[ Bloke.com || Linux || JavaScript || Java || Volleyball || Link Me ]
Free: [ Guestbook || MessageBot || Plugins || Counter || AusPrices || Advertise ]

Home - Linux - Firewall

My Setup
+-------+  +-------+  +--------+
| Optus +--+ Cable +--+ Switch |
| cable |  | Modem |  |        |
+-------+  +-------+  +-+-+----+
                        | |
                        | +-- tiger
                        +---- jack
Cable Modem is a Motorola SB4100 Surfboard
Switch is a Netgear FS605, 5 port Fast Ethernet switch.
tiger is my laptop and the current machine to do routing (and firewall/nat/ipmasq)
jack is a dual cpu linux box.
Both machines have only one ethernet card.


To be able to play games and have all the features in a secure environment and only one ip address.

The basic idea is to have all the machines have internal IP addresses, and then when they access the internet, they appear as if they are from the one IP address. This process is called NAT (Network Address Translation), but as it turns out, what I really wanted is IPMASQ (IP Masquerading).

I was using ipchains, but had to switch to use iptables.

Basically this URL:

is all you'll ever need. But I have outlined the steps that I had to do with a RedHat 7.3 setup (and switching from ipchains).

First check that you have met the requirements:

#checked I met the requirements as per...
# and
# http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-compiling3.1.html
# in my case I did
# Run the command "ls /proc/sys/net/ipv4" while logged into the Linux box
#      2.4.x kernels (look for most of the following entries out of the much longer list):
#            ip_dynaddr
#            ip_forward 

and they were there :-) If not .. well, read that HOWTO on how to get those modules into your kernel. I added ipaddress for use as the default internal gateway I added this to "tiger" which is going to be my firewall/ipmasq/router machine.
ifconfig eth0:0
(and then I added to /etc/rc.d/rc.local, which is very lazy, and not the right way.) I'm using internal address in block (class C.. netmask=

# installed firewall-config-0.97-2.i386.rpm
# hmm .. didn't seem to do much :-(

From http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/examples/ I grabbed firewall-2.4 and called it /etc/rc.d/init.d/firewall then
chmod 755 /etc/rc.d/init.d/firewall
Then I grabbed rc.firewall-2.4 from the same place and saved it in /etc/rc.d/ then
chmod 755 /etc/rc.d/rc.firewall-2.4
Then I updated /etc/rc.d/rc.firewall-2.4 and /etc/rc.d/init.d/firewall so that IPTABLES=/sbin/iptables (and not /usr/local/sbin/iptables)
/etc/rc.d/init.d/ipchains stop
/etc/rc.d/init.d/firewall start
grr... errors

so (from http://www.linuxuser.co.uk/forum/messages/678.html

service ipchains stop
chkconfig ipchains off
rmmod ipchains

service iptables start
chkconfig iptables on
insmod iptables
Now the only problem I had was that I don't have a second ethernet interface, and so I needed to change /etc/rc.d/rc.firewall-2.4 so that INTIF points to eth0 and not eth1. I'm not too sure how this effects security, and normally, you would have a machine with two interfaces and all external traffic on one side of the ipmasq machine and all internal traffic on the other side.

Now instead turn firewall on at reboot..

chkconfig --level=345 firewall on
Once getting it all working and running through the tests in the FAQ I then upgraded to use the stronger firewall (/etc/rc.d/rc.firewall-2.4-stronger) remembering to update INTIF from eth1 to eth0 and the /sbin path changes.

Bugs etc
The following is no doubt outdated already, I need to check against the current version of the IPMask HOWTO (which was just updated days ago).
typo on Please see Section 7.38 for addutional details.
(additional) on http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/kernel-2.4.x-requirements.html

on http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/masq-supported-distributions.html
redhat 7.3 uses:
% rpm -q iptables
#most recent kernel
% rpm -q kernel

Shouldn't that be for the broadcast address...

"Please note that and are the Network and Broadcast address respectively (these addresses are RESERVED). Avoid using these addresses on your machines or your network will not function properly."


Last Change: Monday, 10-Jan-2005 07:41:02 EST


The information provided within these pages is provided AS IS, and without any warranty. Following these directions may (but not limited to) crash your computer, delete all the information on your hard disk, open up security holes or cause your house to burn down. I made these pages to provide some information about the setup that I have done, but I did not proofread it for correctness, and in most cases did not test it. There are commands in these pages that would definately delete or corrupt all the data on your computer (especially the dualboot section). In fact it happened to me.... So you are on your own!

Cameron Gregory