Simple Linux IP Masquerade




IP Masquerading has many practical uses beyond simple IP sharing. It automatically isolates the main network from the masqueraded net, permitting development and operation of services on the private network that would otherwise interfere with the upstream network. Similarly, the private network is automatically protected from the outside network: in general only connections that open outward first can connect back to the private network, and unused connections close in less than 5 minutes.

Of course one can also have firewalls. With iptables the private network and the Linux machine have separate, highly customizable firewalls. In this example the firewall blocks all but ssh and http traffic from the Internet to the Linux machine itself; but when the traffic is from the private network, it will permit or forward any kind of traffic to the Linux machine or to the Internet.

IP Masquerade works extremely well, even on very old hardware. My 90Mhz Pentium I can more than adequately keep up with a 10Mhz cable modem. I have measured higher performance configurations forwarding at gigabit (890Mbps) speeds. While admittedly running an old box as a router is more costly than, say, a LinkSys router, the same hardware can run your personal webserver, handle your eMail, be your ssh accessible homebase, and/or be a Samba fileserver for your home Windows machines. There are many economies in this approach.

This page has been shortened for quick installation under RedHat 7.2+ and for the most common installation. It features the iptables built-in POSTROUTING masquerading, which not only offers increased performance but also supports PPTP tunneling and Kerberos/Sidecar usage on the client network machines. It is also based on standard RedHat configuration files, allows setup by merely copying 4 files, and is interoperable with the RedHat Network Administration GUIs and Control Panels.

Typical Masquerading Router Setup

System Requirements -

If the above installation is what you want, just copy the following files to your system (or use this archive: ipmasq.tar.gz); they take effect from the next reboot:

Quick Installation Files

1) Using a root shell, copy the files above to their respective locations.

2) To use the DHCP server you must make two network-specific adjustments: the subnet of your up-port, and the network-specific DNS servers. The current files assume the CUCS network; the items in blue (the DNS server list and the up-port subnet) must be changed if another network is used:


    # Private (masqueraded) network: addresses are handed out from this range,
    # with the Linux router (192.168.1.1) as default gateway.
    subnet 192.168.1.0 netmask 255.255.255.0 {
      range 192.168.1.110 192.168.1.150;
      default-lease-time 86400;
      max-lease-time 604800;
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.1.255;
      option routers 192.168.1.1;
      option domain-name-servers 132.236.56.250, 128.253.180.2, 128.84.154.10;
    }
    # If you don't define the up-port net, dhcpd complains. Set for the CS network!
    # No range is given, so no addresses are handed out on the up-port side.
    subnet 128.84.96.0 netmask 255.255.252.0 {
    }

3) Before rebooting you may wish to set up the daemons so they run automatically after reboot. ipchains and iptables are incompatible, so also make sure ipchains is off. To enable this, type the following from a root shell:

     #  chkconfig --level 345 ipchains off
     #  chkconfig --level 345 iptables on
     #  chkconfig --level 345 dhcpd on

4) Reboot. If all goes well things should automatically start working. Reboot the client machines on the private network, making sure they are set to obtain their IP information via DHCP. From a client machine, try websurfing and other operations.

If you wish to make additional changes to your firewall, you should add and delete firewall rules in the active session to test them. Here are a few examples:

Once you have a firewall working the way you want it, to properly save it so it will start up upon reboot, use the iptables-save command thusly:

       #   iptables-save > /etc/sysconfig/iptables

This saves it in the properly condensed format for use by iptables-restore, which reads this file at startup.
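Since the saved file is plain text, it is easy to check it against the policy described above before relying on it at the next reboot. The following is an added example, not code from the original page: a small Python audit of an iptables-save file that confirms masquerading out the up-port, a DROP default on INPUT, and that only ssh and http are accepted from the Internet to the router itself. The interface names eth0 (up-port) and eth1 (private network) and the embedded sample ruleset are assumptions.

```python
# Constructed sample in iptables-save format for the policy this page describes
# (eth0 = up-port to the Internet, eth1 = private net; both names are assumptions).
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def parse_save(text):  # -> {table: ({chain: policy}, [(chain, rule_args)])}
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):          # table header, e.g. *filter
            cur = tables.setdefault(line[1:], ({}, []))
        elif line.startswith(":"):        # built-in chain and its default policy
            chain, policy = line[1:].split()[:2]
            cur[0][chain] = policy
        elif line.startswith("-A "):      # an appended rule; COMMIT and # lines are skipped
            _, chain, rule = line.split(" ", 2)
            cur[1].append((chain, rule))
    return tables

def audit(text, up_port="eth0", allowed_ports=("22", "80")):  # [] means the policy holds
    tables, findings = parse_save(text), []
    (policy, rules), (_, nat) = tables.get("filter", ({}, [])), tables.get("nat", ({}, []))
    if not any(c == "POSTROUTING" and f"-o {up_port} " in r and r.endswith("-j MASQUERADE")
               for c, r in nat):
        findings.append(f"nat POSTROUTING has no MASQUERADE out {up_port}")
    if policy.get("INPUT") != "DROP":
        findings.append("filter INPUT policy is not DROP")
    for chain, rule in rules:             # every ACCEPT from the up-port into the router
        if chain != "INPUT" or f"-i {up_port} " not in rule or not rule.endswith("-j ACCEPT"):
            continue
        args = rule.split()
        port = args[args.index("--dport") + 1] if "--dport" in args else None
        replies_only = "--state" in args and "NEW" not in rule   # answers to outbound traffic
        if not replies_only and ("tcp" not in args or port not in allowed_ports):
            findings.append(f"INPUT accepts more than ssh/http from {up_port}: {rule}")
    return findings
```

Run audit() over the contents of /etc/sysconfig/iptables; any entry in the returned list is a rule that lets more into the router from the up-port than the policy on this page intends.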



This page has been re-written to use iptables and support the environment found in RedHat 7.2, 7.3, 8.0+. Script-based ipchains and iptables setups for older systems or other environments can be found here.




D. Eckstrom - March 2003