Masquerading Made Simple HOWTO

John Tapsell

Thomas Spellman

Matthias Grimm

Revision History
Revision 0.09   2004-07-21   Revised by: ts
Revision 0.08   2002-07-11   Revised by: jpt
Revision 0.07   2002-02-27   Revised by: jpt
Revision 0.06   2001-09-08   Revised by: jpt
Revision 0.05   2001-09-07   Revised by: jpt
Revision 0.04   2001-09-01   Revised by: jpt
Revision 0.03   2001-07-06   Revised by: jpt

All of the authors are available on #debian on irc.opensource.net

John Tapsell (JohnFlux) is the official maintainer.

Email me (John Tapsell) for any query, flame, feedback, a date, etc.

Shamelessly stealing from David Ranch's work - .

This is NOT a replacement for the IP-Masquerading HOWTO; it complements it, and the two should be read side by side. I do not include things here that are covered by the other HOWTO, nor do I explain what it all means or what it is all about. See http://ipmasq.cjb.net and the standard Masq-HOWTO for much better guides.

This document describes how to enable the Linux IP Masquerade feature on a given Linux host. IP Masq is a form of Network Address Translation, or NAT, that allows internally networked computers that do not have one or more registered Internet IP addresses to communicate with the Internet via your Linux box's single Internet IP address.

This is all under the GNU Free Documentation License

http://www.gnu.org/copyleft/fdl.html


Table of Contents
1. Introduction
2. Summary: (I like doing summaries first)
3. Bit more in-depth version
4. Post-install Instructions
5. FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions

1. Introduction

This is intentionally short and to the point.

If you have a network that you want to attach to the outside:


2. Summary: (I like doing summaries first)

Assuming the external Internet card is eth0, the external IP is 123.12.23.43 and the internal network card is eth1, then:

$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43
$> echo 1 > /proc/sys/net/ipv4/ip_forward

Or for a dial-up connection:

$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$> echo 1 > /proc/sys/net/ipv4/ip_forward

Then to secure it:

$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$> iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
$> iptables -P INPUT DROP   #only if the first two are successful
$> iptables -A FORWARD -i eth0 -o eth0 -j REJECT

Or for a dial-up connection (with eth0 as the internal network card):

$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
$> iptables -P INPUT DROP   #only if the first two are successful
$> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

And that's it! To view the rules, do "iptables -t nat -L".


3. Bit more in-depth version

Compiling the kernel (use a 2.4.x kernel or greater):

You need the following support in the kernel:

First, if the iptables and masq support is not compiled into the kernel and not yet loaded, but does exist as modules, we need to load them. Loading ipt_MASQUERADE with modprobe also pulls in ip_tables, ip_conntrack and iptable_nat.

$> modprobe ipt_MASQUERADE

Now, either your intranet is large or you're just trying to get two or three machines onto the Internet; it doesn't make much difference either way.

Okay, I'm assuming that you have no other rules, so do:

$> iptables -F; iptables -t nat -F; iptables -t mangle -F

If you get an error saying it can't find iptables, go find it and install it. If it says there is no such table 'nat', recompile the kernel with NAT support. If it says there is no such table 'mangle', don't worry about it; it's not necessary for masquerading. If it says iptables is incompatible with your kernel, get a 2.4 or later kernel and compile that with iptables support.

Then, if you have a static IP (e.g. a network card not using DHCP), do:

$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43

or, for a dynamic IP (e.g. a modem, where you have to dial a number first):

$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Then, finally, tell the kernel that yes, you really do want to start forwarding packets. (This only needs to be done once per reboot, but it doesn't hurt to do it more often.)

$> echo 1 > /proc/sys/net/ipv4/ip_forward

Once you have checked that this all works (see under Post-install), only allow masquerading from the internal network; you don't want to allow people on the Internet to use it, after all :)

First, allow any existing connections, or anything related (e.g. an FTP server connecting back to you).

$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If this gives an error, then you most likely don't have state tracking in the kernel; go recompile. Then allow new connections only from our intranet (local/internal network). Replace ppp0 with eth0 or whatever your external device is. (The ! means "anything but".)

$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

And now deny everything else:

$> iptables -P INPUT DROP   #only if the first two are successful

If either of the first two rules failed, then this last rule will prevent the masquerading from working at all. To undo this rule, do "iptables -P INPUT ACCEPT".


4. Post-install Instructions

And it should all work now. Don't forget to:

To test it:

Where eth0 is the external Internet card, and 123.12.23.43 is the external IP of that machine.
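The warning at the end of the previous section (set the DROP policy only if the two ACCEPT rules went in, and undo it with "iptables -P INPUT ACCEPT" otherwise) and a post-install check, written out as a script. This is an added example, not part of the HOWTO. IPT and FORWARD_FILE are my variable names, kept overridable so that the functions can be exercised against a stub instead of a live kernel; the check uses "iptables -S", which prints rules in the syntax used to add them, where the text's "iptables -t nat -L" shows the same information as a table.

```shell
#!/bin/sh
# Added example (not from the HOWTO).
# secure_input: apply the three "secure it" commands, but flip the INPUT policy
#               to DROP only after both ACCEPT rules succeeded; otherwise roll
#               back to ACCEPT so the box is not locked out.
# check_masq:   verify that forwarding is on and that nat POSTROUTING has a
#               SNAT or MASQUERADE rule for the external device.
# Assumptions: IPT names the iptables binary; FORWARD_FILE is the sysctl file.
IPT=${IPT:-iptables}
FORWARD_FILE=${FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}

# secure_input EXT_IF
# Prints the INPUT policy in force afterwards ("DROP" or "ACCEPT"); returns 0
# when hardening succeeded and 1 when it had to be rolled back.
secure_input() {
    ext_if=$1
    if "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT &&
       "$IPT" -A INPUT -m state --state NEW ! -i "$ext_if" -j ACCEPT
    then
        "$IPT" -P INPUT DROP
        echo DROP
        return 0
    fi
    # One of the rules was refused (usually: no state tracking in the kernel).
    # A DROP policy now would block everything, so undo it as the text says.
    echo "secure_input: stateful ACCEPT rules failed; INPUT policy stays ACCEPT" >&2
    "$IPT" -P INPUT ACCEPT
    echo ACCEPT
    return 1
}

# check_masq EXT_IF
# Returns 0 when ip_forward is 1 and POSTROUTING has a SNAT or MASQUERADE rule
# leaving via EXT_IF; reports what is missing on stderr and returns 1 otherwise.
check_masq() {
    ext_if=$1 ok=0
    if [ "$(cat "$FORWARD_FILE" 2>/dev/null)" != 1 ]; then
        echo "forwarding is off: echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
        ok=1
    fi
    # "-S" lists the chain's rules in the form they were added with.
    if ! "$IPT" -t nat -S POSTROUTING 2>/dev/null |
         grep -q -e "-o $ext_if -j SNAT" -e "-o $ext_if -j MASQUERADE"; then
        echo "no SNAT/MASQUERADE rule for $ext_if in nat POSTROUTING" >&2
        ok=1
    fi
    return $ok
}

# Usage (as root): sh masq-check.sh secure ppp0
#                  sh masq-check.sh check ppp0
case "${1:-}" in
    secure) secure_input "$2" ;;
    check)  check_masq "$2" && echo "masquerading looks good" ;;
esac
```

Run the "check" form before "secure": if forwarding or the NAT rule is missing, masquerading will not work regardless of the INPUT policy, and it is easier to fix that while the policy is still ACCEPT.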


5. FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions