Linux Help

IP Masquerading Setup Guide   
Printable Version

Janou's Red Hat Linux IP Masquerade  HOWTO
v1.00, 7 May 1999

This document describes how to enable IP masquerade feature on a Linux   host, allowing connected computers that do not have registered Internet IP addresses to connect to the Internet through your Linux box. In other words, you get to LEGALLY get more Internet access for nothing.

Ok folks ... let me show you how to get IP Masquerading going without all the mumbo-jumbo. Before you even get started, there are a few things that you need to check out:

1) What is IP masquerading?
2) Why do you want to masquerade?
3) what will you be masquerading?
3) what you will need to masquerade?

IP Masquerade is a networking function in Linux. If a Linux host is connected to the Internet with IP Masquerade enabled, then computers connecting to it (either on the same LAN or connected with modems) can reach the Internet as well, even though they have no official assigned IP addresses. So, whatever you heard about "MUST HAVING A STATIC IP in order to masquerade" is a bunch of bull!

If Masquerading is set up properly on your Linux box, you can attach more than one workstation (whether another Linux box, or Windows 95/98/NT system) which in hence, can access the internet through a hidden gateway. Even though you can attach multiple workstations to the masquerade, it will appear to the ISP as only one connection.

If you have a stand-alone machine or if you don't plan on connecting to the internet, you do not need to masquerade. Also, if the dial-up is not through the Linux box but through another O/S such as Windows or Apple, then you need to figure out another way.

In order to masquerade, you will need the following: A 2.2.x kernel or 2.0.36 kernel with ALL masquerading features compiled.

These are the following lines that should be enabled in your .config file or when you make menuconfig (these items vary across kernels)


If you do not have these mods enabled, you need to compile them into your kernel. Please read the Kernel-Howto or Joey's guides to compiling a kernel.

If you are using kernel 2.0.36-x, you need to have ipfwadm installed. For those of you running 2.2.x, IPCHAINS is needed because they did away with ipfwadm. If you do not have these, follow the link from our website in the programs page to get it.

Lastly, your network has to be a TCP/IP network. If you are running Novell IPX/SPX or some other protocol, you will not be able to run masquerading. Each workstation that will be in the masquerade should have the TCP/IP Protocol installed.

Ok. Let's get started. I will start with IPCHAINS Masquerade first. It is good practice to keep Linux updated with the latest releases. Joey gives up-to-date reports on the latest erratas and kernel releases. If you are not up-to-date, you should get up-to-date.

On your Linux Box, log on as root and edit the /etc/rc.d/rc.local file--you can use pico for this. At the end of the file, add the following lines:

#---- IP Masquerade section w/IPCHAINS ----
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
#---- IP Masquerade END ----

What this is doing is loading the ip_masq modules ftp, raudio, irc and quake (there is also a ip_masq_vdolive and ip_masq_cuseeme, but you don't need that here). Then we forward the IP packets across the network by using your network's first three nodes with the last node being "0" (ex:

The last line that echos is for IP forwarding. Forwarding is disabled from 2.0.34 and up. This ensures that it is enabled.

This is what the format would look like with ipfwadm (2.0.36-x and 2.1.x)

#---- IP_Masuerading Section w/ipfwadm ----
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake
/sbin/ipfwadm -F -a m -S -D
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -p masquerade
echo 1 > /proc/sys/net/ipv4/ip_forward
#---- IP Masquerade END ipfwadm ----

Once this is done, you can execute rc.local or just reboot your Linux box.

The next thing you need to do is configure your other workstations which I trust will mainly be Windows 95/98 or NT stations.

Setting up Windows 95/98/NT (I assume that you already have a network card and TCP/IP for the card installed and IP addresses assigned).

Go to the Control Panel and double-click Network. In the NIC's TCP/IP properties goto your gateway address and add the IP address of the Linux Box.

Under 'DNS Configuration'/'DNS Server search order' add the DNS that your Linux host uses which is your ISP's address. If you forgot how to get it, on the Linux box, type --> cat /etc/resolv.conf. For the host, type in the hostname of the Linux box. You can find that in the linux prompt. For the domain name, use you ISP's domain name (ex. or

Leave all the other settings as they are unless you know what you're doing. Then Click 'OK' on all dialog boxes and restart system.

When the PC reboots, ping the linux box to test the network connection: You can do this by either going into the DOS prompt and ping the IP address of the Linux box, or choose Start, Run and type in --> ping (where the Xs represent the Linux box IP address. It should ping with no problem. Now, for the ultimate test. You can either ping a domain on the Internet or goto your web browser and try opening a URL. If all goes well, you should be able to surf the web, ftp, telnet and other stuff as you would normally do over the internet. If not, recheck all of the steps above. Most likely, you missed something.

That's it!

Having trouble? Got questions? Require further assistance? If so please feel free to visit our Help Forums and ask the experts!

Copyright © 1997 - 2014 Private World Domination Inc. All rights reserved.
Linux is a registered trademark of Linus Torvalds. All other trademarks and copyrights are the property of their respective owners.
| Contact Us | Link to Us | RSS Feed | Staff |

DNS Hosting by easyDNS