view · edit · print · history

IP Masquerading HOWTO

This is a brief descrition how to set up a NSLU2 as Router with IP Masquerading (NAT-Router). You need a NSLU2 and a second Ethernet Device (see EthernetAdapter).

It's tested with the official Unslung 5.5 Image and a D-Link DUB-E100 (without any additional flash/disk attached).


1. You need a NSLU2 with a unslung firmware (See UpSlug2). Enable Telnet (See EnableTelnetThroughTheWebInterface) and log in. Maybe installing a SSH Server is a good idea (e.g. UseDropBearForRemoteAccess). Don't forget to change the root password (See ChangePasswordsFromTheCommandLine).

2. Make sure you have enough space. If you use a USB-Stick or USB-Disk as root filesystem this should be no problem. Otherwise you can delete some unnecessary stuff.

3. Install the module for your USB-Ethernet-Adapter. In this case:

ipkg-cl install kernel-module-ax8817x

4. Load the module and configure your card:

insmod ax8817x
ifconfig eth0 192.168.X.X up

5. Now we need iptables and some kernel modules:

ipkg-cl install iptables
ipkg-cl install kernel-module-ip-tables
ipkg-cl install kernel-module-iptable-filter
ipkg-cl install kernel-module-ip-conntrack
ipkg-cl install kernel-module-iptable-nat

6. We also need two additional modules called ipt_MASQUERADE.o and ipt_state.o. They are currently not in the ipkg repository for unlsung. But there are two ways to get them:

  • Recompile the Unslung Kernel to get them. Set up a build enviroment with the MasterMakefile. Add these lines to openembedded/packages/linux/unslung-kernel/defconfig:


Now run make unslung-kernel. You will get the new kernel-module-packages kernel-module-ipt-masquerade_2.4.22.l2.3r63-r7_nslu2.ipk and kernel-module-ipt-state_2.4.22.l2.3r63-r7_nslu2.ipk. Copy them to your NSLU2 and install with:

ipkg-cl install kernel-module-ipt-masquerade_2.4.22.l2.3r63-r7_nslu2.ipk
ipkg-cl install kernel-module-ipt-state_2.4.22.l2.3r63-r7_nslu2.ipk
  • Another (easier) way is to get them from my website: http://www.defector.de/docs/nslu2-ipmasq.htm(approve sites)

7. Now we can set up a iptables script. I named it /opt/etc/masquerade. It routes all connections from inside a private net (LAN) to a outside connection (WLAN). Furthermore it blocks all connections from outside (WLAN). So it's also a simple Firewall.

The lan device is the inbuild intel ethernet-card (ixp0). The outbound device is the USB Ethernet-Card (eth0).

/opt/etc/masquerade looks like this:

#! /bin/sh

# Load all modules
insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
insmod ipt_state
insmod ipt_MASQUERADE

# Interfaces

# Set IP-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clear all chains
iptables -F
iptables -F -t nat

# In the NAT table (-t nat), Append a rule (-A) after routing                  
# (POSTROUTING) for all packets going out the outside interface                 
# (-o $WLAN) which says to masquerade the connection                            
# (-j MASQUERADE)                                                               
iptables -t nat -A POSTROUTING -o $WLAN -j MASQUERADE

# Create chain which blocks new connections, except if coming from inside.      
iptables -N block                                                               
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT                
iptables -A block -m state --state NEW -i ! $WLAN -j ACCEPT

# Logging is turned off
#iptables -A block -j LOG --log-ip-options                                      

iptables -A block -j DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block                                                      
iptables -A FORWARD -j block

If using PPPoE? (for DSL or iBurst, etc.)

Add the following line to the end of the script to fix MTU issues (thanks to ShadowJK? from #nslu2-general for figuring this out for me). Also see http://ramblingfoo.blogspot.com/2007/11/lesson-relearned-when-linux-networking.html(approve sites)

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

In addition, you will need to install the kernel-module-ipt-tcpmss or kernel-module-xt-tcpmss and load it for this to work.

I was having weird NAT problems like I could ping and access www.google.com and I could ping www.yahoo.com but when I tried to access www.yahoo.com in a browser it would just hang waiting for a response. The above rule fixed it.

Make Startup Scripts

This section will be added later

view · edit · print · history · Last edited by Toby.
Based on work by Toby and cooper.
Originally by Sven Jost cooper.
Page last modified on May 03, 2008, at 05:37 PM