3.2.1. Compiling Linux 2.4.x Kernels

• First of all, you need the kernel source for 2.4.x (preferably the latest kernel version)

  • NOTE #1: As the 2.4.x train and IPTABLES archive develoment progresses, the compile configurion options will probably keep changing. As of this version, this section reflects the settings for IPTABLES 1.2.4 and the 2.4.14 kernel. If you are compiling against a previous version, the dialogs will look different. It is recommended that you update to the newest versions for added capability, performance, and stability of the kernel.

• Next, you really need the IPTABLES archive to apply patches against the kernel. For example, the IPTABLES patches enable the masquerading of IRC and FTP traffic as well as other network applications. You can find this archive in the 2.4.x requirements chapter which is in Section 2.6.

• If this is your first time compiling the kernel, don't be scared. In fact, it's rather easy and it's covered in several URLs found in Section 2.6. Please note that the instructions included here is just one way to do build a kernel. Please see the Kernel HOWTO for full details.

  NOTE: Please notice that it isn't recommended to put the new kernel sources into /usr/src/linux. You should leave the original kernel sources that came with your Linux distribution in /usr/src/linux. For more details on this topic, please read the "README" file in the top level directory of your kernel sources.

• For this HOWTO example, create a directory called /usr/src/kernel. Next, "cd" into this directory and download the newest 2.4.x kernel sources into it. Once downloaded, issue the following command (if the file ends in a .tar.gz): tar xvzf linux-2.4.x.tar.gz or (if the file ends in a .tar.bzip2): tar xyvf linux-2.4.x.tar.bz2. Please substitute the "x" in the 2.4.x filename with the Linux 2.4 kernel version you downloaded.

  NOTE: Some Linux distributions use the "I" option instead of the "y" option to decompress bzip2 archives.

  Once uncompressed, I recommend that you rename the directory from "linux" to "linux-2.4.x" for clarity. To do this, run the command mv linux linux-2.4.x. Next, make sure there is a directory or symbolic link pointing to /usr/src/kernel/linux ie. run the command: ln -s /usr/src/kernel/linux-2.4.x /usr/src/kernel/linux again subsituting the "x" for your proper kernel version.

• Next, it is highly recommended that you apply any appropriate or optional patches to the kernel source code BEFORE you compile the kernel. As of 2.4.4, you can apply the IPTABLES patches to enable special protocol support for programs like IRC, FTP, etc. Ultimately, IP Masq does not require any specific patching in order for the system to work for NAT-friendly network applications. Please refer to Section 2.6 for URLs and the IP Masquerade Resources for up-to-date information and patch URLs.

• Applying the IPTABLES kernel patches

  Download the iptables package from the Section 2.6 and put it into a directory, say /usr/src/archive/netfilter. Next, go into this new netfilter directory and uncompress the iptables archive with the command:

  tar xyvf iptables-1.2.x.tar.bz2

  Now, go into the new iptables-1.2.x directory and run the command

  make pending-patches KERNEL_DIR=/usr/src/kernel/linux

  NOTE: this assumes that your 2.4.x kernel sources are in the /usr/src/kernel/linux directory.

  NOTE #2: If you append a "/" to the end of the command line, you will get an error stating: "make: *** [/usr/src/kernel/linux/include/asm/socket.h] Error 1". Remove the trailing "/" and try again.

  Here is an example of the prompts you might receive for a 2.4.14 kernel. Please note that these prompts WILL CHANGE over time.

• Making dependencies: please wait... ----------------------------------------------------------------- Welcome to Rusty's Patch-o-matic! Each patch is a new feature: many have minimal impact, some do not. Almost every one has bugs, so I don't recommend applying them all! ------------------------------------------------------- Testing... ipt_MIRROR-ttl.patch NOT APPLIED (3 rejects out of 3 hunks) The ipt_MIRROR-ttl patch: Author: Harald Welte Status: Compiles, yet untested This adds TTL decrementing (and checking/dropping) in case the MIRROR target is used in INPUT or PREROUTING chains/hooks. This is to avoid endless packet loops. Do you want to apply this patch [N/y/t/f/q/?] y ------------------------------------------------------- Already applied: ipt_MIRROR-ttl ipt_REJECT-checkentry Testing... ipt_LOG.patch NOT APPLIED (1 rejects out of 1 hunks) The ipt_LOG patch: Author: Jozsef Kadlecsik Status: Submitted for kernel inclusion The LOG target has a bug when attempting to print the inner ip packet in icmp error messages. This patch fixes the bug. Do you want to apply this patch [N/y/t/f/q/?] y ------------------------------------------------------- Already applied: ipt_MIRROR-ttl ipt_REJECT-checkentry ipt_LOG 2.4.1 tos-fix Already applied: tcp-MSS 2.4.4 ip6tables-export-symbols Testing... sackperm.patch ALREADY APPLIED (0 rejects out of 1 hunks). Excellent! Kernel is now ready for compilation.

• If everything patches fine, you should see something like the text

  Excellent! Kernel is now ready for compilation.

  towards the bottom of the screen.

• Ok, the kernel is ready to go but you should make sure that you also have the iptables program on your machine too. Run the command:

  • whereis iptables

  and make sure its installed on the machine (the default place is in /usr/local/sbin/iptables. If you cannot find it in that directory or some other directory, I recommend you just compile it up. Since you already patched the kernel with the IPTABLES patches, compiling IPTABLES itself is simple to do.

  Follow these simple steps:

  • make KERNEL_DIR=/usr/src/kernel/linux

  • make install KERNEL_DIR=/usr/src/kernel/linux

• Now that the kernel is patched up, here is the MINIMUM kernel configuration options required to enable IP Masquerade functionality. Please understand that this HOWTO illustrates just ONE way to compile a kernel. The main difference from this method vs. a different one is some people wish to compile things either as modules OR monolithically right into the kernel. Basically, compiling things as modules gives you added flexibility to what is or isn't installed into the kernel (reduces unneeded memory use and allow for drop-in upgrades [no need to reboot]) BUT they add more complexity to your configuration. On the flip side, compiling things directly into the kernel makes things simpler BUT you loose a level of flexibility. The following example is a mixture of both built-in AND modules.

  Side Note: It is assumed that you will also configure the kernel to use your other installed hardware such as network interfaces, optional SCSI controllers, etc as well. Please refer to the Linux Kernel HOWTO and the kernel source's README file and Documentation/ directory for detailed help on compiling a kernel.

Please note the YES or NO ANSWERS to the following. Not all options will be available without the proper kernel patches described later in this HOWTO.

Run the following commands to configure your kernel:

• cd /usr/src/kernel/linux

• make menuconfig

Please note the following kernel prompts reflect a 2.4.14 kernel:

[ Code maturity level options ] * Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?] - YES: though not required for IP MASQ, this option allows the kernel to create the MASQ modules and enable the option for port forwarding * Enable loadable module support (CONFIG_MODULES) [Y/n/?] - YES: allows you to load kernel IP MASQ modules * Set version information on all module symbols (CONFIG_MODVERSIONS) [Y/n/?] - YES: allows newer kernels to load older modules if possible * Kernel module loader (CONFIG_KMOD) [Y/n/?] - OPTIONAL: Recommended : allows the kernel to load various kernel modules as it needs them == Non-MASQ options skipped == (CPU type, memory, SMP, FPU, specific stuff) [ General setup ] * Networking support (CONFIG_NET) [Y/n/?] - YES: Enables the network subsystem == Non-MASQ options skipped == (specific hardware, PCI, kernel binaries, PCMCIA, etc.) * Sysctl support (CONFIG_SYSCTL) [Y/n/?] - YES: Enables the ability to enable disable options such as forwarding, dynamic IPs, etc. via the /proc interface [ Block devices ] == Non-MASQ options skipped == (kernel binaries, power management, PnP, RAID, etc.) == Don't forget to compile in support for hardware that you might need: == IDE controllers, HDs, CDROMs, etc. [ Networking options ] * Packet socket (CONFIG_PACKET) [Y/m/n/?] - YES: Though this is OPTIONAL, this recommended feature will allow you to use TCPDUMP to debug any problems with IP MASQ * Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y - YES: Speed up the packet protocol * Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] - OPTIONAL: Recommended : this feature will allow the logging of advanced firewall issues such as routing messages, etc * Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y - OPTIONAL: Allows for support of advanced kernel routing messages if you enabled the CONFIG_NETLINK option * Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) - NO: This option does not have anything to do with packet firewall logging * Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y - YES: Enable this option to let IPTABLES configure the TCP/IP subsection of the kernel. By enabling this, then you can turn on advanced routing mechanisms like IP Masq, packet filtering, etc. * Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) n - NO: Not required for Masquerading functionality though it may help for troubleshooting. There might be a performance penalty when enabling this. * Socket Filtering (CONFIG_FILTER) [Y/n/?] - OPTIONAL: Recommended : Though this doesn't have anything do with IPMASQ, if you plan on implimenting a DHCP server on the internal network, you WILL need to enable this option. * Unix domain sockets (CONFIG_UNIX) [Y/m/n/?] - YES: This enables the UNIX TCP/IP sockets mechanisms * TCP/IP networking (CONFIG_INET) [Y/n/?] - YES: Enables the TCP/IP protocol * IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?] - OPTIONAL: You can enable this if you want to be able to receive Multicast traffic. Please note that your ISP must support Multicast as well for this all to work at all * IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] - OPTIONAL: Though there is nothing in this section mandatory for Masquerade, some specific options might be useful == Non-MASQ options skipped == ( autoconf, tunneling ) * IP: multicast routing (CONFIG_IP_MROUTE) [N/y/?] n - OPTIONAL: Though not needed for IPMASQ, enabling this feature will let you route multicast traffic through your Linux box. Please note that this requires that your ISP be multicast enabled as well. == Non-MASQ options skipped == (ARPd) * IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?] n - NO: Though enabling this option would be great, there are many Internet sites out there that will block this. Hit the "?" when configuring the kernel to learn more about it but it is recommended to say NO for now. * IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [Y/n/?] - YES: Recommended : for basic TCP/IP network security [ Networking options --> IP: Netfilter Configuration ] * Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/m/?] (NEW) m - YES: (Module) This enables the kernel to track various network connections. This option is required for Masquerading support as well as to enable Stateful tracking for various filewall mechanisms. Please note that if you compile this directly into the kernel, you cannot enable the legacy IPCHAINS or IPFWADM compatibility modules. * FTP protocol support (CONFIG_IP_NF_FTP) [M/n/?] (NEW) m - YES: (Module) This enables the proper Masquerading of FTP connections if CONFIG_IP_NF_CONNTRACK was enabled above * IRC protocol support (CONFIG_IP_NF_IRC) [M/n/?] (NEW) m - YES: (Module) This enables the proper Masquerading of IRC connections if CONFIG_IP_NF_CONNTRACK was enabled above * Userspace queueing via NETLINK (EXPERIMENTAL) (CONFIG_IP_NF_QUEUE) [N/y/m/?] (NEW) m - OPTIONAL: Though this is OPTIONAL, this feature will allow IPTABLES to copy specific packets to UserSpace tools for additional checks * IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/m/?] (NEW) m - YES: (Module) Enables IPTABLES support * limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/y/m/?] (NEW) y - OPTIONAL: (Module) Recommended : Though not required, this option can used to enable rate limiting of both traffic and loggin messages help slow down denial of service (DoS) attacks. * MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/y/m/?] (NEW) m - OPTIONAL: Though not required, the option can allow you to filter traffic based upon the SOURCE Ethernet MAC address. * netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/y/m/?] (NEW) y - YES: (Module) Recommended : This enables IPTABLES to take action upon marked packets. This mechanism can allow for PORTFW functionality, TOS marking, etc. * Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/y/m/?] (NEW) y - YES: (Module) Recommended : This enables IPTABLES to accept mutliple SRC/DST port ranges (non-contiguous) instead of one port range per IPTABLES statement. * TOS match support (CONFIG_IP_NF_MATCH_TOS) [Y/m/n/?] n - OPTIONAL: This allows IPTABLES to match packets based upon their DIFFSERV settings. * LENGTH match support (CONFIG_IP_NF_MATCH_LENGTH) [N/m/?] (NEW) n - OPTIONAL: This allows IPTABLES to match packets based upon their packet length. * TTL match support (CONFIG_IP_NF_MATCH_TTL) [N/m/?] (NEW) ? n - OPTIONAL: This allows IPTABLES to match packets based upon their TTL settings. * tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) [N/y/m/?] m - OPTIONAL: (Module) Recommended : This option allows users to examine the MSS value in TCP SYN packets. This is an advanced knob but can be very valuable in troubleshooting MTU problems. * Connection state match support (CONFIG_IP_NF_MATCH_STATE) [M/n/?] m - YES: (Module) Recommended : This option allows for Stateful tracking of network connections. * Unclean match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_UNCLEAN) [N/y/m/?] y - YES: (Module) Recommended : This option allows for connection tracking on odd packets. It cal also help in the detection of possibly malicious packets. This can be a valuable tool in tracking hostile people on the network. * Owner match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_OWNER) [N/y/m/?] n - OPTIONAL: This option allows IPTABLES to match traffic based upon the user login, group, etc. who created the traffic. * Packet filtering (CONFIG_IP_NF_FILTER) [N/y/m/?] ? y - YES: (Module) This option allows for the kernel to be able filter traffic at the INPUT, FORWARDING, and OUTPUT traffic points. * REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/y/m/?] (NEW) y - YES: (Module) With this option, a packet firewall can send an ICMP Reject packet back to the originator when a packet is blocked. * MIRROR target support (EXPERIMENTAL) (CONFIG_IP_NF_TARGET_MIRROR) [N/y/m/?] (NEW) n - OPTIONAL: This option allows the packet firewall to mirror the exact same network packet back to the originator when it is supposed to be blocked. This is similar to the REJECT option above but it actually sends the original packet back to the originator. i.e. a hostile user could actually portscan themselves. * Full NAT (CONFIG_IP_NF_NAT) [M/n/?] m - YES: (Module) This option enables the future menus to enable Masquerading, PORTFWing, Full (1:1) NAT, etc. * MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) [M/n/?] (NEW) m - YES: (Module) This option specifically enables Masquerade into the kernel * REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT) [N/y/m/?] n - OPTIONAL: Not needed for normal MASQ functionality though people who want to do transparent proxy via Squid will want this. * Basic SNMP-ALG support (EXPERIMENTAL) (CONFIG_IP_NF_NAT_SNMP_BASIC) [N/m/?] n - OPTIONAL: This enables IPTABLES to properly NAT internal SNMP packets so that machines with duplicate addressing ranges can be properly managed. * Packet mangling (CONFIG_IP_NF_MANGLE) [N/y/m/?] y - YES: (Module) This option allows for advanced IPTABLES packet manipulation options. * TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/y/m/?] (NEW) n - OPTIONAL: Enables the kernel to modify the TOS field in a packet before routing it on * MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/y/m/?] (NEW) m - OPTIONAL: (Module) Recommended : This enables the kernel to manipulate packets based upon the MARK field. This can be used for PORTFW as well as many other things. * LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/y/m/?] m - YES: (Module) This allows for the logging of packets before they are accepted, denied, rejected, etc. * TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) [N/y/m/?] ? m - YES: (Module) This option help some people with MTU problems. Typically, most users have to set their Internet connection's MTU to 1500 as well as ALL internal machines to 1500. With this option, this whole MTU issue might be finally solved. * ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_IPCHAINS) [N/y/m/?] m - OPTIONAL: (Module) Recommended : If you have an existing IPCHAINS ruleset (2.2.x kernels) and enable this option, you can continue to use the IPCHAINS program and the majority of your old ruleset except for the use of any 2.2.x kernel-specific modules. Please note that if this IPCHAINS module is loaded, ALL IPTABLES modules will be non- operational. This is an either/or deal only intended for legacy rulesets. * ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_IPFWADM) [N/y/m/?] n - OPTIONAL: If you have an existing IPFWADM ruleset (2.0.x kernels) and enable this option, you can continue to use the IPFWADM program and the majority of your old ruleset except for the use of any 2.0.x kernel-specific modules. Please note that if this IPFWADM module is loaded, ALL IPTABLES modules will be non operational. This is an either/or deal only intended to support legacy rulesets. == Non-MASQ options skipped == (IPv6, khttpd, ATM, IPX, AppleTalk, etc.) -- * Fast switching (read help!) (CONFIG_NET_FASTROUTE) [N/y/?] n - NO: This performance optimization is NOT compatible with IP MASQ and/or packet filtering == Non-MASQ options skipped == (QoS, Telephony, IDE, SCSI, 1394FW, I2O, etc) == Don't forget to compile in support for hardware that you might need: == IDE: HDs, CDROMs, etc. == SCSI: HDs, CDROMs, etc. [ Network device support ] * Network device support (CONFIG_NETDEVICES) [Y/n/?] - YES: Enables the Linux Network device sublayer == Non-MASQ options skipped == (Arcnet) * Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] - YES: Though OPTIONAL, this option can help when debugging problems == Non-MASQ options skipped == (EQL, etc..) == Don't forget to compile in support for hardware that you might need: == NICs: eth, tr, etc. == MODEMs: ppp (ppp async) and/or slip == WANs: T1, T3, ISDN, etc. == ISDN: for internal ISDN modems == Non-MASQ options skipped == (Amateur Radio, IrDA, ISDN, USB, etc.) [ Character devices ] == Don't forget to compile in serial port support if you are a modem user == Don't forget to compile in mouse support == Non-MASQ options skipped == (I2C, Watchdog cards, Ftape, Video for Linux, etc. ) [ File systems ] == Non-MASQ options skipped == (Quota, ISO9660, NTFS, etc ) * /proc filesystem support (CONFIG_PROC_FS) [Y/n/?] - YES: Required to dynamically configure the Linux forwarding and NATing systems == Non-MASQ options skipped == (Console drivers, Sound, USB, Kernel Hacking)

So go ahead and select "exit" and you should be prompted to save your config.

