420 lines
17 KiB
Plaintext
420 lines
17 KiB
Plaintext
|
Masquerading Made Simple HOWTO
|
|||
|
|
|||
|
John Tapsell
|
|||
|
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><tapselj0@cs.man.ac.uk>
|
|||
|
|
|||
|
Thomas Spellman
|
|||
|
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><thomasNO@SPAMresonancePLEASE.org>
|
|||
|
|
|||
|
Matthias Grimm
|
|||
|
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><DeadBull@gmx.net>
|
|||
|
Revision History
|
|||
|
Revision 0.09 2004-07-21 Revised by: ts
|
|||
|
Revision 0.08 2002-07-11 Revised by: jpt
|
|||
|
Revision 0.07 2002-02-27 Revised by: jpt
|
|||
|
Revision 0.06 2001-09-08 Revised by: jpt
|
|||
|
Revision 0.05 2001-09-07 Revised by: jpt
|
|||
|
Revision 0.04 2001-09-01 Revised by: jpt
|
|||
|
Revision 0.03 2001-07-06 Revised by: jpt
|
|||
|
|
|||
|
|
|||
|
All of the authors are available on #debian on irc.opensource.net
|
|||
|
|
|||
|
John Tapsell (JohnFlux) is the official maintainer.
|
|||
|
|
|||
|
Email me (John Tapsell) for any query, flame, feedback, a date, etc.
|
|||
|
|
|||
|
Shamelessly stealing from David Ranch's work - <dranch@trinnet.net>.
|
|||
|
|
|||
|
This is NOT a replacement for the IP-Masquerading HOWTO - it is to complement
|
|||
|
it, and the two should be read side by side. I do not include things in here
|
|||
|
that are covered by the the other HOWTO, nor do I explain what it all means,
|
|||
|
or what it is all about. See [http://ipmasq.cjb.net] http://ipmasq.cjb.net
|
|||
|
and the standard Masq-HOWTO for a much better guides.
|
|||
|
|
|||
|
This document describes how to enable the Linux IP Masquerade feature on a
|
|||
|
given Linux host. IP Masq is a form of Network Address Translation or NAT
|
|||
|
that allows internally networked computers that do not have one or more
|
|||
|
registered Internet IP addresses to have the ability to communicate to the
|
|||
|
Internet via your Linux boxes single Internet IP address.
|
|||
|
|
|||
|
This is all under the GNU Free Documentation License
|
|||
|
|
|||
|
http://www.gnu.org/copyleft/fdl.html
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
Table of Contents
|
|||
|
1. Introduction
|
|||
|
2. Summary: (I like doing summaries first)
|
|||
|
3. Bitmore indepth version
|
|||
|
4. Post-install Instructions
|
|||
|
5. FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions
|
|||
|
|
|||
|
1. Introduction
|
|||
|
|
|||
|
This is intentionally short and to the point.
|
|||
|
|
|||
|
If you have a network, that you want to attach to the outside:
|
|||
|
|
|||
|
[network]
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2. Summary: (I like doing summaries first)
|
|||
|
|
|||
|
Assuming external internet card is eth0, and external IP is 123.12.23.43 and
|
|||
|
the internal network card is eth1, then:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway |
|
|||
|
|$> iptables -F; iptables -t nat -F; iptables -t mangle -F |
|
|||
|
|$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43 |
|
|||
|
|$> echo 1 > /proc/sys/net/ipv4/ip_forward |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Or for a dial-up connection:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway |
|
|||
|
|$> iptables -F; iptables -t nat -F; iptables -t mangle -F |
|
|||
|
|$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE |
|
|||
|
|$> echo 1 > /proc/sys/net/ipv4/ip_forward |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Then to secure it:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
|||
|
|$> iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT |
|
|||
|
|$> iptables -P INPUT DROP #only if the first two are succesful |
|
|||
|
|$> iptables -A FORWARD -i eth0 -o eth0 -j REJECT |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Or for a dial-up connection (with eth0 as the internal network card):
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
|||
|
|$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT |
|
|||
|
|$> iptables -P INPUT DROP #only if the first two are succesful |
|
|||
|
|$> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
And thats it! To view the rules do "iptables -t nat -L"
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3. Bitmore indepth version
|
|||
|
|
|||
|
Compiling the kernel: (Use a 2.4.x kernel or greater)
|
|||
|
|
|||
|
You need the following support in the kernel:
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Under Networking Options
