12.1. Build a kernel with Firewall Masquerading and Forwarding support

Once again, the first thing you need to do is ensuring that your kernel has been built with Network Firewall support enabled and Firewalling. In the 2.2.14 kernel version you need to ensure that you have answered Y to the following questions:

Networking options: Network firewalls (CONFIG_FIREFALL) [N] Y IP:Firewalling (CONFIG_IP_FIREWALL) [N] Y IP:TCP syncookie support (CONFIG_SYN_COOKIES) [N] Y

IP Masquerading and IP ICMP Masquerading are requiring only for a Gateway Server.

IP:Masquerading (CONFIG_IP_MASQUERADE) [N] Y IP:ICMP Masquerading (CONFIG_IP_MASQUERADE_ICMP) [N] Y

Masquerade means that if one of the computers on your local network for which your Linux box (or gateway) acts as a firewall wants to send something to the outside, your box can masquerade as that computer. In other words it forwards the traffic to the intended outside destination, but makes it look like it came from the firewall box itself.

It works both ways: if the outside host replies, the Linux firewall will silently forward the traffic to the corresponding local computer. This way, the computers on your local net are completely invisible to the outside world, even though they can reach the outside and can receive replies. This makes it possible to have the computers on the local network participate on the Internet even if they don't have officially registered IP addresses.

The IP masquerading code will only work if IP forwarding is enabled on your system. This feature is by default disabled and you can enable it with the following command:

Under

         [root@deep] /#echo 1 > /proc/sys/net/ipv4/ip_forward
         

         FORWARD_IPV4="false"
         

         FORWARD_IPV4="yes"
         

You must restart your network for the change to take effect:

[root@deep] /# /etc/rc.d/init.d/network restart

Bringing up interface lo [ OK ] Bringing up interface eth0 [ OK ] Bringing up interface eth1 [ OK ]

So you can either add the echo 1 > /proc/sys/net/ipv4/ip_forward command line to your rc.local script file or you change the value of the line FORWARD_IPV4=false to yes in the network file to set this feature to ON. Personally I prefer the second choice.

Under

         # Enable packet forwarding
         net.ipv4.ip_forward = 1
         

To restart all network devices manually on your system, use the following command:

[root@deep] /# /etc/rc.d/init.d/network restart

Setting network parameters [ OK ] Bringing up interface lo [ OK ] Bringing up interface eth0 [ OK ] Bringing up interface eth1 [ OK ]

If you enabled IP Masquerading, then the modules ip_masq_ftp.o for ftp file transfers, ip_masq_irc.o for irc chats, ip_masq_quake.o you guessed it!, ip_masq_vdolive.o for VDOLive video connections, ip_masq_cuseeme.o for CU-SeeMe broadcasts and ip_masq_raudio.o for RealAudio downloads will automatically be compiled. They are needed to make masquerading for these protocols work.

Also, don't forget that you'll need to build a modularized kernel and answer Yes to the Enable loadable module support (CONFIG_MODULES) option instead of a monolithic kernel to be able to use masquerading functions and modules like ip_masq_ftp.o on your Gateway server see the Linux Kernel section above in this book for more information.

The basic masquerade code described for IP: masquerading above only handles TCP or UDP packets and ICMP errors for existing connections. The IP:ICMP Masquerading option adds additional support for masquerading ICMP packets, such as ping or the probes used by the Windows 95™ tracer program.

Remember that other servers like the Web Server and Mail Server examples don't need to have these options enabled since they either have a real IP address assigned or don't act as a Gateway for the inside network.