NOTE: These are just the components you need for IP Masquerade. You will need to select whatever other options needed for your specific setup. If you want more information on what each one of these kernel modules does, please see the FAQ section of this HOWTO for details.

• Now compile the kernel (make dep; make clean; make bzImage; make modules; make modules_install) , etc. Again, it is beyond the scope of this HOWTO if you have problems compiling your kernel. Please see Section 2.6 for URLs to the KERNEL howto, etc.

• You will then have move over the kernel binary, update your bootloader (LILO, Grub, etc.), and reboot. If you have questions about kernel compiling, I highly recommend to consult some of the URLs above in this section.

• Then you should add a few lines towards the bottom of your /etc/rc.d/rc.local file to load the IP Masquerade ruleset automatically after each reboot:

  . . . #rc.firewall - Start IPMASQ and the firewall # This specific file will be discussed in the next section # /etc/rc.d/rc.firewall . . .

3.2.2. Compiling Linux 2.2.x Kernels

Please see Section 2.7 for any required software, patches, etc.

• First of all, you need the kernel source for 2.2.x (preferably the latest kernel version)

  • NOTE #1: --- UPDATE YOUR KERNEL --- Linux 2.2.x kernels less than version 2.2.20 contain several different security vulnerabilities (some were MASQ specific). Kernels less than 2.2.20 have a few local vulnerabilities. Kernel versions less than 2.2.16 have a TCP root exploit vulnerability and versions less than 2.2.11 have a IPCHAINS fragmentation bug. Because of these issues, users running a firewall with strong IPCHAINS rulesets are open to possible instrusion. Please upgrade your kernel to a fixed version.

  • NOTE #2: As the 2.2.x train progressed, the compile-time options keep on changing. As of this version, this section reflects the settings for a 2.2.20 kernel.

    If you are running either a newer or older kernel version, the dialogs will look different. It is recommended that you update to the newest kernel for added capability and stability of the system.

• If this is your first time compiling the kernel, don't be scared. In fact, it's rather easy and it's covered in several URLs found in Section 2.7. Please note that the instructions included here is just one way to do build a kernel. Please see the Kernel HOWTO for full details.

  NOTE: Please notice that it isn't recommended to put the new kernel sources into /usr/src/linux. You should leave the original kernel sources that came with your Linux distribution in /usr/src/linux. For more details on this topic, please read the "README" file in the top level directory of your kernel sources.

• For this HOWTO example, create a directory called /usr/src/kernel. Next, "cd" into this directory and download the newest 2.2.x kernel sources into it. Once downloaded, issue the following command (if the file ends in a .tar.gz): tar xvzf linux-2.2.x.tar.gz or (if the file ends in a .tar.bzip2): tar xyvf linux-2.2.x.tar.bz2. Please substitute the "x" in the 2.2.x filename with the Linux 2.2 kernel version you downloaded.

  NOTE: Some Linux distributions use the "I" option instead of the "y" option to decompress bzip2 archives.

  Once uncompressed, I recommend that you rename the directory from "linux" to "linux-2.2.x" for clarity. To do this, run the command mv linux linux-2.2.x. Next, make sure there is a directory or symbolic link pointing to /usr/src/kernel/linux ie. run the command: ln -s /usr/src/kernel/linux-2.2.x /usr/src/kernel/linuxo again subsituting the "x" for your proper kernel version.

• Apply any appropriate or optional patches to the kernel source code. By default, stock Linux kernels do not require any specific patching in order for the system to work. Features like PPTP/IPSEC masqurading are already built-in in the newest kernels but other tools like Xwindows forwarders are optional. Please refer to Section 2.7 for URLs and the IP Masquerade Resources for up-to-date information and patch URLs.

• Now that the kernel is patched up (if required), here are the MINIMUM kernel configuration options required to enable IP Masquerade functionality. Please understand that this HOWTO illustrates just ONE way to compile a kernel. The main difference from this method vs. a different one is some people wish to compile things either as modules OR monolithically right into the kernel. Basically, compiling things as modules gives you added flexibility to what is or isn't installed into the kernel (reduces unneeded memory use and allow for drop-in upgrades [no need to reboot]) BUT they add more complexity to your configuration. On the flip side, compiling things directly into the kernel makes things simpler BUT you loose a level of flexibility. The following example is a mixture of both built-in AND modules.

  Side Note: It is assumed that you will also configure the kernel to use your other installed hardware such as network interfaces, optional SCSI controllers, etc. as well. Please refer to the Linux Kernel HOWTO and the kernel source's README file and Documentation/ directory for detailed help on compiling a kernel.

Please note the YES or NO ANSWERS to the following. Not all options will be available without the proper kernel patches described later in this HOWTO.

Run the following commands to configure your kernel:

• cd /usr/src/kernel/linux

• make menuconfig

The following kernel prompts reflect a 2.2.20 kernel:

[ Code maturity level options ] * Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?] - YES: though not entirely required for IP MASQ, this option allows the kernel to create possible additional MASQ modules such as PORTFW, etc. == Non-MASQ options skipped == (CPU, memory, MTRR, SMP, etc.) [ Loadable module support ] * Enable loadable module support (CONFIG_MODULES) [Y/n/?] y - YES: allows you to load kernel IP MASQ modules * Set version information on all symbols for modules (CONFIG_MODVERSIONS) [N/y/?] y - YES: allows newer kernels to load older modules if possible * Kernel module loader (CONFIG_KMOD) [Y/n/?] y - OPTIONAL: Recommended : allows the kernel to load various kernel modules as it needs them [ General setup ] * Networking support (CONFIG_NET) [Y/n/?] - YES: This enables the network subsystem == Non-MASQ options skipped == (PCI, kernel binaries, specific hardware options, etc.) * Sysctl support (CONFIG_SYSCTL) [Y/n/?] - YES: Enables the ability to enable disable options such as forwarding, dynamic IPs, etc. via the /proc interface [ Block devices ] == Non-MASQ options skipped == (kernel binaries, power management, PnP, IDE, SCSI, etc.) == Don't forget to compile in support for hardware that you might need: == IDE controllers, HDs, CDROMs, etc. [ Networking options ] * Packet socket (CONFIG_PACKET) [Y/m/n/?] y - YES: Though this is OPTIONAL, this recommended feature will allow you to use TCPDUMP to debug any problems with IP MASQ * Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] y - OPTIONAL: Recommended : This feature will allow the logging of advanced firewall issues such as routing messages, etc * Routing messages (CONFIG_RTNETLINK) [Y/n/?] y - OPTIONAL: If you enabled the CONFIG_NETLINK option above, this option will send routing messages and other information to SYSLOG. * Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) n - NO: This option does not have anything to do with packet firewall logging * Network firewalls (CONFIG_FIREWALL) [Y/n/?] y - YES: Enables the kernel to be comfigured by the IPCHAINS firewall tool * Socket Filtering (CONFIG_FILTER) [Y/n/?] y - OPTIONAL: Though this doesn't have anything do with IPMASQ, if you plan on implimenting a DHCP server on the internal network, you WILL need this option. * Unix domain sockets (CONFIG_UNIX) [Y/m/n/?] y - YES: This enables the UNIX TCP/IP sockets mechanisms * TCP/IP networking (CONFIG_INET) [Y/n/?] y - YES: Enables the TCP/IP protocol * IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?] y - OPTIONAL: You can enable this if you want to be able to receive Multicast traffic. Please note that your ISP must support Multicast as well for this all to work * IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] n - OPTIONAL: Though there is nothing in this section mandatory for Masquerade, some specific options might be useful * IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?] ? - NO: Not needed for normal MASQ functionality * IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] y - YES: This enables the kernel to support packet filtering, NAT, etc. * IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?] n - OPTIONAL: Though this is OPTIONAL, this feature will allow IPCHAINS to copy some packets to UserSpace tools for additional checks * IP: transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY) [N/y/?] n - OPTIONAL: Not needed for normal MASQ functionality though people who want to do transparent proxy via Squid will want this. Please note that there is a PERFORMANCE PENALTY enabling this feature. * IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] y - YES: Enable IP Masquerade to re-address specific internal to external TCP/IP packets * IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] y - YES: Enable support for masquerading ICMP ping packets (ICMP error codes will be MASQed regardless). This is an important feature for troubleshooting connections. * IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?] y - YES: Though OPTIONAL, this enables the option to later enable other modules like the PORTFW to give external computers a directly connection to specified internal MASQed machines. * IP: ipautofw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [N/y/m/?] n - NO: NOT recommended : IPautofw is a legacy method of port forwarding. It is mainly old code and has been found to have some issues. * IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/m/n/?] y - OPTIONAL: Recommended : This enables PORTFW which allows external computers on the Internet to directly communicate to specified internal MASQed machines. This feature is typically used to allow access to internal SMTP, TELNET, and WWW servers. Please note that FTP port forwarding needs an additional patch, as described in the FAQ section of the MASQ HOWTO. Please see the this FAQ section in the HOWTO for additional information. * IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?] y - OPTIONAL: This is a NEW method of performing PORTFW-like functionality which is similar to how the new 2.4.x kernels do things. With this option, IPCHAINS can mark packets that should have additional work done upon it. Using a UserSpace tool, much like IPMASQADM or IPPORFW, IPCHAINS would then do things like re-address the packets, change their TOS value, etc. Currently, this code is less tested than PORTFW but it looks promising. For now, this HOWTO recommends to use IPMASQADM and IPPORTFW. If you have specific thoughts or comments on MFW, please email dranch. * IP: optimize as a router not host (CONFIG_IP_ROUTER) [Y/n/?] y - YES: This optimizes the kernel for the network subsystem, though it isn't well known if this makes a siginificant performance difference or not. == Non-MASQ options skipped == ( autoconf, tunneling, GRE ) * IP: multicast routing (CONFIG_IP_MROUTE) [N/y/?] n - OPTIONAL: Though not needed for IPMASQ, enabling this feature will let you route multicast traffic through your Linux box. Please note that this requires that your ISP be multicast enabled as well. == Non-MASQ options skipped == (Aliasing, ARPd) * IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [Y/n/?] - YES: Recommended : for basic TCP/IP network security * IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?] - NO: This OPTIONAL selection is to enable PPTP and GRE tunnels through the IP MASQ box == Non-MASQ options skipped == (aliasing, ARPd) * IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?] - YES: HIGHLY recommended for basic TCP/IP network security == Non-MASQ options skipped == (RARP) * IP: Allow large windows (not recommended if <16Mb of memory) * (CONFIG_SKB_LARGE) [Y/n/?] - YES: This is recommended to optimize Linux's TCP window == Non-MASQ options skipped == (IPv6, IPX, WAN router, etc.) * Fast switching (read help!) (CONFIG_NET_FASTROUTE) [N/y/?] n - NO: This performance optimization is NOT compatible with IP MASQ and/or packet filtering == Non-MASQ options skipped == (Slow CPU, Telephony, SCSI, I2O, etc. ) == Don't forget to compile in support for hardware that you might need: == SCSI: HDs, CDROMs, etc. [ Network device support ] * Network device support (CONFIG_NETDEVICES) [Y/n/?] - YES: Enables the Linux Network device sublayer == Non-MASQ options skipped == (Arcnet) * Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] - YES: Though OPTIONAL, this option can help when debugging problems == Non-MASQ options skipped == (EQL, NICs, Wireless, IrDA, ISDN, etc..) == Don't forget to compile in support for hardware that you might need: == NICs: eth, tr, etc. == MODEMs: ppp and/or slip == WANs: T1, T3, ISDN, etc. == ISDN: for internal ISDN modems [ Character devices ] == Don't forget to compile in serial port support for modem users == Don't forget to compile in mouse support == Non-MASQ options skipped == (I2C, Watchdog cards, Ftape, Video for Linux, USB, etc. ) [ File systems ] == Non-MASQ options skipped == (Quota, ISO9660, NTFS, etc ) * /proc filesystem support (CONFIG_PROC_FS) [Y/n/?] - YES: Required to dynamically configure the Linux forwarding and NATing systems == Non-MASQ options skipped == (network fs, NLS, video section, sound, kernel hacking)

So go ahead and "exit" and you should be prompted to save your config.

NOTE: These are just the components you need for IP Masquerade. You will need to select whatever other options needed for your specific setup.

• Now compile the kernel (make dep; make clean; make bzImage; make modules; make modules_install) , etc. Again, it is beyond the scope of this HOWTO if you have problems compiling your kernel. Please see Section 2.7 for URLs to the KERNEL howto, etc.

• You will then have move over the kernel binary, update your bootloader (LILO, Grub, etc.), and reboot. If you have questions about kernel compiling, I highly recommend to consult some of the URLs above in this section.

• Then you should add a few lines towards the bottom of your /etc/rc.d/rc.local file to load the IP Masquerade ruleset automatically after each reboot:

  . . . #rc.firewall - Start IPMASQ and the firewall # This specific file will be discussed in the next section # /etc/rc.d/rc.firewall . . .

3.2.3. Linux 2.0.x Kernels

Please see Section 2.8 for any required software, patches, etc.

• First of all, you need the kernel source for 2.0.x (preferably the latest kernel version)

  • As the 2.0.x train progress, the compile-time options keep on changing. As of this version, this section reflects the settings for a 2.0.39 kernel.

• If this is your first time compiling the kernel, don't be scared. In fact, it's rather easy and it's covered in several URLs found in Section 2.8. Please note that the instructions included here is just one way to do build a kernel. Please see the Kernel HOWTO for full details.

  NOTE: Please notice that it isn't recommended to put the new kernel sources into /usr/src/linux. You should leave the original kernel sources that came with your Linux distribution in /usr/src/linux. For more details on this topic, please read the "README" file in the top level directory of your kernel sources.

