Linux Today: Linux News On Internet Time.

Linux Consulting: Firewalls that Work Under Kernel 2.2

Aug 12, 1999, 15:37

by Tom Adelstein of Bynari, Inc.
with Emmanuel Stalin and Prabhakar Vijayarangam

Businesses of all sizes use the Internet on a global basis. Estimates of the number of high-speed lines from the business community to the Internet backbone range from one to three million, depending on who publishes the reports. Whatever the number of business connections to the Internet, most analysts, including the major backbone providers, agree that about 85% of those lines remain unprotected by a firewall of any kind.

This situation gives Linux solutions their most significant market edge, and one that many people have overlooked. The Linux solution requires no user licenses and can provide both rule-based and hardware-based firewall protection. Consider the consequences of providing a secure environment for users on your network, along with the ability to access the Internet without revealing your internal IP addresses.

The cost of firewalls and proxy servers from major vendors has prevented many businesses from utilizing the Internet. With this barrier removed, IT departments have no excuses left for failing to provide a safe environment. If you want to test the security of your network, try pinging your workstation from your home. First, find out its IP address. When at home, go to a DOS command prompt or the command line of a Linux machine and type in "ping xxx.xxx.xxx", where each "x" represents a digit of the address. Don't use the quotes in the command. If your command returns a reply such as this:

$ ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=248 time=430.1 ms
64 bytes from icmp_seq=1 ttl=248 time=718.7 ms
64 bytes from icmp_seq=2 ttl=248 time=240.1 ms
64 bytes from icmp_seq=3 ttl=248 time=64.8 ms
64 bytes from icmp_seq=4 ttl=248 time=56.7 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 56.7/302.0/718.7 ms

and that's the IP of your workstation, then you're exposed to the public Internet.

Last year, I took a contract with a national consultancy and immediately noticed their exposure to the Internet. When I raised the issue with the CTO, he gave me numerous excuses. He even told me that he had the main router configured to filter packets and keep intruders out. I saw a Cisco 2501 and a Kentronics CSU/DSU on the rack.

Seeing that we had reached a stalemate, I brought it to management's attention. In a very polite and non-intrusive way, one of the executives asked him to test the network from home. The next morning, I received a call before 6:00 AM from the CTO asking me to come to the office at once. He had pinged his Notes server from his son's computer. Call the rest history.

This article describes how to enable the Linux IP Masquerade feature on a given Linux host. IP Masq is a form of Network Address Translation that allows internally connected computers that do not have one or more registered Internet IP addresses to have the ability to communicate to the Internet via your Linux box's single Internet IP address.

What is IP Masquerade for Linux?

IP Masquerade is a networking feature in Linux. If a Linux host is connected to the Internet with IP Masquerade enabled, then computers connecting to it (usually on the same LAN, but can also be connected with other links such as modems or PLIP) can reach the Internet as well, even though they have no officially assigned IP addresses.
MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, all this outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a VERY secure networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult.

Who Can Benefit From IP Masquerade?

If you have a Linux host connected to the Internet and
if you have some computers running TCP/IP connected to a Linux box on a local subnet, and/or
if your Linux host has more than one modem and acts as a PPP or SLIP server connecting other computers, where
those OTHER machines do not have official or publicly assigned IP addresses (i.e. they are addressed with private TCP/IP numbers).
And of course, if you want those OTHER machines to communicate to the Internet without spending extra money to get additional Public / Official TCP/IP addresses from your ISP and either configure Linux to be a router or purchase an external router.

IP Masquerading Example:
A typical example is given in the diagram below:

  +----------+
  |          |
  |  A-box   |::::::::::::
  |          |          ::
  +----------+          ::
  +----------+          ::    +-------+          +-----------+
  |          |          ::    |       |   eth1   |   Linux   |  eth0
  |  B-box   |::::::::::::::::|  Hub  |::::::::::| Masq-Gate |:::::::::// Internet
  |          |          ::    |       |          |           |
  +----------+          ::    +-------+          +-----------+
  +----------+          ::
  |          |          ::
  |  C-box   |::::::::::::
  |          |
  +----------+

                                                      |
                    Internal Network                  |   External Network
                                                      |

In this example, there are four computer systems that we are concerned about. There is also presumably something on the far right that your PPP connection to the Internet comes through (a terminal server, etc.), and some remote host (very far off to the right of the page) out on the Internet that you are interested in communicating with. The Linux system Masq-Gate is the IP Masquerading gateway for ALL of the internal network of machines A-box, B-box and C-box to get to the Internet. The internal network uses one of the several RFC-1918 assigned private network addresses, in this case the Class-C network The Linux box having the TCP/IP address while the other systems having the addresses:

A- Box:
B- Box:
C- Box:

The three machines, A-box, B-box and C-box, can be running any operating system as long as they can speak TCP/IP. OSes such as Windows 95, Macintosh MacTCP or OpenTransport or even another Linux box can connect to other machines on the Internet. When running, the masquerading system or MASQ-gate converts all of these internal connections so that they appear to originate from masq-gate itself. MASQ then arranges so that data coming back in to a masqueraded connection is relayed back to the proper originating system. Because of this, the systems on the internal network see a direct route to the internet and are unaware that their data is being masqueraded. This is called a "Transparent" connection.

Linux 2.2.x Kernels

Please note that IPFWADM is no longer the firewall tool for manipulating IP Masquerading rules for both the 2.1.x and 2.2.x kernels. These new kernels now use the IPCHAINS tool.
Create the file /etc/rc.d/rc.firewall with the following initial SIMPLE ruleset:

# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
# Load all required IP MASQ modules
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented out from loading.

# Needed to initially load modules
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake II and/or Quake I/II on other server ports, use the second example.
# Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
# Quake I / QuakeWorld / and Quake II (ports 26000, 27000, 27910)
#/sbin/modprobe ip_masq_quake ports=26000,27000,27910

# Supports the masquerading of the CuSeeme video conferencing software
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#/sbin/modprobe ip_masq_vdolive

# CRITICAL: Enable IP forwarding, since it is disabled by default.
# Red Hat users: you may try changing the options in /etc/sysconfig/network from:
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
# option. This enables dynamic-ip address hacking in IP MASQ, making the life
# with Diald and similar programs much easier.
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# MASQ timeouts
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
ipchains -M -S 7200 10 60

# Enable simple IP forwarding and Masquerading
# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
# network with a "24" bit subnet mask, i.e. 192.168.0.0/24.
# Please change this network number and subnet mask to match your internal LAN setup
ipchains -P forward DENY
ipchains -A forward -s 192.168.0.0/24 -j MASQ

# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following
# before the deny command. The "bootp_clients_net_if_name" should be replaced with
# the name of the link that the DHCP/BOOTP server will put an address on to.
# This will be something like "eth0", "eth1", etc.
# This example is currently commented out. (ipchains names the interface with -i.)
#ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 68 -d 0/0 67 -p udp

Once you are finished editing the /etc/rc.d/rc.firewall ruleset, make it executable by typing: chmod 700 /etc/rc.d/rc.firewall

You could also have enabled IP Masquerading on a PER MACHINE basis instead of the above method, which enables an ENTIRE TCP/IP network. For example, say I wanted only the and hosts to have access to the Internet and NOT any of the other internal machines. I would change the in the "Enable simple IP forwarding and Masquerading" section (shown above) of the /etc/rc.d/rc.firewall ruleset as follows:

# Enable simple IP forwarding and Masquerading
# NOTE: The following is an example to only allow IP Masquerading for the
# and machines with a or a "24" bit subnet mask.
# Please change this network number and subnet mask to match your internal LAN setup
# Placeholders: replace with the two internal hosts' addresses before use
HOST1_IP=host-1-ip-here
HOST2_IP=host-2-ip-here
ipchains -P forward DENY
ipchains -A forward -s "$HOST1_IP"/32 -j MASQ
ipchains -A forward -s "$HOST2_IP"/32 -j MASQ

What appears to be a common mistake with new IP Masq users is to make the first command:
ipchains -P forward masquerade

Do NOT make your default policy MASQUERADING. Otherwise someone who can manipulate the routing tables will be able to tunnel straight back through your gateway, using it to masquerade their OWN identity!

Again, you can add these lines to the /etc/rc.d/rc.firewall file, one of the other rc files you prefer, or do it manually every time you need IP Masquerade.
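As an added example (not code from the article or from the IP Masquerade HOWTO), here is a small POSIX shell audit helper that checks an rc.firewall-style ruleset for the two points made above: the forward chain's default policy must be DENY rather than MASQ, and every MASQ rule must name a specific internal source. It relies on the "ipchains -P forward ..." and "ipchains -A forward ... -j MASQ" spellings used in this article, ignores commented-out lines, and the two sample rulesets it writes to temporary files are constructed purely for demonstration.

```shell
#!/bin/sh
# Added example, not from the article or the IP Masquerade HOWTO: audits an
# ipchains-style /etc/rc.d/rc.firewall for the two properties the text calls
# out, (1) the forward chain's default policy must be DENY, never MASQ, and
# (2) every MASQ rule must name a specific internal -s source.
# Assumes the "ipchains -P forward ..." / "ipchains -A forward ... -j MASQ"
# spellings used in the article; comment lines and blank lines are ignored.

# Prints findings; returns 0 when the file passes, 1 otherwise.
check_rc_firewall() {
    file="$1"
    rc=0
    # Drop comments and blank lines so commented-out rules are not counted.
    rules=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file")

    # The last "-P forward <policy>" wins, as it would when the script runs.
    policy=$(printf '%s\n' "$rules" | awk '
        tolower($1) == "ipchains" && $2 == "-P" && tolower($3) == "forward" { p = toupper($4) }
        END { print p }')
    case "$policy" in
        DENY|REJECT) ;;
        "")   echo "FAIL: no 'ipchains -P forward' policy set"; rc=1 ;;
        *)    echo "FAIL: default forward policy is $policy, expected DENY"; rc=1 ;;
    esac

    # A MASQ rule with no -s, or with a catch-all source, masquerades anything
    # routed through the gateway, which is the mistake the article warns about.
    printf '%s\n' "$rules" | awk '
        BEGIN { bad = 0 }
        tolower($1) == "ipchains" && $2 == "-A" && tolower($3) == "forward" {
            masq = 0; src = ""
            for (i = 4; i <= NF; i++) {
                if ($i == "-j" && toupper($(i+1)) ~ /^MASQ/) masq = 1
                if ($i == "-s") src = $(i+1)
            }
            if (masq && (src == "" || src ~ /^-/ || src == "0/0" || src == "0.0.0.0/0")) {
                print "FAIL: MASQ rule without a specific -s source: " $0
                bad = 1
            }
        }
        END { exit bad }' || rc=1

    [ "$rc" -eq 0 ] && echo "OK: $file passes"
    return "$rc"
}

# Constructed sample rulesets for demonstration (addresses are examples only).
sample_ruleset() {
    case "$1" in
        good) cat <<'EOF'
# minimal ruleset in the article's style
ipchains -M -S 7200 10 60
ipchains -P forward DENY
ipchains -A forward -s 192.168.0.0/24 -j MASQ
EOF
        ;;
        bad) cat <<'EOF'
# the "common mistake": masquerade everything by default
ipchains -P forward MASQUERADE
ipchains -A forward -j MASQ
EOF
        ;;
    esac
}

# Demo: write both samples to temporary files and audit each one.
for kind in good bad; do
    tmp=$(mktemp)
    sample_ruleset "$kind" > "$tmp"
    if check_rc_firewall "$tmp"; then :; fi   # findings are printed by the function
    rm -f "$tmp"
done
```

To audit a real gateway, run `check_rc_firewall /etc/rc.d/rc.firewall` after sourcing the file; the check is deliberately textual so it can be run on the script before it is ever loaded into the kernel.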

Configuring the other internal to-be MASQed machines

Besides setting the appropriate IP address for each internal MASQed machine, you should also set each internal machine with the appropriate gateway IP address of the Linux MASQ server and the required DNS servers. In general, this is rather straightforward. You simply enter the address of your Linux host as the machine's gateway address.

For the Domain Name Service, you can add in any DNS servers that are available. The most apparent one should be the one that your Linux server is using. You can optionally add any "domain search" suffix as well.
After you have properly reconfigured the internal MASQed machines, remember to restart their appropriate network services or reboot them.

The following configuration instructions assume that you are using a Class C network with as your Linux MASQ server's address. Please note that and are reserved TCP/IP addresses.
As it stands, the following Platforms have been tested as internal MASQed machines:

Linux 1.2.x, 1.3.x, 2.0.x, 2.1.x, 2.2.x
Solaris 2.51, 2.6, 7
Windows 95, OSR2, 98
Windows NT 3.51, 4.0, 2000 (both workstation and server)
Windows For Workgroup 3.11 (with TCP/IP package)
Windows 3.1 (with the Netmanage Chameleon package)
Novell 4.01 Server with the TCP/IP service
OS/2 (including Warp v3)
Macintosh OS (with MacTCP or Open Transport)
DOS (with NCSA Telnet package, DOS Trumpet works partially)
Amiga (with AmiTCP or AS225-stack)
VAX Stations 3520 and 3100 with UCX (TCP/IP stack for VMS)
Alpha/AXP with Linux/Redhat
SCO Openserver (v3.2.4.2 and 5)
IBM RS/6000 running AIX

Configuring Microsoft Windows 95

1. If you haven't installed your network card and adapter driver, do so now. A description of this is beyond the scope of this document.

2. Go to the 'Control Panel' --> 'Network'.

3. Click on Add --> Protocol --> Manufacturer: Microsoft --> Protocol: 'TCP/IP protocol' if you don't already have it.

4. Highlight the TCP/IP item bound to your Windows 95 network card and select 'Properties'. Now go to the 'IP Address' tab and set IP Address to 192.168.0.x (1 < x < 255), and then set the Subnet Mask to

5. Now select the 'Gateway' tab, add as your gateway under 'Gateway' and hit 'Add'.

6. Under the 'DNS Configuration' tab, make sure to put in a name for this machine and enter your official domain name. If you don't have your own domain, put in the domain of your ISP. Now, add all of the DNS servers that your Linux host uses (usually found in /etc/resolv.conf). Usually these DNS servers are located at your ISP, though you can be running either your own CACHING or Authoritative DNS server on your Linux MASQ server as well. Optionally, you can add any appropriate domain search suffixes as well.

7. Leave all the other settings as they are unless you know what you're doing.

8. Click 'OK' on all dialog boxes and restart the system.

9. Ping the Linux box to test the network connection: 'Start/Run', type: ping
(This is only an INTERNAL LAN connection test; you can't ping the outside world yet.) If you don't see "replies" to your PINGs, please verify your network configuration.

10. You can optionally create a HOSTS file in the C:\Windows directory so that you can ping the "hostname" of the machines on your LAN without the need for a DNS server. There is an example called HOSTS.SAM in the C:\Windows directory.

Linux provides an inexpensive solution for a secure network. Some companies with whom I've consulted have insisted that they spend tens of thousands of dollars on a lesser but proprietary system. I remember a CIO of a large hotel chain discussing this with me. He said, "When I make decisions, I imagine I'm having a conversation with the CEO. I imagine that someone broke into our network and took sensitive financial data. The CEO, Don, then asks me why I used the system I did. I say, because it was cheap. He then fires me."

I consider this one of the ultimate rationalizations I have ever heard. First, Linux isn't cheap, it's free. Secondly, if it's good enough for the Department of Defense, it's good enough for me.