Tuesday, February 17, 2009

NAT with the 2.4.x kernel

In the newer Linux kernel, Netfilter and iptables replace ipchains, adding the ability to mark each packet that is filtered, as well as the NAT and mangle tables. Each table has its own function: as the name suggests, the NAT table handles everything to do with Network Address Translation, including port redirection and IP Masquerading, while the mangle table can be used to mark a packet so that it is processed or forwarded under a particular condition later on.


The mangle table is not discussed here, since it strays from our topic, Network Address Translation (NAT).


As mentioned earlier, the implementation of IP Masquerading also changed: it was originally placed in the filter table, but in iptables IP Masquerading lives in its own dedicated NAT table. Therefore the author only adds the implementation of IP Masquerading on kernel 2.4.xx, while the copyright is still held by Sdr. Agus Hartanto :-).


If you do not know what IP Masquerade is and what it is used for, please read the article on NAT with Linux by Sdr. Agus, because this article does not describe it in detail, for fear of being accused of copying other people's ideas later :-). I also still use the diagram from Sdr. Agus's article, because iptables is basically similar to ipchains and that way readers will understand it more easily. The examples here use RedHat Linux as the reference, so file locations may differ if you use a distribution other than RedHat.

1. Preparation
To connect to the internet using IP Masquerade, there must be at least one Linux machine on the network that is connected to the Internet and has at least one real (official) IP address, and of course the Linux kernel must support IP Masquerade. The program used to enable IP Masquerade on kernel 2.4.x is iptables; ipfwadm and ipchains are actually still available, but iptables performs faster than its predecessors and offers a higher level of security, such as limiting the number of incoming packets.


iptables is already available by default with the 2.4.x kernel, but if you want to compile it separately, you can find and download the program via netfilter.samba.org or a Linux archive site such as Freshmeat.


As a first step, the computers connected to the internal network should be given private IP addresses and placed in the same netmask as the gateway computer.


Example:


                   -----------------
               ISP ppp0 = 202.151.22.1 ----------+
                   -----------------             |
                                                 |
                                                 |
                                                 |
     +-------------+-------------+---------------+
     |             |             |               |
-----+-----   -----+-----   -----+-----   -------+--------
192.168.1.2   192.168.1.3   192.168.1.4   eth0 = 192.168.1.1
-----------   -----------   -----------   ----------------
 CLIENT 1      CLIENT 2      CLIENT 3          Server

netmask = 255.255.255.0

For IP Masquerade, your kernel must support the options below:


* Enable loadable module support
CONFIG_MODULES
- allows kernel components to be loaded in the form of modules

* Networking support
CONFIG_NET

* Network firewalls
CONFIG_FIREWALL

* TCP / IP networking
CONFIG_INET

* Netfilter Support
CONFIG_NETFILTER

* Netfilter: Connection Tracking
CONFIG_IP_NF_CONNTRACK

* Netfilter: IP tables support
CONFIG_IP_NF_IPTABLES

* Netfilter: Filter packets
CONFIG_IP_NF_FILTER

* Netfilter: reject packets
CONFIG_IP_NF_TARGET_REJECT

* Netfilter: NAT Support
CONFIG_IP_NF_NAT
CONFIG_IP_NF_NAT_NEEDED

* Netfilter: IP Masquerading
CONFIG_IP_NF_TARGET_MASQUERADE

* Netfilter: Redirection
CONFIG_IP_NF_TARGET_REDIRECT

* Netfilter: IRC NAT Support
CONFIG_IP_NF_NAT_IRC

* Netfilter: Mangle Table
CONFIG_IP_NF_MANGLE

* Netfilter: Log target support
CONFIG_IP_NF_TARGET_LOG

* Netfilter: Ipchains Style Support
CONFIG_IP_NF_COMPAT_IPCHAINS

* Netfilter: Ipfwadm Style Support
CONFIG_IP_NF_COMPAT_IPFWADM

* Dummy net driver support
CONFIG_DUMMY

In the 2.4.x kernel installed on RedHat these options are already enabled as modules, so you do not need to recompile the kernel, which is of course very tiring for those who are not used to it :-). And to use the modules you do not need to load them first with modprobe; you only need to run iptables, and the required modules will automatically be loaded into memory by iptables.

2. Enabling IP forwarding
To enable ip_forward you need to write the value 1 to the file /proc/sys/net/ipv4/ip_forward, for example by typing at the Linux command prompt:


[root@server /]# echo "1" > /proc/sys/net/ipv4/ip_forward

This is very important to note, because since kernel 2.0.34 the kernel does not enable it by default.


Alternatively, you can add the following line to /etc/sysctl.conf:


net.ipv4.ip_forward = 1

With that line, the script /etc/rc.d/init.d/network will automatically write the value 1 to /proc/sys/net/ipv4/ip_forward when Linux starts.

3. Loading the modules that support IP Masquerade
As mentioned above, in the 2.4.x kernel the available modules do not need to be loaded first; you just run iptables, and the required modules will automatically be loaded into memory. Some of the Netfilter modules in kernel 2.4.x (located in the directory /lib/modules/2.4.x/kernel/net/ipv4/netfilter) are:


ipchains.o ip_nat_ftp.o iptable_nat.o ipt_mark.o ipt_owner.o ipt_TCPMSS.o
ip_conntrack_ftp.o ip_nat_irc.o ip_tables.o ipt_MARK.o ipt_REDIRECT.o ipt_tos.o
ip_conntrack_irc.o ip_queue.o ipt_limit.o ipt_MASQUERADE.o ipt_REJECT.o ipt_TOS.o
ip_conntrack.o iptable_filter.o ipt_LOG.o ipt_MIRROR.o ipt_state.o ipt_unclean.o
ipfwadm.o iptable_mangle.o ipt_mac.o ipt_multiport.o ipt_tcpmss.o

4. Configuring IP forwarding rules and a simple firewall
To enable IP Masquerade, you must give the command:


iptables -t nat -A POSTROUTING -s yyy.yyy.yyy.yyy/x -j MASQUERADE

where yyy.yyy.yyy.yyy/x is the internal network shown in the diagram above.

For more details, look at the examples below:

1. You have a network with the gateway IP address 192.168.1.1 and Linux clients 192.168.1.2 through 192.168.0.4 with netmask 255.255.255.0, and you want to enable IP Masquerading for these addresses; then you must type the command:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE

2. You have the same addresses as above, but you want only the clients numbered 192.168.1.5 and 192.168.0.10 to be able to access the internet; then you only need to type the commands:

iptables -t nat -A POSTROUTING -s 192.168.1.5/32 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.10/32 -d 0.0.0.0/0 -j MASQUERADE

3. You have the same addresses as above and you want all clients to be able to access the Internet, except that the IPs 192.168.1.5 and 192.168.1.10 must not be able to access the internet; then you should type the command:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0/0 -j MASQUERADE

to enable masquerading. Then we block the two computers with the commands:


iptables -I INPUT -s 192.168.1.5/32 -d 0/0 -j DROP
iptables -I INPUT -s 192.168.1.10/32 -d 0/0 -j DROP

4. Administering certain facilities
We can also intercept packets that are going to a particular port, which lets us turn certain internet facilities off or on. For example, if you want the client with the address 192.168.1.5 not to be allowed to chat, we can block the packets from client 192.168.1.5 that are going to the IRC port (for example port number 6667).
Below is an example that intercepts TCP packets from the client with address 192.168.1.5 to port 6667:

iptables -I INPUT -p tcp -s 192.168.1.5/32 -d 0/0 --destination-port 6667 -j DROP

To remove a rule we have created, we replace the -I or -A option with -D; for example, the rule


iptables -I INPUT -p tcp -s 192.168.1.5/32 -d 0/0 --destination-port 6667 -j DROP

can be removed with the command:


iptables -D INPUT -p tcp -s 192.168.1.5/32 -d 0/0 --destination-port 6667 -j DROP
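The steps of sections 2 to 4 collected into one script, as an added example that is not code from the original article: it generates the gateway rule set for the network in the diagram so it can be reviewed, and only applies it when asked. It assumes the internal interface is eth0, the uplink is ppp0, and the blocked clients are passed as space-separated arguments.

```shell
#!/bin/sh
# Added example, not from the original article: generate the masquerading
# gateway rule set for the network in the diagram, then apply it.
# Assumptions: LAN on eth0 (192.168.1.0/24), uplink on ppp0.
LAN_NET="192.168.1.0/24"
LAN_IF="eth0"
WAN_IF="ppp0"

# Print one command per line for the fully blocked clients ($1, space
# separated, may be empty) and the IRC-blocked clients ($2).
# Emitting text first lets the rule set be reviewed before it is applied.
gen_rules() {
    blocked="$1"; no_irc="$2"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # -o restricts NAT to packets that actually leave via the uplink.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    # Traffic routed through the gateway traverses FORWARD, not INPUT
    # (INPUT only sees packets addressed to the gateway itself), so the
    # client restrictions go here; -I puts them ahead of the ACCEPTs.
    for ip in $blocked; do
        echo "iptables -I FORWARD -i $LAN_IF -s $ip/32 -j DROP"
    done
    for ip in $no_irc; do
        echo "iptables -I FORWARD -i $LAN_IF -s $ip/32 -p tcp --dport 6667 -j DROP"
    done
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT"
    # Only replies to connections opened from the LAN are let back in
    # (connection tracking via ipt_state.o from the module list above).
    echo "iptables -A FORWARD -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Review helper: number of generated rules that touch chain $3.
count_chain() {
    gen_rules "$1" "$2" | grep -c " $3 "
}

# Apply the generated rules; must run as root on the gateway.
apply_rules() {
    gen_rules "$1" "$2" | while read -r cmd; do $cmd; done
}
```

Run `gen_rules "192.168.1.5 192.168.1.10" ""` to inspect the rule set for example 3 above, and `apply_rules` with the same arguments to load it.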

5. Notes on the iptables options used above

-A append a rule
-I insert a firewall rule at the top of the chain
-D delete a rule you created
-s source address
-d destination address
-j DROP in iptables the DENY target is not recognised; the DROP target is used instead
