Setting up Ip-Masquerading
Last Updated on December 9th 1998

An article submitted by my
friend Arto Repola in Finland


MH NOTE: This page was contributed by my friend Arto Repola, over in Finland. He had asked if he could put his trials and tribulations on my site, so without further ado, I bring you his step-by-step procedure to setting it up -- enjoy! (all that follows is his text)

Note, I have some personal updates/additions for kernels 2.1.x and 2.2.x which require you to use ipchains rather than ipfwadm which I'll put up here shortly. I have this setup at home so that my SGI Indigo2 High Impact can use the Internet connection (and 56K modem!) on my Linux box. Sweet.


I tested this following example in December 1997 when my high school ADP teacher kindly borrowed an old 486 box so I could do some tests at home. I especially played with Samba and ip-masquerade. I had only two weeks time to test different kinds of things so this document won't contain all aspects of setting up ip-masquerade. The following example assumes that your ISP gives you dynamic ip-addresses (you have different ip-address every time when you login), that you have configured your modem/isdn card correctly and your login scripts to your ISP work properly!

Basic Setup

Q. What is this Ip-masquerade what people are talking about? What use is there for such a thing?

A. Ip-masquerade allows to setup your linux as router for a small LAN which means that after you've setup your linux box as a gateway, you can (from other machines in your LAN) surf Internet after your linux box has established connection to your ISP! That's right: you can surf around Internet with only one ip-address and it's legal!

Q. I have trouble understanding these texts. I'd better undestand if you'd draw some kind of picture about it. Could you do it?

A. Of course! Here is an example which gives you a more or less accurate way how ip-masquarade works:

When you request pages from the client machine the process looks like this:

    Client            Router                  Your ISP
    WIN95             Linux                   whatever             w.x.y.z		
    -------   packets -------        arbitary -------
    |     |   ------->|     | --------------->|     |
    -------           -------     port number -------
                                  for packets
                                  eg. 25500

When you get a reply from some Website, the process looks like this:

    Client                Router              Your ISP
    WIN95                 Linux               whatever          w.x.y.z
    -------   arbitrary   -------   packets   -------
    |     |<------------- |     |<----------- |     |
    -------   port number -------             -------
    Client X  for packets
    will get  is extracted
    www-page  and routed
    packets   to client X

Q. Do i need any special requirements to setup linux as router? What about clients and their operating systems?

A. Setting up linux as a router for a small LAN doesn't differ very much from setting up linux as fileserver for a small LAN. you can happily setup your medium-powered 486 as a router but make sure that you have at least a 16550A UART for your serial ports. Otherwise you may encounter loss of data or in the worst case, you won't get data at all! Here is an example of my internal 33.6Kbps modem (com2) which has 16550A UART and it's flag is setup as "spd_vhi" (with setserial

[root@localhost /root]# setserial -a /dev/modem
/dev/modem, Line 1, UART: 16550A, Port: 0x02f8, IRQ: 3
        Baud_base: 115200, close_delay: 50, divisor: 0
        Flags: spd_vhi skip_test

After you've made sure that you have 16550A UART in your internal modem or in your serial ports there won't be any trouble.

For a client I can only say that I did this with WIN95 but I've read from the IP-Masquerade FAQ (which should lie under the /usr/doc/HOWTO/mini directory) that it should work happily with many clients including: WfW 3.11, WinNT (3.x,4,x), OS/2 Warp and DOS! You name it! As long as there is a TCP/IP stack available for the client and you have setup your NIC's correctly, there shouldn't be any major problems. There are no special requirements for client machines as long as you can use lynx, Netscape, ftp, telnet or whatever you want to use.

Q. Now hold on! If I can surf around the Internet by using only one legal ip-address, which ip-addresses can I use on my client machines?

A. Once again you can use "free" ip-addresses which are according to RFC1597:

Network Class Netmask Network Addresses
A -
B -
C -

Q. I'm still pretty confused. Could you give me some kind of example when I have a Linux box at home and my sister would like to browse the Internet from another machine?

A. Sure! I had a this kind of situation at home. I installed an NE2000 (ISA) NIC in both of these, cabled them and because I had already-working login scripts, there was not much to do. Here are machines what I used to test ip-masquerading:

Linux Router:


Pentium 150Mhz
NE2000 (ISA) NIC
Thin-net (10-Base-T) cabling
Redhat 4.2 (kernel 2.0.33)

486 25Mhz
NE2000 (ISA) NIC
Thin-net (10-Base-T) cabling
Windows 95 + Netscape 2.0

Q. Which one i should configure first: router or client?

A. It doesn't matter which one you setup first. The client is much easier to setup so let's start with it. This following example is for WIN95 only!

