In this Help File, I'm going to attempt to tell you how to get
IPchains working. I'm going to show you how to do it manually,
so anyone with a 2.2.x kernel should be able to get it working.
I'm assuming that if you're reading this Help File, you have more
than one machine connected together via Ethernet (whether that be
a *nix box, Windows box, etc.), that you have the NICs (Network
Interface Cards) set up correctly, and that you have a Linux box
connected to the net via modem. I'm also going to tell you what
you need to have compiled into your kernel to get this to work.
If you don't know how to recompile a kernel, you're going to want
to look at the README file in /usr/src/linux for more detail on
how to recompile your kernel.
Recompiling Your Kernel
I am showing you how to do this with Slackware 4.0, kernel 2.2.6,
but it should work with any 2.2.x kernel, and just about any distro.
Let's get started with what needs to be compiled into the kernel
to get IP masquerading working. Here is a list that should get you
started. If you still have questions about recompiling a new kernel,
I would recommend you check out this site.
Here's a quick demo of how you would go about recompiling your
kernel. I'm not going to go into great detail.
Make sure you're root, and do the following:
# cd /usr/src/linux
# make menuconfig (or config, or xconfig)
This is what you will need for IPchains to work:
Code maturity level options --->
[*] Prompt for development and/or incomplete code/drivers
---
Loadable module support --->
[*] Enable loadable module support
---
General setup --->
[*] Networking support
Networking options --->
[*] Packet socket
[*] Kernel/User netlink socket
[*] Routing messages
[M] Netlink device emulation
[*] Network firewalls
[*] Unix domain sockets
[*] TCP/IP networking
[*] IP: multicasting
[*] IP: firewalling
[*] IP: always defragment (required for masquerading)
[*] IP: transparent proxy support
[*] IP: masquerading
[*] IP: masquerading special modules support
[M] IP: ipautofw masq support
[M] IP: ipportfw masq support
[M] IP: ip fwmark masq-forwarding support
[M] IP: tunneling
[M] IP: GRE tunnels over IP
[*] IP: TCP syncookie support
[M] IP: Reverse ARP
Network Device Support --->
[*] Network device support
[*] Dummy net driver support
*Note* You'll also want to check whatever kind of NIC you'll be
using. You will also want to make sure you compile anything else
that your system will need into the kernel.
After that do the following:
# make bzImage (zImage, etc..)
# make modules
*Note* Make sure you save your old modules in /lib/modules/2.2.x before
doing the next step
# make modules_install
*Note* Make sure you back up /vmlinuz before running the next command!
*Note* These directions might not work for you, but should be pretty
close. If you have any problems, I would recommend you refer to this
site on recompiling your kernel.
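Before you type make bzImage, it is worth confirming that the options marked [*] above really ended up built in, since a missing one (masquerading or defragmenting, say) only shows up later as rules that load but do nothing. The following sh script is an added example, not part of this Help File or of the kernel's own tooling. The CONFIG_ symbols are the 2.2-era names of the menu entries listed above (my mapping; the page itself does not name them), and the two sample configs are constructed fragments, not real .config files.

```shell
#!/bin/sh
# Added example, not part of the original help file: check a 2.2 kernel
# .config for the core masquerading options that the list above marks [*]
# (built in). The CONFIG_ symbols are the 2.2-era names of those menu
# entries and are an assumption of this example, not quoted on the page.
# On your own box:   missing_builtin < /usr/src/linux/.config

# Menu entry                                               .config symbol
#   Prompt for development and/or incomplete code/drivers  CONFIG_EXPERIMENTAL
#   Enable loadable module support                         CONFIG_MODULES
#   Networking support                                     CONFIG_NET
#   TCP/IP networking                                      CONFIG_INET
#   Network firewalls                                      CONFIG_FIREWALL
#   IP: firewalling                                        CONFIG_IP_FIREWALL
#   IP: masquerading                                       CONFIG_IP_MASQUERADE
#   IP: always defragment                                  CONFIG_IP_ALWAYS_DEFRAG
#   IP: TCP syncookie support                              CONFIG_SYN_COOKIES
REQUIRED_BUILTIN="CONFIG_EXPERIMENTAL CONFIG_MODULES CONFIG_NET CONFIG_INET
CONFIG_FIREWALL CONFIG_IP_FIREWALL CONFIG_IP_MASQUERADE CONFIG_IP_ALWAYS_DEFRAG
CONFIG_SYN_COOKIES"

# missing_builtin: reads a .config on stdin and prints every required symbol
# that is not set to y (absent, =m, or "# CONFIG_X is not set").
# Returns 0 when nothing is missing, 1 otherwise.
missing_builtin() {
    config=$(cat)
    status=0
    for sym in $REQUIRED_BUILTIN; do
        if ! printf '%s\n' "$config" | grep -Fqx "$sym=y"; then
            echo "$sym"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample .config fragment with everything built in.
SAMPLE_GOOD='CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_INET=y
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_MASQUERADE_IPAUTOFW=m'

# Constructed sample where masquerading and the defragmenting it requires
# were both left out: the kernel would boot, but -j MASQ rules would not work.
SAMPLE_BAD='CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_INET=y
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
# CONFIG_IP_MASQUERADE is not set
# CONFIG_IP_ALWAYS_DEFRAG is not set
CONFIG_SYN_COOKIES=y'

# Demonstration against the two samples.
for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if printf '%s\n' "$sample" | missing_builtin; then
        echo "all required options are built in"
    else
        echo "-> the options above must be [*] and the kernel rebuilt"
    fi
done
```

The check is deliberately strict about =y: options built as modules (=m) are reported as missing, because the list above wants the firewalling and masquerading core compiled in, with only the helper modules (ipautofw, ipportfw, tunnels) loadable.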
Setting up rc.firewall
First of all, you're going to want to create a file called
/etc/rc.d/rc.firewall.
# pico /etc/rc.d/rc.firewall
The following is just a basic configuration; you'll want to
edit it as it applies to you. If you use the default configuration,
it should work fine though.
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x
# kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
#
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio
#
# Supports the masquerading of IRC DCC file transfers
#
/sbin/modprobe ip_masq_irc
#
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
# Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
# Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
#
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#
# Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
#
# CRITICAL: Enable IP forwarding, since it is disabled by default.
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the
# following option. This enables dynamic-ip address hacking in IP MASQ, making
# life with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
# /sbin/ipchains -M -S 7200 10 160
#
# DHCP: For people who receive their external IP address from either DHCP or
# BOOTP, such as ADSL or Cablemodem users, it is necessary to use the following
# before the deny command. "bootp_clients_net_if_name" should be replaced with
# the name of the interface that the DHCP/BOOTP server will put an address on
# to. This will be something like "eth0", "eth1", etc.
#
# This example is currently commented out.
#
#/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp
#
# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal
# LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

# End of file.
After you have set up /etc/rc.d/rc.firewall, you will want
to do the following...
# chmod +x /etc/rc.d/rc.firewall
That will make the script you just created executable.
Now you'll want to edit /etc/rc.d/rc.M (or one of your start-up
scripts) and add the following..
# Start IPchains
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall
fi
# End of file.
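Once rc.firewall has run (by hand or from rc.M at boot), it is worth confirming what it actually did: that forwarding is on, that the forward chain defaults to DENY, and that the only MASQ rule is for your own LAN rather than for any source. The sh checks below are an added example, not part of this Help File. Each one reads the text it inspects from stdin so it can be tried against saved output; the two samples are constructed to look like ipchains -L forward -n output, and the exact column layout of a given ipchains build is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original help file: checks to run once
# rc.firewall has executed. Each check reads the text it inspects from
# stdin. On the live box you would run:
#   cat /proc/sys/net/ipv4/ip_forward | forwarding_enabled
#   /sbin/ipchains -L forward -n | check_forward_chain 192.168.0.0/24

# forwarding_enabled: the kernel only routes between the LAN and the modem
# link when ip_forward reads 1 (the echo "1" line in rc.firewall).
forwarding_enabled() {
    read -r value
    [ "$value" = "1" ]
}

# forward_policy_is_deny: the forward chain must default to DENY so that
# only packets matching an explicit rule are passed between interfaces.
forward_policy_is_deny() {
    grep -q '^Chain forward (policy DENY)'
}

# masq_rule_limited_to LAN: there must be a MASQ rule whose source is exactly
# LAN, and no MASQ rule with source 0.0.0.0/0, which would masquerade anything
# the box forwards instead of just your own machines. Column 4 of the
# "ipchains -L forward -n" listing is assumed to be the rule's source.
masq_rule_limited_to() {
    want=$1
    sources=$(awk '$1 == "MASQ" { print $4 }')
    printf '%s\n' "$sources" | grep -Fqx "$want" || return 1
    ! printf '%s\n' "$sources" | grep -Fqx '0.0.0.0/0'
}

# check_forward_chain LAN: runs both chain checks on one copy of the listing
# and says what failed.
check_forward_chain() {
    lan=$1
    output=$(cat)
    printf '%s\n' "$output" | forward_policy_is_deny ||
        { echo "forward chain policy is not DENY"; return 1; }
    printf '%s\n' "$output" | masq_rule_limited_to "$lan" ||
        { echo "no MASQ rule for $lan, or a MASQ rule for any source"; return 1; }
    echo "forward chain OK: policy DENY, MASQ only for $lan"
}

# Constructed sample of "ipchains -L forward -n" after rc.firewall above ran.
SAMPLE_OK='Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24       0.0.0.0/0             n/a'

# Constructed sample of what you would see if the -P forward DENY line were
# dropped and the MASQ rule written with -s 0/0: every forwarded packet from
# any source would be masqueraded, not just your LAN.
SAMPLE_BAD='Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       all  ------  0.0.0.0/0            0.0.0.0/0             n/a'

# Demonstration against the two samples (failure status deliberately ignored).
echo 1 | forwarding_enabled && echo "ip_forward is on"
for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    printf '%s\n' "$sample" | check_forward_chain 192.168.0.0/24 || true
done
```

On a real box, substitute your own internal network for 192.168.0.0/24 in the check_forward_chain call, just as you did in rc.firewall; the check is only meaningful when both use the same value.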
After you do all of that, you will have to add the following
to /etc/resolv.conf
You will want to make all the other computers on your LAN
use the IP of your Linux box as their default gateway.
If you are setting up another Linux box, you will want to
set up a host entry in /etc/hosts for your server box. You
will also want to set up your /etc/resolv.conf file like
the following..
If you do not know your ISP's DNS servers, contact them.
They can give you that info.
If you're using a Windows client, go into Start/Settings/Control
Panel/Network... click on the TCP/IP settings for your Ethernet
card and click on Properties.
You will then want to put in your IP address, 192.168.0.x
(2-255), and your subnet mask, 255.255.255.0.
After that you will click on the 'DNS Configuration' tab;
you will want to add the name for this computer and your
ISP's domain name.
You will then click on the 'Gateway' tab, put in 192.168.0.1
and click on 'Add'.
Hopefully I've included enough info to get IPchains running
on your box, but if I left anything out, or you find something
wrong with this page, email me.