• For this HOWTO example, create a directory called /usr/src/kernel. Next, "cd" into this directory and download the newest 2.0.x kernel sources into it. Once downloaded, issue the following command: tar xvzf linux-2.0.x.tar.gz . Please substitute the "x" in the 2.0.x filename with the Linux 2.0 kernel version you downloaded.

  Once uncompressed, I recommend that you rename the directory from "linux" to "linux-2.0.x" for clarity. To do this, run the command mv linux linux-2.0.x. Next, make sure there is a directory or symbolic link pointing to /usr/src/kernel/linux ie. run the command: ln -s /usr/src/kernel/linux-2.0.x /usr/src/kernel/linuxo again subsituting the "x" for your proper kernel version.

• Apply any appropriate or optional patches to the kernel source code. By default, stock Linux kernels do not require any specific patching in order for the system to work. Features like IPPORTFW, PPTP, and Xwindows forwarders are optional but very useful. Please refer to Section 2.8 for URLs and the IP Masquerade Resources for up-to-date information and patch URLs.

• Now that the kernel is patched up (if required), here are the MINIMUM kernel configuration options required to enable IP Masquerade functionality. Please understand that this HOWTO illustrates just ONE way to compile a kernel. The main difference from this method vs. a different one is some people wish to compile things either as modules OR monolithically right into the kernel. Basically, compiling things as modules gives you added flexibility to what is or isn't installed into the kernel (reduces unneeded memory use and allow for drop-in upgrades [no need to reboot]) BUT they add more complexity to your configuration. On the flip side, compiling things directly into the kernel makes things simpler BUT you loose a level of flexibility. The following example is a mixture of both built-in AND modules.

  Side Note: It is assumed that you will also configure the kernel to use your other installed hardware such as network interfaces, optional SCSI controllers, etc. as well. Please refer to the Linux Kernel HOWTO and the kernel source's README file and Documentation/ directory for detailed help on compiling a kernel.

Please note the YES or NO ANSWERS to the following options. Not all options will be available without the proper kernel patches described later in this HOWTO:

Run the following commands to configure your kernel:

• cd /usr/src/kernel/linux

• make menuconfig

The following kernel prompts reflect a 2.0.39 kernel:

[ Code maturity level options ] * Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?] - YES: this will allow you to later select the IP Masquerade feature code [ Loadable module support ] * Enable loadable module support (CONFIG_MODULES) [Y/n/?] y - YES: allows you to load kernel IP MASQ modules * Set version information on all module symbols (CONFIG_MODVERSIONS) [N/y/?] y - YES: allows newer kernels to load older modules if possible * Kernel daemon support (e.g. autoload of modules) (CONFIG_KERNELD) [N/y/?] y - OPTIONAL: Recommended : allows the kernel to load various kernel modules as it needs them [ General setup ] == Non-MASQ options skipped == (FPU, memory) * Networking support (CONFIG_NET) [Y/n/?] y - YES: Enables the network subsystem == Non-MASQ options skipped == (memory, PCI, binary format, APM, etc.) == Don't forget to compile in support for hardware that you might need: == IDE controllers, HDs, CDROMs, etc. [ Networking options ] * Network firewalls (CONFIG_FIREWALL) [Y/n/?] y - YES: Enables the IPFWADM firewall tool == Non-MASQ options skipped == (Aliasing) * TCP/IP networking (CONFIG_INET) [Y/n/?] y - YES: Enables the TCP/IP protocol * IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [N/y/?] y - YES: Enables Linux network packet forwarding and routing - Controlled by IPFWADM * IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?] y - OPTIONAL: You can enable this if you want to be able to receive Multicast traffic. Please note that your ISP must support Multicast as well for this all to work * IP: syn cookies (CONFIG_SYN_COOKIES) [Y/n/?] y - YES: HIGHLY recommended for basic network security * IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] y - YES: Enable the packet firewall features * IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE) [Y/n/?] y - YES: Allows the kernel to report back on various packets traversing the firewall. * IP: masquerading (CONFIG_IP_MASQUERADE [Y/n/?] y - YES: Enable the kernel to perform IP MASQ NAT functionality * IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] n - NO: NOT Recommended : IPautofw is a legacy method of TCP/IP port forwarding. Though IPautofw works, IPPORTFW is a better choice. * IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] y - YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels. With this option, external computers on the Internet can directly communicate to specified internal MASQed machines. This feature is typically used to access internal SMTP, TELNET, and WWW servers. FTP port forwarding sometimes might require an additional patch as described in the FAQ section. Additional information on port forwarding is available in the Forwards section of this HOWTO. * IP: MS PPTP masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_PPTP) [N/y/?] (NEW) n - OPTIONAL: Enabling this feature will allow internal MASQ clients to properly connect to PPTP servers on the Internet. * IP: MS PPTP Call ID masq support (CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT) [N/y/?] (NEW) n - OPTIONAL: If you enabled the CONFIG_IP_MASQUERADE_PPTP above, this option will allow for multiple internal PPTP clients behind the MASQ server to communicate to the same PPTP server. * IP: MS PPTP masq debugging (DEBUG_IP_MASQUERADE_PPTP) [N/y/?] n - OPTIONAL: NOT recommended : This is not required for IP MASQ or MASQing PPTP connections unless you need additional troubleshooting help. If enabled, this can fill up your logs quickly. * IP: MS PPTP masq verbose debugging (DEBUG_IP_MASQUERADE_PPTP_VERBOSE) [N/y/?] (NEW) n - OPTIONAL: NOT Recommended : If you enabled the DEBUG_IP_MASQUERADE_PPTP option above, this will make the logging even more verbose. * IP: IPSEC ESP & ISAKMP masq support (EXPERIMENTAL) * (CONFIG_IP_MASQUERADE_IPSEC) [N/y/?] m - OPTIONAL: This option allows for some forms of IPSEC tunnels to be masquraded * IP: IPSEC masq table lifetime (minutes) (CONFIG_IP_MASQUERADE_IPSEC_EXPIRE) * [30] (NEW) - OPTIONAL: This feature allows to change the MASQ table timeouts so that idle IPSEC tunnels won't be prematurely disconnected. * IP: Disable inbound ESP destination guessing * (CONFIG_IP_MASQUERADE_IPSEC_NOGUESS) [N/y/?] n - OPTIONAL: This feature allows the kernel to guess where the fully encrypted IPSEC VPN might be going and add it to the MASQ table. * IP: IPSEC masq debugging (DEBUG_IP_MASQUERADE_IPSEC) [N/y/?] ? n - OPTIONAL: NOT recommended : This is not required for IP MASQ or MASQing IPSEC connections unless you need additional troubleshooting help. If enabled, this can fill up your logs quickly. * IP: IPSEC masq verbose debugging (DEBUG_IP_MASQUERADE_IPSEC_VERBOSE) [N/y/?] (NEW) n - OPTIONAL: NOT Recommended : If you enabled the DEBUG_IP_MASQUERADE_IPSEC option above, this will make the logging even more verbose. * IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] - YES: Enable support for masquerading ICMP packets. Though thought of as optional, many programs will NOT function properly with out ICMP support. * IP: transparent proxy support (EXPERIMENTAL) (CONFIG_IP_TRANSPARENT_PROXY) [N/y/?] n - OPTIONAL: Not needed for normal MASQ functionality though people who want to do transparent proxy via Squid will want this. Please note that there is a PERFORMANCE PENALTY enabling this feature. * IP: loose UDP port managing (EXPERIMENTAL) (CONFIG_IP_MASQ_LOOSE_UDP) [Y/n/?] - YES: This option is ONLY AVAILABLE VIA A PATCH for the 2.0.x kernels. With this option, internally masqueraded computers can play NAT-friendly games over the Internet. Explicit details are given in the FAQ section of this HOWTO. * IP: always defragment (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?] - YES: This feature optimizes IP MASQ connections == Non-MASQ options skipped == (Accounting) * IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?] - YES: This optimizes the kernel for the network subsystem == Non-MASQ options skipped == (Tunneling, Mcast routing, RARP, PMTU, etc.) * IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?] - YES: HIGHLY recommended for basic network security == Non-MASQ options skipped == (IPX, Bridging, SCSI, etc.) == Don't forget to compile in support for hardware that you might need: == SCSI controllers, HDs, CDROMs, etc. [ Network device support ] * Network device support (CONFIG_NETDEVICES) [Y/n/?] - YES: Enables the Linux Network device sublayer == Non-MASQ options skipped == (Dummy, EQL, PPP, SLIP, NICs, Wireless, etc.) == Don't forget to compile in support for hardware that you might need: == NICs: eth, tr, etc. == MODEMs: ppp and/or slip == WANs: T1, T3, ISDN, etc. == ISDN: for internal ISDN modems [ File systems ] == Non-MASQ options skipped == (Quota, ISO9660, Codepages, NTFS, etc ) * /proc filesystem support (CONFIG_PROC_FS) [Y/n/?] - YES: Required to dynamically configure the Linux forwarding and NATing systems [ Character devices ] == Non-MASQ options skipped == (multi-port serial, parallel, mice, Ftape, Sound, etc. ) == Don't forget to compile in serial port support for modem users == Don't forget to compile in mouse support

So go ahead and "exit" and you should be prompted to save your config.

NOTE: These are only components for IP Masquerade functionality. You may need to also select additional options to match your specific network and hardware setup.

• Now compile the kernel (make dep; make clean; make bzImage; make modules; make modules_install) , etc. Again, it is beyond the scope of this HOWTO if you have problems compiling your kernel. Please see Section 2.8 for URLs to the KERNEL howto, etc.

• You will then have move over the kernel binary, update your bootloader (LILO, Grub, etc.), and reboot. If you have questions about kernel compiling, I highly recommend to consult some of the URLs above in this section.

• Then you should add a few lines towards the bottom of your /etc/rc.d/rc.local file to load the IP Masquerade ruleset automatically after each reboot:

  . . . #rc.firewall script - Start IPMASQ and the firewall /etc/rc.d/rc.firewall . . .

3.4.1. Configuring IP Masquerade on Linux 2.4.x Kernels

Please note that IPCHAINS is no longer the primary firewall configuration tool for the 2.4.x kernels. The new kernels now use the IPTABLES toolkit though the new 2.4.x kernels CAN still read and enable old IPCHAINS or IPFWADM rulesets via a compatiblity module. It should be noted that when in this mode, NO IPTABLES modules can be loaded. It should also be noted that none of the 2.2.x IPMASQ modules are compatible with 2.4.x kernels. For a more detailed reason for these changes, please see the Chapter 7 section.

Ok, as mentioned before, the /etc/rc.d/rc.local script will load the script called /etc/rc.d/rc.firewall once after every reboot. The script will load all required IPMASQ modules as well as enable the IPMASQ function. In advanced setups, this same file would contain very secure firewall rulesets as well.

Anyway, create the file /etc/rc.d/rc.firewall-2.4 with the following initial SIMPLE ruleset:

<rc.firewall-2.4 START>

#!/bin/sh # # rc.firewall-2.4 FWVER=0.63 # # Initial SIMPLE IP Masquerade test for 2.4.x kernels # using IPTABLES. # # Once IP Masquerading has been tested, with this simple # ruleset, it is highly recommended to use a stronger # IPTABLES ruleset either given later in this HOWTO or # from another reputable resource. # # # # Log: # 0.63 - Added support for the IRC IPTABLES module # 0.62 - Fixed a typo on the MASQ enable line that used eth0 # instead of $EXTIF # 0.61 - Changed the firewall to use variables for the internal # and external interfaces. # 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP # all forwarded packets but it didn't have a rule to ACCEPT # any packets to be forwarded either # - Load the ip_nat_ftp and ip_conntrack_ftp modules by default # 0.50 - Initial draft # echo -e "\n\nLoading simple rc.firewall version $FWVER..\n" # The location of the 'iptables' program # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # #IPTABLES=/sbin/iptables IPTABLES=/usr/local/sbin/iptables #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the natting will occur and the internal network # should preferably be addressed with a RFC1918 private address # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # EXTIF="ppp0" # # if you are a modem user. # EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" #====================================================================== #== No editing beyond this line is required for initial MASQ testing == echo -en " loading modules: " # Need to verify that all modules have all required dependencies # echo " - Verifying that all kernel modules are ok" /sbin/depmod -a # With the new IPTABLES code, the core MASQ functionality is now either # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES # options as MODULES. If your kernel is compiled correctly, there is # NO need to load the kernel modules manually. # # NOTE: The following items are listed ONLY for informational reasons. # There is no reason to manual load these modules unless your # kernel is either mis-configured or you intentionally disabled # the kernel module autoloader. # # Upon the commands of starting up IP Masq on the server, the # following kernel modules will be automatically loaded: # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ # modules are shown below but are commented out from loading. # =============================================================== #Load the main body of the IPTABLES module - "iptable" # - Loaded automatically when the "iptables" command is invoked # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_tables, " /sbin/insmod ip_tables #Load the IPTABLES filtering module - "iptable_filter" # - Loaded automatically when filter policies are activated #Load the stateful connection tracking framework - "ip_conntrack" # # The conntrack module in itself does nothing without other specific # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" # module # # - This module is loaded automatically when MASQ functionality is # enabled # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_conntrack, " /sbin/insmod ip_conntrack #Load the FTP tracking mechanism for full FTP tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_ftp, " /sbin/insmod ip_conntrack_ftp #Load the IRC tracking mechanism for full IRC tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_irc, " /sbin/insmod ip_conntrack_irc #Load the general IPTABLES NAT code - "iptable_nat" # - Loaded automatically when MASQ functionality is turned on # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "iptable_nat, " /sbin/insmod iptable_nat #Loads the FTP NAT functionality into the core IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_nat_ftp, " /sbin/insmod ip_nat_ftp # Just to be complete, here is a list of the remaining kernel modules # and their function. Please note that several modules should be only # loaded by the correct master kernel module for proper operation. # -------------------------------------------------------------------- # # ipt_mark - this target marks a given packet for future action. # This automatically loads the ipt_MARK module # # ipt_tcpmss - this target allows to manipulate the TCP MSS # option for braindead remote firewalls. # This automatically loads the ipt_TCPMSS module # # ipt_limit - this target allows for packets to be limited to # to many hits per sec/min/hr # # ipt_multiport - this match allows for targets within a range # of port numbers vs. listing each port individually # # ipt_state - this match allows to catch packets with various # IP and TCP flags set/unset # # ipt_unclean - this match allows to catch packets that have invalid # IP/TCP flags set # # iptable_filter - this module allows for packets to be DROPped, # REJECTed, or LOGged. This module automatically # loads the following modules: # # ipt_LOG - this target allows for packets to be # logged # # ipt_REJECT - this target DROPs the packet and returns # a configurable ICMP packet back to the # sender. # # iptable_mangle - this target allows for packets to be manipulated # for things like the TCPMSS option, etc. echo ". Done loading modules." #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable this following option. This enables dynamic-address hacking # which makes the life with Diald and similar programs much easier. # echo " enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Enable simple IP forwarding and Masquerading # # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example for an internal LAN address in the # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask # connecting to the Internet on external interface "eth0". This # example will MASQ internal traffic out to the Internet but not # allow non-initiated traffic into your internal network. # # # ** Please change the above network numbers, subnet mask, and your # *** Internet connection interface name to match your setup # #Clearing any previous configuration # # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is DROP # echo " clearing any existing rules and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -t nat -F echo " FWD: Allow all connections OUT and only existing and related ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -j LOG echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

<rc.firewall-2.4 STOP>

Once you are finished with editing the /etc/rc.d/rc.firewall ruleset, make it executable by typing in chmod 700 /etc/rc.d/rc.firewall-2.4

Now that the firewall ruleset is ready, you need to let it run after every reboot. You could either do this by running it by hand everytime (such a pain) or add it to the boot scripts. We have covered two methods below:

1. Redhat and Redhat-derived distros:

• There are two ways to automatically load things in Redhat: /etc/rc.d/rc.local or a init script in /etc/rc.d/init.d/. The first method is the easiest. All you have to do is add the line:

  echo "Loading the rc.firewall ruleset.. " /etc/rc.d/rc.firewall-2.4

  to the end of the /etc/rc.d/rc.local file and thats it (as described earlier in the HOWTO).