|
|||
|
|
|||
|
<20><>+<2B>Network packet filtering (CONFIG_NETFILTER)
|
|||
|
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Under Networking Options->Netfilter Configuration
|
|||
|
|
|||
|
<20><>+<2B>Connection tracking (CONFIG_IP_NF_CONNTRACK)
|
|||
|
|
|||
|
<20><>+<2B>FTP Protocol support (CONFIG_IP_NF_FTP)
|
|||
|
|
|||
|
<20><>+<2B>IP tables support (CONFIG_IP_NF_IPTABLES)
|
|||
|
|
|||
|
<20><>+<2B>Connection state match support (CONFIG_IP_NF_MATCH_STATE)
|
|||
|
|
|||
|
<20><>+<2B>Packet filtering (CONFIG_IP_NF_FILTER)
|
|||
|
|
|||
|
<20><>o<EFBFBD>REJECT target support (CONFIG_IP_NF_TARGET_REJECT)
|
|||
|
|
|||
|
|
|||
|
<20><>+<2B>Full NAT (CONFIG_IP_NF_NAT)
|
|||
|
|
|||
|
<20><>o<EFBFBD>MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE)
|
|||
|
|
|||
|
<20><>o<EFBFBD>REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)
|
|||
|
|
|||
|
|
|||
|
<20><>+<2B>Packet mangling (CONFIG_IP_NF_MANGLE)
|
|||
|
|
|||
|
<20><>+<2B>LOG target support (CONFIG_IP_NF_TARGET_LOG)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
First, if the iptable and masq modules are not compiled into the kernel and
|
|||
|
not installed, but do exist as modules, we need to install them. If you
|
|||
|
insmod ipt_MASQUERADE it will load ip_tables, ip_conntrack and iptable_nat.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> modprobe ipt_MASQERADE |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Now either your Intranet is large, or you're just trying to get two or three
|
|||
|
machines to work on the internet - it doesn't make much difference either
|
|||
|
way.
|
|||
|
|
|||
|
Okay, I'm assuming that you have no other rules, so do:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> iptables -F; iptables -t nat -F; iptables -t mangle -F |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
If you get an error saying can't find iptables, go find it and install it. If
|
|||
|
it says no such table 'nat', recompile the kernel with nat support. If it
|
|||
|
says no such table as 'mangle', don't worry about it, it's not necessary for
|
|||
|
MASQ'ing. If it says iptables is incompatible with your kernel, go get > 2.4
|
|||
|
and compile that with iptables support.
|
|||
|
|
|||
|
Then if you have a static ip do (e.g. network card not using DHCP):
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43 |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
or for dynamic (e.g. a modem - you have to call a number first):
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Then finally to tell the kernel yes, you really do want to start forwarding
|
|||
|
packets: (This only needs to be done once per reboot - but dosen't hurt to do
|
|||
|
it lots)
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> echo 1 > /proc/sys/net/ipv4/ip_forward |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Once you have checked this all works (See under Post-install) only allow
|
|||
|
masquerading from the internal network - you don't want to allow people on
|
|||
|
the internet to use it after all :)
|
|||
|
|
|||
|
First, allow any existing connections, or anything related (e.g. ftp server
|
|||
|
connecting back to you)
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
If this gives an error, then you most likely don't have state tracking in the
|
|||
|
kernel - go recompile. Then allow new connections only from our intranet
|
|||
|
(local/internal network). Replace the ppp0 with eth0 or whatever your
|
|||
|
external device is. (The ! means anything but)
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
And now deny everything else:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|$> iptables -P INPUT DROP #only if the first two are succesful |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
If either of the first two rules failed, then this last rule with prevent the
|
|||
|
masquerading from working at all. To undo this rule do "iptables -P INPUT
|
|||
|
ACCEPT".
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
4. Post-install Instructions
|
|||
|
|
|||
|
And it should all work now. Don't forget to:
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Setup all the clients on the internal network to point to the Linux
|
|||
|
internal IP address as their gateway. (In windows right-click network
|
|||
|
neighbourhood->properties->gateway then change it to the Linux gateway
|
|||
|
internal ip.)
