
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 129

Linux Masquerading and Forwarding

Overview

Unlike the example configurations in chapter 7, configuring a Linux server to masquerade and forward traffic from an inside private network that uses unregistered IP addresses (e.g. 192.168.1.0/24) to an outside network (e.g. the Internet) requires a special setup of your kernel and of your firewall configuration script file. This kind of setup is also known as a Gateway Server (a machine that serves as the gateway between internal and external traffic). This configuration must only be set up if you intend to and need to provide this kind of service, which is why the configuration of the script file for the Gateway Server has its own chapter.

Build a kernel with Firewall Masquerading and Forwarding support

Once again, the first thing you need to do is ensure that your kernel has been built with Network Firewall and Firewalling support enabled. In the 2.2.14 kernel version you need to ensure that you have answered Y to the following questions:

Networking options:
Network firewalls (CONFIG_FIREWALL) [N] Y
IP: Firewalling (CONFIG_IP_FIREWALL) [N] Y
IP: TCP syncookie support (CONFIG_SYN_COOKIES) [N] Y

NOTE: If you followed the Linux Kernel section and recompiled your kernel, the options "Network firewalls", "IP: Firewalling", and "IP: TCP syncookie support" shown above are already set. IP Masquerading and IP ICMP Masquerading are required only for a Gateway Server.

IP: Masquerading (CONFIG_IP_MASQUERADE) [N] Y
IP: ICMP Masquerading (CONFIG_IP_MASQUERADE_ICMP) [N] Y

NOTE: Only your Gateway Server needs to have the "IP: Masquerading" and "IP: ICMP Masquerading" kernel options enabled. They are required to masquerade your internal network to the outside.
Masquerade means that if one of the computers on your local network, for which your Linux box (or gateway) acts as a firewall, wants to send something to the outside, your box can "masquerade" as that computer. In other words, it forwards the traffic to the intended outside destination, but makes it look like it came from the firewall box itself. It works both ways: if the outside host replies, the Linux firewall will silently forward the traffic to the corresponding local computer. This way, the computers on your local net are completely invisible to the outside world, even though they can reach the outside and can receive replies. This makes it possible to have the computers on the local network participate on the Internet even if they don't have officially registered IP addresses.

The IP masquerading code will only work if IP forwarding is enabled on your system. This feature is disabled by default, and you can enable it with the following command:

· To enable the IP forwarding feature on your server, execute the following command:

[root@deep /]# echo "1" > /proc/sys/net/ipv4/ip_forward

You can add the above line to your "/etc/rc.d/rc.local" script file so that IP forwarding is enabled automatically for you even if your server is rebooted. In Red Hat Linux this can also be accomplished by changing the line in the "/etc/sysconfig/network" file from:

FORWARD_IPV4="false"
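The chapter's rule is that the masquerading options and IP forwarding belong on the Gateway Server only, while every firewall host needs the three firewalling options. The following audit script is an added example, not code from the book: it checks a kernel config file and an ip_forward file against the host's intended role, and it runs here on constructed sample files rather than /boot/config-$(uname -r) and /proc/sys/net/ipv4/ip_forward.

```shell
# Added example (not from the book): audit firewalling/masquerading state
# against the host's role. Paths are parameters, so the checks run on the
# constructed files below or on the live kernel config and ip_forward files.

# Options the chapter requires on every firewall host, and the two that
# only a Gateway Server should have enabled.
FIREWALL_OPTS="CONFIG_FIREWALL CONFIG_IP_FIREWALL CONFIG_SYN_COOKIES"
MASQ_OPTS="CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_ICMP"

# missing_opts CONFIG_FILE "OPT OPT ..." -> prints the options not set to y
missing_opts() {
  out=""
  for opt in $2; do
    grep -q "^$opt=y\$" "$1" || out="$out${out:+ }$opt"
  done
  printf '%s' "$out"
}

# forwarding_enabled IP_FORWARD_FILE -> exit 0 when the file contains 1
forwarding_enabled() {
  [ "$(cat "$1")" = "1" ]
}

# audit ROLE CONFIG_FILE IP_FORWARD_FILE -> PASS/FAIL lines, exit 1 on any FAIL
# ROLE is "gateway" for a masquerading box, anything else for a plain server.
audit() {
  role=$1 cfg=$2 fwd=$3 status=0
  m=$(missing_opts "$cfg" "$FIREWALL_OPTS")
  [ -z "$m" ] || { echo "FAIL: firewall options missing: $m"; status=1; }
  if [ "$role" = gateway ]; then
    m=$(missing_opts "$cfg" "$MASQ_OPTS")
    [ -z "$m" ] || { echo "FAIL: masquerading options missing: $m"; status=1; }
    forwarding_enabled "$fwd" || { echo "FAIL: ip_forward is 0 on a gateway"; status=1; }
  else
    # A non-gateway must not route packets between its interfaces.
    ! forwarding_enabled "$fwd" || { echo "FAIL: ip_forward is 1 on a non-gateway"; status=1; }
  fi
  [ "$status" -ne 0 ] || echo "PASS: $role"
  return "$status"
}

# Constructed sample files (not real system files) so this runs stand-alone.
tmp=$(mktemp -d)
printf 'CONFIG_FIREWALL=y\nCONFIG_IP_FIREWALL=y\nCONFIG_SYN_COOKIES=y\n' > "$tmp/config-server"
{ cat "$tmp/config-server"; printf 'CONFIG_IP_MASQUERADE=y\nCONFIG_IP_MASQUERADE_ICMP=y\n'; } > "$tmp/config-gateway"
echo 0 > "$tmp/fwd_off"
echo 1 > "$tmp/fwd_on"
audit gateway "$tmp/config-gateway" "$tmp/fwd_on"          # PASS: gateway
audit server  "$tmp/config-server"  "$tmp/fwd_off"         # PASS: server
audit gateway "$tmp/config-server"  "$tmp/fwd_off" || true # two FAIL lines
```

On a live Red Hat box, pass /boot/config-$(uname -r) (if your kernel build saved it) and /proc/sys/net/ipv4/ip_forward as the two file arguments.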