  The problem with this approach is that the firewall isn't executed until the last stages of booting. The preferred approach is to have the firewall loaded just after the networking subsystem is loaded. To do this, copy the following file into the /etc/rc.d/init.d directory:

  <firewall-2.4 START>

  #!/bin/sh # # chkconfig: 2345 11 89 # # description: Loads the rc.firewall-2.4 ruleset. # # processname: firewall-2.4 # pidfile: /var/run/firewall.pid # config: /etc/rc.d/rc.firewall # probe: true # ---------------------------------------------------------------------------- # v02/09/02 # # Part of the copyrighted and trademarked TrinityOS document. # http://www.ecst.csuchico.edu/~dranch # # Written and Maintained by David A. Ranch # dranch@trinnet.net # # Updates # ------- # # ---------------------------------------------------------------------------- # Source function library. . /etc/rc.d/init.d/functions # Check that networking is up. # This line no longer work with bash2 #[ ${NETWORKING} = "no" ] && exit 0 # This should be OK. [ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0 [ -x /sbin/ifconfig ] || exit 0 # The location of various iptables and other shell programs # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # IPTABLES=/usr/local/sbin/iptables # See how we were called. case "$1" in start) /etc/rc.d/rc.firewall-2.4 ;; stop) echo -e "\nFlushing firewall and setting default policies to DROP\n" $IPTABLES -P INPUT DROP $IPTABLES -F INPUT $IPTABLES -P OUTPUT DROP $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -F -t nat # Delete all User-specified chains $IPTABLES -X # # Reset all IPTABLES counters $IPTABLES -Z ;; restart) $0 stop $0 start ;; status) $IPTABLES -L ;; mlist) cat /proc/net/ip_conntrack ;; *) echo "Usage: firewall-2.4 {start|stop|status|mlist}" exit 1 esac exit 0

  <firewall-2.4 STOP>

  With this script in place, run the command:

  chkconfig --level=345 firewall-2.4 on

  That's it! Now upon boot, the firewall will be loaded automatically.

2. Slackware:

• There are two ways to load things in Slackware: /etc/rc.d/rc.local or editing the /etc/rc.d/rc.inet2 file. The first method is the easiest. All you have to do is add the line:

  echo "Loading the rc.firewall ruleset.." /etc/rc.d/rc.firewall-2.4

Notes on how users might want to change the above firewall ruleset:

You could also have IP Masquerading enabled on a PER MACHINE basis instead of the above method, which is enabling an ENTIRE TCP/IP network. For example, say if I wanted only the 192.168.0.2 and 192.168.0.8 hosts to have access to the Internet and NOT any of the other internal machines. I would change the in the "Enable simple IP forwarding and Masquerading" section (shown above) of the /etc/rc.d/rc.firewall ruleset.

#!/bin/sh # # Partial 2.4.x config to enable simple IP forwarding and Masquerading # v0.61 # # NOTE: The following is an example to allow only IP Masquerading for the # 192.168.0.2 and 192.168.0.8 machines with a 255.255.255.0 or a # "/24" subnet mask connecting to the Internet on interface eth0. # # ** Please change the network number, subnet mask, and the Internet # ** connection interface name to match your internal LAN setup # echo " - Setting the default FORWARD policy to DROP" $IPTABLES -P FORWARD DROP echo " - Enabling SNAT (IPMASQ) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.0.2/32 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.0.8/32 -j MASQUERADE echo " - Setting the FORWARD policy to 'DROP' all incoming / unrelated traffic" $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

Common mistakes:

It appears that a common mistake with new IP Masq users is to make the first command simply the following:

IPTABLES: --------- iptables -t nat -A POSTROUTING -j MASQUERADE

Do NOT make your default policy MASQUERADING. Otherwise, someone can manipulate their routing tables to tunnel straight back through your gateway, using it to masquerade their OWN identity!

Again, you can add these lines to the /etc/rc.d/rc.firewall file, one of the other rc files you prefer, or do it manually every time you need IP Masquerade.

Please see Section 6.4.1 for a detailed guide on a strong IPTABLES ruleset example. For additional details on IPTABLES usage, please refer to http://netfilter.filewatcher.org/ (mirror at Samba.org) for the primary IPTABLES site.

3.4.2. Configuring IP Masquerade on Linux 2.2.x Kernels

Please note that IPFWADM is no longer the firewall tool for manipulating IP Masquerading rules for both the 2.1.x and 2.2.x kernels. These new kernels now use the IPCHAINS toolkit. For a more detailed reason for this change, please see Chapter 7.

Create the file /etc/rc.d/rc.firewall-2.2 with the following initial SIMPLE ruleset:

<rc.firewall-2.2 START>

#!/bin/sh # # rc.firewall-2.2 FWVER="1.01" # # - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels # using IPCHAINS. # # Once IP Masquerading has been tested, with this simple # ruleset, it is highly recommended to use a stronger # IPTABLES ruleset either given later in this HOWTO or # from another reputable resource. # echo -e "\n\nLoading simple rc.firewall version $FWVER..\n" #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the NATing will occur and the internal network # should preferably be addressed with a RFC1918 private addressing # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # EXTIF="ppp0" # # if you are a modem user. # # ** Please change this to reflect your specific configuration ** # EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" # Network Address of the Internal Network # # This example rc.firewall file uses the 192.168.0.0 network # with a /24 or 255.255.255.0 netmask. # # ** Change this variable to reflect your specific setup ** # INTLAN="192.168.0.0/24" echo -e " Internal Interface: $INTLAN\n" # Load all required IP MASQ modules # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules # are shown below but are commented out from loading. echo " loading required IPMASQ kernel modules.." # Needed to initially load modules # /sbin/depmod -a echo -en " Loading modules: " # Supports the proper masquerading of FTP file transfers using the PORT method # echo -en "FTP, " /sbin/modprobe ip_masq_ftp # Supports the masquerading of RealAudio over UDP. Without this module, # RealAudio WILL function but in TCP mode. This can cause a reduction # in sound quality # #echo -en "RealAudio, " #/sbin/modprobe ip_masq_raudio # Supports the masquerading of IRC DCC file transfers # #echo -en "Irc, " #/sbin/modprobe ip_masq_irc # Supports the masquerading of Quake and QuakeWorld by default. This modules is # for for multiple users behind the Linux MASQ server. If you are going to # play Quake I, II, and III, use the second example. # # NOTE: If you get ERRORs loading the QUAKE module, you are running an old # ----- kernel that has bugs in it. Please upgrade to the newest kernel. # #echo -en "Quake, " #Quake I / QuakeWorld (ports 26000 and 27000) #/sbin/modprobe ip_masq_quake # #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960) #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960 # Supports the masquerading of the CuSeeme video conferencing software # #echo -en "CuSeeme, " #/sbin/modprobe ip_masq_cuseeme #Supports the masquerading of the VDO-live video conferencing software # #echo -en "VdoLive " #/sbin/modprobe ip_masq_vdolive echo ". Done loading modules." #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward #CRITICAL: Enable automatic IP defragmenting since it is disabled by default # in 2.2.x kernels. This used to be a compile-time option but the # behavior was changed in 2.2.12 # echo " enabling AlwaysDefrag.." echo "1" > /proc/sys/net/ipv4/ip_always_defrag # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this # following option. This enables dynamic-ip address hacking in IP MASQ, # making the life with Diald and similar programs much easier. # #echo " enabling DynamicAddr.." #echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Enable the LooseUDP patch which some Internet-based games require # # If you are trying to get an Internet game to work through your IP MASQ box, # and you have set it up to the best of your ability without it working, try # enabling this option (delete the "#" character). This option is disabled # by default due to possible internal machine UDP port scanning # vulnerabilities. # #echo " enabling LooseUDP.." #echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose #Clearing any previous configuration # # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is REJECT # echo " clearing any existing rules and setting default policy.." /sbin/ipchains -P input ACCEPT /sbin/ipchains -P output ACCEPT /sbin/ipchains -P forward REJECT /sbin/ipchains -F input /sbin/ipchains -F output /sbin/ipchains -F forward # MASQ timeouts # # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users) # echo " setting default timers.." /sbin/ipchains -M -S 7200 10 160 # DHCP: For people who receive their external IP address from either DHCP or # BOOTP such as ADSL or Cablemodem users, it is necessary to use the # following before the deny command. # # This example is currently commented out. # # #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp # Enable simple IP forwarding and Masquerading # # NOTE: The following is an example for an internal LAN address in the # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask # connecting to the Internet on interface eth0. # # ** Please change this network number, subnet mask, and your Internet # ** connection interface name to match your internal LAN setup # echo " enabling IPMASQ functionality on $EXTIF" /sbin/ipchains -P forward DENY /sbin/ipchains -A forward -i $EXTIF -s $INTLAN -j MASQ echo -e "\nrc.firewall-2.2 v$FWVER done.\n"

<rc.firewall-2.2 STOP>

Once you are finished with editing the /etc/rc.d/rc.firewall ruleset, make it executable by typing in chmod 700 /etc/rc.d/rc.firewall

Now that the firewall ruleset is ready, you need to let it run after every reboot. You could either do this by running it by hand everytime (such a pain) or add it to the boot scripts. We have covered two methods below:

1. Redhat and Redhat-derived distros:

• There are two ways to automatically load things in Redhat: /etc/rc.d/rc.local or a init script in /etc/rc.d/init.d/. The first method is the easiest. All you have to do is add the line:

  echo "Loading the rc.firewall ruleset.." /etc/rc.d/rc.firewall-2.2

  to the end of the /etc/rc.d/rc.local file and thats it (as described earlier in the HOWTO).

  The problem with this approach is that the firewall isn't executed until the last stages of booting. The preferred approach is to have the firewall loaded just after the networking subsystem is loaded. To do this, copy the following file into the /etc/rc.d/init.d directory:

  <firewall-2.2 START>

  #!/bin/sh # # chkconfig: 2345 11 89 # # description: Loads the rc.firewall-2.2 ruleset. # # processname: firewall-2.2 # pidfile: /var/run/firewall.pid # config: /etc/rc.d/rc.firewall # probe: true # ---------------------------------------------------------------------------- # v02/09/02 # # Part of the copyrighted and trademarked TrinityOS document. # http://www.ecst.csuchico.edu/~dranch # # Written and Maintained by David A. Ranch # dranch@trinnet.net # # Updates # ------- # # ---------------------------------------------------------------------------- # Source function library. . /etc/rc.d/init.d/functions # Check that networking is up. # This line no longer work with bash2 #[ ${NETWORKING} = "no" ] && exit 0 # This should be OK. [ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0 [ -x /sbin/ifconfig ] || exit 0 # The location of various iptables and other shell programs # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # IPCHAINS=/sbin/ipchains # See how we were called. case "$1" in start) /etc/rc.d/rc.firewall-2.4 ;; stop) echo -e "\nFlushing firewall and setting default policies to REJECT\n" $IPCHAINS -P input REJECT $IPCHAINS -P output REJECT $IPCHAINS -P forward REJECT $IPCHAINS -F input $IPCHAINS -F output $IPCHAINS -F forward ;; restart) $0 stop $0 start ;; status) $IPCHAINS -L ;; mlist) $IPCHAINS -M -L ;; *) echo "Usage: firewall-2.2 {start|stop|status|mlist}" exit 1 esac exit 0

  <firewall-2.2 STOP>

  With this script in place, run the command:

  chkconfig --level=345 firewall-2.2 on

  That's it! Now upon boot, the firewall will be loaded automatically.

2. Slackware:

• There are two ways to load things in Slackware: /etc/rc.d/rc.local or editing the /etc/rc.d/rc.inet2 file. The first method is the easiest. All you have to do is add the line:

  echo "Loading the rc.firewall ruleset.." /etc/rc.d/rc.firewall-2.2

  to the end of the /etc/rc.d/rc.local file and thats it. The problem with this approach is that if you are running a STRONG firewall ruleset, the firewall isn't executed until the last stages of booting. The preferred approach is to have the firewall loaded just after the networking subsystem is loaded. For now, the HOWTO only covers how to do so using /etc/rc.d/rc.local. If you want a stronger system, I recommend you check out Section 10 of TrinityOS found in the links section at the bottom of this HOWTO.

Notes on how users might want to change the above firewall ruleset:

You could also have IP Masquerading enabled on a PER MACHINE basis instead of the above method, which is enabling an ENTIRE TCP/IP network. For example, say if I wanted only the 192.168.0.2 and 192.168.0.8 hosts to have access to the Internet and NOT any of the other internal machines. I would change the in the "Enable simple IP forwarding and Masquerading" section (shown above) of the /etc/rc.d/rc.firewall ruleset.

#!/bin/sh # # Enable simple IP forwarding and Masquerading # v1.01 # # NOTE: The following is an example used in addition to the simple # IPCHAINS ruleset anove to allow only IP Masquerading for the # 192.168.0.2 and 192.168.0.8 machines with a 255.255.255.0 or a # "24" bit subnet mask connecting to the Internet on interface $EXTIF. # # ** Please change the network number, subnet mask, and the Internet # ** connection interface name to match your internal LAN setup # /sbin/ipchains -P forward DENY /sbin/ipchains -A forward -i $EXTIF -s 192.168.0.2/32 -j MASQ /sbin/ipchains -A forward -i $EXTIF -s 192.168.0.8/32 -j MASQ

Common mistakes:

What appears to be a common mistake with new IP MASQ users is to make the first command:

/sbin/ipchains -P forward masquerade

Do NOT make your default policy MASQUERADING. Otherwise, someone can manipulate their routing tables to tunnel straight back through your gateway, using it to masquerade their OWN identity!

Again, you can add these lines to the /etc/rc.d/rc.firewall file, one of the other rc files you prefer, or do it manually every time you need IP Masquerade.