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Setup all the clients to use your ISP's HTTP proxy if they have one, use
|
|||
|
a transparent proxy (WARNING - I've heard reports of transparent proxying
|
|||
|
to be very slow on very big networks), or run squid on your new linux
|
|||
|
gateway. (This is optional, but preferrable for large networks)
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Be sure to specify a DNS when setting up your clients. Otherwise you will
|
|||
|
get errors on the clients saying 'cannot resolve address' etc. If DNS
|
|||
|
used to work (URL address worked) but doesn't after you setup
|
|||
|
Masquerading, this is because your ISP's/network's DHCP server can no
|
|||
|
longer tell you what the DNS address is.
|
|||
|
|
|||
|
[Offtopic] I wonder if you could simply send out a dhcp broadcast that
|
|||
|
just forwards on the dns server (and http_proxy while you're at it)
|
|||
|
without having to setup a dhcp server (or even if you do). Can someone
|
|||
|
mail me about this? :)
|
|||
|
|
|||
|
Thanks to Richard Atcheson for pointing this out.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Now you should start securing it! First turn off forwarding in general: "
|
|||
|
iptables -P FORWARD DROP", and then learn how to use iptables and /etc/
|
|||
|
hosts.allow and /etc/hosts.deny to secure your system. WARNING - Don't
|
|||
|
try this mentioned iptables rule until you have the masquerading working.
|
|||
|
You have to explicitely allow every packet through that you want if you
|
|||
|
are going to set the last rule to be DENY. (Undo with "iptables -P
|
|||
|
FORWARD ACCEPT")
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Allow through any services you do want the internet to see.
|
|||
|
|
|||
|
For an example, to allow access to your web server do:
|
|||
|
+---------------------------------------------------------------+
|
|||
|
|$> iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT |
|
|||
|
|$> iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT |
|
|||
|
+---------------------------------------------------------------+
|
|||
|
|
|||
|
To allow ident (For connecting to irc etc) do
|
|||
|
+---------------------------------------------------------------+
|
|||
|
|$> iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT |
|
|||
|
+---------------------------------------------------------------+
|
|||
|
|
|||
|
|
|||
|
To test it:
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Try connecting from a client to the web using an IP. Google's IP is
|
|||
|
216.239.33.100 (well that's one of them) and you should be able to get a
|
|||
|
reply from that. e.g. "ping 216.239.33.100" "lynx 216.239.33.100".
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Try a full out connection by name. e.g. "ping google.com" "lynx
|
|||
|
google.com" or from Internet Explorer / netscape.
|
|||
|
|
|||
|
|
|||
|
Where eth0 is the external Internet card, and 123.12.23.43 is the external ip
|
|||
|
of that machine.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
5. FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>How do I list the rules I've got so far?
|
|||
|
|
|||
|
- Try
|
|||
|
+---------------------------------------------------------------+
|
|||
|
|$> iptables -L |
|
|||
|
|$> iptables -t nat -L |
|
|||
|
+---------------------------------------------------------------+
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>It won't resolve IP's! I'm typing 'www.microsoft.com' in and it says it
|
|||
|
can't find it!
|
|||
|
|
|||
|
- Make sure you add the dns server ip to all the clients.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>It don't work! It doesn't like iptables / NAT / SNAT / MASQ
|
|||
|
|
|||
|
- Go get the latest kernel, and compile with iptables and full NAT
|
|||
|
support.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>It don't work! The masquerading doesn't work at all! Die scum!
|
|||
|
|
|||
|
- Try echo 1 > /proc/sys/net/ipv4/ip_forward
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>It don't work! I can't use the network at all and I hate you!
|
|||
|
|
|||
|
- Try
|
|||
|
+---------------------------------------------------------------+
|
|||
|
|$> iptables -F |
|
|||
|
|$> iptables -t nat -F |
|
|||
|
|$> iptables -t mangle -F |
|
|||
|
+---------------------------------------------------------------+
|
|||
|
|
|||
|
(all rules went bye-bye) then rerun the other iptables rules.
|
|||
|
|
|||
|
- Try iptables -P FORWARD ACCEPT
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>It still don't work!
|
|||
|
|
|||
|
- Hmm, does "dmesg | tail" give any errors? or "cat /var/log/messages |
|
|||
|
tail" ? Like I care tho...
