Network Address Translation (NAT) lets you hide the IP addresses of the computers on your network that connect to the Internet. NAT replaces the source address of each outgoing packet with the IP address of the firewall computer, which also serves as the gateway between your network and the Internet. The original source address is recorded in a connection-tracking table on the gateway, so it knows which computer made the request.
When the firewall receives the reply, such as a Web page, the process is reversed. As the packets pass through the firewall, the originating computer is looked up in that table, and the destination in each packet header is rewritten before the packets are sent on their way.
This approach is useful for several reasons. Computers behind the firewall cannot be reached directly from the Internet unless the firewall forwards the traffic to them, which makes it harder for someone to break into your network; keep in mind that NAT by itself is not a packet filter, so the firewall still needs filtering rules. NAT also allows you to connect computers to the Internet without an official IP address for each one, so you can use the private IP addresses discussed in Chapter 1 on your internal LAN. In the Linux world, this process is known as IP masquerading.
Red Hat Enterprise Linux supports a variation of NAT called IP masquerading, in which the address substituted into outgoing packets is whatever address is currently assigned to the Internet-facing interface. IP masquerading allows you to provide Internet access to multiple computers with a single officially assigned IP address, by mapping multiple internal IP addresses to that one valid external address.
Connecting multiple systems to the Internet using IP masquerading is a fairly straightforward process. Your firewall computer will need one network card to connect to your LAN and a second network card for the Internet. This second network card can be a telephone modem, or it can be connected to a cable modem or DSL adapter. This configuration requires the following steps:
Assign your official IP address to the network card that is directly connected to the Internet.
Assign computers on your LAN one of the private IP addresses described in Chapter 1.
Reserve one private IP address for the network card on your firewall that is connected to the LAN.
Use iptables to set up IP masquerading.
Enable IP forwarding on the firewall computer.
Configure the computers on your LAN with the IP address of your firewall computer as their Internet gateway.
Take a careful look at what happens when a message travels from a computer on the LAN, through the firewall, to the Internet. When a computer on your LAN wants a Web page, it sends packets to the firewall. The firewall replaces the source IP address in each packet with its own official IP address and, because two LAN computers may have chosen the same source port, assigns a new source port number as well. The firewall records the original source IP address and port number alongside the port it assigned and the remote destination.
When a packet comes in from the Internet to the firewall, it carries a destination port number. If the firewall can match that port, together with the packet's remote source, against an entry it recorded for an outgoing connection, the process is reversed: it replaces the destination IP address and port number with the internal computer's private IP address and original port, and forwards the packet to that client on the LAN. A packet that matches no entry is treated as addressed to the firewall itself, and the firewall's own filtering rules decide what happens to it.
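To make that table concrete, here is an added example (not from the original text) that models the firewall's translation table in a shell script: two LAN clients that happen to pick the same source port, the reply that maps back to the right client, and an inbound packet that matches nothing. The addresses 203.0.113.5, 192.168.0.10, 192.168.0.11, 198.51.100.7 and the port numbers are made up for the example; on a real gateway the table lives in the kernel's connection-tracking code, not in a shell variable.

```shell
#!/bin/sh
# Added example, not from the original text: a toy model of the masquerading
# table. Addresses are constructed from the documentation ranges.

FIREWALL_IP=203.0.113.5   # assumed public address on the Internet-facing card
NAT_TABLE=""              # one entry per line: src_ip src_port nat_port dst_ip dst_port
NEXT_PORT=1024            # next unused port on the firewall's public side
NAT_RESULT=""             # the rewritten packet (or drop reason) from the last call

# LAN -> Internet. Packet "src_ip:src_port -> dst_ip:dst_port" leaves the LAN;
# the firewall substitutes its own address and a port of its own, remembering
# the original so replies can be mapped back. An existing entry is reused.
nat_outbound() {
    src_ip=$1; src_port=$2; dst_ip=$3; dst_port=$4
    nat_port=$(printf '%s' "$NAT_TABLE" | awk -v s="$src_ip" -v p="$src_port" \
        -v d="$dst_ip" -v q="$dst_port" '$1==s && $2==p && $4==d && $5==q {print $3; exit}')
    if [ -z "$nat_port" ]; then
        nat_port=$NEXT_PORT
        NEXT_PORT=$((NEXT_PORT + 1))
        NAT_TABLE="${NAT_TABLE}${src_ip} ${src_port} ${nat_port} ${dst_ip} ${dst_port}
"
    fi
    NAT_RESULT="$FIREWALL_IP:$nat_port -> $dst_ip:$dst_port"
}

# Internet -> firewall. A packet "src_ip:src_port -> FIREWALL_IP:dst_port"
# arrives. Only a port the firewall handed out, coming from the same remote
# endpoint it was handed out for, maps back to a LAN client. Anything else has
# no entry: the function reports a drop and returns 1.
nat_inbound() {
    src_ip=$1; src_port=$2; dst_port=$3
    client=$(printf '%s' "$NAT_TABLE" | awk -v s="$src_ip" -v p="$src_port" \
        -v n="$dst_port" '$4==s && $5==p && $3==n {print $1 ":" $2; exit}')
    if [ -z "$client" ]; then
        NAT_RESULT="DROP (no entry for $src_ip:$src_port -> $FIREWALL_IP:$dst_port)"
        return 1
    fi
    NAT_RESULT="$src_ip:$src_port -> $client"
}

demo() {
    # Two LAN hosts happened to choose the same source port, 40000.
    nat_outbound 192.168.0.10 40000 198.51.100.7 80 && echo "out: $NAT_RESULT"
    nat_outbound 192.168.0.11 40000 198.51.100.7 80 && echo "out: $NAT_RESULT"
    # The reply for the second host comes back to port 1025 and is mapped back.
    nat_inbound 198.51.100.7 80 1025 && echo "in:  $NAT_RESULT"
    # An unsolicited packet to port 1026 matches nothing.
    nat_inbound 198.51.100.7 80 1026 || echo "in:  $NAT_RESULT"
}
demo
```

The point of the second lookup key (remote address and port, not just the firewall port) is that a stranger on the Internet cannot reach a LAN client simply by guessing a port number the firewall has in use; the entry only matches the peer the client is actually talking to.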
The next step in the process is to use iptables to enable masquerading. The following command assumes that eth1 represents the network card that is directly connected to the Internet, and that your LAN has a network address of 192.168.0.0/24:
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
The following command loads the connection-tracking and NAT helper modules that let FTP, which opens a second data connection, work through your firewall:
# modprobe -a ip_conntrack_ftp ip_nat_ftp
These are the module names on the 2.6 kernels shipped with Red Hat Enterprise Linux 4 and 5; on kernel 2.6.20 and later the same modules are called nf_conntrack_ftp and nf_nat_ftp.
If you've installed the kernel source code, similar modules are available in your kernel directory, in the following subdirectory:
But there is one more thing. IP masquerading does not work unless you've enabled IP forwarding, as described in the next section.
IP forwarding is more commonly referred to as routing. Routing is critical to the operation of the Internet or any IP network. Routers connect and facilitate communication between multiple networks. When you set up a computer to find a site on an outside network, you need a gateway address. This corresponds to the IP address of your router on your LAN.
A router looks at the destination IP address of each packet. If the IP address is on one of its LANs, it routes the packet directly to the proper computer. Otherwise, it sends the packet to another gateway closer to its final destination. To use a Red Hat Enterprise Linux system as a router, you must enable IP forwarding in the /etc/sysctl.conf configuration file by changing
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
These settings take effect the next time you reboot your system, or when you reload the file with the sysctl -p command. Until then, you can enable forwarding directly in the running kernel with the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward
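The whole procedure, as one added script that is not part of the original text: it assumes eth1 faces the Internet, eth0 faces the LAN, and the LAN is 192.168.0.0/24 (all three can be overridden through environment variables). It turns on forwarding now and in /etc/sysctl.conf, loads the FTP helpers, adds the MASQUERADE rule, and, because MASQUERADE only rewrites addresses and filters nothing, sets a FORWARD policy that lets LAN traffic out and only established or related traffic back in. Run it as root with the argument apply, or set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original text: set up a two-card masquerading
# gateway end to end. Assumed layout: eth1 faces the Internet, eth0 faces the
# LAN, LAN = 192.168.0.0/24. Usage (as root):           ./masq.sh apply
# To inspect the commands without touching anything:   DRY_RUN=1 ./masq.sh apply

WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Routing on now, and persistent across reboots via /etc/sysctl.conf.
enable_ip_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run sed -i 's/^net\.ipv4\.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
}

# FTP opens a second data connection; these helpers let connection tracking
# follow it. The modules were renamed in kernel 2.6.20, so try the new names
# first and fall back to the old ones.
load_ftp_helpers() {
    if ! run modprobe -a nf_conntrack_ftp nf_nat_ftp 2>/dev/null; then
        run modprobe -a ip_conntrack_ftp ip_nat_ftp
    fi
}

# The masquerading rule from the text, plus FORWARD filtering. With the
# default ACCEPT policy the gateway would forward any Internet packet that
# happens to be routable to a LAN address.
install_rules() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -P FORWARD DROP
    # A packet from the Internet claiming a LAN source address is spoofed.
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # LAN to Internet: anything from our network leaving through the WAN card.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Internet to LAN: only replies to connections the LAN opened, plus flows
    # the helpers mark as related (the FTP data channel).
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
    enable_ip_forwarding
    load_ftp_helpers
    install_rules
}

if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Rules are appended, so run the script once on a clean rule set (or after iptables -F and iptables -t nat -F); on Red Hat Enterprise Linux, save the result with service iptables save so it survives a reboot.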
Now that you have seen some of the security capabilities of Red Hat Enterprise Linux, refer to the following Scenario & Solution for some possible scenario questions and their answers. It does not matter what you do, as long as it solves the problem.
SCENARIO & SOLUTION
Scenario: You have only one official IP address, but you need to provide Internet access to all of the systems on your LAN. Each computer on the LAN has its own private IP address.
Solution: Use iptables to implement IP masquerading. Make sure IP forwarding is active.
Scenario: You have installed an e-mail server on your corporate network, and you want to restrict access to certain departments. Each department has its own subnet.
Solution: Use the /etc/hosts.deny file from the tcp_wrappers package to deny the e-mail service (dovecot) to the unwanted subnets.
Scenario: You have a LAN of Linux and Unix computers and want to implement a single authentication database of usernames and passwords for the network.
Solution: Set up an NIS server and configure the other computers on your LAN as NIS clients. NFS file sharing can supply the shared home directories that usually accompany a network-wide account database.
Scenario: You want to modify the commands associated with halting and rebooting your computer so they're accessible only to the root user.
Solution: Edit the Pluggable Authentication Module configuration files for those commands in /etc/pam.d so that they use the system-auth stack.