Linux Know-How provides a collection of introductory texts on often needed Linux skills.


IP Masquerading

Another computer on your network must have a modem (or another Internet connection) though :-). Set up IP masquerading on that computer. This way, all requests going from your network to your Internet Service Provider (ISP) appear to have originated from that single computer, and your ISP will let them through.

ON REDHAT 5.2, simple masquerading required just one command (on the computer with the modem):

/sbin/ipfwadm -F -p m

This sets masquerading as the default forwarding policy of your IP firewall, and is therefore insecure but probably OK for a home user. (The danger is that if somebody cracks into your computer, s/he can use your computer to hide his or her true identity. Whatever malicious thing the hacker does to anybody, you take the blame. The hacker can even set his route to "tunnel" back through your network, thus concealing his identity from you.) For more info, please check the file /usr/doc/HOWTO/mini/IP-Masquerade. A more secure setup is shown here:

ipfwadm -F -p deny

ipfwadm -F -a m -S 192.168.1.1/32 -D 0.0.0.0/0

ipfwadm -F -a m -S 192.168.1.3/32 -D 0.0.0.0/0

ipfwadm -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0

This sets the default policy to "deny" and explicitly masquerades two machines with IPs 192.168.1.1 and 192.168.1.3. It also masquerades any machine from the network 192.168.2.0. The suffix /32 is a netmask that matches exactly one host address (point-to-point, i.e. "machine-to-machine"), while /24 identifies a class C network. The -D 0.0.0.0/0 matches any destination address, which covers everything the masqueraded machines send out to the Internet over their default route.
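As an added example (not from the original page, and a simplified model rather than the kernel's real matching code), the following Python script evaluates the two rule sets above against sample packets. It shows why the deny-by-default version stops a source address that the one-line "default policy masquerade" version would happily forward and disguise as your own; the destination 198.51.100.10 and the extra source addresses are constructed for the demonstration.

```python
import ipaddress

# Added simulator (not the kernel's or ipfwadm's code): models ipfwadm -F
# forwarding rules as a first-match list with a default policy. It ignores
# interface, protocol and port options that real ipfwadm rules may carry.
TARGETS = {"m": "masquerade", "masq": "masquerade", "masquerade": "masquerade",
           "deny": "deny", "reject": "reject", "accept": "accept"}

def parse_ipfwadm(commands):
    """Parse 'ipfwadm -F ...' command lines into (default_policy, rules)."""
    policy, rules = "accept", []
    for cmd in commands:
        argv = cmd.split()
        if "-p" in argv:                    # ipfwadm -F -p <policy>
            policy = TARGETS[argv[argv.index("-p") + 1]]
        elif "-a" in argv:                  # ipfwadm -F -a <target> -S <src> -D <dst>
            target = TARGETS[argv[argv.index("-a") + 1]]
            src = ipaddress.ip_network(argv[argv.index("-S") + 1])
            dst = ipaddress.ip_network(argv[argv.index("-D") + 1])
            rules.append((target, src, dst))
    return policy, rules

def forward_decision(policy, rules, src_ip, dst_ip):
    """Verdict for a packet the router is asked to forward: first matching rule wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for target, snet, dnet in rules:
        if src in snet and dst in dnet:
            return target
    return policy                           # no rule matched: default policy applies

# The two rule sets from the text, verbatim.
INSECURE = ["/sbin/ipfwadm -F -p m"]
SECURE = ["ipfwadm -F -p deny",
          "ipfwadm -F -a m -S 192.168.1.1/32 -D 0.0.0.0/0",
          "ipfwadm -F -a m -S 192.168.1.3/32 -D 0.0.0.0/0",
          "ipfwadm -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0"]

def compare(src_ip, dst_ip="198.51.100.10"):   # constructed Internet destination
    """Verdict for one packet under both rule sets."""
    return {name: forward_decision(*parse_ipfwadm(cmds), src_ip, dst_ip)
            for name, cmds in (("insecure", INSECURE), ("secure", SECURE))}

if __name__ == "__main__":
    # 192.168.1.2 and 10.9.8.7 are not on the allow-list; only the deny policy stops them.
    for src in ("192.168.1.1", "192.168.1.2", "192.168.2.77", "10.9.8.7"):
        print(src, compare(src))
```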

ON REDHAT 6.0 THE NAME OF THE COMMAND is ipfwadm-wrapper (instead of ipfwadm) and I had to use the second, more secure method (setting up masquerading as the default policy does not seem to work on my system any more). Also, with newer kernels (2.0.34 and later) forwarding is disabled by default and must be turned on using:

echo "1" > /proc/sys/net/ipv4/ip_forward

Actually, ipfwadm-wrapper is a wrapper because it lets me use the old rules of setting up the firewall policies using the brand new firewalling kernel code. Doing something like this may work better for you:

ipchains -P forward DENY

ipchains -A forward -s 192.168.1.0/24 -j MASQ

If you would like to have these command(s) always executed at system startup, add them as the last line(s) of the file /etc/rc.d/rc.local. This file is something like AUTOEXEC.BAT in DOS. As always, it is recommended to read the manual page and other documentation to see what the command(s) do and what the other options are:

less /usr/doc/HOWTO/mini/IP-Masquerade

man ipfwadm

man ipchains

ON REDHAT 7.1 (KERNEL 2.4.x) firewalling can be set up using the new iptables command. You can still use the old ipchains, provided you don't run iptables at the same time. So perhaps use ntsysv to make sure ipchains is enabled and iptables is disabled.


Last Update: 2010-12-16