[ale] IP Masquerading on Linux
Matthew Brown
matthew.brown at cordata.net
Tue Oct 6 08:59:57 EDT 1998
Having read myriad explanations about this subject and others on Linux,
let me just say that when it comes to help...
YOU THE MAN!
That was awesome! I come from the GUI world of WinNT where help files are
abundant. I am really enjoying using Linux, but it has one problem...the
help and manuals that I HAVE SEEN stink!
Have you considered joining the Linux documentation project?
In my opinion, they could really use your help!
-Matthew Brown
-----Original Message-----
From: Byron A Jeff <byron at cc.gatech.edu>
To: Courtney Thomas <ccthomas at flash.net>
Cc: ale at cc.gatech.edu <ale at cc.gatech.edu>
Date: Tuesday, October 06, 1998 4:05 PM
Subject: Re: [ale] IP Masquerading on Linux
>>
>> Greetings !
>>
>> Thanks to the many for all previous help.
>>
>> I am running RedHat4.2 and would like to implement IPMasq. I've read
>> Doctor Linux Mini-HowTo and am even more confused.
>>
>> How does it work ?
>
>The basic idea is to hide your internal network behind a single external
>interface. A quick example:
>
>1) You have a linux box and a SCO box on your internal network. Say they have
>IPs of 192.168.0.1 and 192.168.0.2. BTW these two are out of a set of special
>'internal network' addresses that no properly configured router would route
>through the internet.
>
>2) The Linux box calls your ISP via PPP. You get an address of 206.15.192.200
>for your PPP interface. PPP also sets up your default route to your ISP.
>
>3) OK at this point the Linux box is set. It can connect to the internet and
>do stuff. The SCO box still needs work.
>
>4) First off the Linux box is a gateway, so you have to compile in and enable
>IP Forwarding in the kernel. What this does is set it up so that any packet that
>the Linux box receives on one interface (internal ethernet) will be forwarded
>on the other interface (PPP). So we do this and set the default route of the
>SCO box to the Linux box. But it still doesn't work. Here's why...
>
>The SCO box tries to get to the ISP web server (206.15.192.10). So it sends
>a packet out on the ethernet to its default gateway (the Linux box). When the
>Linux box gets it, it'll forward it to the PPP connection. The problem is that
>the destination is still set to the SCO box (192.168.0.2) which when received
>by the ISP's web server, it has no clue how to send a response back since that
>internal network address for the SCO box isn't routable. Enter IP
>Masquerading..
>
>5) Turn on masquerading on the Linux box. You get the same sequence except
>with one significant difference...
>
>The SCO box tries to get to the ISP web server (206.15.192.10). So it sends
>a packet out on the ethernet to its default gateway (the Linux box). When the
>Linux box gets it, it'll forward it to the PPP connection. Except now that
>masquerading is on, the Linux box will change the destination for the response
>to its own internet IP address (206.15.192.200). When the ISP's web server
>gets the request it'll send a response back to the Linux box, which in turn
>will change the destination back to the address of the SCO box, and drop the
>packet back onto the internal network. So the SCO box receives the response
>from the web server and all is well.
>
>So the bottom line is to set up the following:
>
>1) Your PPP connection to your ISP.
>2) Forwarding in your Linux gateway.
>3) IP Masquerading in your Linux gateway.
>4) Use a configuration tool (I use ipfwadm on my old Slackware box) to
> configure the masquerading. Here are my two configuration lines:
>
>/usr/local/sbin/ipfwadm -F -p deny
>/usr/local/sbin/ipfwadm -F -a m -S 10.192.143.0/24 -D 0.0.0.0/0
>
>The first says as a default not to forward anything. The second says to
>masquerade all packets on my internal net going out onto the external net.
>
>>
>> What do I need to do to be able to dial out from a SCO machine through
>> Linux ?
>>
>> Are there choices about how to do this ?
>
>Dial-out is a different tool altogether. Here are your choices:
>
>1) telnet to the Linux box and start the connection by hand.
>2) Use diald, which is a tool that will monitor for network traffic and
>establish a link whenever a request for traffic comes along.
>3) Use a late model of PPP (which your 4.2 probably does not have) which has
>the same functionality as diald.
>
>Personally I use 2. diald works for me.
>
>Hope this helps,
>
>BAJ (typing this from a masqueraded Linux box in the middle of a sleepless
>night)