
2. Background Knowledge

2.1 What is IP Masquerade?

IP Masquerade is a networking function in Linux similar to the one-to-many NAT (Network Address Translation) found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to reach the Internet as well. Linux IP Masquerading provides this functionality even though these internal machines don't have officially assigned IP addresses.

MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, all this outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation to create a VERY secure networking environment. With a well built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult.

If you would like to know more on how MASQ differs from 1:1 NAT and Proxy solutions, please see the what-is-masq FAQ entry.

2.2 Current Status

IP Masquerade has been out for several years now and is fairly mature as Linux enters the 2.2.x kernel stage. Kernels since Linux 1.3.x have had MASQ support built-in. Today many individuals and commercial businesses are using it with excellent results.

Common network uses like Web browsing, TELNET, FTP, PING, TRACEROUTE, etc. work well over IP Masquerade. Other communications such as FTP, IRC, and Real Audio work well with the appropriate IP MASQ modules loaded. Other network-specific programs like streaming audio (MP3s, True Speech, etc.) work too. Some fellow users on the mailing list have even had good results with video conferencing software.

It should also be noted that running IP Masquerade with only ONE network card (NIC) to MASQ between internal and external Ethernet networks is NOT recommended. Please see the aliasing FAQ section for full details.

Anyway, please refer to Supported Client Software section for a more complete listing of software supported.

IP Masquerade works well as a server to other 'client machines' running various different OS and hardware platforms. There are successful cases with internal MASQed systems using:

  • Unix: Sun Solaris, *BSD, Linux, Digital UNIX, etc.
  • Microsoft Windows 2000, NT (3.x and 4.x), 95/98/ME, Windows for Workgroups (with the TCP/IP package)
  • IBM OS/2
  • Apple Macintosh MacOS machines running either MacTCP or Open Transport
  • DOS-based systems with packet drivers and the NCSA Telnet package
  • VAXen
  • Compaq/Digital Alpha running Linux and NT
  • even Amiga computers with AmiTCP or AS225-stack.

The list goes on and on but the point is, if your OS platform talks TCP/IP, it should work with IP Masquerade!

2.3 Who Can Benefit From IP Masquerade?

  • If you have a Linux host connected to the Internet and
  • if you have some computers running TCP/IP connected to a Linux box on a local subnet, and/or
  • if your Linux host has more than one modem and acts as a PPP or SLIP server connecting other computers, where
  • those OTHER machines do not have official or public assigned IP addresses (i.e. they are addressed with private TCP/IP numbers).
  • And of course, if you want those OTHER machines to communicate with the Internet without spending extra money to get additional Public / Official TCP/IP addresses from your ISP and either configuring Linux to be a router or purchasing an external router.

2.4 Who Doesn't Need IP Masquerade?

  • If your machine is a stand-alone Linux host connected to the Internet (though setting up a firewall is a good idea), or
  • if you already have multiple assigned public addresses for your OTHER machines, and
  • of course, if you don't like the idea of a 'free ride' using Linux and feel more comfortable using expensive commercial tools to do the exact same thing.

2.5 How does IP Masquerade Work?

From the original IP Masquerade FAQ by Ken Eves:

  Here is a drawing of the most simple setup:

   SLIP/PPP         +------------+                         +-------------+
   to ISP provider  |  Linux     |         SLIP/PPP        | Anybox      |
  <---------- modem1|    #1      |modem2 ----------- modem3|             |
    111.222.121.212 |            |           192.168.0.100 |             |
                    +------------+                         +-------------+

    In the above drawing, a Linux box with IP_MASQUERADING is installed as
  Linux #1 and is connected to the Internet via SLIP/or/PPP using modem1.  It has
  an assigned public IP address of 111.222.121.212.  It also has modem2 connected
  to allow callers to dial-in and start a SLIP/or/PPP connection.  

    The second system (which doesn't have to be running Linux) calls into the
  Linux #1 box and starts a SLIP/or/PPP connection.  It does NOT have a publicly
  assigned IP address from the Internet so it uses the private address
  192.168.0.100. (see below for more info)

    With IP Masquerade and the routing configured properly, the machine
  "Anybox" can interact with the Internet as if it was directly connected to the
  Internet (with a few small exceptions).

Quoting Pauline Middelink:

  Do not forget to mention that the "ANYBOX" machine should have the
  Linux #1 box configured as its gateway (whether it be the default route or just
  a subnet is no matter). If the "ANYBOX" machine can not do this, the Linux
  machine should be configured to support proxy arp for all routed addresses. But,
  the setup and configuration of proxy arp is beyond the scope of the document.

The following is an excerpt from a previous post on comp.os.linux.networking which
has been edited to match the names used in the above example:

   o I tell machine ANYBOX that my PPP or SLIPed Linux box is its gateway.
   o When a packet comes into the Linux box from ANYBOX, it will assign it 
     a new TCP/IP source port number and slap its own IP address in the packet
     header, saving the originals.  The MASQ server will then send the modified 
     packet out over the SLIP/PPP interface to the Internet.
   o When a packet returns from the Internet to the Linux box, Linux examines 
     if the port number is one of those ports that was assigned above.  If so, the
     MASQ server will get the original port and IP address, put them back in the 
     returned packet header, and send the packet to ANYBOX.
   o The host that sent the packet will never know the difference. 

Another IP Masquerading Example:

A typical example is given in the diagram below:


    +----------+
    |          |  Ethernet
    | A-box    |::::::
    |          |.2   : 192.168.0.x
    +----------+     :
                     :      +----------+   PPP   
    +----------+     :   .1 |  Linux   |   link
    |          |     :::::::| Masq-Gate|:::::::::::::::::::// Internet
    | B-box    |::::::      |          |  111.222.121.212
    |          |.3   :      +----------+
    +----------+     :
                     :
    +----------+     :
    |          |     :
    | C-box    |::::::
    |          |.4    
    +----------+  
                
    |                       |          |
    | <-Internal Network--> |          | <- External Network ---->
    |                       |          |

In this example, there are four computer systems that we are concerned about. There is also presumably something on the far right that your PPP connection to the Internet comes through (terminal server, etc.), and some remote host (very far off to the right of the page) out on the Internet that you are interested in communicating with. The Linux system Masq-Gate is the IP Masquerading gateway for ALL of the internal network of machines A-box, B-box and C-box to get to the Internet. The internal network uses one of the RFC-1918 private network addresses, in this case the Class-C network 192.168.0.0. The Linux box has the TCP/IP address 192.168.0.1 while the other systems have the addresses:

  • A-Box: 192.168.0.2
  • B-Box: 192.168.0.3
  • C-Box: 192.168.0.4

The three machines, A-box, B-box and C-box, can be running any operating system as long as they can speak TCP/IP. OSes such as Windows 95, Macintosh MacTCP or OpenTransport, or even another Linux box can connect to other machines on the Internet. When running, the masquerading system, Masq-Gate, converts all of these internal connections so that they appear to originate from Masq-Gate itself. MASQ then arranges for data coming back in to a masqueraded connection to be relayed back to the proper originating system. Because of this, the systems on the internal network see a direct route to the Internet and are unaware that their data is being masqueraded. This is called a "Transparent" connection.
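The rewrite-and-restore procedure from the comp.os.linux.networking excerpt above, and the Masq-Gate example, as an added simulation in Python (example code written for this page, not part of the HOWTO or the kernel): a masquerade table hands each outgoing internal connection a fresh port on the gateway, saves the original address and port, and reverses the translation only for replies that match a saved entry. The gateway address and the 192.168.0.x hosts come from the diagrams; the 61000-65095 port range and the simplified packet fields are assumptions of this example.

```python
from dataclasses import dataclass, replace

GATEWAY_IP = "111.222.121.212"   # Masq-Gate's public address from the HOWTO diagram


@dataclass(frozen=True)
class Packet:
    """The header fields the masquerading code rewrites (constructed, simplified)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqTable:
    """Maps each (internal source, remote destination) pair to a gateway port."""

    # The port range is an assumption for this example, chosen to mimic a
    # dedicated masquerade range so services on the gateway itself are never shadowed.
    def __init__(self, gateway_ip=GATEWAY_IP, first_port=61000, last_port=65095):
        self.gateway_ip = gateway_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> masq port
        self.inbound = {}   # masq port -> (src_ip, src_port, dst_ip, dst_port)

    def outgoing(self, pkt):
        """Internal -> Internet: assign a gateway port, save the originals,
        and stamp the gateway's own address and port into the header."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("masquerade port range exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.gateway_ip, src_port=port)

    def incoming(self, pkt):
        """Internet -> internal: restore the saved address and port, or return
        None (drop) when the port was never handed out or the reply comes from a
        different remote host than the entry was created for. That check is what
        keeps unsolicited connections from reaching the internal network."""
        key = self.inbound.get(pkt.dst_port)
        if key is None or (pkt.src_ip, pkt.src_port) != key[2:]:
            return None
        return replace(pkt, dst_ip=key[0], dst_port=key[1])
```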

NOTE: Please see the FAQ for more details on topics such as:

  • The differences between NAT, MASQ, and Proxy servers.
  • How packet firewalls work

2.6 Requirements for IP Masquerade on Linux 2.2.x

** Please refer to IP Masquerade Resource for the latest information. **

2.7 Requirements for IP Masquerade on Linux 2.3.x and 2.4.x

** Please refer to IP Masquerade Resource for the latest information. **

  • The newest 2.3.x and 2.4.x kernels are now using a completely new system called NetFilter (much like the 2.2.x kernels went to IPCHAINS). Fortunately, unlike the migration to IPCHAINS, the new NetFilter tool has kernel modules that can NATIVELY support both IPCHAINS and IPFWADM syntax, so re-writing your old script is not required. There might be several benefits to doing a re-write (speed, new features, etc.), but that depends on how good your old rulesets were. Many architectural changes have gone into this new code that will give the user a lot more flexibility, future features, etc.

    Some of the new functionality includes the following pros and cons:

    PROs:

    • Offers TRUE 1:1 NAT functionality for those who have TCP/IP subnets to play with
    • Built-in PORT Forwarding which makes IPMASQADM no longer required
    • The new built-in PORTFWing ability works for both external and internal traffic. This means that users using PORTFW for external traffic and REDIR for internal redirection don't have to use two tools any more!
    • Full Policy-Based routing features (source-based TCP/IP address routing)
    • Compatibility with Linux's FastRoute feature for significantly faster packet forwarding (a.k.a. Linux network switching)
    • Fully supports TCP/IP v4, v6, and even DECnet (ack!)
    • Supports wildcard interface names like ppp* for PPP0, PPP1, etc
    • Supports filtering on both input and output INTERFACES
    • Ethernet MAC filtering
    • Denial of Service (DoS) packet rate limiting
    • Very simple and generic Stateful-like inspection functionality
    • Packet REJECTs now have user-selectable return ICMP messages
    • Variable levels of logging (different packets can go to different SYSLOG levels)

    CONs:

    • Because Netfilter is an entirely new architecture, most of the old MASQ kernel modules need to be re-written. So far only the FTP module has been updated; the following modules remain to be re-written:

      ip_masq_cuseeme.o ip_masq_icq.o ip_masq_quake.o ip_masq_user.o ip_masq_irc.o ip_masq_raudio.o ip_masq_vdolive.o

      There is documentation on how to do this porting at http://netfilter.kernelnotes.org/unreliable-guides/netfilter-hacking-HOWTO-5.html. If you have the time, your talent would be highly appreciated to get these ported over quickly.

    As of this version of the HOWTO, Netfilter is NOT covered. Once the feature set of NetFilter is settled, it will be added to -this- HOWTO or possibly a new HOWTO. Until then, please see the following links for the available NetFilter documentation. As it stands, the new NetFilter code will share 95% of the same setup and troubleshooting issues that IPCHAINS users have today. Because of this, this HOWTO is still very relevant for NetFilter firewall and NAT users.

    http://netfilter.filewatcher.org/unreliable-guides/index.html and more specifically http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO.html

Please see the IP Masquerade Resource page for more information available on these patches and possibly others as well.

2.8 Requirements for IP Masquerade on Linux 2.0.x

** Please refer to IP Masquerade Resource for the latest information. **
