Volume 5
Nov 1999
IP Masquerading with Linux
 by Jensen

The benefits of running a Linux/UNIX server as your gateway, and masquerading your IP addresses are simple:

  • an almost unlimited number of internet connections using only 1 internet IP address
  • the security for your entire local network is controlled in one centralized spot
  • you can set up the gateway machine to be very strict with incoming and outgoing access, or you can set it up wide open
  • you can set up PORT forwarding, which is really kewl (explained later)

Setting up your network this way not only makes networking between all the machines on the network really easy, regardless of OS, but also gives you the added stability of using a *nix platform for your connectivity gateway instead of a windows box.

Let me explain a little about how my network is set up. My gateway machine is a P60 (original) running RedHat 6 with 2 nic cards in it. Yes, really, and guess what.. it's stable. As a matter of fact it's real stable.

/usr/src root>uptime
11:18am up 35 days, 14:08, 3 users, load average: 0.01, 0.02, 0.00
/usr/src root>

I have a Dual P90 FreeBSD machine on my LAN, and I also have an AMD K6-2 400 Win98 gaming machine on my LAN. My roommate also has his computer on my network sharing the internet connection. I am using RedHat 6.0 from ftp://sunsite.unc.edu/pub/Linux/distributions/redhat/redhat-6.0/i386 . Both of my nic cards are SMC Ultra cards. I run my internet connection (from my cable modem) to the first ethernet card. This will become eth0 on this machine. I run the other card to my hub. This is eth1.

The first step is to recompile your kernel, if necessary, to add the IP Masquerading support options. The RedHat 6.0 out-of-the-box kernel should already have all the support needed to do IP Masquerading. Getting the Linux machine to recognize 2 NIC cards can be a chore. Your best option is to read the Ethernet-HOWTO available at the Linux Documentation Project. May I suggest using kernel modules when trying this, if at all possible.

Next, set up eth1. This network card will be the gateway for your local network. I make this card's IP address 192.168.1.1 . Note: 192.168.* is a private address range that is used for LOCAL networks only. YOU CANNOT ACCESS THESE IP ADDRESSES FROM THE INTERNET. You can assign your local network machines to ANY IP address in this range.

Set your gateway IP address (eth1) to be 192.168.1.1 with a netmask of 255.255.255.0, or something similar. Now bring up this interface. RedHat users should check out /etc/sysconfig/network-scripts . You can also try using the "sysconfig" command to set up your network interfaces, but I personally don't like sysconfig.

Now... set the IP addresses of the local machines that are connected to the HUB to IP addresses in the 192.168.* range. I would suggest 192.168.1.15 and up. Now use one of these machines to try and ping 192.168.1.1 . Don't forget that 192.168.1.1 will have to be the default gateway for these locally networked machines, because all of their packets must go through the Linux eth1 first. You should be able to ping these two machines from one another. You should NOT be able to ping any internet IP address yet from any machine.

Now try running DHCPCD for eth0, or set up this interface to use a STATIC IP if you'd like. It really doesn't matter. I use DHCPCD, and use http://www.dyndns.org for a static hostname that is dynamically updated.. If the internet connection works, you should be able to type "ifconfig" at the Linux prompt and see 3 different interfaces listed, with all of their information including IP address, MAC addy etc. One for eth0, eth1, and lo.. If you've made it this far, try to ping www.yahoo.com FROM the Linux machine. If it's unable to resolve the name to an IP address, try editing /etc/resolv.conf and adding a line like this (using your ISP's nameserver IP):

nameserver 205.238.128.38

Then try again.

If this doesn't work try checking your system logs. You may have some kind of routing problem. If that's the case, try something like this:

route add default eth0

If it does work, then you're sitting pretty. Try this: "cat /proc/sys/net/ipv4/ip_forward" (the filename is all lowercase). If it is set to 0, then type: "echo 1 >/proc/sys/net/ipv4/ip_forward".

You now need to set up your IPCHAINS rules. There is a HOWTO on this under the Linux Documentation Project, located on metalabs.unc.edu . This should work for most users:

ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY # DO NOT SET TO ACCEPT
ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ

This tells your machine that it needs to forward all 192.168.1.* packets to the destination internet address, and MASQUERADE the IP address as the Linux box's address.

Port forwarding is where someone connects to your masq'd machine on some port XXXX. The Linux machine takes the connections arriving on that port # and forwards them all to a machine on your local network, say 192.168.1.18 port 21. What does this mean? You can let someone access a service on your internal network by forwarding a certain port # on the gateway to that machine's address and port #.

Example (where $IP is the gateway's external/internet IP address on eth0):
ipmasqadm portfw -a -P tcp -L $IP 69 -R 192.168.1.15 22

What this does: this command forwards all connections to my gateway machine's port 69 to my FreeBSD machine's SSH server on port 22. This way I have external internet access to my internal UNIX machine. At this point, if everything is working properly, you should be able to access any internet site from your LAN. If not, there is plenty of documentation on IP Masquerading at the Linux Documentation Project.
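Here is an added example (my own script, not part of the original article) that puts the masquerading rules and the portfw command from above into one reviewable gateway script. It emits the commands as text so you can read them before piping them into a root shell on the gateway; eth0/eth1, the 192.168.1.0/24 LAN and the FreeBSD SSH target are assumptions matching the article's setup, and EXT_IP stands in for the article's $IP. It also adds one thing the article's rule set lacks: packets arriving on the cable-modem interface that claim a private source address are dropped and logged, since nothing on the internet side should ever send them.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the ipchains
# (kernel 2.2) rule set described in the text as a script on stdout.
EXT_IF="${EXT_IF:-eth0}"              # cable modem side (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # hub side, behind eth1 (assumed)
EXT_IP="${EXT_IP:-EXTERNAL_IP_PLACEHOLDER}"  # gateway's public address ($IP)

# Base masquerading rules. Policies match the article; the extra input
# rules deny (and log with -l) spoofed private-source packets on $EXT_IF.
masq_rules() {
    echo "echo 1 >/proc/sys/net/ipv4/ip_forward"
    echo "ipchains -F"
    echo "ipchains -P input ACCEPT"
    echo "ipchains -P output ACCEPT"
    echo "ipchains -P forward DENY"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "ipchains -A input -i $EXT_IF -s $net -j DENY -l"
    done
    echo "ipchains -A forward -s $LAN_NET -d 0.0.0.0/0 -j MASQ"
}

# One port forward: portfw_rule <gateway_port> <lan_host> <lan_port>
portfw_rule() {
    echo "ipmasqadm portfw -a -P tcp -L $EXT_IP $1 -R $2 $3"
}

# Number of ipchains rules (not policies) the generated script adds.
rule_count() {
    masq_rules | grep -c '^ipchains -A'
}

# Review with: sh gateway.sh      Apply as root with: sh gateway.sh | sh
masq_rules
portfw_rule 69 192.168.1.15 22   # article's example: gateway:69 -> FreeBSD ssh
```

Each forwarded port is a hole straight through to an internal machine, so only forward services you actually want reachable from the internet, and watch the kernel log for the spoofed-packet denies.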

It may take some playing around to get everything working properly. The result of IP masquerading is a stable, reliable, secure, private network, with as many internet connections as you should need using one IP address.

The moral of this story is, "if at first you don't succeed, RTFM!!!"

Good luck,
Jensen