
IP Masquerading FAQ (was: Spesial PPP configuration)



On Tue, 17 Sep 1996, Shay Rojansky wrote:

> If you want more, an option exists called IP masquerading. This means
> you have the router machine (=the one connected to the Internet, even
> with PPP) running special masquerading software. This software receives
> requests from a computer on the LAN, and modifies the return addresses
> so that the packets will come back to the router (they can't come
> back to the original machine, since it ain't on the net). When the
> router gets the response from the host it sent the request to, it sends
> the info back to the client on the LAN. This is more complicated. For
> those of you who've asked for help on how to do this, I have no idea
> where to find howtos, although you should look at the NET-2 howto,
> the firewalling howto, search the various Linux sites, and take a look
> at Linux Journal issue 27 (July 1996, titled "The Shell Game").

Here is the (unofficial) IP Masquerading FAQ for Linux.  Maybe it's a
little outdated, but there's an address where you can get the newer one
somewhere in the FAQ.

Vadik.

++        _ 
Vadik V. (_`    vadik@arbornet.org  http://www.arbornet.org/~vadik/
Vygonets (_.lf  For PGP public key, email me with subject "get pgpkey"
Linux hackers are funny people: They count the time in patchlevels.

*** File 'ip_masquerade.faq'
==========================================================================
This document is an UNOFFICIAL FAQ about ip_masquerade for Linux

Copyright (C) 1995 Ken Eves - May be freely distributed but not modified.
You have permission to use any information in this document in your works.
Last Revised 01/07/1996

This document is NOT an official Linux FAQ.  It was prepared by someone
who is NOT an authority on Linux, or IP networking.  It is AS-IS and
most likely contains errors.

This document's home is at ftp.eves.com in /pub/masq, and is also available
on http://www.indyramp.com .

Many thanks to those who contributed to this document with posts on the
masq@eves.com mailing list (not running) and comp.os.linux.networking !!!

Ken Eves and Eves Internet Consulting accept NO LIABILITY for any damages,
lack of sleep, or downtime caused by using this information.

ip_masquerade was written and is copyrighted by Pauline Middelink  
<middelin@polyware.iaf.nl>
==========================================================================

Q: What is ip_masquerade?
A: ip_masquerade is an addition to the kernel networking code in Linux.
   It is designed to allow systems that do not have an assigned IP address
   on the Internet to interact with the Internet via a Linux host.
   The Linux host is the box running ip_masquerade.

-=-

Q: How does it work?
A: Here is a drawing of the most simple setup:

     SLIP/PPP         +------------+                         +-------------+
     to provider      |  Linux     |       SLIP/PPP          | Anybox      |
    <---------- modem1|            |modem2 ----------- modem |             |
      111.222.333.444 |            |           192.168.1.100 |             |
                      +------------+                         +-------------+

    In the above drawing a Linux box with ip_masquerading installed and
running is connected to the Internet via SLIP/or/PPP using modem1.  It has
an assigned IP address of 111.222.333.444.  It is set up so that modem2 allows
callers to log in and start a SLIP/or/PPP connection.

    The second system (which doesn't have to be running Linux) calls into the
Linux box and starts a SLIP/or/PPP connection.  It does NOT have an assigned
IP address on the Internet so it uses 192.168.1.100. (see below)

    With ip_masquerade and the routing configured properly the machine
Anybox can interact with the Internet as if it was really connected (with a
few exceptions).

Quoting Pauline Middelink (unedited):
Do not forget to mention the ANYBOX should have the Linux box
as its gateway (whether it be the default route or just a subnet
is no matter). If the ANYBOX can not do this, the Linux machine
should do a proxy arp for all routed addresses, but the setup of
proxy arp is beyond the scope of the document.

The following is an excerpt from a post on comp.os.linux.networking which
has been edited to match the names used in the above example:

 >- I tell machine ANYBOX that my slipped linux box is its gateway.
 >- When a packet comes into the linux box from ANYBOX, it will assign it a
 >	new source port number, and slap its own ip address in the packet
 >	header, saving the originals.  It will then send the modified packet
 >	out over the SLIP/or/PPP interface to the Internet.
 >- When a packet comes from the Internet to the linux box, if the port
 >	number is one of those assigned above, it will get the original
 >	port and ip address, put them back in the packet header, and send the
 >	packet to ANYBOX.
 >- The host that sent the packet will never know the difference.

-=-

Q: Can ip_masquerade provide a networked connection to an ethernet?
A: Yes.  In the above example simply replace modem2 with eth0 and you can
feed multiple ANYBOXes.  Each ANYBOX will have to have its own IP address.

-=-

Q: What is involved in getting ethernet masquerading setup once the kernel is
patched, recompiled and installed?
A: Assuming that your Linux is connected to the net, it is fairly simple:
	1. ifconfig your ethernet connected to the subnet to 192.168.1.1
	2. route to the subnet machines either individually using
	   192.168.1.2 to 254 or as a single network entry using 192.168.1.0
	3. Tell the kernel to masquerade for the subnet with ipfw. (see below)
	4. Setup the machine(s) on the subnet to use 192.168.1.1 as their
	   gateway address

-=-

Q: What versions of Linux kernels is ip_masquerade available for?
A: There is a patch for the 1.2.n kernel.  It may not work with kernel 1.2.0
which is reported to not have the ip_firewalling option working.  It has
been tested and does work properly with 1.2.13 (the current version)

   The 1.3.n kernel tree has ip_firewalling built in.  It also includes a
major change over the 1.2.n patch in that it will allow masqueraded machines
to use FTP without using PASV mode.   DON'T PATCH 1.3.n with 1.2.n's patch!

-=-

Q: What options do I need to turn ON to have ip_masquerading work?
A: ip_firewalling, ip_masquerading, and ip_forwarding

-=-

Q: What do I use to configure ip_masquerading once it is compiled into the
kernel?
A: To configure ip_masquerading use the program ipfw (from the net-tools
package).  Net-tools can be obtained by anonymous ftp from sunsite.unc.edu
under /pub/Linux/system/Network/sunacm/NetTools/net-tools-1.2.0.tar.gz . 
You can also get precompiled binaries of ipfw for 1.2.n on ftp.eves.com in
/pub/masq and on http://www.indyramp.com/masq

-=-

Q: What is the ipfw command line to configure ip_masquerade?
A: The format is:

ipfw a m all from xxx.xxx.xxx.xxx/yy to 0.0.0.0/0

where xxx.xxx.xxx.xxx is the FAKE ip address and yy is a number according to
the following:

netmask  	yy
===================
255.0.0.0 	8
255.255.0.0	16
255.255.255.0 	24
255.255.255.255 32  (pointopoint)


Quoting Pauline Middelink:
yy is the number of 1-bits in the netmask used by the host's subnet.
It can be any number. The author herself uses 22 for example.
(netmask 255.255.224.0 - 4 C-nets)

-=-

Q: How do I make sure that my FAKE IP addresses never make it onto the
Internet?
A: You can use ipfw to check activity on the device that you use to
communicate with the Internet.

Quoted from a post on the masq@eves.com mailing list (unedited):

>Protect yourself from accidently forwarding straight off the LAN to the WAN.
>/sbin/ipfw add blocking deny all iface ${WAN_PORT_IP} from ${LAN_NET}/${BITS} to 0/0
>
>Another, more encompassing and safer method might be to:
>/sbin/ipfw ad bl deny all iface ${WAN_PORT_IP} from 0/0 to 0/0
>/sbin/ipfw ad bl accept all iface ${WAN_PORT_IP} from ${WAN_PORT_IP} to 0/0
>/sbin/ipfw ad bl accept all iface ${WAN_PORT_IP} from 0/0 to ${WAN_PORT_IP}
>
> Use deny instead of reject to block out your LAN.  The reason for this
>is that someone may be able to determine some data on your LAN by
>probing for commonly used addresses and checking to see if any one of
>them gets a connection or a connect refused.  Deny simply and quietly
>refuses to listen to the packets which gives no one any info.  Under
>normal circumstances, your firewall should drop anything that is not
>directed at its own IP and reject anything directed to its own ip that
>you don't want to look like there is a real service to talk to.

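The port-keyed rewrite described in the "How does it work?" excerpt above, together with the intent of the WAN-interface blocking rules just quoted, as a small Python model.  This is an added example, not the ip_masquerade kernel code or part of the FAQ; the router's WAN address 203.0.113.5, the remote host 198.51.100.7 and the packets are constructed stand-ins (the FAQ's 111.222.333.444 is not a parseable address).

```python
"""Toy model of ip_masquerade: outbound rewrite, inbound restore, and a
WAN egress check.  Constructed example; the addresses 203.0.113.5 and
198.51.100.7 are stand-ins, not values from the FAQ or the kernel."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for ICMP: nothing to key the table on
    dst: str
    dport: Optional[int]

class Masquerader:
    """Rewrite table: (proto, masq port) -> (original src ip, original sport)."""
    def __init__(self, wan_ip: str, first_port: int = 61000):
        self.wan_ip, self.next_port, self.table = wan_ip, first_port, {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: assign a fresh port, stamp our address, save originals."""
        if pkt.sport is None:
            raise ValueError("ICMP cannot be masqueraded: no port to track")
        mport, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, mport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=mport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: if the port is one we assigned, put the original
        address/port back; otherwise None (the packet is for the router itself)."""
        orig = self.table.get((pkt.proto, pkt.dport))
        if pkt.dst != self.wan_ip or orig is None:
            return None
        return replace(pkt, dst=orig[0], dport=orig[1])

def wan_egress_allowed(pkt: Packet, wan_ip: str) -> bool:
    """Intent of the 'more encompassing' blocking rules on the WAN iface:
    deny everything except traffic from or to the router's own address, so a
    LAN packet that somehow escaped masquerading is dropped silently."""
    return wan_ip in (pkt.src, pkt.dst)

def demo():
    nat = Masquerader("203.0.113.5")
    # constructed: ANYBOX (192.168.1.100) telnets to a remote host
    out = nat.outbound(Packet("tcp", "192.168.1.100", 1025, "198.51.100.7", 23))
    back = nat.inbound(Packet("tcp", "198.51.100.7", 23, out.src, out.sport))
    unmasked = Packet("tcp", "192.168.1.100", 1025, "198.51.100.7", 23)
    return out, back, wan_egress_allowed(out, nat.wan_ip), wan_egress_allowed(unmasked, nat.wan_ip)
```

Running `demo()` shows the outbound packet leaving with the router's address and port 61000, the reply restored to 192.168.1.100:1025, and the un-masqueraded copy failing the egress check.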
-=-

Q: Can I just pick ANY address for my fake IPs?
A: There is an RFC (#1597) on which IP addresses are to be used on a
non-connected network.  There are 3 blocks of numbers set aside specifically
for this purpose.  One which I use is 255 Class-C subnets at 192.168.1.n
to 192.168.255.n .

Quoted from a post on the masq@eves.com mailing list (unedited):
>From RFC 1597:
>
>3. Private Address Space
>
>   The Internet Assigned Numbers Authority (IANA) has reserved the
>   following three blocks of the IP address space for private networks:
>
>        10.0.0.0        -   10.255.255.255
>        172.16.0.0      -   172.31.255.255
>        192.168.0.0     -   192.168.255.255
>
>   We will refer to the first block as "24-bit block", the second as
>   "20-bit block", and to the third as "16-bit" block.  Note that the
>   first block is nothing but a single class A network number, while the
>   second block is a set of 16 contiguous class B network numbers, and
>   third block is a set of 255 contiguous class C network numbers.

-=-

Q: What will and won't work over an ip_masquerade connection?
A: Telnet and http work.  Ping will not work because it uses ICMP which 
cannot be masqueraded because it doesn't use ports.  Ftp (and talk) will 
work when the kernel replaces the occurrences of the foreign IP-address 
out of the datastream with its own address (and newly assigned port).

Note: it is possible to get FTP to work if the client can force the server
into PASV mode.  Talk has no options and can not be made to work yet.

Note: kernels since 1.3.39 have had the masq code changed to allow ftp
without using PASV mode.  This may contribute to masq server's system 
overhead if a lot of traffic is passed through the masq connection. (the
increase in overhead has not been confirmed)

Note: One thing that also will not work is /DCC SEND and /DCC RECEIVE on IRC
clients as they have the same problem that FTP has. (not confirmed)

Quoting an excerpt of email from Pauline Middelink (unedited):

>Only for PORTed protocols, like TCP or UDP. ICMP will not
>(and can not) work. Furthermore, the current implementation does
>not work for TALK and/or FTP, since those 2 thingies send over their
>*own* address, and since the information in the data will not be changed
>by the proxy... it won't work. (that part of the patch is in the works)

-=-

Q: Where can I get help with ip_masquerade on the Internet?
A: If you get stuck, or would like to learn more before experimenting with
masquerade, visit http://www.indyramp.com/masq for information on the masq
mailing list.  There are also several (myself included) on 
comp.os.linux.networking who respond to questions about masquerade.


============================================================================
EOF