Please see Section 6.4.2 for a detailed guide on IPCHAINS and a strong IPCHAINS ruleset example. For additional details on IPCHAINS usage, please refer to http://netfilter.filewatcher.org/ipchains/ (mirror at Samba.org) for the primary IPCHAINS site or the Linux IP CHAINS HOWTO Backup site

3.4.3. Configuring IP Masquerade on Linux 2.0.x Kernels

Create the file /etc/rc.d/rc.firewall with the following initial SIMPLE ruleset: <rc.firewall-2.0 START>

#!/bin/sh # # rc.firewall-2.0 FWVER="2.01" # # - Initial SIMPLE IP Masquerade setup for 2.0.x kernels using # IPFWADM # # Once IP Masquerading has been tested, with this simple # ruleset, it is highly recommended to use a stronger # IPTABLES ruleset either given later in this HOWTO or # from another reputable resource. # echo -e "\n\nLoading simple rc.firewall version $FWVER..\n" #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the NATing will occur and the internal network # should preferably be addressed with a RFC1918 private addressing # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # EXTIF="ppp0" # # if you are a modem user. # # ** Please change this to reflect your specific configuration ** # EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" # Network Address of the Internal Network # # This example rc.firewall file uses the 192.168.0.0 network # with a /24 or 255.255.255.0 netmask. # # ** Change this variable to reflect your specific setup ** # INTLAN="192.168.0.0/24" echo -e " Internal Interface: $INTLAN\n" # Load all required IP MASQ modules # # NOTE: Only load the IP MASQ modules you need. All current available IP # MASQ modules are shown below but are commented out from loading. echo -en "Loading modules: " # Needed to initially load modules # /sbin/depmod -a # Supports the proper masquerading of FTP file transfers using the PORT method # echo -en "FTP, " /sbin/modprobe ip_masq_ftp # Supports the masquerading of RealAudio over UDP. Without this module, # RealAudio WILL function but in TCP mode. This can cause a reduction # in sound quality # #echo -en "RealAudio, " #/sbin/modprobe ip_masq_raudio # Supports the masquerading of IRC DCC file transfers # #echo -en "Irc, " #/sbin/modprobe ip_masq_irc # Supports the masquerading of Quake and QuakeWorld by default. These modules # are for multiple users behind the Linux MASQ server. If you are going to # play Quake I, II, and III, use the second example. # # NOTE: If you get ERRORs loading the QUAKE module, you are running an old # ----- kernel that has bugs in it. Please upgrade to the newest kernel. # #echo -en "Quake, " #Quake I / QuakeWorld (ports 26000 and 27000) #/sbin/modprobe ip_masq_quake # #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960) #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960 # Supports the masquerading of the CuSeeme video conferencing software # #echo -en "CuSeeme, " #/sbin/modprobe ip_masq_cuseeme #Supports the masquerading of the VDO-live video conferencing software # #echo -en "VdoLive, " #/sbin/modprobe ip_masq_vdolive echo ". Done loading modules." #CRITICAL: Enable IP forwarding since it is disabled by default # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward #CRITICAL: Enable automatic IP defragmenting since it is disabled by default # # This used to be a compile-time option but the behavior was changed # in 2.2.12. This option is required for both 2.0 and 2.2 kernels. # echo " enabling AlwaysDefrag.." echo "1" > /proc/sys/net/ipv4/ip_always_defrag # Dynamic IP users: # # If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, # enable the following option. This enables dynamic-ip address hacking in # IP MASQ, making the life with DialD, PPPd, and similar programs much easier. # #echo " enabling DynamicAddr.." #echo "1" > /proc/sys/net/ipv4/ip_dynaddr #Clearing any previous configuration # # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is REJECT # echo " clearing any existing rules and setting default policy.." /sbin/ipfwadm -I -p accept /sbin/ipfwadm -O -p accept /sbin/ipfwadm -F -p reject /sbin/ipfwadm -I -f /sbin/ipfwadm -O -f /sbin/ipfwadm -F -f # MASQ timeouts # # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users) # echo " setting default timers.." /sbin/ipfwadm -M -s 7200 10 160 # DHCP: For people who receive their external IP address from either DHCP or # BOOTP such as ADSL or Cablemodem users, it is necessary to use the # following before the deny command. # # This example is currently commented out. # # #/sbin/ipfwadm -I -a accept -S 0/0 67 -D 0/0 68 -W $EXTIF -P udp # Enable simple IP forwarding and Masquerading # # NOTE: The following is an example for an internal LAN address in the # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask # connecting to the Internet on interface eth0. # # ** Please change this network number, subnet mask, and your Internet # ** connection interface name to match your internal LAN setup. # echo " enabling IPMASQ functionality on $EXTIF" /sbin/ipfwadm -F -p deny /sbin/ipfwadm -F -a m -W $EXTIF -S $INTLAN -D 0.0.0.0/0 echo -e "\nrc.firewall-2.0 v$FWVER done.\n"

<rc.firewall-2.0 STOP>

Once you are finished with editing the /etc/rc.d/rc.firewall ruleset, make it executable by typing in "chmod 700 /etc/rc.d/rc.firewall"

Now that the firewall ruleset is ready to go, you need to let it run after every reboot. You could either do this by running it by hand everytime (such a pain) or add it to the boot scripts. We have covered two methods below:

Redhat and Redhat-derived distros:

• There are two ways to automatically load things in Redhat: /etc/rc.d/rc.local or a init script in /etc/rc.d/init.d/. The first method is the easiest. All you have to do is add the line:

  echo "Loading the rc.firewall ruleset.." /etc/rc.d/rc.firewall

  The problem with this approach is that the firewall isn't executed until the last stages of booting. The preferred approach is to have the firewall loaded just after the networking subsystem is loaded. To do this, copy the following file into the /etc/rc.d/init.d directory:

  <firewall-2.0 START>

  #!/bin/sh # # chkconfig: 2345 11 89 # # description: Loads the rc.firewall-2.0 ruleset. # # processname: firewall-2.0 # pidfile: /var/run/firewall.pid # config: /etc/rc.d/rc.firewall # probe: true # ---------------------------------------------------------------------------- # v02/09/02 # # Part of the copyrighted and trademarked TrinityOS document. # http://www.ecst.csuchico.edu/~dranch # # Written and Maintained by David A. Ranch # dranch@trinnet.net # # Updates # ------- # # ---------------------------------------------------------------------------- # Source function library. . /etc/rc.d/init.d/functions # Check that networking is up. # This line no longer work with bash2 #[ ${NETWORKING} = "no" ] && exit 0 # This should be OK. [ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0 [ -x /sbin/ifconfig ] || exit 0 # The location of various iptables and other shell programs # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # IPFWADM=/sbin/ipfwadm # See how we were called. case "$1" in start) /etc/rc.d/rc.firewall-2.0 ;; stop) echo -e "\nFlushing firewall and setting default policies to REJECT\n" $IPFWADM -I -p REJECT $IPFWADM -O -p REJECT $IPFWADM -F -p REJECT $IPFWADM -I -f $IPFWADM -O -f $IPFWADM -F -f ;; restart) $0 stop $0 start ;; status) $IPFWADM -l ;; mlist) $IPFWADM -M -l ;; *) echo "Usage: firewall-2.0 {start|stop|status|mlist}" exit 1 esac exit 0

  <firewall-2.0 STOP>

  With this script in place, run the command:

  chkconfig --level=345 firewall-2.0 on

  That's it! Now upon boot, the firewall will be loaded automatically.

Slackware:

• There are two ways to automatically load things in Slackware: /etc/rc.d/rc.local or editing the /etc/rc.d/rc.inet2 file. The first method is the easiest. All you have to do is add the line:

  echo "Loading the rc.firewall ruleset.." /etc/rc.d/rc.firewall-2.0

  to the end of the /etc/rc.d/rc.local file and thats it. The problem with this approach is that if you are running a STRONG firewall ruleset, the firewall isn' t executed until the last stages of booting. The preferred approach is to have the firewall loaded just after the networking subsystem is loaded. For now, the HOWTO only covers how to do so using /etc/rc.d/rc.local. If you want the strong er system, I recommend you check out Section 10 of TrinityOS found in the links section at the bottom of this HOWTO.

Notes on how users might want to change the above firewall ruleset:

You could have also enabled IP Masquerading on a PER MACHINE basis instead of the above method enabling an ENTIRE TCP/IP network. For example, say if I wanted only the 192.168.0.2 and 192.168.0.8 hosts to have access to the Internet and NOT any of the other internal machines. I would change the in the "Enable simple IP forwarding and Masquerading" section (shown above) of the /etc/rc.d/rc.firewall ruleset.

# Enable simple IP forwarding and Masquerading # v2.01 # # NOTE: The following is an example to only allow IP Masquerading for the # 192.168.0.2 and 192.168.0.8 machines with a 255.255.255.0 or a "24" # bit subnet mask connected to the Internet on interface eth0. # # ** Please change this network number, subnet mask, and your Internet # ** connection interface name to match your internal LAN setup # # Please use the following in ADDITION to the simple rulesets above for # specific MASQ networks. # /sbin/ipfwadm -F -p deny /sbin/ipfwadm -F -a m -W $EXTIF -S 192.168.0.2/32 -D 0.0.0.0/0 /sbin/ipfwadm -F -a m -W $EXTIF -S 192.168.0.8/32 -D 0.0.0.0/0

Common mistakes:

What appears to be a common mistake with new IP Masq users is to make the first command:

ipfwadm -F -p masquerade

Do NOT make your default policy MASQUERADING. Otherwise, someone who has the ability to manipulate their routing tables will be able to tunnel straight back through your gateway, using it to masquerade their OWN identity!

Again, you can add these lines to the /etc/rc.d/rc.firewall file, one of the other rc files (if you prefer), or manually add those lines every time you need IP Masquerade.

Please see Section 6.4.2 and Section 6.4.3for a detailed guide and stronger examples of IPCHAINS and IPFWADM ruleset examples.

6.3.1. Network Clients that -Work- with IP Masquerade

General Clients:

Multimedia and Communication Clients:

Games - See Section 6.10for more details on the LooseUDP patch

Other Clients:

6.3.2. Clients that do not have full support in IP MASQ:

6.4.1. Stronger IP Firewall (IPTABLES) rulesets

<rc.firewall-2.4-stronger START>

#!/bin/sh # # rc.firewall-2.4-stronger FWVER=0.73s # An example of a stronger IPTABLES firewall with IP Masquerade # support for 2.4.x kernels. # # Log: # 0.73s - Added comments in the output section that DHCPd is optional # and changed the default settings to disabled # 0.72s - Changed the filter from the INTNET to the INTIP to be # stateful; moved the command VARs to the top and made the # rest of the script to use them # 0.70s - Added a disabled examples for allowing internal DHCP # and external WWW access to the server # 0.63s - Added support for the IRC module # 0.62s - Initial version based upon the basic 2.4.x rc.firewall echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n" # The location of various iptables and other shell programs # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # #IPTABLES=/sbin/iptables IPTABLES=/usr/local/sbin/iptables # LSMOD=/sbin/lsmod DEPMOD=/sbin/depmod INSMOD=/sbin/insmod GREP=/bin/grep AWK=/bin/awk SED=/bin/sed IFCONFIG=/sbin/ifconfig #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the natting will occur and the internal network # should preferably be addressed with a RFC1918 private address # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # EXTIF="ppp0" # # if you are a modem user. # EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" echo " ---" # Specify your Static IP address here or let the script take care of it # for you. # # If you prefer to use STATIC addresses in your firewalls, un-# out the # static example below and # out the dynamic line. If you don't care, # just leave this section alone. # # If you have a DYNAMIC IP address, the ruleset already takes care of # this for you. Please note that the different single and double quote # characters and the script MATTER. # # # DHCP users: # ----------- # If you get your TCP/IP address via DHCP, **you will need ** to enable the # #ed out command below underneath the PPP section AND replace the word # "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0, # etc) on the lines for "ppp-ip" and "extip". You should also note that the # DHCP server can and will change IP addresses on you. To deal with this, # users should configure their DHCP client to re-run the rc.firewall ruleset # everytime the DHCP lease is renewed. # # NOTE #1: Some DHCP clients like the original "pump" (the newer # versions have been fixed) did NOT have the ability to run # scripts after a lease-renew. Because of this, you need to # replace it with something like "dhcpcd" or "dhclient". # # NOTE #2: The syntax for "dhcpcd" has changed in recent versions. # # Older versions used syntax like: # dhcpcd -c /etc/rc.d/rc.firewall eth0 # # Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe # # NOTE #3: For Pump users, put the following line in /etc/pump.conf: # # script /etc/rc.d/rc.firewall # # PPP users: # ---------- # If you aren't already aware, the /etc/ppp/ip-up script is always run when # a PPP connection comes up. Because of this, we can make the ruleset go and # get the new PPP IP address and update the strong firewall ruleset. # # If the /etc/ppp/ip-up file already exists, you should edit it and add a line # containing "/etc/rc.d/rc.firewall" near the end of the file. # # If you don't already have a /etc/ppp/ip-up sccript, you need to create the # following link to run the /etc/rc.d/rc.firewall script. # # ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up # # * You then want to enable the #ed out shell command below * # # # Determine the external IP automatically: # ---------------------------------------- # EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | \ $SED -e 's/.*://'`" # For users who wish to use STATIC IP addresses: # # # out the EXTIP line above and un-# out the EXTIP line below # #EXTIP="your.static.PPP.address" echo " External IP: $EXTIP" echo " ---" # Assign the internal TCP/IP network and IP address INTNET="192.168.1.0/24" INTIP="192.168.1.1/24" echo " Internal Network: $INTNET" echo " Internal IP: $INTIP" echo " ---" # Setting a few other local variables # UNIVERSE="0.0.0.0/0" #====================================================================== #== No editing beyond this line is required for initial MASQ testing == # Need to verify that all modules have all required dependencies # echo " - Verifying that all kernel modules are ok" $DEPMOD -a echo -en " Loading kernel modules: " # With the new IPTABLES code, the core MASQ functionality is now either # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES # options as MODULES. If your kernel is compiled correctly, there is # NO need to load the kernel modules manually. # # NOTE: The following items are listed ONLY for informational reasons. # There is no reason to manual load these modules unless your # kernel is either mis-configured or you intentionally disabled # the kernel module autoloader. # # Upon the commands of starting up IP Masq on the server, the # following kernel modules will be automatically loaded: # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ # modules are shown below but are commented out from loading. # =============================================================== #Load the main body of the IPTABLES module - "ip_tables" # - Loaded automatically when the "iptables" command is invoked # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_tables, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then $INSMOD ip_tables fi #Load the IPTABLES filtering module - "iptable_filter" # # - Loaded automatically when filter policies are activated #Load the stateful connection tracking framework - "ip_conntrack" # # The conntrack module in itself does nothing without other specific # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" # module # # - This module is loaded automatically when MASQ functionality is # enabled # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_conntrack, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then $INSMOD ip_conntrack fi #Load the FTP tracking mechanism for full FTP tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -e "ip_conntrack_ftp, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then $INSMOD ip_conntrack_ftp fi #Load the IRC tracking mechanism for full IRC tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en " ip_conntrack_irc, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then $INSMOD ip_conntrack_irc fi #Load the general IPTABLES NAT code - "iptable_nat" # - Loaded automatically when MASQ functionality is turned on # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "iptable_nat, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then $INSMOD iptable_nat fi #Loads the FTP NAT functionality into the core IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on the next line to deactivate # echo -e "ip_nat_ftp" # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then $INSMOD ip_nat_ftp fi echo " ---" # Just to be complete, here is a list of the remaining kernel modules # and their function. Please note that several modules should be only # loaded by the correct master kernel module for proper operation. # -------------------------------------------------------------------- # # ipt_mark - this target marks a given packet for future action. # This automatically loads the ipt_MARK module # # ipt_tcpmss - this target allows to manipulate the TCP MSS # option for braindead remote firewalls. # This automatically loads the ipt_TCPMSS module # # ipt_limit - this target allows for packets to be limited to # to many hits per sec/min/hr # # ipt_multiport - this match allows for targets within a range # of port numbers vs. listing each port individually # # ipt_state - this match allows to catch packets with various # IP and TCP flags set/unset # # ipt_unclean - this match allows to catch packets that have invalid # IP/TCP flags set # # iptable_filter - this module allows for packets to be DROPped, # REJECTed, or LOGged. This module automatically # loads the following modules: # # ipt_LOG - this target allows for packets to be # logged # # ipt_REJECT - this target DROPs the packet and returns # a configurable ICMP packet back to the # sender. # # iptable_mangle - this target allows for packets to be manipulated # for things like the TCPMSS option, etc. #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable the following option. This enables dynamic-address hacking # which makes the life with Diald and similar programs much easier. # echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo " ---" ############################################################################# # # Enable Stronger IP forwarding and Masquerading # # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example for an internal LAN address in the # 192.168.1.x network with a 255.255.255.0 or a "24" bit subnet # mask connecting to the Internet on external interface "eth0". # This example will MASQ internal traffic out to the Internet # but not allow non-initiated traffic into your internal network. # # # ** Please change the above network numbers, subnet mask, and your # *** Internet connection interface name to match your setup # #Clearing any previous configuration # # Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP. # # You CANNOT change this to REJECT as it isn't a vaild setting for a # policy. If you want REJECT, you must explictly REJECT at the end # of a giving INPUT, OUTPUT, or FORWARD chain # echo " Clearing any existing rules and setting default policy to DROP.." $IPTABLES -P INPUT DROP $IPTABLES -F INPUT $IPTABLES -P OUTPUT DROP $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -F -t nat #Not needed and it will only load the unneeded kernel module #$IPTABLES -F -t mangle # # Flush the user chain.. if it exists if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then $IPTABLES -F drop-and-log-it fi # # Delete all User-specified chains $IPTABLES -X # # Reset all IPTABLES counters $IPTABLES -Z #Configuring specific CHAINS for later use in the ruleset # # NOTE: Some users prefer to have their firewall silently # "DROP" packets while others prefer to use "REJECT" # to send ICMP error messages back to the remote # machine. The default is "REJECT" but feel free to # change this below. # # NOTE: Without the --log-level set to "info", every single # firewall hit will goto ALL vtys. This is a very big # pain. # echo " Creating a DROP chain.." $IPTABLES -N drop-and-log-it $IPTABLES -A drop-and-log-it -j LOG --log-level info $IPTABLES -A drop-and-log-it -j DROP echo -e "\n - Loading INPUT rulesets" ####################################################################### # INPUT: Incoming traffic from various interfaces. All rulesets are # already flushed and set to a default policy of DROP. # # loopback interfaces are valid. # $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # local interface, local machines, going anywhere is valid # $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT # remote interface, claiming to be local machines, IP spoofing, get lost # $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it # external interface, from any source, for ICMP traffic is valid # # If you would like your machine to "ping" from the Internet, # enable this next line # #$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT # remote interface, any source, going to permanent PPP address is valid # #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT # Allow any related traffic coming back to the MASQ server in # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \ ESTABLISHED,RELATED -j ACCEPT # ----- Begin OPTIONAL Section ----- # # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server # #$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT #$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT # HTTPd - Enable the following lines if you run an EXTERNAL WWW server # #echo -e " - Allowing EXTERNAL access to the WWW server" #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \ #-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT # # ----- End OPTIONAL Section ----- # Catch all rule, all other incoming is denied and logged. # $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it echo -e " - Loading OUTPUT rulesets" ####################################################################### # OUTPUT: Outgoing traffic from various interfaces. All rulesets are # already flushed and set to a default policy of DROP. # # loopback interface is valid. # $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # local interfaces, any source going to local net is valid # $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT # local interface, any source going to local net is valid # $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT # outgoing to local net on remote interface, stuffed routing, deny # $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it # anything else outgoing on remote interface is valid # $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT # ----- Begin OPTIONAL Section ----- # # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server # #$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \ -d 255.255.255.255 --dport 68 -j ACCEPT #$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \ -d 255.255.255.255 --dport 68 -j ACCEPT # # ----- End OPTIONAL Section ----- # Catch all rule, all other outgoing is denied and logged. # $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it echo -e " - Loading FORWARD rulesets" ####################################################################### # FORWARD: Enable Forwarding and thus IPMASQ # echo " - FWD: Allow all connections OUT and only existing/related IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \ -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # Catch all rule, all other forwarding is denied and logged. # $IPTABLES -A FORWARD -j drop-and-log-it echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF" # #More liberal form #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE # #Stricter form $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP ####################################################################### echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"