  1. Turn off your computer
  2. Insert your NIC into the appropriate ISA/PCI slot
  3. Turn on computer
  4. Wait until Win95 finishes loading. Add NIC under "Control Panel | Add New Hardware"
  5. Go to the "Control Panel | Network" box
  6. Add the TCP/IP protocol (if it's not already there)
  7. Select the TCP/IP protocol and then click on "Properties"
  8. First choose the "ip address" section and type "" as your ip-address. Next go to the "Netmask" field and type "" into it
  9. Go to the "Gateway" field and put your linux router ip-address "" into it
  10. Go to the "DNS Configuration" field and enter your ISP's nameserver ip-addresses, your domain name and hostname. Mine were:

    hostname: wnet

    BTW! You can find these values in /etc/resolv.conf in your linux machine
  11. Now click "OK" on all dialog boxes and you should get a prompt which says something like this: "xxx has been changed. Restart system Yes/No?" Click on "Yes" and once again wait until your Win95 loading is finished

That's it! Basic client setup is done!


First thing what you have to do is to recompile your kernel and include ip-masquerade support to it! If you don't know how to compile a kernel, there should be file called README in the /usr/src/linux directory which explains everything you need to know. Basically it goes like this:

make config  		;or make menuconfig/xconfig
make dep
make clean
make zImage 		;or make zlilo/zdisk
make modules
make modules_install

When you execute the command "make config" under /usr/src/linux you should say Yes "Y" to these following questions and of course under Network section you should enable at least "Ethernet support" and drivers for your NIC.

    * Prompt for development and/or incomplete code/drivers
      - this will allow you to select experimental ip_masq
        code compiled into the kernel

    * Enable loadable module support
      - allows you to load modules

    * Networking support

    * Network firewalls

    * TCP/IP networking

    * IP: forwarding/gatewaying

    * IP: firewalling

    * IP: masquerading (EXPERIMENTAL)
      - although it is experimental, it is a *MUST*

    * IP: always defragment
      - highly recommended

    * Dummy net driver support
      - recommended

When you have succesfully compiled your kernel, copied to it the corresponding place and rebooted your machine, we can start to play with network settings. Let's create a "loopback" device first and test that your network support is working correctly!

/sbin/ifconfig lo
/sbin/route add -host lo

Then execute this following command without quotes: "ping" You got some mysterious replies? Congratulations! At least your basic configuration is working correctly!

You can optionally put these very same lines to /etc/hosts -file what i've used in my samba/linux+WIN95 example:

# /etc/hosts     kirk    spock

Now let's create a route for your client machines.After this command you can simply add more clients as needed without changing this ever! (unless you have more than 255 clients in your small LAN which is highly unlikely!)

/sbin/ifconfig eth0 netmask up
/sbin/route add -net eth0

The next thing what we have to do is tell your Linux machine that client machines will "hide" their identity within the Linux machine' packets which go to to your ISP and from there, to the Internet. You should have a program called ipfwadm installed and the next thing what you have to do is type following commands:

/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S -D

You can place these commands for example, in /etc/rc.d/rc.sysinit so every time when you boot Linux these commands are already setup. /etc/rc.d/rc.sysinit is for Redhat (and Debian?) distrubutions only. In Slackware, the path is a little bit different but because I haven't used Slackware for the last 3 years I don't remember its path structure very well... In case of emergency contact your local Linux guru to help you out!)

That's it! Let's test it!

Test Phase

  1. Load Netscape on your client machine and setup cache settings if you wish and setup your ISP's proxy server's name/port address if needed/available.

  2. Execute your PPP connection to your ISP from your linux computer. When the link is up try to visit some sites like from your client computer. If you get a response within few seconds it's time to party!

Miscellaneous Questions

Q. What do you mean that it's legal to surf around Internet by using only one legal ip-address? Aren't you afraid that your ISP might find out that you are using more than one machine at home and with only one ISP's package?

A. Of course it's possible that some day your country's (insert here) government could deny such a thing but it's more likely to win in a lottery! :) Contact your ISP and ask them if this is okay with them if you're worried. If it's okay with your ISP then you don't have to worry about it anymore! Enjoy free surfing from other machines! This feature with Samba are the best programs for Linux what I've ever used and they are both very good!

Q. What about security? Couldn't one hack into my client machines when my connection is up because Ip-Masquerade also allows *EVIL* persons to telnet/use evil programs to crash/format my client machine' HDD's?

A. There are tons and tons of different kinds of security issues and programs around the Internet for Linux but personally I wouldn't be so paranoid. I've used Ip-Masquerade support for a very short time (two weeks only!) and my system was never hacked. Rule of thumb is that if your ISP gives to you dynamic ip-addresses (very common!), you have installed latest kernel (2.0.33+) and you have grabbed the latest patches/updates from Red Hat (for example), I wouldn't worry about it much. If you are really concernced about your security during ppp-connection, take a look at the section called "4.4. IP Firewall Administration (ipfwadm)" in the Ip-Masquerade FAQ which should lie in /usr/doc/HOWTO/mini/ which explains how to setup input/output policies but this applies only for static ip-addresses. Could someone do this for dynamic ip-addresses? Personally I don't know!

Q. Netscape seems to work just fine but when I tried to execute an IRC client from my client machine it didn't worked at all! What have I done wrong?

