IP:ICMP Masquerading (CONFIG_IP_MASQUERADE_ICMP) [N] Y
NOTE: Only your Gateway Server needs the IP:Masquerading and IP:ICMP Masquerading kernel
options enabled. They are required to masquerade your internal network toward the outside.
Masquerade means that if one of the computers on your local network for which your Linux box
(or gateway) acts as a firewall wants to send something to the outside, your box can
"masquerade" as that computer. In other words it forwards the traffic to the intended outside
destination, but makes it look like it came from the firewall box itself. It works both ways: if the
outside host replies, the Linux firewall will silently forward the traffic to the corresponding local
computer. This way, the computers on your local network cannot be reached from the outside world
(only the gateway's own address is ever seen, and no outside host can open a connection to an
internal machine unless you deliberately forward a port to it), even though they can reach the
outside and receive replies to the connections they start. This makes it possible for the
computers on the local network to participate on the Internet even if they don't have officially
registered IP addresses.
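The two things this chapter has asked for so far, the kernel options listed above and the masquerading setup just described, can be checked and generated by one small script. The following is an added example, not taken from the book or from its firewall scripts. It verifies a kernel .config against the five options listed above (a constructed sample .config is embedded so it runs anywhere; on your own server point it at /usr/src/linux/.config), reports whether IP forwarding is currently on, and prints, rather than runs, the commands a 2.2-kernel gateway needs: turning on IP forwarding, which masquerading requires as the next paragraph explains, and an ipchains forward chain whose default policy is DENY and whose only rule masquerades the internal network out through the external interface. The internal network 192.168.1.0/24 and the external interface eth0 are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the book. Checks a kernel .config for the five
# options the chapter lists, reports whether IP forwarding is currently on,
# and prints the ipchains commands for a masquerading gateway.
# Assumptions: internal network 192.168.1.0/24, external interface eth0.

REQUIRED_OPTIONS="CONFIG_FIREWALL CONFIG_IP_FIREWALL CONFIG_SYN_COOKIES CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_ICMP"

# check_kernel_config FILE
# Prints every required option that is not "=y" in FILE, one per line.
# Returns 0 if all are set, 1 otherwise.
check_kernel_config() {
    missing=0
    for opt in $REQUIRED_OPTIONS; do
        if ! grep -q "^${opt}=y\$" "$1"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# forwarding_enabled
# Reads the same file the book's echo command writes. Returns 0 when
# forwarding is on, 1 when it is off, 2 when /proc/sys is unavailable.
forwarding_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# gateway_commands INTERNAL_NET EXT_IF
# Prints (does not run) the commands for a 2.2 gateway: enable forwarding,
# default the forward chain to DENY so nothing is routed by accident, then
# masquerade only traffic from INTERNAL_NET leaving through EXT_IF.
gateway_commands() {
    net="$1"
    ext="$2"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "ipchains -P forward DENY"
    echo "ipchains -A forward -s $net -i $ext -j MASQ"
}

# Constructed sample .config, not a real kernel's: ICMP masquerading is
# deliberately left unset so the check has something to report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_MASQUERADE=y
# CONFIG_IP_MASQUERADE_ICMP is not set
EOF

if missing_opts=$(check_kernel_config "$sample"); then
    echo "kernel config: all masquerading options are set"
else
    echo "kernel config is missing: $(echo $missing_opts)"
fi
rm -f "$sample"

if forwarding_enabled; then
    echo "IP forwarding is currently on"
else
    echo "IP forwarding is currently off (or /proc/sys is unavailable)"
fi

echo "Commands for the gateway (review, then run as root):"
gateway_commands 192.168.1.0/24 eth0
```

Review the printed commands before piping them into sh as root: with the forward chain policy set to DENY, anything not explicitly masqueraded is dropped, which is what you want on a gateway, but it also means a wrong network or interface argument cuts the internal hosts off rather than exposing them.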
The IP masquerading code will only work if IP forwarding is enabled on your system. This feature
is disabled by default.
· To enable IP forwarding on your server, execute the following command:
[root@deep /]# echo "1" > /proc/sys/net/ipv4/ip_forward
You can add the above line to your /etc/rc.d/rc.local script file so that IP forwarding is enabled
automatically even after your server is rebooted. In Red Hat Linux this can also be
accomplished by changing the line in the /etc/sysconfig/network file from:
FORWARD_IPV4="false