Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
Let The Music Play: Join EFF Today

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
Copyright Info
Terms of Use
Privacy Info
Masthead / Impressum
Your Account

Private Messages

News Archive
Submit News
User Articles
Web Links


The Web

Who's Online
There are currently, 116 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here



Current HOWTO: Masquerading-Simple-HOWTO

Bitmore indepth version

3. Bitmore indepth version

Compiling the kernel: (Use a 2.4.x kernel or greater)

You need the following support in the kernel:

  • Under Networking Options

    • Network packet filtering (CONFIG_NETFILTER)

  • Under Networking Options->Netfilter Configuration

    • Connection tracking (CONFIG_IP_NF_CONNTRACK)

    • FTP Protocol support (CONFIG_IP_NF_FTP)

    • IP tables support (CONFIG_IP_NF_IPTABLES)

    • Connection state match support (CONFIG_IP_NF_MATCH_STATE)

    • Packet filtering (CONFIG_IP_NF_FILTER)

      • REJECT target support (CONFIG_IP_NF_TARGET_REJECT)




    • Packet mangling (CONFIG_IP_NF_MANGLE)

    • LOG target support (CONFIG_IP_NF_TARGET_LOG)

First, if the iptable and masq modules are not compiled into the kernel and not installed, but do exist as modules, we need to install them. If you insmod ipt_MASQUERADE it will load ip_tables, ip_conntrack and iptable_nat.

$> modprobe ipt_MASQERADE

Now either your Intranet is large, or you're just trying to get two or three machines to work on the internet - it doesn't make much difference either way.

Okay, I'm assuming that you have no other rules, so do:

$> iptables -F; iptables -t nat -F; iptables -t mangle -F

If you get an error saying can't find iptables, go find it and install it. If it says no such table 'nat', recompile the kernel with nat support. If it says no such table as 'mangle', don't worry about it, it's not necessary for MASQ'ing. If it says iptables is incompatible with your kernel, go get > 2.4 and compile that with iptables support.

Then if you have a static ip do (e.g. network card not using DHCP):

$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to

or for dynamic (e.g. a modem - you have to call a number first):

$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Then finally to tell the kernel yes, you really do want to start forwarding packets: (This only needs to be done once per reboot - but dosen't hurt to do it lots)

$> echo 1 > /proc/sys/net/ipv4/ip_forward

Once you have checked this all works (See under Post-install) only allow masquerading from the internal network - you don't want to allow people on the internet to use it after all :)

First, allow any existing connections, or anything related (e.g. ftp server connecting back to you)

$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If this gives an error, then you most likely don't have state tracking in the kernel - go recompile. Then allow new connections only from our intranet (local/internal network). Replace the ppp0 with eth0 or whatever your external device is. (The ! means anything but)

$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

And now deny everything else:

$> iptables -P INPUT DROP   #only if the first two are succesful

If either of the first two rules failed, then this last rule with prevent the masquerading from working at all. To undo this rule do "iptables -P INPUT ACCEPT".

The Linux Tutorial completely respects the rights of authors and artists to decide for themselves if and how their works can be used, independent of any existing licenses. This means if you are the author of any document presented on this site and do no wish it to be displayed as it is on this site or do not wish it to be displayed at all, please contact us and we will do our very best to accommodate you. If we are unable to accommodate you, we will, at your request, remove your document as quickly as possible.

If you are the author of any document presented on this site and would like a share of the advertising revenue, please contact us using the standard Feedback Form.




Security Code
Security Code
Type Security Code

Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!

Amazon Wish List

Did You Know?
You can help in many different ways.


Tell a Friend About Us

Bookmark and Share

Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.09 Seconds