IP Masquerade for Linux

IP Masquerade

ISPs do not want to give you more than one IP address, so many ISPs require that you use NAT (Network Address Translation) or some sort of Proxy server.

IP Masquerade is a type of NAT, and is a theoretically simple process. A typical proxy would receive the request, then perform the server function requested itself. Clients would need to point at the proxy for the service. A much cleaner solution is IP Masquerade, which looks at everything coming across its Ethernet card trying to route out to the world. If it is an outbound packet, it strips the source information off, and places its own IP headers on the packet. When data comes back through, it does the reverse operation. It will natively handle most protocols, but module plug-ins will need to be used for ftp, irc and most games. Some older ftp clients will not work through IP Masquerade, so you may need to upgrade. I have played Quake II through my simple masquerade with no extra lag or packet loss. It is a good simple test, since Quake UDP packets flow through at around 20 to 40 packets per second.

To get masquerade to work, you may need 3 things - a new kernel configured for masquerade and firewall (depending on your distribution - many have IP Masq turned on now), IP Forwarding turned on, and an ipchains (firewall) rule to allow the masquerade. I am assuming you already built the new kernel and have it running.

Masquerade

Add the following lines to the end of file /etc/rc.d/rc.local. Alternatively, you could place these lines in a second file, and have it executed from rc.local. I call mine rc.ethers, so at the end of rc.local, I appended "/etc/rc.d/rc.ethers" to execute it at boot-up. If you are using ipchains, you will find a similar set of rules here.

# this is the adapter that will be masqued
echo "ip_masq 172.16.50.1"

# this sets ipforwarding on
echo "1" > /proc/sys/net/ipv4/ip_forward

# checks module dependancy
/sbin/depmod -a

# adds ftp & irc ability
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_irc.o

# by default, deny forwarded packets
/sbin/ipchains -A forward -j deny

#forward all from local ethernet side
/sbin/ipchains -A forward -i eth1 -s 172.16.50.0/24 -j MASQ

Once these changes have been made, you can reboot the machine. If you have ppp working, you should be able to ping out to the net from a client connected machine. Set the client to point to 172.16.50.1 as their gateway, with DNS set to your ISP's DNS servers. You could also set up a caching nameserver on your Linux box. It is fairly easy to do. If you decide to set up a firewall, be sure and use the command...

/sbin/ipchains -A forward -i eth1 -s 172.16.50.0/24 -j MASQ

...in that configuration as well, or data may not forward properly.