"Linux Gazette...making Linux just a little more fun!"


The Answer Guy


By James T. Dennis, [email protected]
Starshine Technical Services, http://www.starshine.org/


(?) Linux as a General Purpose SOHO to Internet Gateway

From Ron Smith on Sat, 11 Apr 1998 on a newsgroup

I looked through the FAQ and didn't find any answers to this question. I hope this is the right forum.

(!) "The" FAQ. There are a huge number of Linux FAQ and HOW-TO documents. I haven't read them all and I'm "The Answer Guy."

I am a fairly experienced UNIX developer but I usually leave the difficult administrative stuff to the SysAdmins. I have been running a small LAN for my business using Slackware LINUX (currently version 3.2) for some time now. What I really want to do is use the LINUX server as a gateway to the internet for the rest of my LAN. I can connect via PPP to my ISP from the LINUX box with no problems but what I haven't found any good books or documentation on is:

How do I setup the LINUX server to bridge between my local LAN and the internet?

(!) You probably want to read up on IP Masquerading. In its simplest form you use the ipfw (kernel packet filtering features) and configure them with a command like:
ipfwadm -F -a accept -m -S 192.168.1.0/24 -D 0.0.0.0/0
... which says:
add a rule to accept packets for forwarding from the 192.168.1.* range of addresses, and masquerade them to wherever they are going.
This assumes you have all your internal systems already configured with RFC 1918 IP addresses like 192.168.1.* or 172.16.*.* or 10.*.*.*, and that you have them all configured to use the Linux system as their default router. It also assumes that you are running a reasonably recent kernel with the ipfw options enabled.

There's quite a bit more to it than that --- but that is the core command that makes it work. Note that some protocols --- ftp in particular --- don't work reliably through masquerading. It is often better to get a copy of the TIS FWTK or SOCKS (application layer proxies) to support these (*).

Suggestions: run a caching nameserver and a good caching web proxy (like squid) on the router (the Linux box). Make a "best effort" to "harden" the router's configuration and contract to have a thorough security audit performed on it. If at all possible isolate the gateway on the "outside" of an interior perimeter router (which can be another Linux box running no services, not even inetd).

Adding the caching for DNS and other protocols can greatly reduce the traffic over the network link and only costs a tiny investment in configuration time, RAM, and disk space. Any traffic that's handled by the cache is a bit less contention for everyone else using the link and everyone between you and the servers that you're accessing (i.e. the whole 'net benefits).

(?)I would appreciate any help that you can give...I will check back here periodically or, if possible, email me directly. Thanks in advance.

(!) Feh! I'll try to remember to spool off a copy via e-mail. Find a good consultant in your area. A good one will show you how to do all of this and will be able to explain quite a bit more because he or she will ask quite a bit more about your requirements. I've glossed over quite a bit here -- in particular regarding the security issues.
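As an added example (not part of the original column and not Mr. Dennis's own script), here is a small shell script that turns the single masquerade rule above into a default-deny forwarding setup with basic anti-spoofing on the dial-up side, the "hardening" the answer only alludes to. It assumes the ipfwadm tool of a 2.0-era kernel built with ipfw and masquerading, a LAN of 192.168.1.0/24 and a link interface named ppp0; the names LAN_NET, PPP_IF, APPLY, run, gateway_rules and has_masq_rule are my own.

```shell
#!/bin/sh
# Added example: ipfwadm gateway rules for a 2.0-era masquerading kernel.
# Assumed names: LAN_NET, PPP_IF, APPLY (not from the column).
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # inside LAN, RFC 1918 space
PPP_IF="${PPP_IF:-ppp0}"               # interface facing the ISP
APPLY="${APPLY:-0}"                    # 0 = print the commands, 1 = run them

# Runs a command, or prints it when APPLY is 0 (the default), so the
# script can be reviewed on a machine that has no ipfwadm at all.
run() {
  if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

gateway_rules() {
  # Forwarding chain: drop everything by default, then masquerade only
  # packets that come from the inside network and leave via the link.
  run ipfwadm -F -f
  run ipfwadm -F -p deny
  run ipfwadm -F -a accept -m -S "$LAN_NET" -D 0.0.0.0/0 -W "$PPP_IF"

  # Input chain: packets arriving from the ISP side that claim an RFC 1918
  # source are spoofed; refuse and log them (-o) so an audit has a trail.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    run ipfwadm -I -a deny -S "$net" -W "$PPP_IF" -o
  done

  # Active-mode FTP needs the kernel's FTP masquerading helper; the module
  # is optional and may not exist on every build, so do not fail on it.
  run modprobe ip_masq_ftp || true

  # Turn forwarding on last, once the rules are in place (only on kernels
  # that expose the sysctl file).
  if [ "$APPLY" = 1 ]; then
    [ -w /proc/sys/net/ipv4/ip_forward ] && echo 1 > /proc/sys/net/ipv4/ip_forward
  else
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  fi
}

# Returns 0 if the generated rule set contains the masquerade rule for LAN_NET.
has_masq_rule() {
  ( APPLY=0; gateway_rules ) | grep -q -- "-F -a accept -m -S $LAN_NET "
}

gateway_rules
```

Run it plain to review the generated commands; run it as `APPLY=1 sh gateway.sh` as root to apply them.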


Copyright © 1998, James T. Dennis
Published in Linux Gazette Issue 28 May 1998

