Kernel Configuration
Yep, you'll once again be compiling your kernel. We need to add some specific configuration items. We need:

- Network firewalls
- IP Firewalling
- IP transparent proxy support
- IP Masquerading
- ICMP Masquerading (so ping will work)
- Optimization as a router
- TCP Syncookie support
- procfs
- sysctl support
Thankfully, we can almost complete this little shopping list in the "Networking Options" section of our kernel configuration. As you can see in Figure 3-1, just about everything we need (and more; see the upcoming section, Port Forwarding) can be enabled from one screen. You'll find procfs under "proc filesystem support" in the filesystems section of the kernel config, and sysctl support under "general setup." What do these things do?
Figure 3-1. Linux kernel configuration.
Network firewalls and IP Firewalling are what let us use ipchains to accept or reject individual packets, and they are the foundation for everything else here: if IP: firewalling is not selected, the kernel configuration won't even let you enable masquerading. This is the kernel code that hooks into the network stack so that every packet passing through can be examined closely and accepted or rejected according to your rules.
IP transparent proxy support lets the kernel modify packets as they pass through, redirecting traffic that was headed for a remote host to a port on the masquerading box itself (this is what the ipchains REDIRECT target relies on). It isn't strictly part of masquerading, but it sits on the same screen and is used alongside it, so enable it now.
IP Masquerading is the option we're really after. This is the code that rewrites the source address and port of packets leaving your internal network (and un-rewrites the replies coming back), following the rules you define with ipchains. Enabling it also builds the standard ipmasq helper modules for protocols such as vdolive, irc, ftp, and quake, which embed addresses in their data or open extra connections and so do not work under plain masquerading rules.
ICMP Masquerading lets you use ping and traceroute from masqueraded machines, which is very handy when tracking down networking problems. You want this.
Optimization as a router is definitely worth enabling. It tunes the kernel for forwarding packets rather than for serving applications, and it pays off in throughput if you're using a dedicated IP masquerading box (which I already highly recommended). Speed is a good thing, right?
TCP Syncookie support is a basic survival strategy. We enable it in the kernel so that when the inevitable denial-of-service attack comes, we'll be prepared. What's a denial-of-service attack? Picture this nightmarish situation: a parent cursed to answer every question, and put in charge of 35 3-year-olds. Flooded with thousands upon thousands of "why?" questions, the parent is incapable of doing anything but responding. That's a denial-of-service attack in a nutshell. It's easy to do, it's usually fairly pointless, and it's quite annoying. The particular attack SYN cookies defend against is the SYN flood: an attacker sends a stream of TCP connection requests and never completes the handshake, filling the kernel's table of half-open connections until no real connection can get in. With SYN cookies enabled, the kernel encodes the connection state in its reply instead of holding a table entry for it, so your internal users can keep using the Internet even while you're under attack. Cool, eh?
Procfs is the proc filesystem. It's required for enabling IP forwarding and for the syncookie support we just talked about, because both are switched on by writing to files under /proc/sys. Sysctl support is what lets you change kernel parameters on the fly, which is what we'll need to do to, you guessed it, enable IP forwarding and syncookies.
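Before you start the compile, it's worth checking that the finished .config really carries every option on the list above. Here is an added example, not from the original text, that reads a kernel .config and reports which required options are not set. The CONFIG_* names are this example's assumption of how the menu labels above appear in a 2.2-era .config, so check them against your own file; the sample .config it runs against is constructed inline, with two options deliberately left unset.

```shell
#!/bin/sh
# Required options, as CONFIG_* names. These names are an assumption of
# this example; compare them with the labels in your own kernel menu.
REQUIRED_OPTIONS="CONFIG_FIREWALL CONFIG_IP_FIREWALL CONFIG_IP_TRANSPARENT_PROXY
CONFIG_IP_MASQUERADE CONFIG_IP_MASQUERADE_ICMP CONFIG_IP_ROUTER
CONFIG_SYN_COOKIES CONFIG_PROC_FS CONFIG_SYSCTL"

# missing_options FILE: print each required option that is not built in
# (=y) in FILE, one per line. Returns 1 if anything is missing, 0 if the
# config is complete. Lines like "# CONFIG_FOO is not set" do not count.
missing_options() {
  cfg=$1
  rc=0
  for opt in $REQUIRED_OPTIONS; do
    if ! grep -q "^${opt}=y\$" "$cfg"; then
      echo "$opt"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample .config: two options left unset to show the output.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
# CONFIG_IP_MASQUERADE_ICMP is not set
CONFIG_IP_ROUTER=y
# CONFIG_SYN_COOKIES is not set
CONFIG_PROC_FS=y
CONFIG_SYSCTL=y
EOF

# Against a real tree you would run: missing_options /usr/src/linux/.config
missing_options "$SAMPLE_CONFIG" ||
  echo "required options are missing; fix them before you compile" >&2
```

Run against the sample, it lists CONFIG_IP_MASQUERADE_ICMP and CONFIG_SYN_COOKIES and exits non-zero; against a complete .config it prints nothing and exits 0, so it can gate a build script.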
Now that you've got these things enabled, go ahead and recompile your kernel and install it. Reboot, and when the system comes back up, issue these two commands as root:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Mind the space before the ">": to the shell, "echo 1>file" means "run echo with its standard output redirected to file", which writes an empty line rather than a 1. Verify that the settings took by reading the two files back (each should now contain a 1), and once you've done that, pick a startup file (I like /etc/rc.d/rc.inet myself) and add those two lines somewhere near the beginning. IP forwarding and syncookie support will then be enabled on the next boot as well. Congratulations! Your system now has the basic kernel configuration required for IP Masquerading.
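As an added example, not from the original text, here is a short sh script that applies those two settings and reads each one back to confirm it stuck, which is the check you want before trusting the lines in your rc script. It also reproduces the missing-space pitfall in a function you can run against a scratch file. Apart from the two /proc/sys files named above, the function and file names are the example's own.

```shell
#!/bin/sh
# set_knob FILE VALUE: write VALUE to the /proc/sys file FILE and read it
# back, so a silent failure (no procfs, no sysctl support, not root) is
# reported instead of assumed to have worked.
set_knob() {
  knob=$1
  want=$2
  if [ ! -w "$knob" ]; then
    echo "cannot write $knob: not root, or the kernel lacks procfs/sysctl support" >&2
    return 1
  fi
  # Note the space before '>': "echo 1>file" would redirect echo's stdout
  # (fd 1) to file and write an empty line instead of a 1.
  echo "$want" > "$knob" || return 1
  got=$(cat "$knob")
  if [ "$got" != "$want" ]; then
    echo "$knob reads '$got', wanted '$want'" >&2
    return 1
  fi
}

# enable_masq_knobs: the two settings from the text. Call this (or put the
# two echo lines) near the top of your rc script, e.g. /etc/rc.d/rc.inet,
# so they come back after a reboot.
enable_masq_knobs() {
  set_knob /proc/sys/net/ipv4/ip_forward 1 &&
  set_knob /proc/sys/net/ipv4/tcp_syncookies 1
}

# written_by_sloppy_redirect FILE: show what the pitfall actually writes.
# Prints the contents of FILE after "echo 1>FILE" (an empty line).
written_by_sloppy_redirect() {
  echo 1>"$1"
  cat "$1"
}

if [ "$(id -u)" = 0 ] && [ -d /proc/sys/net/ipv4 ]; then
  enable_masq_knobs && echo "IP forwarding and SYN cookies enabled"
else
  echo "run as root on the masquerading box to apply the settings" >&2
fi
```

Because set_knob reads the value back, a kernel built without sysctl support or a box where /proc isn't mounted fails loudly at boot instead of quietly leaving forwarding off.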