IP Masquerading with LinuxPPC 1999 (or kernel 2.1.1xx +)
The instructions below are appropriate for setting up IP Masquerading in LinuxPPC
R5 (aka LinuxPPC 1999).

Background:
A while back the old method of IP Masquerading / Network Address Translation was
removed and a new method put into place.  From the user perspective, this is a
shift from the ipfwadm tool to ipchains.  The following should be fairly
complete instructions on how to set up a 2.1.1xx or 2.2.XX kernel LinuxPPC / Linux-pmac
system for IP Masquerading.  If you have not done any IP Masquerading before, you
might want to take a quick look at an older document I put here, "IP Masquerading
(NAT) setup under Linux/ppc (Linux-pmac)", which deals with the 2.1.24 kernel but
also goes into more depth on what IP Masquerading actually does.  Here's the
link to the previous document:
http://www.dartmouth.edu/cgi-bin/cgiwrap/jonh/lppc/faq.pl?file=361

Overview:
1. Compile a kernel with support for IP Masquerading
2. Grab the ipchains tool from ftp.linuxppc.org or compile it yourself
3. Use ipchains to start IP Masquerading / NAT
4. Misc. Notes


Details:

1. Compiling the kernel:
You could also download a precompiled kernel from http://netspace.org/~thedrick/linux/

A:  Grab the kernel sources from ftp.kernel.org; at this time the latest version
2.2 kernel is probably your best bet.

B:  Compile a new kernel with the IP Masquerading options set as detailed in C:
(unpack the new kernel, use "make menuconfig" to configure it, then "make dep ;
make clean ; make vmlinux ; make modules ; make modules_install" to compile it,
and move the resulting vmlinux to /boot/vmlinux for OF booting or /MacOS System
Folder/vmlinux for BootX booting).

C:  IP Masquerading kernel options.  Say yes to the following options during
kernel configuration.
Network Firewalls
Network Aliasing
TCP/IP Networking
        IP: firewalling
        IP: always defragment
        IP: masquerading
                IP: ICMP masquerading
                IP: masquerading special modules support
                        I did not enable ipautofw masq support or
                        ipportfw masq support, feel free to try it and
                        mail me the results
        IP: aliasing support

D:  For those of you having difficulty with kernel compilation, Cody Brownstein
has compiled the latest 2.2 kernel with IP Masquerading support & other common
LinuxPPC options and put it on http://netspace.org/~thedrick/linux/

Grab the linux*.tgz file from the site and uncompress it.  The modules should
end up in /lib/modules/<kernel version>/ and the vmlinux file in /boot.  Don't
forget to copy the vmlinux file to your MacOS System folder if you're using
BootX to start Linux.

2:  Grab the ipchains tool from ftp.linuxppc.org.  
You could also compile it yourself if you wish.  Last I checked the rpm was at:
ftp://ftp.linuxppc.org/linuxppc-1999/software/network/ipchains-1.3.8-3.ppc.rpm

3:  The following script will set up IP Masquerading from the private
(192.168.1.x) network to the rest of the Internet.  Note that you'll need to be
root to do all this:

#!/bin/sh
# ipchain.sh - Initialize IP Chains

# Re-sync the module dependencies
/sbin/depmod -a

# Load the standard modules (modprobe takes the module name, without ".o")
/sbin/modprobe ip_masq_ftp                      # Non-PASV FTP transfers
/sbin/modprobe ip_masq_irc                      # Internet relay chat
/sbin/modprobe ip_masq_user                     # ??
# The rest of these I don't use, but they are available
# /sbin/modprobe ip_masq_cuseeme                # cuseeme video conferencing
# /sbin/modprobe ip_masq_quake                  # Quake
# /sbin/modprobe ip_masq_raudio                 # RealAudio
# /sbin/modprobe ip_masq_vdolive                # ?? video ??


# Make certain of your default rules 
/sbin/ipchains -P forward DENY
/sbin/ipchains -P input ACCEPT  
/sbin/ipchains -P output ACCEPT

# Permit IP masquerading for the 192.168.1.* network
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/255.255.255.0
# ipchains will use the appropriate devices (eth0, ppp0, etc.) without
# assistance

# Start IP forwarding - this is critical!
echo "1" > /proc/sys/net/ipv4/ip_forward

# End Script

4.  Miscellaneous Notes
See how much easier the ipchains tool is than ipfwadm?  If you don't, take a
quick look at the script I stuck in with my writeup of NAT under 2.1.24.  What
took about 4 rules in ipfwadm takes 1 in ipchains.

Ipchains can do a lot more than just NAT, for instance, didn't you always want
to keep your browser from even looking at ad.doubleclick.net?  Well, now it's
easy!  Take a look at the ipchains man pages or the ipchains homepage at:

http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html

Finally, please email me with any questions you have about these instructions or
Linuxppc in general.

Last revised by Ty Hedrick: 8/11/99
<thedrick@netspace.org>

An important item to note that is not frequently (if ever) mentioned in
discussions of IP Masquerading is that the directions assume you have two 
ethernet cards installed in your computer, or more precisely that you have two 
useable ethernet interfaces.  It is possible, however, to get IP Masquerading to 
work with just one ethernet card.  To do this, you need to set up IP Aliasing, in 
essence setting up another interface (apart from the traditional eth0) to route 
IP traffic on that happens to use the same physical ethernet card.

There is a nice mini-howto (http://www.linuxdoc.org/HOWTO/mini/IP-Alias.html) on 
IP Aliasing, but the only part you need to know is how to enable it.  In IP 
Masquerading, you route packets from one interface out to another interface.  In 
general, you'll see that IP Masq has you route packets received from the internal 
link out eth0 (the external link).  It'll get confused if you tell it that the 
internal link is eth0 too.  So what do you do?  You make a new interface with an 
internal address.

ifconfig eth0:1 192.168.1.1

This will bring up a new interface (called eth0:1) with the IP address 
192.168.1.1.  Change the address to whatever you'd like your internal gateway to 
be, but be sure to keep it as 192.168.1.* if you're using the above example for 
network numbers.  Whatever number you choose, this will be what you'll tell your 
internal machines to use as their gateway.

I think IP Masq will figure this out for itself, but you might want to specify 
"eth0" as the outgoing interface in your masq forwarder line.  To do this, just 
include "-i eth0" on the "ipchains -A" line that sets up the MASQ policy.
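
An added example, not part of the original FAQ: a small lint for a masquerading script that checks the two properties the script above relies on (a DENY forward policy and a MASQ rule limited to the internal network) and notes whether the outgoing interface suggested above is set.  The names audit_masq, sample_page_rules and sample_weak_rules are hypothetical, and the second sample is constructed.

```sh
# audit_masq (hypothetical helper): reads ipchains command lines on stdin
# and prints one finding per line; no output means nothing was flagged.
audit_masq() {
    awk '
    { sub(/#.*/, "") }                      # drop shell comments
    $1 !~ /(^|\/)ipchains$/ { next }        # only ipchains invocations
    {
        chain = ""; target = ""; src = ""; iface = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-A" || $i == "-I") chain = $(i + 1)
            else if ($i == "-P" && $(i + 1) == "forward") fwd_policy = $(i + 2)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-s") src = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
        }
        if (chain != "forward" || target != "MASQ") next
        masq++
        # No -s, or a source of 0/0, masquerades traffic from any address.
        if (src == "" || src ~ /^0(\.0\.0\.0)?\/0/)
            print "WARN line " NR ": MASQ rule is not limited to the internal network"
        if (iface == "")
            print "NOTE line " NR ": MASQ rule names no outgoing interface (-i)"
    }
    END {
        if (fwd_policy != "DENY" && fwd_policy != "REJECT")
            print "WARN forward policy is not DENY or REJECT"
        if (masq == 0) print "WARN no MASQ rule on the forward chain"
    }'
}
# The four rule lines from the script on this page.
sample_page_rules() {
    cat <<'EOF'
/sbin/ipchains -P forward DENY
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/255.255.255.0
EOF
}
# Constructed counter-example: open forward policy, unrestricted MASQ.
sample_weak_rules() {
    cat <<'EOF'
ipchains -P forward ACCEPT
ipchains -A forward -j MASQ -s 0.0.0.0/0   # masquerade everything
EOF
}
sample_weak_rules | audit_masq
```

Feed it your own script with "audit_masq < ipchain.sh"; the rules on this page produce only the NOTE about -i.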
This document is: http://www.jonh.net/cgi-bin/lppcfom/fom?file=482