The Best Damn Firewall Book Period
IP forwarding is the ability for a Linux system to act as a router. Packets enter the Linux kernel, and are then processed by the operating system. Follow these steps to make your Linux operating system act as a simple IP forwarder:
- Install at least two NICs into your system. This is necessary because your Linux system will then be able to service two different networks. You must, of course, have all of the required cables and hubs to allow systems to use all of the available network hosts.
- Issue the following command at a terminal:
echo "1" > /proc/sys/net/ipv4/ip_forward
This command enables IP forwarding on your Linux router. Enter the preceding command into some sort of file that runs whenever the system boots up; this way, if you restart your system, IP forwarding will be enabled by default. You can create your own file, or you can enter it at the bottom of the /etc/rc.d/rc.local file.
- You can verify whether your system is acting as a router (in other words, an IP forwarder) by issuing the following command:
host# cat /proc/sys/net/ipv4/ip_forward
1
If it reads 1, then your system is now acting as a router. A value of 0 means that your Linux system is not routing.
The main thing to remember is that a Linux system with simple IP forwarding enabled can route any network address to another. If you are allotted a range of IP addresses from a local or regional Internet registry, you can use a multihomed Linux system to route this set of addresses to another network. For example, if you are allotted the 128.187.22.0/24 block of IP addresses, you can use a Linux router to route this network to the 221.9.3.0 network, or to any other.
However, Internet routers will not forward traffic from private IP addresses (in other words, any network address of 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). Figure 5.1, for example, shows how traffic from the 10.1.2.0 network and the 192.168.1.0 network can reach all networks, including the 128.187.22.0 network. However, only traffic from the 128.187.22.0 network can reach the Internet.
Figure 5.1 shows that traffic from the 10.1.2.0 and 192.168.1.0 networks cannot reach hosts across the Internet, only because the Internet routers will simply drop the traffic. To allow private network addresses to reach the Internet, you need to invoke Ipchains/Iptables-based IP masquerading. However, you have at least two solutions available to you:
- Place a proxy server on the network that has at least two NICs. This proxy server can be configured to accept requests from the internal network and forward them to the outside network. The first NIC must be internal, because it will receive traffic passing from inside the network. The second NIC must be external, and will pass internal traffic to the outside world, and will also receive outside traffic so that it can be routed to the internal network. Another way of explaining this concept is that the proxy server receives egress traffic (in other words, traffic passing outside of the private IP address networks) and uses an Internet-routable IP address to forward the packets. The proxy server can also receive ingress traffic and translate it so that internal systems can receive it. This option requires the use of an additional software daemon, such as Squid.
- Enable IP masquerading. In a Linux router, you can use either Ipchains or Iptables to forward and/or alter the IP headers of packets originating from private IP address networks so that they pass through Internet routers. Both Ipchains and Iptables do this by processing IP packets through the Linux kernel. As long as the client hosts are configured to use your Linux router as their default gateway, the clients will be able to access any and all Internet services, including ping, traceroute, Telnet, FTP, e-mail (SMTP and POP3), and Web client traffic (ports 80 and 443). This is because the Linux system "mangles" the packets to make them appear as if they originated from a legitimate IP address, and then sends them on their way. You should note that this option is not necessarily secure: IP masquerading leaves all client hosts wide open to attack. If a hacker can attach to your Linux router using Telnet, for example, he or she can then directly access your systems. You will learn about how you can use Ipchains and Iptables to create firewall rules shortly.
We will focus on the second option: Enable IP masquerading.
Masquerading
Masquerading is when your Linux system rewrites the IP headers of a network packet so that the packet appears to originate from a different host. Once the IP header has been rewritten to a nonprivate IP address, it can then be rerouted over the Internet. The practice of rewriting IP packets is colloquially known as packet mangling, because it alters the contents of the packet. Masquerading is useful because you can use it to invoke NAT, where one IP address can stand in for several.
As shown in Figure 5.2, masquerading allows the Linux-based system to translate the 10.1.2.0 network into the Internet-addressable IP address of 66.1.5.0.
Once the private network of 10.1.2.0 is masqueraded as the IP address of 66.1.5.1, all hosts on this network can access the Internet. Depending on the subnet mask used for the 10.1.2.0 network, this means that hundreds and perhaps even thousands of client hosts can be masqueraded under this one IP address.
Translating the private address to a routable Internet address is accomplished by a database stored on the Ipchains/Iptables-based Linux router. The Linux masquerading router keeps this database so that it knows how to "untranslate," as it were, the packets that have been mangled so that they can then be addressed to the local, private network. This process occurs very quickly, although it is important that you have the proper amount of system power to enable the translation database to do its job.
Simple masquerading leaves the network "wide open," meaning that anyone who enters your firewall or router as a default gateway can have full access to all attached networks. Packet filtering is the answer to locking down access to your network. You can learn more about masquerading by reading the NAT-HOWTO file, which can be found at www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html.
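The forwarding steps above and the masquerading setup just described, as one added example (not the book's own script): the interface names, the 10.1.2.0/24 block, and the helper function names are assumptions. Rather than executing privileged commands directly, the script prints the rule set so it can be reviewed and then applied with `masquerade_rules | sh` as root; it also adds the filtering the text says plain masquerading lacks.

```sh
#!/bin/sh
# Added example, not code from the book. Enables IP forwarding persistently,
# verifies it, and masquerades a private network behind the external NIC,
# with a default-deny FORWARD policy instead of leaving the network "wide open".
INTERNAL_NET="10.1.2.0/24"   # private block from the book's Figure 5.2 (assumed /24)
EXT_IF="eth0"                # assumed Internet-facing NIC
INT_IF="eth1"                # assumed LAN-facing NIC

# Return 0 when the forwarding flag in FILE (default: the kernel's) reads 1.
# Pass a path to check a saved copy; defaults to /proc/sys/net/ipv4/ip_forward.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Print the commands that turn this host into a masquerading router.
# Printing lets you inspect them (or append them to rc.local) before running.
masquerade_rules() {
    cat <<EOF
# Enable forwarding now and on every boot (sysctl form of the echo command)
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# Rewrite the source address of LAN packets as they leave $EXT_IF
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -o $EXT_IF -j MASQUERADE
# Default-deny forwarding: allow LAN -> Internet, and only replies back in
iptables -P FORWARD DROP
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INTERNAL_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Do not expose the router's own Telnet service on the external interface
iptables -A INPUT -i $EXT_IF -p tcp --dport 23 -j DROP
EOF
}

# Number of iptables commands in the generated set (a quick sanity check).
rule_count() {
    masquerade_rules | grep -c '^iptables'
}
```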
Note: Ipchains-based NAT is not compatible with Microsoft Point-to-Point Tunneling Protocol (PPTP) VPN clients. Not surprisingly, Microsoft did not follow RFC-defined standards. Not only did they not follow RFCs, but their PPTP is also plagued by a number of design vulnerabilities that affect security. You can, if you want, find workarounds to provide IPsec and VPN support between your Linux system and Microsoft VPN-enabled systems at www.impsec.org/linux/masquerade/ip_masq_vpn.html.