NOTE: Most modern Linux distributions (Section 7.1) that
natively come with 2.2.x kernels are typically modular kernels and have
all the IP Masquerade functionality already included. In such cases,
there is no need to compile a new Linux kernel. If you are UPGRADING your
kernel, you should be aware of other programs that might be required and/or
need to be upgraded as well (mentioned later in this HOWTO).
NOTE #1: --- UPDATE YOUR KERNEL ---
Linux 2.2.x kernels older than version 2.2.20 contain several different
security vulnerabilities (some were MASQ specific). Kernels older than
2.2.20 have a few local vulnerabilities. Kernel versions older
than 2.2.16 have a TCP root exploit vulnerability, and versions older than
2.2.11 have an IPCHAINS fragmentation bug. Because of these issues, users
running a firewall with strong IPCHAINS rulesets are open to possible
intrusion. Please upgrade your kernel to a fixed version.
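The note above gives three version thresholds (2.2.11, 2.2.16, 2.2.20). The following added example, which is not part of the HOWTO, turns them into a small POSIX sh check that classifies a kernel version string and flags anything below 2.2.20; the function name `kernel_masq_status` and the issue labels it prints are assumptions made for this example, and it deliberately reports only on the 2.2.x series the note covers.

```shell
#!/bin/sh
# Added example (not from the IP Masquerade HOWTO): classify a 2.2.x kernel
# version against the fix thresholds named in the HOWTO (2.2.11, 2.2.16, 2.2.20).
# Prints the applicable issue labels (or "ok" / "not-2.2.x") on stdout.
# Exit status: 0 when no listed issue applies, 1 otherwise.
kernel_masq_status() {
    ver="$1"
    # Drop any local suffix such as "-smp" or "-ac1" before splitting on dots.
    base=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    patch=${patch:-0}

    # The HOWTO's notes only describe the 2.2.x series.
    if [ "$major" != 2 ] || [ "$minor" != 2 ]; then
        echo "not-2.2.x"
        return 0
    fi

    # Older kernels inherit every issue fixed in later releases, so the
    # labels accumulate as the patch level drops.
    issues=""
    if [ "$patch" -lt 20 ]; then
        issues="local-vulnerabilities"
    fi
    if [ "$patch" -lt 16 ]; then
        issues="$issues tcp-root-exploit"
    fi
    if [ "$patch" -lt 11 ]; then
        issues="$issues ipchains-fragmentation-bug"
    fi

    if [ -z "$issues" ]; then
        echo "ok"
        return 0
    fi
    echo "$issues"
    return 1
}

# Report on the running kernel (constructed usage; harmless on non-2.2.x hosts).
running=$(uname -r)
status=$(kernel_masq_status "$running") || true
echo "kernel $running: $status"
```

A version such as `2.2.20-smp` is accepted because the suffix is stripped before the numeric comparison; anything outside the 2.2 series is reported as `not-2.2.x` rather than guessed at.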
NOTE #2: Some newer Linux distributions (Section 7.1) such as
Redhat 5.2 might not be Linux 2.2.x ready (upgradable). Tools
like DHCP, NetUtils, etc. will need to be upgraded. More details
can be found later in the HOWTO.
A properly configured and running TCP/IP network on the Linux
machine, as covered in the
Linux NET-3-4 HOWTO and the
Network Administrator's Guide. Also check out the
TrinityOS document, which is also authored by David Ranch. TrinityOS is
a very comprehensive guide for Linux networking. Some topics include IP MASQ,
security, DNS, DHCP, Sendmail, PPP, Diald, NFS, IPSEC-based VPNs, and
performance sections, to name a few. There are over fifty sections in all!
Know how to configure, compile, and install a new Linux kernel as described in
the Linux Kernel
HOWTO. This HOWTO does cover kernel compiling, but only for IP
Masquerade related options.
Other optional patches and tools for 2.2.x kernels
There are 2.2.x and 2.0.x kernel MASQ module solutions for PORTFWed FTP
to a MASQed machine (putting an FTP server behind a MASQ server). Please
see the Application Page on the IPMASQ
WWW site for full details. Please note that this is not
required for 2.4.x kernels.
There is a full FTP proxy application from SuSe that will also allow
PORTFWed-like functionality to reach an internal FTP server. For more
details, please refer to the
SuSe Proxy URL.
IPROUTE2 for true 1:1 NAT, policy-based (source) routing, and traffic shaping: