3. Bit more in-depth version
Compiling the kernel: (Use a 2.4.x kernel or greater)
You need the following support in the kernel:
First, if iptables and masquerading support are not compiled into the kernel
but do exist as modules, the modules need to be loaded. Loading ipt_MASQUERADE
with modprobe pulls in its dependencies (ip_tables, ip_conntrack and
iptable_nat) automatically; insmod does not resolve dependencies, so use
modprobe:
$> modprobe ipt_MASQUERADE
Now either your intranet is large, or you're just trying to get two or three
machines to work on the internet - it doesn't make much difference either way.
Okay, I'm assuming that you have no other rules (these commands flush every
existing rule in the filter, nat and mangle tables), so do:
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
If you get an error saying iptables can't be found, go find it and install it.
If it says there is no such table as 'nat', recompile the kernel with NAT
support. If it says there is no such table as 'mangle', don't worry about it;
it's not necessary for masquerading. If it says iptables is incompatible with
your kernel, get a 2.4 or later kernel and compile it with iptables support.
Then if you have a static IP (e.g. a network card not using DHCP) do:
$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 123.12.23.43
(older iptables versions also accept the abbreviation --to). Or for a dynamic
address (e.g. a modem - you have to dial a number first), where the address
may change from one connection to the next, use MASQUERADE, which always uses
the interface's current address:
$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Then finally tell the kernel that yes, you really do want to start forwarding
packets. (This only needs to be done once per reboot - but it doesn't hurt to
do it more than once.)
$> echo 1 > /proc/sys/net/ipv4/ip_forward
Once you have checked this all works (see under Post-install), only allow
masquerading from the internal network - you don't want to allow people on
the internet to use it after all :)
First, allow any existing connections, or anything related to them (e.g. an
ftp server connecting back to you):
$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
If this gives an error, then you most likely don't have state tracking in
the kernel - go recompile. Then allow new connections only from our
intranet (local/internal network). Replace ppp0 with eth0 or whatever your
external device is. (The ! means anything but; current iptables versions
want it before the option as shown here, while older ones wrote "-i ! ppp0".)
$> iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
And now deny everything else:
$> iptables -P INPUT DROP    # only if the first two rules were successful
If either of the first two rules failed, this default policy cuts off all
traffic addressed to the gateway itself, including your own logins and any
service (DNS, a proxy, ...) the intranet gets from it, so things will appear
to stop working. To undo it, do "iptables -P INPUT ACCEPT". Note that the
INPUT chain only sees packets destined for the gateway itself; packets being
masqueraded for the intranet traverse the FORWARD chain, so to restrict who
may have connections forwarded through the box, apply the same
ESTABLISHED,RELATED / NEW rules and a DROP policy to FORWARD as well.
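The whole procedure above gathered into one script, as an added example that is not code from the original HOWTO. The function prints the commands it would run, so the rule set can be reviewed (and kept in a file) before being piped to sh as root, and it applies the same stateful pattern to the FORWARD chain, which is where masqueraded traffic is actually filtered. The interface names and the 123.12.23.43 address are the HOWTO's own examples; the function name and the dry-run/apply arrangement are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the masquerading gateway rule set as a list of commands.
# Usage (as root):
#   masq_rules ppp0 | sh                 # dynamic address: MASQUERADE
#   masq_rules eth0 123.12.23.43 | sh    # static address: SNAT
# Run without "| sh" to just print and review the commands first.

# Print the iptables/sysctl commands for a masquerading gateway.
#   $1 = external interface (e.g. ppp0 or eth0)
#   $2 = optional static public address; when given, SNAT is used instead of
#        MASQUERADE (example address only, replace with your own)
masq_rules() {
    ext_if="$1"
    static_ip="$2"

    # Start from an empty rule set (assumes no other rules are wanted).
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -t mangle -F"

    # NAT rule: SNAT to a fixed address, MASQUERADE when the address may change.
    if [ -n "$static_ip" ]; then
        echo "iptables -t nat -A POSTROUTING -o $ext_if -j SNAT --to-source $static_ip"
    else
        echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
    fi

    # Let the kernel forward packets between interfaces.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # Protect the gateway itself: replies to existing connections are fine,
    # new connections only from interfaces other than the external one.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state NEW ! -i $ext_if -j ACCEPT"
    echo "iptables -P INPUT DROP"

    # Same pattern for forwarded traffic: only the intranet may open
    # connections through the gateway; the DROP policy is set last so the
    # ACCEPT rules are already in place when it takes effect.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state NEW ! -i $ext_if -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# Print the rule set for the interface given on the command line, if any.
if [ -n "$1" ]; then
    masq_rules "$1" "$2"
fi
```

Because the script only prints, it needs no privileges to review; if the gateway also runs a DNS resolver or proxy for the intranet, add an INPUT ACCEPT for that service on the internal interface before the DROP policy.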