Kernel Configuration

Yep, you'll once again be compiling your kernel. We need to add some specific configuration items. We need:

· Network firewalls
· IP Firewalling
· IP transparent proxy support
· IP Masquerading
· ICMP Masquerading (so ping will work)
· Optimization as a router
· TCP Syncookie support
· procfs
· sysctl support

Thankfully, we can almost complete this little shopping list in the "Networking Options" of our kernel configuration. As you can see in Figure 3-1, just about everything we need (and more; see the upcoming section, Port Forwarding) can be enabled from one screen. You'll find procfs under "proc filesystem support" in the filesystems section of the kernel config. Sysctl support is found under "general setup." What do these things do?

Figure 3-1. Linux kernel configuration.

Network firewalls and IP Firewalling allow us to use ipchains to block certain packets. They're a required piece of foundation for all the rest. If IP: firewalling is not selected, you aren't allowed to compile masquerading in either. It is, at least as far as I can ascertain, the kernel code that allows you to take a really close look at network packets and to reject or accept them.

IP transparent proxy support is also used in masquerading, and it is what allows the kernel to modify packets as they go through. This is required for IP Masquerading.

IP Masquerading is, well, isn't it obvious that we'd have to enable this in order to do IP Masquerading? This code actually allows the kernel to do packet rewriting, using the rules defined by ipchains. This will also compile the standard ipmasq modules, for such things as vdolive, irc, ftp, and quake, which do not work under normal ipchains rules.

ICMP Masquerading lets you use ping and traceroute from masq'd machines, very handy when checking out networking problems. You want this.

Optimization as a router is definitely a good thing to enable; it'll result in good throughput, provided you're using a dedicated IPMasqing box (which I already highly recommended). Speed is a good thing, right?

TCP Syncookie support is a basic survival strategy. We enable this in the kernel so that when the inevitable denial-of-service attack comes, we'll be prepared. What's a denial-of-service attack? Picture this nightmarish situation: a parent cursed to answer every question, and put in charge of 35 3-year-olds. Flooded with thousands upon thousands of "why?" questions, the parent is incapable of doing anything but responding. That's a denial-of-service attack in a nutshell. It's easy to do, it's usually fairly pointless, and it's quite annoying. TCP Syncookie support will let your internal users continue using the Internet even while you're under attack (specifically a SYN flood, where the attacker's stream of half-open connections would otherwise fill the kernel's connection table). Cool, eh?

Procfs is the Proc filesystem. It's required for enabling IP Forwarding and for that syncookie support we just talked about.

Sysctl support allows you to change some kernel parameters on the fly, which is what we'll need to do to, you guessed it, enable IP Forwarding and syncookie support.
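
Before you boot the new kernel it is worth checking that the .config you built from really contains every item on the shopping list. The shell script below is an added example (my own, not the book's) that scans a .config for those options. The CONFIG_* symbol names are my assumption of the 2.2-era names behind these menu entries, so confirm them against the Config.in of the kernel you are building; the default path /usr/src/linux/.config and the treatment of "=m" as missing (the firewall core has to be built in) are also my choices, and the sample configuration the script can write is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: verify that a kernel .config contains the
# options the chapter's shopping list asks for. The symbol names are assumed
# 2.2-era names; confirm them against your kernel's Config.in.

REQUIRED_SYMBOLS="
CONFIG_FIREWALL
CONFIG_IP_FIREWALL
CONFIG_IP_TRANSPARENT_PROXY
CONFIG_IP_MASQUERADE
CONFIG_IP_MASQUERADE_ICMP
CONFIG_IP_ROUTER
CONFIG_SYN_COOKIES
CONFIG_PROC_FS
CONFIG_SYSCTL
"

# config_has FILE SYMBOL: succeed only if SYMBOL is built in (=y).
# A module (=m) or a commented-out "is not set" line counts as missing.
config_has() {
    grep -q "^$2=y$" "$1"
}

# missing_options FILE: print each required symbol that is not built in,
# one per line. Returns 0 when nothing is missing, 1 otherwise.
missing_options() {
    _missing=0
    for sym in $REQUIRED_SYMBOLS; do
        if ! config_has "$1" "$sym"; then
            echo "$sym"
            _missing=1
        fi
    done
    return $_missing
}

# write_sample_config FILE: constructed .config for trying the script offline.
# It deliberately leaves out syncookies and builds masquerading as a module.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=m
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_ROUTER=y
# CONFIG_SYN_COOKIES is not set
CONFIG_PROC_FS=y
CONFIG_SYSCTL=y
EOF
}

# main [CONFIG]: report the result for CONFIG (default /usr/src/linux/.config,
# an assumed location) and exit non-zero if a rebuild is needed.
main() {
    cfg="${1:-/usr/src/linux/.config}"
    if missing_options "$cfg" >/dev/null; then
        echo "all required options are built in: $cfg"
    else
        echo "rebuild needed; missing from $cfg:"
        missing_options "$cfg"
        exit 1
    fi
}

# Only run the report when a path is given, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check-config.sh /usr/src/linux/.config` after `make menuconfig`; a non-zero exit with the missing symbols listed means go back into the configuration before you compile.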

Now that you've got these things enabled, go ahead and recompile your kernel and install it. Go ahead and reboot, and when the system comes back up, issue these two commands as root:

  # the space before > matters: "echo 1>file" redirects fd 1 and writes only a newline
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Test those two commands, and once you've verified that they work, pick a configuration file (I like /etc/rc.d/rc.inet myself) and add those two lines into it somewhere near the beginning. Syncookie and IP Forwarding support will now be enabled on the next boot as well. Congratulations! Your system now has the basic kernel configuration required for IP Masquerading.
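
"Verify that they work" deserves more than a glance, so here is an added shell example (mine, not the book's) that performs the two writes, reads each flag back to confirm the kernel accepted the value, and fails loudly when the proc file is absent, which means the kernel was built without that option. It also shows what the mistyped form `echo 1>file` really does. The directory is a parameter, and make_scratch_dir builds a constructed stand-in for /proc/sys/net/ipv4 so the script can be exercised without root; all function names are my own.

```shell
#!/bin/sh
# Added example, not the book's code: enable IP forwarding and SYN cookies via
# procfs and confirm each write by reading the flag back.

# set_flag FILE VALUE: write VALUE and succeed only if it reads back.
# Note the space before '>': "echo 1>FILE" is parsed as "echo >FILE" with
# fd 1 redirected, so it writes only a newline and the flag is unchanged.
set_flag() {
    if [ ! -e "$1" ]; then
        echo "missing $1: kernel built without this option?" >&2
        return 1
    fi
    echo "$2" > "$1" || return 1
    [ "$(cat "$1")" = "$2" ]
}

# get_flag FILE: print the current value of the flag.
get_flag() {
    cat "$1"
}

# enable_masq_flags [DIR]: turn on both flags under DIR (default
# /proc/sys/net/ipv4); succeed only if both read back as 1.
enable_masq_flags() {
    dir="${1:-/proc/sys/net/ipv4}"
    set_flag "$dir/ip_forward" 1 &&
    set_flag "$dir/tcp_syncookies" 1
}

# wrong_way FILE: the mistyped command, kept to demonstrate its effect.
wrong_way() {
    echo 1>"$1"
}

# make_scratch_dir: constructed stand-in for /proc/sys/net/ipv4 with both
# flags off, for trying the script as an unprivileged user. Prints the path.
make_scratch_dir() {
    d=$(mktemp -d)
    echo 0 > "$d/ip_forward"
    echo 0 > "$d/tcp_syncookies"
    echo "$d"
}

# Run against the given directory (e.g. /proc/sys/net/ipv4 as root).
if [ "$#" -gt 0 ]; then
    if enable_masq_flags "$1"; then
        echo "ip_forward=$(get_flag "$1/ip_forward") tcp_syncookies=$(get_flag "$1/tcp_syncookies")"
    else
        echo "failed to enable one or both flags" >&2
        exit 1
    fi
fi
```

As root, `sh masq-flags.sh /proc/sys/net/ipv4` does the real thing; `sh masq-flags.sh "$(sh -c '. ./masq-flags.sh; make_scratch_dir')"` style experiments on a scratch directory let you see the read-back check and the newline written by the mistyped form without touching the running kernel.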

Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257