<rc.firewall-2.4-stronger STOP>

To automatically start this stronger firewall ruleset at the proper time, please see the end of the Section 3.4.2 section for full details. Please make sure you make the correct "rc.firewall-2.4" to "rc.firewall-2.4-stronger" substitutions!!

6.4.2. Stronger IP Firewall (IPCHAINS) rulesets

This section provides a more in-depth guide to using the 2.2.x firewall tool, IPCHAINS. See above sections for IPFWADM rulesets.

This example is for a firewall/masquerade system behind a PPP link with a static PPP address (dynamic PPP instructions are included but disabled). The trusted interface is 192.168.0.1 and the PPP interface IP address has been changed to protect the guilty :-). I have listed each incoming and outgoing interface individually to catch IP spoofing as well as stuffed routing and/or masquerading. A nything not explicitly allowed is FORBIDDEN (well.. rejected actually). If your IP MASQ box breaks after implementing this rc.firewall script, be sure that you edit it for your configuration and check your /var/log/messages or /var/adm/messages SYSLOG file for any firewall errors.

For more comprehensive examples of a strong IP Masqueraded IPFWADM rulesets for PPP, Cablemodem users, etc., please see TrinityOS - Section 10 and GreatCircle's Firewall WWW page

NOTE #1: --- UPDATE YOUR KERNEL --- Linux 2.2.x kernels less than version 2.2.20 contain several different security vulnerabilities (some were MASQ specific). Kernels less than 2.2.20 have a few local vulnerabilities. Kernel versions less than 2.2.16 have a TCP root exploit vulnerability and versions less than 2.2.11 have a IPCHAINS fragmentation bug. Because of these issues, users running a firewall with strong IPCHAINS rulesets are open to possible instrusion. Please upgrade your kernel to a fixed version.

NOTE #2: If you get a dynamically assigned TCP/IP address from your ISP (PPP, ADSL, Cablemodems, etc.), you CANNOT load this strong ruleset upon booting. You will either need to reload this firewall ruleset EVERY TIME you get a new IP address or make your /etc/rc.d/rc.firewall ruleset more intelligent. To do this for PPP users, carefully read and un-comment out the proper lines in the "Dynamic PPP IP fetch" section below. You can also find more details in the TrinityOS - Section 10 doc for more details on Strong rulesets and Dynamic IP addresses.

Please also be aware that there are several GUI Firewall creation tools available as well. Please see Chapter 7for full details.

Lastly, if you are using a STATIC PPP IP address, change the "ppp_ip="your.static.PPP.address"" line to reflect your address.

----------------------------------------------------------------

<rc.firewall-2.2-stronger START>

#!/bin/sh # # /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset. # PATH=/sbin:/bin:/usr/sbin:/usr/bin # Load all required IP MASQ modules # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules # are shown below but are commented from loading. # Needed to initially load modules # /sbin/depmod -a # Supports the proper masquerading of FTP file transfers using the PORT method # /sbin/modprobe ip_masq_ftp # Supports the masquerading of RealAudio over UDP. Without this module, # RealAudio WILL function but in TCP mode. This can cause a reduction # in sound quality # /sbin/modprobe ip_masq_raudio # Supports the masquerading of IRC DCC file transfers # #/sbin/modprobe ip_masq_irc # Supports the masquerading of Quake and QuakeWorld by default. These modules are # for multiple users behind the Linux MASQ server. If you are going to # play Quake I, II, and III, use the second example. # # NOTE: If you get ERRORs loading the QUAKE module, you are running an old # ----- kernel that has bugs in it. Please upgrade to the newest kernel. # #Quake I / QuakeWorld (ports 26000 and 27000) #/sbin/modprobe ip_masq_quake # #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960) #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960 # Supports the masquerading of the CuSeeme video conferencing software # #/sbin/modprobe ip_masq_cuseeme #Supports the masquerading of the VDO-live video conferencing software # #/sbin/modprobe ip_masq_vdolive #CRITICAL: Enable IP forwarding since it is disabled by default # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo "1" > /proc/sys/net/ipv4/ip_forward #CRITICAL: Enable automatic IP defragmentation since it is disabled by default # in 2.2.x kernels # # This used as a compile-time option but the behavior was changed # in 2.2.12. It should also be noted that some distributions have # removed this option from the /proc table. If this entry isn't # present in your /proc, don't worry about it. # echo "1" > /proc/sys/net/ipv4/ip_always_defrag # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this # following option. This enables dynamic-ip address hacking in IP MASQ, # making life with Diald and similar programs much easier. # #echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Enable the LooseUDP patch which some Internet-based games require # # If you are trying to get an Internet game to work through your IP MASQ box, # and you configured it to the best of your ability without it working, try # enabling this option (delete the "#" character). This option is disabled # by default due to possible internal machine UDP port scanning # vulnerabilities. # #echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose # Specify your Static IP address here. # # If you have a DYNAMIC IP address, you need to make this ruleset recognize # your IP address everytime you get a new IP. To do this, enable the # following one-line script. (Please note that the different single and # double quote characters MATTER). # # # DHCP users: # ----------- # If you get your TCP/IP address via DHCP, **you will need ** to enable the # #ed out command below underneath the PPP section AND replace the word # "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1, etc) # on the lines for "ppp-ip" and "extip". You should note that the # DHCP server can change IP addresses on you. To fix this, users should # configure their DHCP client to re-run the firewall ruleset everytime the # DHCP lease is renewed. # # NOTE #1: Some DHCP clients like the original "pump" (the newer # versions have been fixed) did NOT have the ability to run # scripts after a lease-renew. Because of this, you need to # replace it with something like "dhcpcd" or "dhclient". # # NOTE #2: The syntax for "dhcpcd" has changed in recent versions. # # Older versions used syntax like: # dhcpcd -c /etc/rc.d/rc.firewall eth0 # # Newer versions use syntax like: # dhcpcd eth0 /etc/rc.d/rc.firewall # # NOTE #3: For Pump users, put the following line in /etc/pump.conf: # # script /etc/rc.d/rc.firewall # # PPP users: # ---------- # If you aren't already aware, the /etc/ppp/ip-up script is always run when # a PPP connection comes up. Because of this, we can make the ruleset go and # get the new PPP IP address and update the strong firewall ruleset. # # If the /etc/ppp/ip-up file already exists, you should edit it and add a line # containing "/etc/rc.d/rc.firewall" near the end of the file. # # If you don't already have a /etc/ppp/ip-up sccript, you need to create the # following link to run the /etc/rc.d/rc.firewall script. # # ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up # # * You then want to enable the #ed out shell command below * # # # PPP and DHCP Users: # ------------------- # Remove the # on the line below and place a # in front of the line after that. # #extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" # For PPP users with STATIC IP addresses: # extip="your.static.PPP.address" # ALL PPP and DHCP users must set this for the correct EXTERNAL interface name extint="ppp0" # Assign the internal IP intint="eth0" intnet="192.168.0.0/24" # MASQ timeouts # # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec # firewall timeout in ICQ itself) # ipchains -M -S 7200 10 60 ############################################################################# # Incoming, flush and set default policy of reject. Actually the default policy # is irrelevant because there is a catch all rule with deny and log. # ipchains -F input ipchains -P input REJECT # local interface, local machines, going anywhere is valid # ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT # remote interface, claiming to be local machines, IP spoofing, get lost # ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT # remote interface, any source, going to permanent PPP address is valid # ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT # loopback interface is valid. # ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # catch all rule, all other incoming is denied and logged. pity there is no # log option on the policy but this does the job instead. # ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT ############################################################################# # Outgoing, flush and set default policy of reject. Actually the default policy # is irrelevant because there is a catch all rule with deny and log. # ipchains -F output ipchains -P output REJECT # local interface, any source going to local net is valid # ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT # outgoing to local net on remote interface, stuffed routing, deny # ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT # outgoing from local net on remote interface, stuffed masquerading, deny # ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT # anything else outgoing on remote interface is valid # ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT # loopback interface is valid. # ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT # catch all rule, all other outgoing is denied and logged. pity there is no # log option on the policy but this does the job instead. # ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT ############################################################################# # Forwarding, flush and set default policy of deny. Actually the default policy # is irrelevant because there is a catch all rule with deny and log. # ipchains -F forward ipchains -P forward DENY # Masquerade from local net on local interface to anywhere. # ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ # # catch all rule, all other forwarding is denied and logged. pity there is no # log option on the policy but this does the job instead. # ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT #End of file.

<rc.firewall-2.2-stronger STOP>

To automatically start this stronger firewall ruleset at the proper time, please see the end of the Section 3.4.2 section for full details. Please make sure you make the correct "rc.firewall-2.2" to "rc.firewall-2.2-stronger" substitutions!!

With IPCHAINS, you can block traffic to a particular site using the "input", "output", and/or "forward" rules. Remember that the set of rules are scanned from top to bottom and "-A" tells IPCHIANS to "append" this new rule to the existing set of rules. So with this in mind, any specific restrictions need to come before any global rules. For example:

Using "input" rules:

Probably the fastest and most efficient method to block traffic, but this method only stops the MASQed machines and NOT the firewall machine itself. Of course, you might want to allow that combination.

Anyway, to block 204.50.10.13:

In the /etc/rc.d/rc.firewall ruleset: ... start of "input" rules ... # reject and log local interface, local machines going to 204.50.10.13 # ipchains -A input -s 192.168.0.0/24 -d 204.50.10.13/32 -l -j REJECT # local interface, local machines, going anywhere is valid # ipchains -A input -s 192.168.0.0/24 -d 0.0.0.0/0 -l -j ACCEPT ... end of "input" rules ...

Using "output" rules:

This is the slower method to block traffic because the packets must go through masquerading before they are dropped. Yet, this rule even stops the firewall machine from accessing the forbidden site.

... start of "output" rules ... # reject and log outgoing to 204.50.10.13 # ipchains -A output -s $ppp_ip/32 -d 204.50.10.13/32 -l -j REJECT # anything else outgoing on remote interface is valid # ipchains -A output -s $ppp_ip/32 -d 0.0.0.0/0 -l -j ACCEPT ... end of "output" rules ...

Using "forward" rules:

Probably slower than "input" rules for blocking traffic, this only stops masqueraded machines (e.g. internal machines). The firewall machine can still reach forbidden site(s).

... start of "forward" rules ... # Reject and log from local net on PPP interface to 204.50.10.13. # ipchains -A forward -i ppp0 -s 192.168.0.0/24 -d 204.50.10.13/32 -l -j REJECT # Masquerade from local net on local interface to anywhere. # ipchains -A forward -i ppp0 -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ ... end of "forward" rules ...

No need for a special rule to allow machines on the 192.168.0.0/24 network to go to 204.50.11.0. Why? It is already covered by the global MASQ rule.

NOTE: Unlike IPFWADM, IPCHIANS has only one way of coding the interfaces name. IPCHAINS uses the "-i eth0" option where as IPFWADM had both "-W" for the interface name and "-V" for the interface's IP address.

6.4.3. Stronger IP Firewall (IPFWADM) Rulesets

This section provides a more in-depth guide on using the 2.0.x firewall tool, IPFWADM. See below for IPCHAINS rulesets

This example is for a firewall/masquerade system behind a PPP link with a static PPP address (dynamic PPP instructions are included but disabled). The trusted interface is 192.168.0.1 and the PPP interface IP address has been changed to protect the guilty :). I have listed each incoming and outgoing interface individually to catch IP spoofing as well as stuffed routing and/or masquerading. Anything not explicitly allowed is FORBIDDEN (well.. rejected, actually). If your IP MASQ box breaks after implementing this rc.firewall script, be sure that you edit it for your configuration and check your /var/log/messages or /var/adm/messages SYSLOG file for any firewall errors.

For more comprehensive examples of a strong IP Masqueraded IPFWADM rulesets for PPP, Cablemodem users, etc., please see TrinityOS - Section 10 and GreatCircle's Firewall WWW page

NOTE: If you get a dynamically assigned TCP/IP address from your ISP (PPP, ADSL, Cablemodems, etc.), you CANNOT load this strong ruleset upon boot. You will either need to reload this firewall ruleset EVERY TIME you get a new IP address or make your /etc/rc.d/rc.firewall ruleset more intelligent. To do this for PPP users, carefully read and un-comment out the proper lines in the "Dynamic PPP IP fetch" section below. You can also find more details on Strong rulesets and Dynamic IP addresses in the TrinityOS - Section 10 docs.

Please also be aware that there are several GUI Firewall creation tools available as well. Please see Chapter 7for full details.

Lastly, if you are using a STATIC PPP IP address, change the "ppp_ip="your.static.PPP.address"" line to reflect your address.

