Setting up a Linux IP Masquerading / Gateway Server

The problem:

We had a local LAN connected to the Internet via an NT server using some WinProxy setup. All Windoze 98 machines could transparently see the 'net by using the Micro$oft proxy client. However, Linux machines could not use this proxy, except in Netscape, where it could be manually configured. Only the NT server had a valid IP address as assigned by our ISP.

We needed a solution that would 1) allow any machine to access the Internet even though all the local machines do not have "real" IP addresses (IP address only valid in local subnet), 2) provide basic firewalling features, and 3) be fast.

The solution:

We dug up an old 486. Yep, a 486. I installed RedHat Linux 6.0. We put in two NICs. I recompiled the kernel to make it smaller while enabling IP masquerading. We connected one NIC to the outside world line, and the other to the local hub. We then set all Windoze and Linux client machines to use that 486 box as the gateway. And like that we solved our problem. Took a few hours. And there's nothing like the feeling of rescuing old hardware and putting it back into the front line.

The hardware:

  • 486 machine (100 MHz)
  • Two 500M hard drives
  • 32M RAM
  • Netgear NIC
  • 3com 3c509 NIC

The detailed solution:

The RedHat 6.0 distro comes with kernel version 2.2.5. This should have all the necessary things compiled in to use it as a gateway and masquerading server, but I wanted to recompile anyway to allow for more NIC support (I didn't know which cards we'd be throwing in) and to make the kernel footprint smaller. Step one involved recompiling the kernel with all the options turned on as specified in the IP Masquerading mini-HOWTO, section 3.1. I then did a

make dep; make bzImage; make modules; make modules_install

and copied the resulting bzImage into /boot, changed the entry in my /etc/lilo.conf file, and ran /sbin/lilo.

Then I had to mess with getting these two NICs to show up. This actually turned out to be the hardest part. I had one Netgear card that I put into a PCI slot, and one 3com card that was in an ISA slot. After much work and restarting, I finally got the 3com card as eth1 and the Netgear card as eth0 by using linuxconf to set the adapters. I had to put in the driver module manually (3com was the 3c509.o and the Netgear was tulip.o, I believe). Then, finally, it booted up and initialized both interfaces correctly, and even set up the routing table for me so that eth1 was part of the internal network and eth0 went to the outside world. The "linuxconf" tool was invaluable in getting all this set up. Basically, you just need to fill out the information in the "Basic host information" section. For each adapter, you'll want to set up the IP, hostname, interface name, and driver name. For example, since eth0 points to the outside world, I put in the IP assigned by the ISP, the name with the domain of the ISP, the interface "eth0" and the driver "tulip". I knew the driver was "tulip" because I had used the card in another Linux machine, but I believe it's specified in the NET-3 HOWTO. The second adapter was then configured with the name of the machine with the domain of the internal network, the internal IP for that machine, the interface "eth1", and the driver "3c509".

I then set up the DNS to use the external nameservers, as well as the NT box for the internal DNS. At that point I could ping all internal boxes, as well as all external sites, from the 486. The DNS was set up by entering the IPs of the servers (provided by the ISP) in the /etc/resolv.conf file. Next I had to get the firewalling stuff working, so I installed the ipchains 1.3.8 rpm package (found on http://www.rpmfind.net/) and added two lines to my /etc/rc.d/rc.local file:

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s xxx.xxx.xxx.0/255.255.255.0 -j MASQ

where xxx.xxx.xxx.0 is the internal network. I also had to (in RedHat this is required) change FORWARD_IPV4=false to FORWARD_IPV4=true in /etc/sysconfig/network. After that I rebooted and all was done. It was really quite simple (besides the mess with getting the two NICs to work).
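As an added example (not part of the original write-up), here is a reviewable rc.local-style fragment for the ipchains rules above. It assumes eth0 faces the ISP and eth1 the LAN as in the setup described, that ipchains is at /sbin/ipchains, and that the internal network is given in CIDR form; beyond the page's two lines it also restricts masquerading to packets leaving via eth0 and drops (and logs) packets arriving from outside that claim an internal source address.

```shell
#!/bin/sh
# Added example for the ipchains (kernel 2.2) gateway described above.
# Assumptions not taken from the page: eth0 = ISP side, eth1 = LAN side,
# ipchains binary at /sbin/ipchains. Set IPCHAINS=echo to preview the
# rules instead of applying them.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Accept only a dotted quad with a /0-32 prefix, e.g. 192.168.1.0/24.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip="${1%/*}"; bits="${1#*/}"
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Install the rules: default-deny forwarding, log and drop outside packets
# that spoof an internal source, and masquerade only LAN traffic that is
# leaving through the external interface (ipchains' -i on the forward
# chain names the outgoing interface).
apply_masq_rules() {
    net="$1"; ext="$2"; int="$3"
    valid_cidr "$net" || { echo "bad internal network: $net" >&2; return 1; }
    "$IPCHAINS" -F forward
    "$IPCHAINS" -P forward DENY
    "$IPCHAINS" -A input -i "$ext" -s "$net" -j DENY -l
    "$IPCHAINS" -A forward -i "$ext" -s "$net" -j MASQ
}

# Usage from rc.local: sh thisfile 192.168.1.0/24 (constructed sample net).
if [ -n "${1:-}" ]; then
    apply_masq_rules "$1" eth0 eth1
fi
```

The variable named int is unused by the rules themselves and is kept only so the call site documents which interface is the LAN side; forwarding itself is still enabled through /etc/sysconfig/network as described above.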

We now can use any client machine, with its gateway set as the little 486 Linux box, to surf the 'net.

References:

The following Web sites will provide all the necessary information for getting IP masquerading / firewalling working on a Linux box:

http://members.home.net/ipmasq/ipmasq-HOWTO-1.79.html
http://www.linux.org.au/LDP/HOWTO/IPCHAINS-HOWTO.html
http://okcforum.org/~markg/Secure_Linux/Firewall-HOWTO.html
http://www.linux-mag.com/1999-08/guru_01.html

Michael J. Sherman, 11.04.99
msherman at dsbox.com