=========================================================================
This document is provided for those who wish to experiment with the
ip_masquerade patch for kernel 1.2.n (tested with 1.2.13). It describes in
detail how I installed and configured the kernel for my system.

NOTE: If you have a 1.3.n kernel, this patch is not for you. 1.3.n already
includes the ip_masquerading code. The setup information in this document
will apply to the newer kernels, but there are some differences. Please see
the FAQ for more information.

This is _NOT_ a formal Linux HOWTO. It is _NOT_ prepared by someone with
experience. It MAY break your system, weaken your eyesight or promote tooth
decay. Ken Eves and Eves Internet Consulting accept NO LIABILITY for what you
do with this information or for the information being correct. If you break
your system, YOU DID IT.

document prepared by Ken Eves (keves@eves.com)
copyright 1995 Ken Eves - It may be freely distributed but not modified.
You do have permission to use anything from this document in your work.

revised Jan 7 1996
 - changed ifconfig/routing to broadcast rather than pointopoint
 - changed copyright granting permission to use this info in other documents
 - added information on http://www.indyramp.com/masq and the mailing list
   hosted there

My ftp site at ftp.eves.com has the current version of this document, the
FAQ (unofficial), the kernel patch, and an ipfw binary for 1.2.13. These
files are in the directory /pub/masq . There is also a WWW site at
http://www.indyramp.com with the patch, documentation, a link to the
net-tools package, and information on subscribing to the ip_masquerade
mailing list.

The net-tools package is available on sunsite.unc.edu (and its mirrors) as
the file /pub/Linux/system/Network/sunacm/NetTools/net-tools-1.2.0.tar.gz .

If you get stuck, there are several people on USENET comp.os.linux.networking
who respond to questions about ip_masquerade.
ip_masquerade patch for Linux was written by Pauline Middelink
copyright status unknown (probably GPL)
=========================================================================

Here is what I have and what I have done with it:

My Linux box was originally installed with a Slackware distribution that
contained kernel 1.2.3. The kernel source was later replaced with 1.2.8 and
then 1.2.13. The development package is still from 1.2.3, with the exception
of the kernel source in /usr/src/linux.

To install the patch you need to have the full kernel source tree in
/usr/src/linux. cp the patch to /usr/src and run:

    patch

Then run make config. The questions are listed below as they were asked:
the prompt, the CONFIG symbol, the default, and the answer I gave.

Question-=> 'Networking support'                    CONFIG_NET            y  yes
Question-=> 'Limit memory to low 16MB'              CONFIG_MAX_16M        n  no
Question-=> 'PCI bios support'                      CONFIG_PCI            n  no   # no pentium here
Question-=> 'System V IPC'                          CONFIG_SYSVIPC        y  yes
Question-=> 'Kernel support for ELF binaries'       CONFIG_BINFMT_ELF     y  yes
Question-=> 'Set version information on all symbols for modules'
                                                    CONFIG_MODVERSIONS    n  no
Question-=> 'TCP/IP networking'                     CONFIG_INET           y  yes
Question-=> 'IP forwarding/gatewaying'              CONFIG_IP_FORWARD     n  yes
Question-=> 'IP multicasting'                       CONFIG_IP_MULTICAST   n  no
Question-=> 'IP firewalling'                        CONFIG_IP_FIREWALL    n  yes
Question-=> 'IP accounting'                         CONFIG_IP_ACCT        n  yes
Question-=> 'IP masquerading (ALPHA)'               CONFIG_IP_MASQUERADE  n  yes
comment '(it is safe to leave these untouched)'
Question-=> 'PC/TCP compatibility mode'             CONFIG_INET_PCTCP     n  no
Question-=> 'Reverse ARP'                           CONFIG_INET_RARP      n  no
Question-=> 'Assume subnets are local'              CONFIG_INET_SNARL     y  no
Question-=> 'Disable NAGLE algorithm (normally enabled)'
                                                    CONFIG_TCP_NAGLE_OFF  n  no
Question-=> 'The IPX protocol'                      CONFIG_IPX            n  no

Then it asked about SCSI support, which I don't use. Answer as is
appropriate for your system.

comment 'Network device support'.
Question-=> 'Network device support?'               CONFIG_NETDEVICES     y  yes
Question-=> 'Dummy net driver support'              CONFIG_DUMMY          y  yes
Question-=> 'SLIP (serial line) support'            CONFIG_SLIP           n  yes
Question-=> ' CSLIP compressed headers'             CONFIG_SLIP_COMPRESSED y yes
Question-=> ' 16 channels instead of 4'             SL_SLIP_LOTS          n  yes
Question-=> 'PPP (point-to-point) support'          CONFIG_PPP            n  yes
Question-=> 'PLIP (parallel port) support'          CONFIG_PLIP           n  no

Next it asked about 30 questions as to which network cards I wanted drivers
for, then about CD-ROM devices, filesystems, and I/O. Answer as appropriate
for your system.

comment 'Kernel hacking'
Question-=> 'Kernel profiling support'              CONFIG_PROFILE        n  no
==================================================================

After make config is done do:

    make dep
    make clean
    make zImage

Now the kernel itself is compiling. The finished kernel will be in
/usr/src/linux/arch/i386/boot as the file zImage. To install it I did:

    cp /vmlinuz /vmlinuz.the.original
    cp zImage /vmlinuz
    cp zImage /vmlinuz.ip_masq.1.2.13.test
    cd /
    liloconfig
        6--Reinstall LILO using the existing lilo.conf

NOTE: I USE LILO as my loader. If you don't set up whatever loader you use
properly, you will NOT be able to boot your system without a boot floppy. It
is beyond the scope of this document to explain this further.

After the kernel was installed, I rebooted (worked fine) and ran ipfw to add
ip_masquerading for the machines that are ethernet connected.
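An added check (example code, not from the original document or the patch) for the make config step above: it reads a kernel .config and reports whether each networking option answered yes (CONFIG_INET, CONFIG_IP_FORWARD, CONFIG_IP_FIREWALL, CONFIG_IP_ACCT, CONFIG_IP_MASQUERADE) is enabled, answered no, or absent, so a kernel built without them is caught before the reboot. The sample .config is constructed; "# X is not set" is the line make config writes for a refused option.

```shell
#!/bin/sh
# Added example, not part of the original document or the masquerade patch.
# Reads a kernel .config on stdin and reports the state of each networking
# option the setup above answered "yes" to.  Exit status 0 only if all of
# them are enabled.

MASQ_REQUIRED="CONFIG_INET CONFIG_IP_FORWARD CONFIG_IP_FIREWALL CONFIG_IP_ACCT CONFIG_IP_MASQUERADE"

# Print "SYMBOL: ok | answered no | absent" for each required symbol.
# "absent" for CONFIG_IP_MASQUERADE usually means the patch was never
# applied (assumption: an unpatched 1.2.x tree never asks that question).
masq_config_report() {
    cfg=$(cat)
    rc=0
    for sym in $MASQ_REQUIRED; do
        if printf '%s\n' "$cfg" | grep -qx "$sym=y"; then
            status=ok
        elif printf '%s\n' "$cfg" | grep -qx "# $sym is not set"; then
            status="answered no"; rc=1
        else
            status=absent; rc=1
        fi
        echo "$sym: $status"
    done
    return $rc
}

# Constructed sample .config: firewalling answered no, masquerade never offered.
SAMPLE_CONFIG='CONFIG_NET=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
# CONFIG_IP_FIREWALL is not set
CONFIG_IP_ACCT=y'

# Stand-alone run on the sample.  Real use:
#     masq_config_report < /usr/src/linux/.config
if printf '%s\n' "$SAMPLE_CONFIG" | masq_config_report; then
    echo "all masquerade options enabled"
else
    echo "this kernel will not masquerade"
fi
```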
Here is my ifconfig: (ppp0 is my IP feed from my provider)
================
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
          TX packets:622568 errors:0 dropped:0 overruns:0

ppp0      Link encap:Point-Point Protocol
          inet addr:199.224.67.135  P-t-P:199.224.67.3  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:200458 errors:73 dropped:0 overruns:0
          TX packets:239919 errors:0 dropped:0 overruns:0

eth0      Link encap:10Mbps Ethernet  HWaddr 00:80:48:90:CB:D7
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:469312 errors:0 dropped:0 overruns:0
          TX packets:398004 errors:0 dropped:0 overruns:0
          Interrupt:15 Base address:0x310 Memory:d0000-d2000

NOTE: please notice that the MTU for the PPP connection is 1500 to match the
ethernet adapter. Running a smaller MTU on the PPP connection (although it
lessens the impact of multiple connections) seems to cause fragmentation and
buggy behavior on the masq fed machines.
=================
Here is my route:

Kernel routing table
Destination     Gateway         Genmask         Flags MSS    Window Use    Iface
x2.eves.com     *               255.255.255.255 UH    1436   0      104572 eth0
x3.eves.com     *               255.255.255.255 UH    1436   0      220676 eth0
pc.eves.com     *               255.255.255.255 UH    1436   0      23156  eth0
qrvlterminal01. *               255.255.255.255 UH    1436   0      66750  ppp0
loopback        *               255.0.0.0       U     1936   0      625880 lo
default         qrvlterminal01. *               UG    1436   0      238461 ppp0

NOTE: I have my routing set up for each individual machine. It is also
possible to route to the whole subnet with a single route command like:

    /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0

=================
Here is my /etc/hosts:

#
# hosts         This file describes a number of hostname-to-address
#               mappings for the TCP/IP subsystem.  It is mostly
#               used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.  Just add the names, addresses
# and any aliases to this file...
#
# By the way, Arnt Gulbrandsen says that 127.0.0.1
# should NEVER be named with the name of the machine.  It causes problems
# for some (stupid) programs, irc and reputedly talk. :^)
#
# For loopbacking.
127.0.0.1       localhost
192.168.1.1     x1local.eves.com        x1local
192.168.1.2     x2.eves.com             x2
192.168.1.3     x3.eves.com             x3
192.168.1.100   pc.eves.com             pc
199.224.67.135  x1.eves.com             x1
199.224.67.3    qrvlterminal01.epix.net qrvlterminal01
# End of hosts.

As you can see from my hosts, I have assigned the subnetted machines IPs of
192.168.1.n in accordance with the RFC concerning non-connected machines
needing IP addresses. All of 192.168.n.n is set aside for this purpose. Since
192.168.n.n is a Class-C subnet (actually 255 of them) the netmask is
255.255.255.0.
===========================================================================
ipfw command line usage:

ipfw [-n] l[ist] a[ccounting]                 |
          l[ist] b[locking]                   |
          l[ist] f[irewall]                   |
          f[lush] a[ccounting]                |
          f[lush] b[locking]                  |
          f[lush] f[irewall]                  |
          c[heck] b[locking] from to          |
          c[heck] f[orwarding] from to        |
          p[olicy] b[locking]                 |
          p[olicy] f[orwarding]               |
          a[dd] a[ccounting] [iface ] from to |
          a[dd] b[locking] [iface ] from to   |
          a[dd] f[orwarding] [iface ] from to |
          a[dd] m[asquerade] from to          |
          d[el] a[ccounting] [iface ] from to |
          d[el] b[locking] [iface ] from to   |
          d[el] f[orwarding] [iface ] from to |
          d[el] m[asquerade] from to          |
          zero[accounting]

The command I used to have the subnetted machines talk to the rest of the
world via ip_masquerade is:

    ipfw a m all from 192.168.1.0/24 to 0.0.0.0/0

which means: add masquerade, all protocols, from any machine on the net
192.168.1.0 (the /24 is the netmask 255.255.255.0, i.e. 24 bits) to the
world.

NOTE: Another way of doing this on a per machine basis would have been for
me to use the following lines:

    ipfw a m all from 192.168.1.2/32 to 0.0.0.0/0
    ipfw a m all from 192.168.1.3/32 to 0.0.0.0/0
    ipfw a m all from 192.168.1.100/32 to 0.0.0.0/0

======================================================================
IT WORKED !!!

x2, x3 and pc can do everything except ftp, talk and ping.

NOTE: ftp will work if the client software is set to use PASV mode, and the
server agrees (most do). (see FAQ for more information)

Also, since these machines aren't on a REAL IP address they can't act as
servers, since they are not reachable from the outside world.
======================================================================
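The /24 = 24 bits arithmetic behind the masquerade rule, and the point that the one subnet rule covers the same hosts as the three per-machine /32 rules, worked through as an added example (example code, not from the original document or the ipfw tool). It also serves the /etc/hosts passage: in_cidr confirms each private address sits inside the reserved 192.168.0.0/16 block. The functions only print ipfw commands, they never run them.

```shell
#!/bin/sh
# Added example, not part of the original document or the ipfw tool.
# Shows the arithmetic behind "192.168.1.0/24 = netmask 255.255.255.0" and
# tests whether a host falls inside the range an "ipfw a m" rule masquerades.
# POSIX sh; it only prints ipfw commands, it never runs them.

# dotted quad -> 32-bit integer
ip_to_int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix length -> mask as integer (24 -> 0xFFFFFF00)
prefix_to_mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0
cidr_to_netmask() {
    int_to_ip "$(prefix_to_mask "$1")"
}

# in_cidr HOST NET/PREFIX: succeeds if HOST is in the block (masked compare)
in_cidr() {
    net=${2%/*}; pre=${2#*/}
    m=$(prefix_to_mask "$pre")
    [ $(( $(ip_to_int "$1") & $m )) -eq $(( $(ip_to_int "$net") & $m )) ]
}

# The rule text for one source block; 0.0.0.0/0 means "to the world".
masq_rule() {
    echo "ipfw a m all from $1 to 0.0.0.0/0"
}

# Stand-alone run: the subnet rule from the text, then the per-host
# equivalents, with a check that the subnet rule already covers each host.
masq_rule 192.168.1.0/24
for h in 192.168.1.2 192.168.1.3 192.168.1.100; do
    masq_rule "$h/32"
    in_cidr "$h" 192.168.1.0/24 && echo "  $h is covered by 192.168.1.0/24"
done
```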