----------------------------------------------------------------

<rc.firewall-2.0-stronger START>

#!/bin/sh # # /etc/rc.d/rc.firewall: An example of a semi-STRONG IPFWADM firewall ruleset # PATH=/sbin:/bin:/usr/sbin:/usr/bin # testing, wait a bit then clear all firewall rules. # uncomment the following lines if you want the firewall to automatically # disable after 10 minutes. # (sleep 600; \ # ipfwadm -I -f; \ # ipfwadm -I -p accept; \ # ipfwadm -O -f; \ # ipfwadm -O -p accept; \ # ipfwadm -F -f; \ # ipfwadm -F -p accept; \ # ) & # Load all required IP MASQ modules # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules # are shown below but are commented from loading. # Needed to initially load modules # /sbin/depmod -a # Supports the proper masquerading of FTP file transfers using the PORT method # /sbin/modprobe ip_masq_ftp # Supports the masquerading of RealAudio over UDP. Without this module, # RealAudio WILL function but in TCP mode. This can cause a reduction # in sound quality # #/sbin/modprobe ip_masq_raudio # Supports the masquerading of IRC DCC file transfers # #/sbin/modprobe ip_masq_irc # Supports the masquerading of Quake and QuakeWorld by default. This modules is # for multiple users behind the Linux MASQ server. If you are going to # play Quake I, II, and III, use the second example. # # NOTE: If you get ERRORs loading the QUAKE module, you are running an old # ----- kernel that has bugs in it. Please upgrade to the newest kernel. # #Quake I / QuakeWorld (ports 26000 and 27000) #/sbin/modprobe ip_masq_quake # #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960) #/sbin/modprobe ip_masq_quake 26000,27000,27910,27960 # Supports the masquerading of the CuSeeme video conferencing software # #/sbin/modprobe ip_masq_cuseeme #Supports the masquerading of the VDO-live video conferencing software # #/sbin/modprobe ip_masq_vdolive #CRITICAL: Enable IP forwarding, since it is disabled by default # # Redhat Users: you may try changing the options in /etc/sysconfig/network # from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo "1" > /proc/sys/net/ipv4/ip_forward #CRITICAL: Enable automatic IP defragmenting since it is disabled by default # in 2.2.x kernels # # This used to be a compile-time option but the behavior was changed # in 2.2.12 # echo "1" > /proc/sys/net/ipv4/ip_always_defrag # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this # following option. This allows dynamic-ip address hacking in IP MASQ, # making the life with Diald and similar programs much easier. # #echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Specify your Static IP address here. # # If you have a DYNAMIC IP address, you need to make this ruleset understand # your IP address everytime you get a new IP. To do this, enable the # following one-line script. (Please note that the different single and # double quote characters MATTER). # # # DHCP users: # ----------- # If you get your TCP/IP address via DHCP, **you will need ** to enable the # #ed out command below underneath the PPP section AND replace the word # "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1, # etc). It should be also noted that the DHCP server can change IP # addresses on you. To fix this, users should configure their DHCP client # to re-run the firewall ruleset everytime the DHCP lease is renewed. # # NOTE #1: Some DHCP clients like the older version of "pump" (the newer # versions have been fixed) did NOT have the ability to run # scripts after a lease-renew. Because of this, you need to # replace it with something like "dhcpcd" or "dhclient". # # NOTE #2: The syntax for "dhcpcd" has changed in recent versions. # # Older versions used syntax like: # dhcpcd -c /etc/rc.d/rc.firewall eth0 # # Newer versions use syntax like: # dhcpcd eth0 /etc/rc.d/rc.firewall # # NOTE #3: For Pump users, put the following line in /etc/pump.conf: # # script /etc/rc.d/rc.firewall # # PPP users: # ---------- # If you aren't already aware, the /etc/ppp/ip-up script is always run when # a PPP connection comes up. Because of this, we can make the ruleset go # and get the new PPP IP address and update the strong firewall ruleset. # # If the /etc/ppp/ip-up file already exists, you should edit it and add a line # containing "/etc/rc.d/rc.firewall" near the end of the file. # # If you don't already have a /etc/ppp/ip-up sccript, you need to create the # following link to run the /etc/rc.d/rc.firewall script. # # ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up # # * You then want to enable the #ed out shell command below * # # # PPP and DHCP Users: # ------------------- # Remove the # on the line below and place a # in front of the line after that. # #ppp_ip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" # ppp_ip="your.static.PPP.address" # MASQ timeouts # # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec # firewall timeout in ICQ itself) # /sbin/ipfwadm -M -s 7200 10 60 ############################################################################# # Incoming, flush and set default policy of reject. Actually the default policy # is irrelevant because there is a catch all rule with deny and log. # /sbin/ipfwadm -I -f /sbin/ipfwadm -I -p reject # local interface, local machines, going anywhere is valid # /sbin/ipfwadm -I -a accept -V 192.168.0.1 -S 192.168.0.0/24 -D 0.0.0.0/0 # remote interface, claiming to be local machines, IP spoofing, get lost # /sbin/ipfwadm -I -a reject -V $ppp_ip -S 192.168.0.0/24 -D 0.0.0.0/0 -o # remote interface, any source, going to permanent PPP address is valid # /sbin/ipfwadm -I -a accept -V $ppp_ip -S 0.0.0.0/0 -D $ppp_ip/32 # loopback interface is valid. # /sbin/ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0 # catch all rule, all other incoming is denied and logged. pity there is no # log option on the policy but this does the job instead. # /sbin/ipfwadm -I -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o ############################################################################# # Outgoing, flush and set default policy of reject. Actually the default policy # is irrelevant because there is a catch all rule with deny and log. # /sbin/ipfwadm -O -f /sbin/ipfwadm -O -p reject # local interface, any source going to local net is valid # /sbin/ipfwadm -O -a accept -V 192.168.0.1 -S 0.0.0.0/0 -D 192.168.0.0/24 # outgoing to local net on remote interface, stuffed routing, deny # /sbin/ipfwadm -O -a reject -V $ppp_ip -S 0.0.0.0/0 -D 192.168.0.0/24 -o # outgoing from local net on remote interface, stuffed masquerading, deny # /sbin/ipfwadm -O -a reject -V $ppp_ip -S 192.168.0.0/24 -D 0.0.0.0/0 -o # outgoing from local net on remote interface, stuffed masquerading, deny # /sbin/ipfwadm -O -a reject -V $ppp_ip -S 0.0.0.0/0 -D 192.168.0.0/24 -o # anything else outgoing on remote interface is valid # /sbin/ipfwadm -O -a accept -V $ppp_ip -S $ppp_ip/32 -D 0.0.0.0/0 # loopback interface is valid. # /sbin/ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0 # catch all rule, all other outgoing is denied and logged. pity there is no # log option on the policy but this does the job instead. # /sbin/ipfwadm -O -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o ############################################################################# # Forwarding, flush and set default policy of deny. Actually the default policy # is irrelevant because there is a catch all rule with deny and log. # /sbin/ipfwadm -F -f /sbin/ipfwadm -F -p deny # Masquerade from local net on local interface to anywhere. # /sbin/ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0 # # catch all rule, all other forwarding is denied and logged. Pity there is no # log option on the policy but this does the job instead. # /sbin/ipfwadm -F -a reject -S 0.0.0.0/0 -D 0.0.0.0/0 -o #End of file.

<rc.firewall-2.0-stronger STOP>

To automatically start this stronger firewall ruleset at the proper time, please see the end of the Section 3.4.3 section for full details. Please make sure you make the correct "rc.firewall-2.0" to "rc.firewall-2.0-stronger" substitutions!!

With IPFWADM, you can block traffic to a particular site using the -I, -O or -F rules. Remember that the set of rules are scanned top to bottom and "-a" tells IPFWADM to "append" this new rule to the existing set of rules. So with this in mind, any specific restrictions need to come before global rules. For example:

Using -I (input ) rules:

Probably the fastest and most efficient method to block traffic but it only stops the MASQed machines, and NOT the the firewall machine itself. Of course, you might want to allow that combination.

Anyway, to block 204.50.10.13:

In the /etc/rc.d/rc.firewall ruleset: ... start of -I rules ... # reject and log local interface, local machines going to 204.50.10.13 # /sbin/ipfwadm -I -a reject -V 192.168.0.1 -S 192.168.0.0/24 -D 204.50.10.13/32 -o # local interface, local machines, going anywhere is valid # /sbin/ipfwadm -I -a accept -V 192.168.0.1 -S 192.168.0.0/24 -D 0.0.0.0/0 ... end of -I rules ...

Using -O (output) rules:

This is the slower method to block traffic because the packets go through masquerading first before they are dropped. Yet, this rule even stops the firewall machine from accessing the forbidden site.

... start of -O rules ... # reject and log outgoing to 204.50.10.13 # /sbin/ipfwadm -O -a reject -V $ppp_ip -S $ppp_ip/32 -D 204.50.10.13/32 -o # anything else outgoing on remote interface is valid # /sbin/ipfwadm -O -a accept -V $ppp_ip -S $ppp_ip/32 -D 0.0.0.0/0 ... end of -O rules ...

Using -F (forward) rules:

Probably slower than -I (input) rules for blocking traffic, this still only stops masqueraded machines (e.g. internal machines). The firewall machine can still reach forbidden site(s).

... start of -F rules ... # Reject and log from local net on PPP interface to 204.50.10.13. # /sbin/ipfwadm -F -a reject -W ppp0 -S 192.168.0.0/24 -D 204.50.10.13/32 -o # Masquerade from local net on local interface to anywhere. # /sbin/ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0 ... end of -F rules ...

There is no need for a special rule to allow machines on the 192.168.0.0/24 network to go to 204.50.11.0. Why? It is already covered by the global MASQ rule.

NOTE: There is more than one way of coding the interfaces in the above rules. For example instead of "-V 192.168.255.1" you can code "-W eth0", instead of "-V $ppp_ip" , you can use "-W ppp0". The "-V" method was phased out with the imgration to IPCHAINS, but for IPFWADM users, its more of a personal choice and documentation.

6.7.1. 2.4.x PORTFWD'ing: Using IPTABLE's PREROUTING option for 2.4.x kernels

Unlike ALL previous Linux kernels, the 2.4.x series now allows for full PORTFW, PORTFW FTP, and PORTFW REDIR functionality within the "iptables" tool itself.

NOTE: Once you enable a port forwarder on say port 80 (forward WWW traffic through the MASQ server to an internal WWW server), that port will no longer be used by the Linux IP Masquerade server itself. To be more specific, if you have a WWW server already running on the MASQ server, enabling PORTFW will now give all Internet users acces to the WWW pages from the -INTERNAL- WWW server and not the pages on your IP MASQ server.

To enable port forwarding on a 2.4.x kernel, edit the /etc/rc.d/rc.firewall-2.4 ruleset. Add the follow lines but be sure to replace the word "$EXTIP" with your specific Internet IP address.

NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL, Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see Section 6.4.2 from above or TrinityOS - Section 10 for more details on strong rulesets and Dynamic IP addresses. I'll give you a hint though: /etc/ppp/ip-up for PPP users.

/etc/rc.d/rc.firewall

#echo "Enabling PORTFW Redirection on the external LAN.." # # This will forward ALL port 80 traffic from the external IP address # to port 80 on the 192.168.0.10 machine # # Be SURE that when you add these new rules to your rc.firewall, you # add them before a direct or implict DROP or REJECT. # PORTFWIP="192.168.0.10" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \ --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \ -j DNAT --to $PORTFWIP:80

That's it! Just re-run your /etc/rc.d/rc.firewall-2.4 ruleset and test it out!

PORTFW FTP: If you have the "ip_conntrack_ftp" and "ip_nat_ftp" kernel modules loaded into kernel space (as already done in the rc.firewall-2.4 script), the simple PREROUTING command like the one shown above changed for for port "21" should do the trick. Much easier than the old 2.2.x / 2.0.x ways!

Please note, if you PORTFW to an internal FTP server that is running on, say port 8021 and NOT running on port 21, you MUST tell the "ip_conntrack_ftp" module about the new port. To do this, edit your rc.firewall file and change the loading of the FTP module to look something like this:

/sbin/insmod ip_conntrack_ftp ports=21,8021

In the past, if users PORTFWed port 80 on their EXTERNAL IP to some internal machine, only machines on the Internet would work properly. If you tried to do this from an internal machine, it would fail. Fortunately, there is a workaround for 2.2.x and 2.0.x kernels using the REDIR tool. Fortunately, this is NOT required anymore for the 2.4.x kernels. To fix this, add a line like the following ABOVE the "Catch all" FORWARDing rule in the rc.firewall file. This example will REDIRECT internal WWW traffic to the 192.168.0.2 internal machine (please change this IP address to reflect your configuration):

$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 80 \ -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.2

6.7.2. 2.2.x PORTFWD'ing: Using IPMASQADM with 2.2.x kernels

First, make sure you have the newest 2.2.x kernel uncompressed into /usr/src/kernel/linux. If you haven't already done this, please see Section 3.2.2 section for full details. Next, download the "ipmasqadm.c" program from Section 2.7 into the /usr/src/kernel directory.

Next, you'll need to compile the 2.2.x kernel as shown in Section 3.2.2 section. Be sure to say "YES" to the IPPORTFW option when you configure the kernel. Once the kernel compile is complete and you have rebooted, return to this section.

Now, compile and install the IPMASQADM tool:

cd /usr/src tar xzvf ipmasqadm-x.tgz cd ipmasqadm-x make make install

Now, for this example, we are going to allow ALL WWW Internet traffic (port 80) hitting your Internet TCP/IP address to be forwarded to the internal Masqueraded machine at IP address 192.168.0.10.

PORTFW FTP: As mentioned above, there are two solutions for forwarding FTP server traffic to an internal MASQed PC. The first solution *IS* a BETA level IP_MASQ_FTP module for 2.2.x kernels to PORT Forward FTP connections to an internal MASQed FTP server. The other method is using a FTP proxy program (the URL is in Section 2.7. It should also be noted that the FTP kernel module also supports the adding of additional PORTFW FTP ports on the fly without the requirement of unloading and reloading the IP_MASQ_FTP module and thus breaking any existing FTP transfers. You can find more about this new code at the IPMASQ WWW site at http://ipmasq.cjb.net;. There are also examples and some additional information about PORTFWed FTP connection below in the 2.0.x. kernel section.

NOTE: Once you enable a port forwarder on port 80, that port can no longer be used by the Linux IP Masquerade server. To be more specific, if you have a WWW server already running on the MASQ server, a port forward will now give all Internet users the WWW pages from the -INTERNAL- WWW server and not the pages on your IP MASQ server.

Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall ruleset. Add the follow lines but be sure to replace the word "$extip" with your Internet IP address.

NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL, Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see Section 6.4.2 from above or TrinityOS - Section 10 for more details on strong rulesets and Dynamic IP addresses. I'll give you a hint though: /etc/ppp/ip-up for PPP users.

/etc/rc.d/rc.firewall

#echo "Enabling IPPORTFW Redirection on the external LAN.." # # This will forward ALL port 80 traffic from the external IP address # to port 80 on the 192.168.0.10 machine # /usr/sbin/ipmasqadm portfw -f /usr/sbin/ipmasqadm portfw -a -P tcp -L $extip 80 -R 192.168.0.10 80

That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it out!

If you get the error message "ipchains: setsockopt failed: Protocol not available", you AREN'T running your new IPPORTFW enabled kernel. Make sure that you moved the new kernel over, re-run LILO, and then reboot again. If you are sure you are running your new kernel, run the command "ls /proc/net/ip_masq" and make sure the "portfw" file exists. If it doesn't, you must have made an error when configuring your kernel. Try again.

