Setting Up IP Masquerading

Author: jbm <>
Created on: July 19, 1998
Last Modified: March 2, 1999
Status: Beta


So - you've got your Linux up and running and you can use the LAN between Linux and Windows 95. Good for you. But you still can't get online with your Windows 95 box and your Linux at the same time. This is why they developed IP Masquerading. To begin with, you need a few things: the ability to compile your own kernel (see Compiling a New Kernel for more info on this), a working subnetwork (probably Ethernet - see Setting Up Ethernet for more info. There are other ways to create a subnetwork, but if you can get those working, you probably don't need this guide ;^), and a way to get at the internet while on your Linux (either Ethernet or dial-up, there are special instructions for using two NICs at once, see A discussion of networking is beyond the scope of this document, as is setting up dial-up connections (discussed in Setting Up an internet Connection.), so if you don't have those working yet, go ye forth and fix ye thee. If you're still with me, go grab the IP-Masquerading mini-howto, from your local sunsite mirror:Linux/docs/HOWTO/mini/IP-Masquerade or at really quick. It's a more in-depth discussion of what this document covers. Also, is the official homepage of Linux IP Masquerading. hint hint.

Before You Begin...

I'm no expert when it comes to this. I just got my setup working well enough, and I saw a definite need for a document like this one. The IP-Masquerading mini howto is too in-depth for the average Windows 95 --> Linux --> Internet setup. If you can add anything to this - please do! I'm currently working on on-demand dialup that's transparent to Windows 95. Any info that you need that's not covered here will most likely be found at hint hint.

This document is based on my personal setup - a Windows 95 box connected via eth0 to a Linux box which is connected to the internet by ppp0. I use Slackware, with kernel 2.0.34. I'll try and make everything usable under RedHat, but I can't make any guarantees. I take no responsibility if this document messes up your boxen. Or causes your dog to shed all over the couch. Feel free to mail me(, but please only send me questions dealing with IP masquerading and/or this document (misspellings, etc). Please no questions about setting up PPP or Ethernet.


Make sure your ethernet works ('ping' back and forth), make sure that your PPP dialup works ('ping' somebody on the net), and make sure they both work at once ('ping' back and forth locally and some internet site while online). If this is all ok, move on. If not, you need to fix it before you proceed. Check the related docs on this site, then try re-doing things (if you need to recompile your kernel, don't include the IP Masq changes. It's best to change one or two things at once, so you can find exactly what's not working. After you get ethernet and PPP working side-by-side you can try to get them working hand-in-hand.)

Setting Up Linux

To get Linux ready for IP Masquerade, you only need to do three things:

Kernel Stuff:

If you're not comfortable recompiling your kernel, stop now. You really need to be able to do this to be a Linux user, so go learn how to at Compiling a New Kernel. Go through and configure your kernel for all the things you normally need (*modules*, filesystems, SCSI if you need it, PPP/SLIP, networking, etc), and then add the following things (in older kernels you may need enable experimental things):

Now do the whole kernel building process... make dep; make clean; make zImage (go watch tv); make modules; make modules_install. The modules part is required because certain protocals (ftp, irc, realaudio to name just a few) need special configuration to work correctly through masquerade.

rc.modules Fun:

For this, you need to edit your rc.modules file - /etc/rc.d/rc.modules in Slackware and /etc/rc.d/rc.local in Red Hat - and add the following lines:

depmod -a  #if there's already a line containing this, don't add it.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_vdolive  

And any other modules you see in /lib/modules/2.0.xx/ipv4 that start with ip_masq. According to the mini-howto, kerneld won't work. Sorry to those of you who use it.


Note: if you are using a 2.2.x series kernel (or late 2.1.xx), you need to use IP chains, see below for more details. Skip this section and go on to the next.

You need to stick

ipfwadm -F -p deny
ipfwadm -F -a m -S -D
in your /etc/<rc.d>rc.local file, it only needs to be run once (i was mis-informed at last writing. My apologies). Due to the nature of this file, these lines won't automatically be executed until you reboot. You can, however, just paste these into the commandline using gpm and set it up on a running system.

This should complete the Linux side of the setup.

IP Chains

IP chains is the "new" way to set IP masq things up. If you are using a 2.0.xx series kernel, you don't need to worry about it just yet; if you are using 2.2.x, however, you do.

The use is just like for 'ipfwadm', except you place

ipchains -P forward DENY
ipchains -A forward -j MASQ -s -d
in your /etc/<rc.d>rc.local file. Due to the nature of this file, these lines won't automatically be executed until you reboot. You can, however, just paste these into the commandline using gpm and set it up on a running system.

Configuring Windows 95

This is by far easier. If you've got the ethernet adaptor installed right, just open up Start->Settings->Control Panel, then go to Networking. Open up TCP/IP -><name of your ethernet adaptor>. Go to the Gateway Tab, and enter the Subnet IP address of your Linux (probably Add the appropriate settings under the DNS Configuration tab. You don't need the suffix search thing, but it's kinda nice. Click OK through all the dialogs and restart Windows. This should be all you need to do.

This should complete the Windows side of the configuration.

Setting Up Other OSs

See the IP Masquerade mini-HOWTO for instructions on setting up other OSs capable of TCP/IP networking (or UDP/IP. but i think UDP is more complicated setup...).

Test it

Well.. that should be it. Try it out - reboot your Linux box, start up your PPP connection, run the ipfwadm script (if you need one), and trying getting onto the net with Windows. If it doesn't work, make sure you ran the ipfwadm stuff after you connected with PPP (ie - after you actually got an IP address assigned).If that doesn't fix things, try going through the IP Masquerade mini-howto. It'smuch more in-depth and thorough, so your problem will likely be addressed there.

PPP Stops Working After You Install IP Masquerade

This confused me very much so. If you compiled PPP as a module, make sure you do /sbin/modprobe slhc.o before /sbin/modprobe ppp.o. Try doing depmod -e ppp to see what error messages your kernel is having problems with. I personally recommend compiling PPP into the kernel, as it's used fairly often. If that looks ok, try recompiling it, after printing out the configuration information above and double check all your settings. If it's still broken, triple check your settings. If it still doesn't work, try setting up PPP by itself. If that's broken, see Setting Up an Internet Connection. After you get that working, try the IP masq setup again. This should solve most problems.

Thanks to Tom M. Schenkenberg for pointing out the new ip-masq site, and keeping me from getting dead link complaints =).

Copyright (c)1998 jbm ( All rights reserved. Permission to use, distribute, and copy this document is hereby granted. You may modify this document as long as credit to me is given.