[ale] IP Masquerading on Linux
Byron A Jeff
byron at cc.gatech.edu
Tue Oct 6 03:25:33 EDT 1998
>
> Greetings !
>
> Thanks to the many for all previous help.
>
> I am running RedHat4.2 and would like to implement IPMasq. I've read
> Doctor Linux Mini-HowTo and am even more confused.
>
> How does it work ?
The basic idea is to hide your internal network behind a single external
interface. A quick example:
1) You have a linux box and a SCO box on your internal network. Say they have
IPs of 192.168.0.1 and 192.168.0.2. BTW these two are out of a set of special
'internal network' addresses that no properly configured router would route
through the internet.
2) The Linux box calls your ISP via PPP. You get an address of 206.15.192.200
for your PPP interface. PPP also sets up your default route to your ISP.
3) OK at this point the Linux box is set. It can connect to the internet and
do stuff. The SCO box still needs work.
4) First off the Linux box is a gateway, So you have to compile in and enable
IP Forwarding in the kernel. What this is is set it up so that any packet that
the Linux box receives on one interface (internal ethernet) will be forwarded
on the other interface (PPP). So we do this and set the default route of the
SCO box to the Linux box. But it still doesn't work. Here's why...
The SCO box tries to get to the ISP web server (206.15.192.10). So it sends
a packet out on the ethernet to its default gateway (the Linux box). When the
Linux box gets it, it'll forward it to the PPP connection. The problem is that
the destination is still set to the SCO box (192.168.0.2) which when received
by the ISP's web server, it has no clue how to send a response back since that
internal network address for the SCO box isn't routable. Enter IP Masqerading..
5) Turn on masquerading on the Linux box. You get the same sequence except
with one significant difference...
The SCO box tries to get to the ISP web server (206.15.192.10). So it sends
a packet out on the ethernet to its default gateway (the Linux box). When the
Linux box gets it, it'll forward it to the PPP connection. Except now that
masquerading is on, the Linux box will change the destination for the response
to its own internet IP address (206.15.192.200). When the ISP's web server
gets the requirest it'll send a response back to the Linux box, when it turn
will change the destination back to the address of the SCO box, and drop the
packet back onto the internal network. So the SCO box receives the response
from the web server and all is well.
So the bottom line is to set up the following:
1) Your PPP connection to your ISP.
2) Forwarding in your Linux gateway.
3) IP Masquerading in your Linux gateway.
4) Use a configuration tool (I use ipfwadm on my old Slackware box) to
configure the masquerading. Here are my two configuration lines:
/usr/local/sbin/ipfwadm -F -p deny
/usr/local/sbin/ipfwadm -F -a m -S 10.192.143.0/24 -D 0.0.0.0/0
The first says as a default not to forward anything. The second says to
masquerade all packets on my internal net going out onto the external net.
>
> What do I need to do to be able to dial out from a SCO machine through
> Linux ?
>
> Are there choices about how to do this ?
Dial-out is a different tool altogether. Here are your choices:
1) telnet to the Linux box and start the connection by hand.
2) Use diald, which is a tool that will monitor for network traffic and
establish a link whenever a request for traffic comes along.
3) Use a late model of PPP (which your 4.2 probablydoes not have) which has
the same functionality as diald.
Personally I use 2. diald works for me.
Hope this helps,
BAJ (typing this from a masqueraded Linux box in the middle of a sleepless
night)
More information about the Ale
mailing list