
13. Routing

13.1 Kernel configuration

Forwarding

A GNU/Linux machine has routing built into the kernel. The only thing you need to do is enable it. To do so, adjust /proc/sys/net/ipv4/ip_forward.


appel:~# cat /proc/sys/net/ipv4/ip_forward
0

With the following command you turn on routing:


appel:~# echo 1 > /proc/sys/net/ipv4/ip_forward
appel:~# cat /proc/sys/net/ipv4/ip_forward
1

To make sure the setting is restored after a reboot, adjust /etc/network/options:


ip_forward=yes

Spoofprotect

Put in /etc/network/options:


spoofprotect=yes

Syncookies

Put in /etc/network/options:


syncookies=no

Defragment

[META]

13.2 Network Address Translation

When you use IP addresses from the private ranges on your internal network, like:

then no connection from your local net to the Internet will succeed, even though you have turned on routing. The reason for this is that private-range addresses are not allowed on the Internet, so they are filtered. To solve this you need NAT, or as it is called in the GNU/Linux world: masquerading.

There are two types of NAT: Source NAT and Destination NAT.

Source NAT

Because private IP addresses may not appear on the Internet, we use Source NAT to hide them. If you have a 2.4.x kernel installed, use iptables to set up masquerading:


iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

We assume that ppp0 is your Internet interface. For 2.2.x kernels you might want to use ipchains:


ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0 -i ppp0

With the above lines you have a basic system: your internal network is connected to the Internet. You have a router, but no firewall yet.

Destination NAT

The other way around is Destination NAT, meaning that the destination IP address is translated. Later versions of this document may contain more information on this.

Firewalling

Setting up a firewall, and giving a complete description of how to do it, is a lot of work. For now we are going to drop every incoming TCP connection from the Internet, just to be sure (note that this also closes our SSH connection):


iptables -A INPUT -s 0/0 -p tcp --syn -j DROP -i ppp0
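The forwarding, masquerading and inbound-SYN-drop steps of this section, gathered into one script as an added example (not part of the original HOWTO). It assumes the WAN interface and internal network are passed as arguments, maps spoofprotect to the kernel's rp_filter setting, and defaults to dry-run so the generated rules can be reviewed before they are applied. The rules are restricted to the internal network with -s, which the original MASQUERADE line does not do.

```shell
#!/bin/sh
# Added example: basic router setup from section 13, with dry-run and audit.
# Assumption: standard /proc/sys/net/ipv4 layout; PROC_ROOT can be overridden.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

# run_cmd: print the command in dry-run mode, execute it otherwise
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_cidr: rough syntactic check for a.b.c.d/nn
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# router_rules WAN_IF LAN_NET: emit (or apply) the rules this section describes
router_rules() {
    wan="$1"; lan="$2"
    valid_cidr "$lan" || { echo "bad network: $lan" >&2; return 1; }
    # Source NAT: hide the internal range behind the WAN interface
    run_cmd iptables -t nat -A POSTROUTING -s "$lan" -o "$wan" -j MASQUERADE
    # Firewall: drop new inbound TCP connections arriving from the Internet
    run_cmd iptables -A INPUT -i "$wan" -p tcp --syn -j DROP
}

# sysctl_is FILE EXPECTED: 0 if the kernel setting matches, non-zero otherwise
sysctl_is() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = "$2" ]
}

# audit_router: check forwarding and spoof protection; 0 only if both are on
audit_router() {
    rc=0
    sysctl_is "$PROC_ROOT/ip_forward" 1 || { echo "ip_forward is off"; rc=1; }
    sysctl_is "$PROC_ROOT/conf/all/rp_filter" 1 || { echo "rp_filter (spoofprotect) is off"; rc=1; }
    return $rc
}

# Usage: DRY_RUN=0 sh router.sh   (edit the interface and network below)
# router_rules ppp0 192.168.1.0/24 && audit_router
```

Run audit_router after a reboot to confirm that the /etc/network/options settings actually took effect.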

For more info on iptables, read the documentation by Rusty Russell:

http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/

