
IP Masquerading

Our server is used by the clients as their default gateway to the internet. Each client therefore has to route IP datagrams with destination “internet” via our server, whereas all other datagrams are sent directly into the LAN.

Setting up Win2000 clients

Due to the immense number of MS operating systems only Win2000 is considered. Use the “Start” button, then Settings->Network and Dial-up Connections. There, double-click your “Local Area Connection” and press the “Properties” button. Select “Internet Protocol (TCP/IP)” and click its “Properties” button. In the form that appears, enter your IP address, which is one of 192.168.0.x, the subnet mask, which is 255.255.255.0, and the default gateway, which is 192.168.0.10. All values relate to our example. You may use this occasion to enter the DNS server, which is our server too (see chapter Named).

(Screenshot: TCP/IP settings dialog)

The effect is that all IP datagrams that cannot be delivered locally are routed via our server. Those datagrams carry the client's IP address as source IP address. Of course this address is only valid in our LAN. So the task of our server is to replace the client's IP address with a valid internet IP address (the one dynamically assigned by the ISP when dialing out) and to send the datagram out via PPP (see chapter ISDN Dialout). When the response comes in, its destination IP address is our server's internet IP address; this has to be rewritten to the client's IP address, which is the real destination. These are the basics of masquerading, which has to be configured on our server.

Setting up server

Use the following commands:

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.ip_dynaddr=1
iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE

The first command enables IP forwarding in the kernel, which masquerading requires. The third command enables IP masquerading in the kernel firewall; mind that this is needed because IP masquerading is switched off by default. The second command is related to ISDN dial on demand. Whenever the ISDN connection is down and an IP datagram with destination “internet” comes in, the ISDN connection is set up on demand (see chapter ISDN Dialout). After the ISDN connection is established our server gets a valid internet IP address (before that it had a dummy IP address which is not valid on the internet). The datagram that triggered the dial on demand would get a wrong source IP address because the real internet IP address had not been assigned yet. Setting net.ipv4.ip_dynaddr corrects this problem.

ATTENTION: the latter only works when IP masquerading is set up with the new iptables command (2.4 kernel). DO NOT use the deprecated ipchains command, which is still available for compatibility: it will break ip_dynaddr!

Make Server Settings Persistent

The above description works only for the current session; after a reboot IP masquerading will not work anymore. To make the settings persistent, use the YAST2 “RC-Config Editor” to set the variables

IP_DYNIP="yes"
IP_FORWARD="yes"

Furthermore take care that NO SuSE firewall is activated, as these still use ipchains for their setup:

START_FW="no"

You can check the settings in /etc/rc.config.

Incorporating iptables Firewall

As mentioned before we need to set up IP masquerading in the kernel firewall. For this reason we wrote a startup script /etc/init.d/firewall, which you can see here.
 
To have this script called at startup, symbolic links are needed. They are created with the following commands:

ln -s /etc/init.d/firewall /etc/init.d/rc3.d/K21firewall
ln -s /etc/init.d/firewall /etc/init.d/rc3.d/S01firewall
ln -s /etc/init.d/firewall /etc/init.d/rc5.d/K21firewall
ln -s /etc/init.d/firewall /etc/init.d/rc5.d/S01firewall

This calls the script whenever init level 3 or 5 is entered or left, which ensures that IP masquerading is set up whenever the server is in network mode.

ATTENTION: the attached script does not set up a firewall in the sense of protection. It only enables masquerading. When you are in need of a firewall, add iptables commands after the following lines of /etc/init.d/firewall.

    echo -n "Initializing firewall:"
    iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
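As an added example (not the page's own /etc/init.d/firewall script), here is a start/stop script in the same spirit that masquerades the page's LAN (192.168.0.0/24) behind ippp0 and adds the minimal FORWARD policy the note above says the original script lacks: only LAN clients may be forwarded out, and the internet side may only answer. The DRY_RUN variable and the run helper are assumptions of this example so the commands can be previewed without root.

```shell
#!/bin/sh
# Added example, not the page's script: masquerading for the page's LAN
# behind the ISDN interface plus a minimal FORWARD policy.
# Set DRY_RUN=1 to print the commands instead of executing them.
WAN_IF="${WAN_IF:-ippp0}"              # ISDN interface used on the page
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # client network used on the page

# Execute a command, or only print it when DRY_RUN is set (assumed helper).
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

fw_start() {
    echo "Initializing firewall:"
    run sysctl -w net.ipv4.ip_forward=1    # kernel routes between interfaces
    run sysctl -w net.ipv4.ip_dynaddr=1    # fix source address on dial on demand
    # Only rewrite packets that really originate in our LAN, not anything
    # that happens to leave via the ISDN interface.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Forwarding policy: LAN may go out, the internet may only answer.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

fw_stop() {
    echo "Shutting down firewall:"
    run iptables -t nat -F POSTROUTING
    run iptables -F FORWARD
    run iptables -P FORWARD ACCEPT
    run sysctl -w net.ipv4.ip_forward=0    # no forwarding outside network mode
}

# Called as "firewall start" from the S01 link and "firewall stop" from K21.
case "$1" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Run it with DRY_RUN=1 first to see the exact rule set before installing it as an init script.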
