Securing and Optimizing Linux:RedHat Edition | All about OS

Build a kernel with Firewall Masquerading and Forwarding support


Once again, the first thing you need to do is ensure that your kernel has been built with Network firewall support and IP firewalling enabled. For the 2.2.14 kernel you need to ensure that you have answered Y to the following questions:
Networking options:
Network firewalls (CONFIG_FIREWALL) [N] Y
IP:Firewalling (CONFIG_IP_FIREWALL) [N] Y
IP:TCP syncookie support (CONFIG_SYN_COOKIES) [N] Y
NOTE: If you followed the Linux Kernel section and have recompiled your kernel, the options “Network firewalls”, “IP:Firewalling” and “IP:TCP syncookie support” shown above are already set.
IP Masquerading and IP ICMP Masquerading are required only for a Gateway Server.
IP:Masquerading (CONFIG_IP_MASQUERADE) [N] Y
IP:ICMP Masquerading (CONFIG_IP_MASQUERADE_ICMP) [N] Y
NOTE: Only your Gateway Server needs to have “IP:Masquerading” and “IP:ICMP Masquerading” kernel options enabled. This is required to masquerade your Internal Network to the outside.
Masquerade means that if one of the computers on your local network for which your Linux box (or gateway) acts as a firewall wants to send something to the outside, your box can “masquerade” as that computer. In other words it forwards the traffic to the intended outside destination, but makes it look like it came from the firewall box itself. It works both ways: if the outside host replies, the Linux firewall will silently forward the traffic to the corresponding local computer. This way, the computers on your local net are completely invisible to the outside world, even though they can reach the outside and can receive replies. This makes it possible to have the computers on the local network participate on the Internet even if they don’t have officially registered IP addresses.
The IP masquerading code will only work if IP forwarding is enabled on your system. This feature is disabled by default; you can enable it with the following command:
Under Red Hat Linux 6.1
• To enable the IP forwarding feature on your server, execute the following command:
[root@deep /]# echo "1" > /proc/sys/net/ipv4/ip_forward
You can add the above line to your “/etc/rc.d/rc.local” script file so that IP forwarding is enabled automatically even if your server is rebooted. In Red Hat Linux 6.1 this can also be accomplished by changing the line in the “/etc/sysconfig/network” file from:
FORWARD_IPV4="false"
To read:
FORWARD_IPV4="yes"
• You must restart your network for the change to take effect:
[root@deep /]# /etc/rc.d/init.d/network restart
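As an added example (not part of the book or of Red Hat), the POSIX shell functions below check a kernel .config for the options listed in this section, distinguishing a plain firewall host from a Gateway Server, and switch the FORWARD_IPV4 setting in a copy of /etc/sysconfig/network. The function names and the .config file path are assumptions.

```shell
#!/bin/sh
# Added example: verify the kernel options from this section and set FORWARD_IPV4.

# Options every firewall host needs (CONFIG_FIREWALL is the 2.2 kernel spelling).
FIREWALL_OPTS="CONFIG_FIREWALL CONFIG_IP_FIREWALL CONFIG_SYN_COOKIES"
# Options only the Gateway Server needs for masquerading.
GATEWAY_OPTS="CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_ICMP"

# missing_options CONFIG_FILE ROLE -- prints each required option not set to =y.
# ROLE is "firewall" or "gateway". Returns 0 if nothing is missing, 1 otherwise.
missing_options() {
    cfg=$1; role=$2
    opts=$FIREWALL_OPTS
    if [ "$role" = gateway ]; then opts="$opts $GATEWAY_OPTS"; fi
    rc=0
    for o in $opts; do
        # Anchor on "=y$" so CONFIG_IP_MASQUERADE does not match CONFIG_IP_MASQUERADE_ICMP.
        if ! grep -q "^$o=y\$" "$cfg"; then
            echo "$o"
            rc=1
        fi
    done
    return $rc
}

# set_forward_ipv4 NETWORK_FILE VALUE -- rewrite FORWARD_IPV4=... in the given file
# (normally /etc/sysconfig/network); VALUE is "yes" or "false" as Red Hat 6.1 expects.
# Appends the line if the file does not have one yet.
set_forward_ipv4() {
    f=$1; val=$2
    if grep -q '^FORWARD_IPV4=' "$f"; then
        sed "s/^FORWARD_IPV4=.*/FORWARD_IPV4=\"$val\"/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        echo "FORWARD_IPV4=\"$val\"" >> "$f"
    fi
}

# forwarding_enabled -- succeeds if the running kernel currently forwards IPv4.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Report the live state when run directly (read-only, so safe on any host).
if forwarding_enabled; then echo "ip_forward: enabled"; else echo "ip_forward: disabled"; fi
```

Run missing_options against the .config used to build the gateway kernel before rebooting into it; a non-empty list means masquerading will silently not work.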
