From Ron Smith on Sat, 11 Apr 1998 on a newsgroup
I looked through the FAQ and didn't find any answers to this question. I hope this is the right forum.
"The" FAQ. There are a huge number of Linux FAQ and HOW-TO documents. I haven't read them all and I'm "The Answer Guy."
I am a fairly experienced UNIX developer but I usually leave the
difficult administrative stuff to the SysAdmins. I have been running a
small LAN for my business using Slackware LINUX (currently version 3.2)
for some time now. What I really want to do is use the LINUX server as
a gateway to the internet for the rest of my LAN. I can connect via PPP
to my ISP from the LINUX box with no problems but what I haven't found
any good books or documentation on is:
How do I setup the LINUX server to bridge between my local LAN and the
internet?
You probably want to read up on IP Masquerading. In its simplest form you use the ipfw (kernel packet filtering features) and configure them with a command like:

    ipfwadm -F -a accept -m -S 192.168.1.0/24 -D any

... which says: add a rule to accept packets for forwarding from the 192.168.1.* range of addresses, and masquerade them to wherever they are going.

This assumes you have all your internal systems already configured with RFC 1918 IP addresses like 192.168.1.* or 172.16.*.* or 10.*.*.*, and that you have them all configured to use the Linux system as their default router. It also assumes that you are running a reasonably recent kernel with the ipfw options enabled.
There's quite a bit more to it than that --- but that is the core command that makes it work. Note that some protocols --- ftp in particular --- don't work reliably through masquerading. It is often better to get a copy of the TIS FWTK or SOCKS (application layer proxies) to support these (*).
Suggestions: run a caching nameserver and a good caching web proxy (like squid) on the router (the Linux box). Make a "best effort" to "harden" the router's configuration and contract to have a thorough security audit performed on it. If at all possible isolate the gateway on the "outside" of an interior perimeter router (which can be another Linux box running no services, not even inetd).
Adding the caching for DNS and other protocols can greatly reduce the traffic over the network link and only costs a tiny investment in configuration time, RAM, and disk space. Any traffic that's handled by the cache is a bit less contention for everyone else using the link and everyone between you and the servers that you're accessing (i.e. the whole 'net benefits).
I would appreciate any help that you can give...I will check back here periodically or, if possible, email me directly. Thanks in advance.
Feh! I'll try to remember to spool off a copy via e-mail. Find a good consultant in your area. A good one will show you how to do all of this and will be able to explain quite a bit more because he or she will ask quite a bit more about your requirements. I've glossed over quite a bit here -- in particular regarding the security issues.
(*) Shortly after writing this, but prior to "going to press" I hunted around for an alternative to FWTK and found DeleGate, which can be used as a SOCKS proxy (semi-transparent but requiring client software support) and as a user-driven proxy. Thus it can be used in place of SOCKS and FWTK and seems to be simpler to set up than either. It hasn't been around as long, or used as widely, so we can't be as confident in its security and feature set. But, it's well worth a look and has a more BSDish license.
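The masquerading setup sketched in the answer above, as an added example that is not part of the original column or its author's text. It wraps the same ipfwadm forwarding rule in a small POSIX sh script that first checks the assumption the answer makes (that the LAN really uses an RFC 1918 prefix) and sets a deny-by-default forwarding policy before adding the masquerade rule. The function names is_rfc1918 and masq_rules are this example's own; the wildcard destination is written as 0.0.0.0/0, and the script only prints the commands, so it runs on any box and the output can be piped to sh on the 2.0-era kernel with CONFIG_IP_MASQUERADE that the column assumes.

```shell
#!/bin/sh
# Added example (not from the column): print ipfwadm commands that make this
# host a masquerading router for one internal LAN prefix, refusing any prefix
# that is not inside RFC 1918 private space (10/8, 172.16/12, 192.168/16).

# is_rfc1918 A.B.C.D/LEN -> returns 0 when the whole prefix lies inside a
# private block, 1 for public space or a malformed argument.
is_rfc1918() {
    prefix=$1
    case "$prefix" in
        */*) ;;
        *) return 1 ;;          # must be written as address/length
    esac
    addr=${prefix%/*}
    len=${prefix#*/}
    case "$len" in
        ''|*[!0-9]*) return 1 ;; # length must be a plain number
    esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr                 # split the address into its four octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    # The prefix length must be at least the private block's own length,
    # otherwise e.g. 10.0.0.0/7 would spill into public address space.
    if [ "$1" -eq 10 ] && [ "$len" -ge 8 ]; then
        return 0
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && [ "$len" -ge 12 ]; then
        return 0
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && [ "$len" -ge 16 ]; then
        return 0
    fi
    return 1
}

# masq_rules A.B.C.D/LEN -> print the commands that flush the forwarding
# chain, deny forwarding by default, and masquerade only the named LAN.
masq_rules() {
    lan=$1
    if ! is_rfc1918 "$lan"; then
        echo "masq_rules: $lan is not an RFC 1918 prefix, refusing" >&2
        return 1
    fi
    cat <<EOF
# enable forwarding on kernels that expose this switch (2.0.x kernels
# enable it at build time with CONFIG_IP_FORWARD instead)
echo 1 > /proc/sys/net/ipv4/ip_forward
# start from an empty forwarding chain and a deny-by-default policy
ipfwadm -F -f
ipfwadm -F -p deny
# forward and masquerade only packets from the internal LAN
ipfwadm -F -a accept -m -S $lan -D 0.0.0.0/0
EOF
}

# Usage: sh masq.sh 192.168.1.0/24        (review the output)
#        sh masq.sh 192.168.1.0/24 | sh   (apply it, as root)
if [ $# -eq 1 ]; then
    masq_rules "$1"
fi
```

The deny-by-default policy is the piece the one-line rule in the answer leaves implicit: without it, any box that routes traffic through the gateway (including one on the ISP side that sets the gateway as a next hop) gets forwarded, and the masquerade rule alone does nothing to stop that.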