Published on: Sunday 21st February 1999 By: Tarique Sani
Getting on to the Net is, for many people, like climbing the stairway to heaven, but if you run a small corporate network, allowing everyone to have a separate dial-up connection can be very expensive. The solution is to set up your intranet server as an Internet gateway.
Doing this is very easy: set up your Linux server to perform IP masquerading. IP masquerading fools a remote host on the Internet (say, a Web server your client machines are trying to connect to) into believing it is talking to only a single machine, the publicly accessible server that has a direct link to the Internet.
When a client makes a request to a host which is not on the local network, the gateway, based on a strict set of rules, passes it on to the outside, in this case the Internet. As each TCP/IP packet arrives from the client, the server replaces the client's IP address with its own external (Internet) address, and changes the source port number to a random unused value. The packet is then passed on to the remote host, which replies based on the changed IP address and port number. Reply packets arriving at the gateway have the client's IP address substituted back in, based on their port number, and are forwarded to the client.
To the clients, this process is completely transparent, and makes it appear as if they are directly connected to the Internet.
Your kernel needs to be configured to support IP masquerading, IP forwarding and Network Firewalls. Red Hat Linux uses a modular kernel which allows you to enable these features without having to recompile. Support for IP masquerading and firewalling is already built into the default kernel.
To enable IP forwarding, you will have to edit the file /etc/sysconfig/network
Change the line that says:
to (quite obviously):
You can also enable this using the network configuration tool. (Try netcfg & in X)
Certain programs, such as CuSeeME, the Quake clients and some others, require special modules to be loaded at boot time to work correctly. You can edit the file /etc/rc.d/rc.fw to add support for any specific software you need. To add additional support as modules become available, copy the module into the /lib/modules/2.0.3X/ipv4/ directory, and add the line:
to the /etc/rc.d/rc.fw file.
Allowing your intranet to access the Internet also opens a security hole. To ensure that remote machines cannot gain access to your network via the gateway, you need to set up a firewall. Let me warn you again that I am not a guru in these matters, but I will show how I set up a rudimentary firewall using the ipfwadm package (it comes on the Red Hat CD).
Again we need to edit the /etc/rc.d/rc.fw file to setup a set of default rules for both incoming and outgoing packets.
We start by flushing (-f) all existing rules in the forwarding chain (-F) using:
/sbin/ipfwadm -F -f
Set up a default policy of deny for the forwarding chain:
/sbin/ipfwadm -F -p deny
The masquerading rule itself requires a bit more explanation:
/sbin/ipfwadm -F -a accept -m -S 192.168.1.0/24 -D 0.0.0.0/0
This adds (-a) a forwarding rule (-F) for the source network (-S) 192.168.1.0, to the destination (-D) 0.0.0.0 (any address). The m (masquerade) parameter turns on masquerading for all matching packets, making them appear to originate from the gateway, and the parameter X after the slash (here 24) is the prefix length, determined by the network class from the table below.
Netmask           X    Class
255.0.0.0         8    Class A
255.255.0.0       16   Class B
255.255.255.0     24   Class C
255.255.255.255   32   Point-to-Point
If you wish to allow only a certain machine (in this case 192.168.1.123), access to the Internet, you could instead add the rule:
/sbin/ipfwadm -F -a m -S 192.168.1.123/32 -D 0.0.0.0/0
You can set up further rules to block access to certain sites, log traffic, etc. The following rule rejects and logs (-o) traffic attempting to reach the site 220.127.116.11:
/sbin/ipfwadm -I -a reject -S 192.168.1.0/24 -D 18.104.22.168/32 -o
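To check what the rule set above actually does before typing it into rc.fw, here is a small model of the ipfwadm chain logic (an added example, not part of the original article and not ipfwadm's own code). It assumes that rules in a chain are evaluated in order, the first match decides, and the chain policy applies when nothing matches; the blocked site 203.0.113.9 and the test addresses are constructed values.

```python
import ipaddress

# Netmask -> /X table from the article, as prefix lengths.
NETMASK_TO_PREFIX = {"255.0.0.0": 8, "255.255.0.0": 16,
                     "255.255.255.0": 24, "255.255.255.255": 32}

def prefix_for_netmask(netmask):
    """Return the /X value for a dotted netmask (computed if not in the table)."""
    return NETMASK_TO_PREFIX.get(
        netmask, ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen)

class Chain:
    """One ipfwadm chain (-I or -F): ordered rules plus a default policy (-p)."""
    def __init__(self, policy="accept"):
        self.policy = policy
        self.rules = []          # (action, masquerade, src_net, dst_net)

    def flush(self):             # ipfwadm -f
        self.rules = []

    def add(self, action, src, dst, masquerade=False):   # -a ACTION -S src -D dst [-m]
        self.rules.append((action, masquerade,
                           ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst)))

    def verdict(self, src_ip, dst_ip):
        """First matching rule decides; otherwise the chain policy applies (assumption)."""
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for action, masq, src_net, dst_net in self.rules:
            if src in src_net and dst in dst_net:
                return "masquerade" if masq and action == "accept" else action
        return self.policy

def build_gateway(blocked_site="203.0.113.9", lan="192.168.1.0/24"):
    """Input and forwarding chains mirroring the article's rc.fw rules (constructed site)."""
    inp = Chain()                                   # input chain keeps its default policy
    inp.add("reject", lan, f"{blocked_site}/32")    # ipfwadm -I -a reject -S lan -D site/32 -o
    fwd = Chain()
    fwd.flush()                                     # ipfwadm -F -f
    fwd.policy = "deny"                             # ipfwadm -F -p deny
    fwd.add("accept", lan, "0.0.0.0/0", masquerade=True)  # ipfwadm -F -a accept -m -S lan -D 0/0
    return inp, fwd

def gateway_verdict(inp, fwd, src_ip, dst_ip):
    """A LAN packet crosses the input chain first, then the forwarding chain."""
    v = inp.verdict(src_ip, dst_ip)
    return v if v in ("deny", "reject") else fwd.verdict(src_ip, dst_ip)
```

A packet from an address outside 192.168.1.0/24 falls through to the deny policy, which is the property the default-deny rule is there to guarantee.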
This will suffice for the needs of most small corporate intranets.