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>I don't get, it just ain't working!
|
|||
|
|
|||
|
- I dunno.. but you should be able to:
|
|||
|
+---------------------------------------------------------------+
|
|||
|
| 1) From the gateway machine, ping the outside |
|
|||
|
| 2) From the gateway ping your internal machines |
|
|||
|
| 3) From the internal machines ping the gateway |
|
|||
|
+---------------------------------------------------------------+
|
|||
|
|
|||
|
And this is before you play with masq'ing
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Where do I put this stuff?
|
|||
|
|
|||
|
- In the /etc/network/interfaces file, or firewall.rc. If you put it in
|
|||
|
the interfaces file, then put it as a pre-up to the external interface,
|
|||
|
and have "iptables -t nat -F" as the post-down.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>How do I get it to only bring the ppp up on demand?
|
|||
|
|
|||
|
- Assuming your ISP gateway IP is say 23.43.12.43 for arguments sake,
|
|||
|
then append a line like this:
|
|||
|
|
|||
|
:23.43.12.43
|
|||
|
|
|||
|
to /etc/ppp/peers/provider at the end. (this is for dynamic IP - static
|
|||
|
IP would be my.external.ip.number:23.43.12.43 )
|
|||
|
|
|||
|
Then at the end of that file add on a newline:
|
|||
|
|
|||
|
demand
|
|||
|
|
|||
|
Pppd will remain in the background to redial the connection on demand if
|
|||
|
it's dropped until you do an "ifdown ppp0" or a "poff", unless you add a
|
|||
|
"nopersist" option, in which case pppd will exit after the connection is
|
|||
|
up. You can also add on a new line "idle 600" to disconnect after 10 mins
|
|||
|
of idleness.
|
|||
|
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>The connection keeps dropping!
|
|||
|
|
|||
|
- First, do you have demand dialing? Is it just doing what it is supposed
|
|||
|
to? Check /etc/ppp/peers/provider, and make sure your dial up works fine
|
|||
|
before attempting masq'ing.
|
|||
|
|
|||
|
- Secondly, if not, then perhaps, like me, something is going weird, and
|
|||
|
you need to fall back to Linux 2.4.3 and see if that works instead..
|
|||
|
dunno why.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>I hate doing this myself! I want a pre-made script and GUI and stuff.
|
|||
|
|
|||
|
- Sure: [http://shorewall.sourceforge.net/] http://
|
|||
|
shorewall.sourceforge.net/
|
|||
|
|
|||
|
Eat your heart out!
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Do I count Cable modems as static or dynamic IP's?
|
|||
|
|
|||
|
- Good question.. might as well make it dynamic.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>Do I count DHCP network cards as static or dynamic IP's?
|
|||
|
|
|||
|
- They are dynamic.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>How do I handle incomming services?
|
|||
|
|
|||
|
- Try forwarding or redirecting the IP ports - again make sure you
|
|||
|
firewall this if needed.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>From the clients, I can ping the linux gateway's external IP address, but
|
|||
|
can't access the internet.
|
|||
|
|
|||
|
- Okay, try doing "rmmod iptable_filter" - more info on this as I get it.
|
|||
|
|
|||
|
- Make sure your not running routed or gated - to check run "ps aux |
|
|||
|
grep -e routed -e gated".
|
|||
|
|
|||
|
- Look at [http://ipmasq.cjb.net] http://ipmasq.cjb.net
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>How can I view the connections establish? Something like netstat..
|
|||
|
|
|||
|
- Try cat /proc/net/ip_conntrack
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>I need more squid info and routing and stuff!
|
|||
|
|
|||
|
- Try the Advanced Routing HOWTO http://www.linuxdoc.org/HOWTO/
|
|||
|
Adv-Routing-HOWTO.html
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>This howto is crap! How do I yell at the guys who wrote this?
|
|||
|
|
|||
|
- Go to #debian on irc.opensource.net and find and locate JohnFlux. -
|
|||
|
Mail me (JohnFlux) at tapselj0@cs.man.ac.uk
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>This howto is crap! How can I see better versions?
|
|||
|
|
|||
|
- Try [http://ipmasq.cjb.net] http://ipmasq.cjb.net
|
|||
|
|
|||
|
- Consult the LDP Masq-HOWTO.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>What else are you working on?
|
|||
|
|
|||
|
Currently I'm writing a guide on linux on
|
|||
|
anti-missile-missiles-made-simple. There's no good guides on protecting
|
|||
|
your system from nuclear attacks for newbies. People seem to think its
|
|||
|
rocket science or something..
|
|||
|
|
|||
|
|