For those who want to understand why PORTFW cannot redirect traffic for both external and internal interfaces (the REDIR situation), here is an email from Juanjo that better explains it:

From Juanjo Ciarlante -- >If I use: > > ipmasqadm portfw -a -P tcp -L 1.2.3.4 80 -R 192.168.2.3 80 > >Everything works great from the outside but internal requests for the same >1.2.3.4 address fail. Are there chains that will allow a machine on localnet >192.168.2.0 to accesss www.periapt.com without using a proxy? Actually not. I usually setup a ipmasqadm rule for outside, *AND* a port redirector for inside. This works because ipmasqadm hooks before redir will get the eventual outside connection, _but_ leaves things ok if not (stated by APPROPIATE rules). The actual "conceptual" problem comes from the TRUE client (peer) IP goal (thanks to masq) being in the same net as target server. The failing scenario for "local masq" is : client: 192.168.2.100 masq: 192.168.2.1 serv: 192.168.2.10 1)client->server packet a) client: 192.168.2.100:1025 -> 192.168.2.1:80 [SYN] b) (masq): 192.168.2.100:1025 -> 192.168.2.10:80 [SYN] (and keep 192.168.2.1:61000 192.168.2.100:1025 related) c) serv: gets masqed packet (1b) 2)server->client packet a) serv: 192.168.2.10:80 -> 192.168.2.100:1025 [SYN,ACK] b) client: 192.168.2.100:1025 -> 192.168.2.10:80 [RST] Now take a moment to compare (1a) with (2a). You see, the server replied DIRECTLY to client bypassing masq (not letting masq to UNDO the packet hacking) because it is in SAME net, so the client resets the connection. hope I helped. Warm regards Juanjo

6.7.3. 2.0.x PORTFWD'ing: Using IPPORTFW on 2.0.x kernels

First, make sure you have the newest 2.0.x kernel uncompressed into /usr/src/kernel. If you haven't already done this, please see Section 3.2.3 for full details. Next, download the "ipportfw.c" program and the "subs-patch-x.gz" kernel patch from Section 3.2.3 into the /usr/src/ directory.

NOTE: Please replace the "x" in the "subs-patch-x.gz" file name with the most current version available on the site.

Next, if you plan on port forwarding FTP traffic to an internal server, you will have to apply an additional NEW IP_MASQ_FTP module patch found in Section 3.2.3. More details regarding this are later in this section. Please note that this is NOT the same patch as for the 2.2.x kernels so some functionality such as the dynamic FTP PORT functionality is not present.

Now, copy the IPPORTFW patch (subs-patch-x.gz) into the Linux directory

cp /usr/src/subs-patch-1.37.gz /usr/src/linux

Next, apply the kernel patch to create the IPPORTFW kernel option:

cd /usr/src/linux zcat subs-patch-1.3x.gz | patch -p1

Ok, time to compile the kernel as shown in Section 3.2.3. Be sure to say YES to the IPPORTFW option now available when you configure the kernel. Once the compile is complete and you have rebooted, return to this section.

Now with a newly compiled kernel, please compile and install the actual "IPPORTFW" program

cd /usr/src gcc ipportfw.c -o ipportfw mv ipportfw /usr/local/sbin

Now, for this example, we are going to allow ALL WWW Internet traffic (port 80) hitting your Internet TCP/IP address to then be forwarded to the internal Masqueraded machine at IP address 192.168.0.10.

NOTE: Once you enable a port forwarder on port 80, that port can no longer be used by the Linux IP Masquerade server. To be more specific, if you have a WWW server already running on the MASQ server and then you port forward port 80 to an internal MASQed computer, ALL internet users will see the WWW pages pages from the -INTERNAL- WWW server and not the pages on your IP MASQ server. This only performs a port forward to some other port, say 8080, to your internal MASQ machine. Though this will work, all Internet users will have to append :8080 to the URL to then contact the internal MASQed WWW server.

Anyway, to enable port forwarding, edit the /etc/rc.d/rc.firewall ruleset. Add the follow lines but be sure to replace the word "$extip" with your Internet IP address.

NOTE: If you use get a DYNAMIC TCP/IP address from your ISP (PPP, ADSL, Cablemodems, etc.), you will NEED to make your /etc/rc.d/rc.firewall ruleset more intelligent. To do this, please see Section 6.4.2from above or TrinityOS - Section 10 for more details on strong rulesets and Dynamic IP addresses. I'll give you a hint though: /etc/ppp/ip-up for PPP users.

/etc/rc.d/rc.firewall

#echo "Enabling IPPORTFW Redirection on the external LAN.." # # This will forward ALL port 80 traffic from the external IP address # to port 80 on the 192.168.0.10 machine # /usr/local/sbin/ipportfw -C /usr/local/sbin/ipportfw -A -t$extip/80 -R 192.168.0.10/80

That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it out!

If you get the error message "ipfwadm: setsockopt failed: Protocol not available", you AREN'T running your new kernel. Make sure that you moved the new kernel over, re-run LILO, and then reboot again.

Port Forwarding FTP servers:

If you plan on port forwarding FTP to an internal machine, things get more complicated. The reason for this is because the standard IP_MASQ_FTP kernel module wasn't written for this though some users report that it works without any problems. Personally, without the patch, I've heard that extended file transfers in excess of 30 minutes will fail without the patch while other users swear that it works flawlessly. Anyway, I recommend that you try the following PORTFW instruction with the STOCK ip_masq_ftp module and see if it works for you. If it doesn't, try using the modified ip_masq_ftp module.

For those who need the module, Fred Viles wrote a modified IP_MASQ_FTP module to make things work. If you are curious what EXACTLY are the issues, download the following archive since Fred documents it quite well. Also understand that this patch is somewhat experimental and should be treated as such. It should be noted that this patch is ONLY available for the 2.0.x kernels though there is a different patch available for 2.2.x kernels.

So, to get the 2.0.x patch working, you need to:

• FIRST, apply the IPPORTFW kernel patch as shown earlier in this section.

• Download the "msqsrv-patch-36" from Fred Viles's FTP server in Section 3.2.3and put it into /usr/src/linux.

• Patch the kernel with this new code by running "cat msqsrv-patch-36 | patch -p1"

• Next, replace the original "ip_masq_ftp.c" kernel module with the new one

  mv /usr/src/linux/net/ipv4/ip_masq_ftp.c /usr/src/linux/net/ipv4/ip_masq_ftp.c.orig

  mv /usr/src/linux/ip_masq_ftp.c /usr/src/linux/net/ipv4/ip_masq_ftp.c

• Lastly, build and install the kernel with this new code in place.

Once this is complete, edit the /etc/rc.d/rc.firewall ruleset and add the following lines, but be sure to replace the word "$extip" with your Internet IP address.

This example, like the one above, will allow ALL FTP Internet traffic (port 21) hitting your Internet TCP/IP address to then be forwarded to the internal Masqueraded machine at IP address 192.168.0.10.

NOTE: Once you enable a port forwarder on port 21, that port can no longer be used by the Linux IP Masquerade server. To be more specific, if you have an FTP server already running on the MASQ server, a port forward will now give all Internet users the FTP files from the -INTERNAL- FTP server and not the files on your IP MASQ server.

/etc/rc.d/rc.firewall

#echo "Enabling IPPORTFW Redirection on the external LAN.." # /usr/local/sbin/ipportfw -C /usr/local/sbin/ipportfw -A -t$extip/21 -R 192.168.0.10/21 #NOTE: If you are using multiple local port numbers to PORTFW # to multuple internal FTP servers (say, 21, 2121, 2112, # etc, you need to configure the ip_masq_ftp nodule to # listen to these ports. To do this, edit the # /etc/rc.d/rc.firewall script as shown in this HOWTO # to look like: # # /sbin/modprobe ip_masq_ftp ports=21,2121,2112 # # Re-run the /etc/rc.d/rc.firewall script for these changes to # take effect. #Please note that PORTFWing port 20 is probably NOT required # for ACTIVE connections as the internal FTP server will # initiate this port 20 connection and it will be properly # handled by the classic MASQ mechanisms.

That's it! Just re-run your /etc/rc.d/rc.firewall ruleset and test it out!

7.15.1. Changing the MTU of a PPP link:

• To fix the MTU issue on your PPP link, edit your /etc/ppp/options file and towards the top, add the following text on two seperate lines: "mtu 1500" and "mru 1500". Save these new changes and then restart PPP. Like above, again verify that your PPP link has the correct MTU and MTU.

• To fix the MTU issue on a standard Ethernet link to your bridged or routed DSL, Cablemodem, etc. connection, you need to edit the correct network startup scripts for your Linux distribution. Please see the TrinityOS - Section 16 document for network optimizations.

7.15.2. Old UNIX Serial interfaces:

• Lastly, though this isn't a common problem, some users have found the solution to the following problem. With PPP users, verify what port is your PPPd code connecting to. Is it a /dev/cua* port or a /dev/ttyS* port? It NEEDS to be a /dev/ttyS* port. The cua style is OLD and it breaks some things in very odd ways.

7.15.3. PPPoE Users:

For those users who use PPPoE (this has a maximum MTU of 1490) or for those users who choose NOT to use an MTU of 1500, not is all lost. If you reconfigure ALL of your MASQed PCs to use the SAME MTU as your external Internet link's MTU, everything should work fine. It should be noted that some PPPoE ISPs might require an MTU of 1460 for proper connectivity.

How would you do this? Follow these simple steps for your respective operating system.

The follow examples utilizes an MTU of 1490 for typical PPPoE connections for some DSL and Cablemodem users. It is recommended to use the HIGHEST values possible for all connections that are 128Kb/s and faster.

The only real reason to use smaller MTUs is to lower latency but at the cost of throughput. Please see:

http://www.ecst.csuchico.edu/~dranch/PPP/ppp-performance.html#mtu

for more details on this topic.

*** If you have had SUCCESS, FAILURE, or have procedures for OTHER operating *** systems, please email David Ranch. Thanks!

7.15.4. Linux:

------------------------------------------ 1. The setting of MTU can vary from Linux distribution to distribution. For Redhat: You need to edit the various "ifconfig" statements in the /sbin/ifup script For Slackware: You need to edit the various "ifconfig" statements in the /etc/rc.d/rc1.inet 2. Here is one good, any-distribution-will-work example, edit the /etc/rc.d/rc.local file and put the following at the END of the file: echo "Changing the MTU of ETH0" /sbin/ifconfig eth0 mtu 1490 Replace "eth0" with the interface name that is the machine's upstream connection which is connected to the Internet. 3. For advanced options like "TCP Receive Windows" and such, detailed examples on how to edit the respective networking scripts for your specific Linux distro, etc., please see Chapter 16 of http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos ------------------------------------------

7.15.5. MS Windows 95:

------------------------------------------ 1. Making ANY changes to the Registry is inheritantly risky but with a backup copy, you should be safe. Proceed at your OWN RISK. 2. Goto Start-->Run-->RegEdit 3. You should make a backup copy of your Registry before continuing. To do this, copy the "user.dat" and "system.dat" files from the \WINDOWS directory and put them into a safe place. It should be noted that the previously mentioned method of using "Regedit: Registry-->Export Registry File-->Save a copy of your registry" would only do Registry MERGES and NOT do a replacement. 4. Search through each of the Registry trees that end in "n" (e.g. 0007) and have a Registry entry called "IPAddress", which has the IP address of your NIC. Under that key, add the following: From http://support.microsoft.com/support/kb/articles/q158/4/74.asp [Hkey_Local_Machine\System\CurrentControlset\Services\Class\NetTrans\000n] type=DWORD name="MaxMTU" (Do NOT include the quotes) value=1490 (Decimal) (Do NOT include the text "(Decimal)") type=DWORD name="MaxMSS" (Do NOT include the quotes) value=1450 (Decimal) (Do NOT include the text "(Decimal>") 5. You can also change the "TCP Receive Window" which sometimes increases network performance SUBSTANTIALLY. If you notice your throughput has DECREASED, put these items BACK to their original settings and reboot. [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP] type=DWORD name="DefaultRcvWindow" (Do NOT include the quotes) value=32768 (Decimal) (Do NOT include the text "(Decimal>") type=DWORD name="DefaultTTL" (Do NOT include the quotes) value=128 (Decimal) (Do NOT include the text "(Decimal>") 6. Reboot to let the changes take effect. ------------------------------------------

7.15.6. MS Windows 98:

------------------------------------------ 1. Making ANY changes to the Registry is inheritantly risky but with a backup copy, you should be safe. Proceed at your OWN RISK. 2. Goto Start-->Run-->RegEdit 3. You should make a backup copy of your Registry before doing anything. To do this, copy the "user.dat" and "system.dat" files from the \WINDOWS directory and put them into a safe place. It should be noted that the previously mentioned method of using "Regedit: Registry-->Export Registry File-->Save a copy of your registry" would only perform Registry MERGES and NOT do a replacement. 4. Search though each of the Registry trees that end in "n" (e.g. 0007) and have a Registry entry called "IPAddress" which has the IP address of your NIC. Under that key, add the following: From http://support.microsoft.com/support/kb/articles/q158/4/74.asp [Hkey_Local_Machine\System\CurrentControlset\Services\Class\NetTrans\000n] type=STRING name="MaxMTU" (Do NOT include the quotes) value=1490 (Decimal) (Do NOT include the text "(Decimal)") 5. You can also change the "TCP Receive Window" which sometimes increases network performance SUBSTANTIALLY. If you notice your throughput has DECREASED, put these items BACK to their original settings and reboot. [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP] type=STRING name="DefaultRcvWindow" (Do NOT include the quotes) value=32768 (Decimal) (Do NOT include the text "(Decimal>") type=STRING name="DefaultTTL" (Do NOT include the quotes) value=128 (Decimal) (Do NOT include the text "(Decimal>") 6. Reboot to let the changes take effect. ------------------------------------------

7.15.7. MS Windows NT 4.x

------------------------------------------ 1. Making ANY changes to the Registry is inheritantly risky but with a backup copy, you should be safe. Proceed at your OWN RISK. 2. Goto Start-->Run-->RegEdit 3. Registry-->Export Registry File-->Save a copy of your registry to a reliable place 4. Create the following keys in the Registry trees, choose two possible Registry trees. Multiple entries are for various network devices like DialUp Networking (ppp), Ethernet NICs, PPTP VPNs, etc. http://support.microsoft.com/support/kb/articles/Q102/9/73.asp?LN=EN-US&SD=gn&FR=0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Parameters\Tcpip] and [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Adapter-name>\Parameters\Tcpip] Replace "<Adapter-Name>" with the respective name of your uplink LAN NIC interface type=DWORD name="MTU" (Do NOT include the quotes) value=1490 (Decimal) (Do NOT include the text "(Decimal>") (Do NOT include the quotes) *** If you know how to also change the MSS, TCP Window Size, and the *** TTL parameters in NT 4.x, please email dranch@trinnet.net as I *** would love to add it to the HOWTO. 5. Reboot to make the changes take effect. ------------------------------------------

7.15.8. MS Windows 2000

------------------------------------------ 1. Making ANY changes to the Registry is inheritantly risky but with a backup copy, you should be safe. Proceed at your OWN RISK. 2. Goto Start-->Run-->RegEdit 3. Registry-->Export Registry File-->Save a copy of your registry to a reliable place 4. Navigate down to the key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Inter faces\<ID for Adapter> Each ID Adapter has default keys for DNS, TCP/IP address, Default Gateway, subnet mask, etc. Find the key one that is for your network card. 5. Create the following Entry: type=DWORD name="MTU" (Do NOT include the quotes) value=1490 (Decimal) (Do NOT include the text "(Decimal)") http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LN=EN-US&SD=gn&FR=0 *** If you know how to also change the MSS, TCP Window Size, and the *** TTL parameters in NT 2000, please email dranch@trinnet.net as I *** would love to add it to the HOWTO. 5. Reboot to let the changes take effect. ------------------------------------------

As stated above, if you know how to make similar changes like these to other OSes like OS/2, MacOS, etc. please email David Ranch so it can be included in the HOWTO.