A. In order to get IRC, Vdoline video conferencing, Quake (YES!), FTP, etc. you have to put these following commands into /etc/rc.d/rc.sysinit or you can execute them at the prompt:

/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc

Now at least IRC, FTP and RealAudio should work correctly!

Q. I'm using my sister' Win95 machine in her room and my linux machine is in our living room. I wouldn't like to go there just to execute a connection script. How can I automate this process so every time when i fire up netscape connection would start automatically and after a certain number of idle seconds, the connection would "go down" automatically? How can I do this and is it possible?

A.Yes, it's possible. One could telnet to a linux machine from Win95 and execute the login script from there, but more elegant way to do this is to take a look at package called diald. When you have setup and configured this program correctly on your Linux machine, you could establish PPP connections to your ISP whenever you wish, automatically!. Take a look at bottom of this page for a link to the diald homepage. I haven't tested this ever, so I cannot help you with this one :(

Q. I get quite crappy baud rates to my client machine. Are there any ways to speedup my connection?

A. I've heard some rumors that fine-tuning the MTU setting for your NICs with ifconfig might work. I've heard that if you lower the MTU value you get really fast responses but the drawback is that you get really low cps rates, and if you increase the MTU setting, you will get faster cps rates but lookup times are horrible! Has anyone ever tested this?


If your connection still doesn't work try these following commands which are very similar to what I've described in my Linux/Samba+Win95 combination:

  1. Try to ping your machines. Under linux type ping Now you should receive echo replies from Win95. You can stop this operation by pressing CTRL+C. You can also try names like this: ping spock or ping If you don't receive any echo replies, double check your network settings. One good way is to check NIC settings is by using the command ifconfig which shows the NIC's settings and route which shows route tables to the other machines. If route hangs for a moment try route -n. In this case it won't try to "resolve" your hostname, thus speeding up "finding" the computer on the network.

  2. Try to telnet to the linux machine from the Win95 machine. Click on Start in lower left corner, select Run and type telnet in the box which will pop up. Aftet that, select connect and first use an ip-address rather than a name ( If you get a prompt soon there's surely some kind of traffic between your machines. If you don't get any prompt and it waits forever in that state with a flashing cursor, double check that you don't have any extra settings in /etc/hosts.allow and /etc/hosts.deny files which prevents other machines to use linux services.

  3. Download a program called IPTraffic at It's a menu-based program which can be used to monitor your Ethernet traffic for example or your ppp0 device for ppp connections. It's very useful, really easy to use and has lots of options, so you can easily fine-tune what you want to monitor and what not to. Just place iptraf in the freshmeat search field and it will find and show it's appindex to you.

Not Tested!

Untested uses for ip-masquerading (theories only!)

I wonder if these two following examples are possible with ip-masquerading? Has anyone ever tried these?

Example 1: Imagine that you have been given certain ip-addresses from your ISP. Now you are happily running them in your company. Now you realize that you a running out of ip-addresses and you would have to install 25 machines connected to the Internet but you have only, let's say, three ip-addresses left. What could you do? Get some more ip-addresses? One solution could be like this (in theory).

Just assign one of those ip-addresses to one linux machine and use ip-aliasing support. First, assign eth0 a "legal" ip-address and for eth0:0 device, assign a "fake" ip-address. Now after you've configured the corresponding routes, DNS, etc. you could install these 25 machines and assign them "fake" ip-addresses. In theory these machines should now access the Internet without any trouble. The only thing that you'd have to do would be to setup corresponding ipfwadm rules. Could this work? Any uses for this? OF COURSE! What would you say if you didn't have to pay any extra for getting more ip-addresses? If it's fine with your ISP then go ahead! This could save you LOTS of money over the long run.

Example 2: This is basically an idea that I read from Michael Holve's Linux Coffee Talk section. There was a guy who wanted to know if it is possible to setup a ppp-server which would have one "legal" ip-address and then allow other users to login and use "bogus" ip-addresses. My theory is that it should be possible. Just install two NIC's into this machine or use ip-aliasing. Use the same principal as in example one and configure your modems to use "fake" ip-addresses. After you've configured your ipfwadm (or ipchains) to route your clients request to the Internet it should be all set. Now when clients connect, they should be assigned "fake" ip-addresses which would be used to connect to Internet. Maybe this ASCII-art picture could clarify this just a little bit more:

	  ----------	 two NIC's
   	  -let's say	 eth0 "legal"	
	  10 modems      eth1 "bogus,fake"
	  which would
	  have "fake" 

So every time a client connects, he/she would get a "fake,bogus" ip-address which would be forwarded from eth1 through the "legal" ip-address/device eth0 to the Internet from there back to its original source (Client).


This document was created at my home in Raahe, Finland on May 23, 1998. Local time is 7:30pm right now. Good night to everyone and God bless you all!

This document is dedicated to the ALL_MIGHTY_LINUX_GURU LINUS! You've done something that will never be forgotten!

All images are (C) 1994-2005 by Michael Holve