IP Masquerading, Firewalling and Forwarding
by David Johns and Jonathan Arehart
1999.11.21.04


It is unfortunately necessary to step outside of the bounds of linuxconf to discuss proper firewalling and ip masquerading rules. Linuxconf is a very useful tool, but it is sometimes necessary to get to the "guts" of the machine. In Linux, this is done on the command line.

The actual task of setting up IP masquerading is very simple. It consists of setting one forwarding rule, sending a command to the kernel, and loading some helpers for specific protocols. It is best to begin this particular portion of the firewall's task only AFTER the computer is otherwise fully functional, so it is best to add the IP masquerade rule and the kernel command at the end of rc.local, which is the last script executed before the "login" prompt appears. In other words, we do this as the last step of booting your machine.

  1. As root, run "pico /etc/rc.d/rc.local" (This is equivalent to "edit autoexec.bat" in DOS.)
  2. Go to the end of the document.
  3. Insert these lines:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
    /sbin/insmod ip_masq_ftp
    /sbin/insmod ip_masq_raudio
    /sbin/insmod ip_masq_vdolive
    /sbin/insmod ip_masq_cuseeme
    /sbin/insmod ip_masq_irc

    These lines do several important things. The first tells the core of Linux (the kernel) that it should look for a rule to tell it how to route network data. The second line is that rule.

    The rule says that the Linux kernel should accept network data and that it should be forwarded by masquerading, as long as said data comes from your private network (192.168.1.x). The destination for the data can by anywhere. Masquerading is also called network address translation, since the address of the computer from which the data was originally sent is changed by your Linux machine to be the single public address (in the case of our class 207.101.59.176 or so). This change is reversed when responses are received from other computers on the Internet, so that neither end can tell what happened; only the Linux machine knows.

    The last five lines add some helping rules so that Internet software with special requirements can also work transparently through your Linux machine. The ones enabled here, are ftp, irc, Real Audio, CUseeMe, and VDO Live.
  4. Press Ctrl-X to save a file and exit in pico

Protecting your computer

IPChains and firewalling

If you want more information about ipchains, take a look at the ipchains howto.

We're not really going to discuss ipchains rules in depth in this curriculum, since that discussion would take a great deal more time than we are devoting to this course. However, if you want to take advantage of ipchains rules, the simplest place to do so is at the end of rc.local. Ipchains allows you to control packet input, output, and masquerading; it will also log events that you choose with "accounting" rules. Ipchains can be added or deleted from the command line, and if you wish to make changes permanent you should add them to the end of rc.local. These rules are far outside the scope of this course, however. If you wish to use more stringent firewalling rules, then please consult the ipchains howto and add them in rc.local.

Needless services

Another method for dealing with security involves turning off unused services. For instance, most computers have the "time" service running, which, while very few people use it, can be attacked. There are several places where services can and should be disabled; for the sake of this class, we'll focus on disabling services in linuxconf. This should be handled exclusively by collaboration with the instructor, since the choice of which services are important to you determines exactly what should be done.


See Also: hosts.allow, hosts.deny, inetd.conf, inetd
Related pages: Security Howto