*** File 'ip_masquerade.faq'

==========================================================================

This document is an UNOFFICIAL FAQ about ip_masquerade for Linux

Copyright (C) 1995 Ken Eves - May be freely distributed but not modified.
You have permission to use any information in this document in your works.

Last Revised 01/07/1996

This document is NOT an official Linux FAQ. It was prepared by someone
who is NOT an authority on Linux, or IP networking. It is AS-IS and most
likely contains errors.

This document's home is at ftp.eves.com in /pub/masq, and is also
available on http://www.indyramp.com .

Many thanks to those who contributed to this document with posts on the
masq@eves.com mailing list (not running) and comp.os.linux.networking !!!

Ken Eves and Eves Internet Consulting accept NO LIABILITY for any damages,
lack of sleep, or downtime caused by using this information.

ip_masquerade was written and is copyrighted by Pauline Middelink

==========================================================================

Q: What is ip_masquerade?

A: ip_masquerade is an addition to the kernel networking code in Linux.
   It is designed to allow systems that do not have an assigned IP address
   on the Internet to interact with the Internet via a Linux host. The
   Linux host is the box running ip_masquerade.

-=-

Q: How does it work?

A: Here is a drawing of the most simple setup:

      SLIP/PPP          +-----------------+                 +---------------+
      to provider       |      Linux      |    SLIP/PPP     |    Anybox     |
      <--------- modem1 |                 | modem2 -------- modem           |
                        | 111.222.333.444 |                 | 192.168.1.100 |
                        +-----------------+                 +---------------+

   In the above drawing a Linux box with ip_masquerading installed and
   running is connected to the Internet via SLIP or PPP using modem1. It
   has an assigned IP address of 111.222.333.444. It is set up so that
   modem2 allows callers to log in and start a SLIP or PPP connection.
   The second system (which doesn't have to be running Linux) calls into
   the Linux box and starts a SLIP or PPP connection.
   It does NOT have an assigned IP address on the Internet, so it uses
   192.168.1.100 (see below). With ip_masquerade and the routing
   configured properly, the machine Anybox can interact with the Internet
   as if it were really connected (with a few exceptions).

   Quoting Pauline Middelink (unedited):

   Do not forget to mention the ANYBOX should have the Linux box as its
   gateway (whether it be the default route or just a subnet is no
   matter). If the ANYBOX can not do this, the Linux machine should do a
   proxy arp for all routed addresses, but the setup of proxy arp is
   beyond the scope of the document.

   The following is an excerpt from a post on comp.os.linux.networking
   which has been edited to match the names used in the above example:

   >- I tell machine ANYBOX that my slipped linux box is its gateway.
   >- When a packet comes into the linux box from ANYBOX, it will assign it
   >  a new source port number, and slap its own ip address in the packet
   >  header, saving the originals. It will then send the modified packet
   >  out over the SLIP/or/PPP interface to the Internet.
   >- When a packet comes from the Internet to the linux box, if the port
   >  number is one of those assigned above, it will get the original
   >  port and ip address, put them back in the packet header, and send the
   >  packet to ANYBOX.
   >- The host that sent the packet will never know the difference.

-=-

Q: Can ip_masquerade provide a networked connection to an ethernet?

A: Yes. In the above example simply replace modem2 with eth0 and you can
   serve multiple ANYBOXes. Each ANYBOX will have to have its own IP
   address.

-=-

Q: What is involved in getting ethernet masquerading set up once the
   kernel is patched, recompiled and installed?

A: Assuming that your Linux is connected to the net, it is fairly simple:

   1. ifconfig your ethernet connected to the subnet to 192.168.1.1
   2. route to the subnet machines either individually using 192.168.1.2
      to 254 or as a single network entry using 192.168.1.0
   3. Tell the kernel to masquerade for the subnet with ipfw. (see below)
   4. Set up the machine(s) on the subnet to use 192.168.1.1 as their
      gateway address

-=-

Q: What versions of Linux kernels is ip_masquerade available for?

A: There is a patch for the 1.2.n kernel. It may not work with kernel
   1.2.0, which is reported to not have the ip_firewalling option
   working. It has been tested and does work properly with 1.2.13 (the
   current version).

   The 1.3.n kernel tree has ip_firewalling built in. It also includes a
   major change over the 1.2.n patch in that it will allow masqueraded
   machines to use FTP without using PASV mode.

   DON'T PATCH 1.3.n with 1.2.n's patch!

-=-

Q: What options do I need to turn ON to have ip_masquerading work?

A: ip_firewalling, ip_masquerading, and ip_forwarding

-=-

Q: What do I use to configure ip_masquerading once it is compiled into
   the kernel?

A: To configure ip_masquerading use the program ipfw (from the net-tools
   package). Net-tools can be obtained by anonymous ftp from
   sunsite.unc.edu under
   /pub/Linux/system/Network/sunacm/NetTools/net-tools-1.2.0.tar.gz .
   You can also get precompiled binaries of ipfw for 1.2.n on
   ftp.eves.com in /pub/masq and on http://www.indyramp.com/masq

-=-

Q: What is the ipfw command line to configure ip_masquerade?

A: The format is:

      ipfw a m all from xxx.xxx.xxx.xxx/yy to 0.0.0.0/0

   where xxx.xxx.xxx.xxx is the FAKE ip address and yy is a number
   according to the following:

      netmask            yy
      ======================
      255.0.0.0           8
      255.255.0.0        16
      255.255.255.0      24
      255.255.255.255    32   (pointopoint)

   Quoting Pauline Middelink:

   yy is the number of 1-bits in the netmask used by the host's subnet.
   It can be any number. The author herself uses 22 for example.
   (netmask 255.255.224.0 - 4 C-nets)

-=-

Q: How do I make sure that my FAKE IP addresses never make it onto the
   Internet?

A: You can use ipfw to check activity on the device that you use to
   communicate with the Internet.
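An added example, not code from the FAQ, from net-tools or from the kernel: a small Python model of two things described above. The first part replays the source port and address rewriting from the "How does it work" answer on constructed packets, and refuses ICMP, which has no ports to rewrite. The second part turns a dotted netmask into the yy bit count from the table, checks that the chosen fake network lies inside one of the three reserved private blocks, and builds the ipfw masquerade rule line. The class and function names, the outside port range and every address other than the FAQ's own 111.222.333.444 and 192.168.1.x are assumptions made for this illustration.

```python
"""Toy model of ip_masquerade port rewriting plus the netmask -> yy helper
behind the ipfw rule.  Added illustration, not FAQ/net-tools/kernel code;
names, port range and sample packets are assumptions."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"      # ICMP has no ports, so it cannot be masqueraded


class Masquerader:
    """The Linux box: one real address plus a table of the saved originals."""

    def __init__(self, public_ip, first_port=60000, last_port=65095):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))   # assumed range
        self.table = {}     # assigned outside port -> (orig src_ip, orig src_port)

    def outbound(self, pkt):
        """ANYBOX -> Internet: new source port, own address, originals saved."""
        if pkt.proto not in ("tcp", "udp"):
            raise ValueError("only ported protocols (TCP/UDP) can be masqueraded")
        orig = (pkt.src_ip, pkt.src_port)
        for port, saved in self.table.items():
            if saved == orig:           # same inside endpoint keeps its port
                return replace(pkt, src_ip=self.public_ip, src_port=port)
        port = self.free_ports.pop(0)
        self.table[port] = orig
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Internet -> Linux box: if the port is one we assigned, put the
        original address and port back; otherwise it is not a masqueraded reply."""
        saved = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or saved is None:
            return None
        return replace(pkt, dst_ip=saved[0], dst_port=saved[1])


def round_trip():
    """ANYBOX (192.168.1.100) talks to a web server; the reply comes back."""
    linux = Masquerader("111.222.333.444")     # the FAQ's illustrative address
    out = linux.outbound(Packet("192.168.1.100", 1025, "198.51.100.7", 80))
    reply = Packet("198.51.100.7", 80, out.src_ip, out.src_port)   # constructed
    return out, linux.inbound(reply)


def icmp_is_refused():
    """A ping from ANYBOX carries no ports, so the masquerader refuses it."""
    try:
        Masquerader("111.222.333.444").outbound(
            Packet("192.168.1.100", 0, "198.51.100.7", 0, proto="icmp"))
    except ValueError:
        return True
    return False


# --- the ipfw rule: netmask -> yy, private-block check, rule text ---------
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1597


def mask_bits(netmask):
    """yy = number of 1-bits in the netmask; they must be contiguous from the left."""
    value = int(ipaddress.IPv4Address(netmask))
    bits = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {netmask}")
    return bits


def is_private_net(fake_net, netmask):
    """True when the whole fake network lies inside one RFC 1597 block."""
    net = ipaddress.ip_network(f"{fake_net}/{mask_bits(netmask)}", strict=False)
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def masq_rule(fake_net, netmask):
    """Build the FAQ's line: ipfw a m all from xxx.xxx.xxx.xxx/yy to 0.0.0.0/0"""
    if not is_private_net(fake_net, netmask):
        raise ValueError(f"{fake_net} is not in a private block; pick one from RFC 1597")
    return f"ipfw a m all from {fake_net}/{mask_bits(netmask)} to 0.0.0.0/0"


if __name__ == "__main__":
    print(round_trip())
    print(masq_rule("192.168.1.0", "255.255.255.0"))
```

Running the file prints the rewritten outbound packet, the restored reply, and the rule for the FAQ's 192.168.1.0 subnet. mask_bits rejects a netmask whose 1-bits are not contiguous, which is exactly the case the yy shorthand cannot express, and masq_rule refuses a fake network outside the reserved blocks before the rule ever reaches the kernel.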
   Quoted from a post on the masq@eves.com mailing list (unedited):

   >Protect yourself from accidentally forwarding straight off the LAN to the WAN.
   >/sbin/ipfw add blocking deny all iface ${WAN_PORT_IP} from ${LAN_NET}/${BITS} to 0/0
   >
   >Another, more encompassing and safer method might be to:
   >/sbin/ipfw ad bl deny all iface ${WAN_PORT_IP} from 0/0 to 0/0
   >/sbin/ipfw ad bl accept all iface ${WAN_PORT_IP} from ${WAN_PORT_IP} to 0/0
   >/sbin/ipfw ad bl accept all iface ${WAN_PORT_IP} from 0/0 to ${WAN_PORT_IP}
   >
   >  Use deny instead of reject to block out your LAN. The reason for this
   >is that someone may be able to determine some data on your LAN by
   >probing for commonly used addresses and checking to see if any one of
   >them gets a connection or a connect refused. Deny simply and quietly
   >refuses to listen to the packets which gives no one any info. Under
   >normal circumstances, your firewall should drop anything that is not
   >directed at its own IP and reject anything directed to its own ip that
   >you don't want to look like there is a real service to talk to.

-=-

Q: Can I just pick ANY address for my fake IPs?

A: There is an RFC (#1597) on which IP addresses are to be used on a
   non-connected network. There are 3 blocks of numbers set aside
   specifically for this purpose. One which I use is 255 Class-C subnets
   at 192.168.1.n to 192.168.255.n .

   Quoted from a post on the masq@eves.com mailing list (unedited):

   >From RFC 1597:
   >
   >3. Private Address Space
   >
   >   The Internet Assigned Numbers Authority (IANA) has reserved the
   >   following three blocks of the IP address space for private networks:
   >
   >        10.0.0.0    -   10.255.255.255
   >        172.16.0.0  -   172.31.255.255
   >        192.168.0.0 -   192.168.255.255
   >
   >   We will refer to the first block as "24-bit block", the second as
   >   "20-bit block", and to the third as "16-bit" block.
   >   Note that the first block is nothing but a single class A network
   >   number, while the second block is a set of 16 contiguous class B
   >   network numbers, and the third block is a set of 255 contiguous
   >   class C network numbers.

-=-

Q: What will and won't work over an ip_masquerade connection?

A: Telnet and http work.

   Ping will not work because it uses ICMP, which cannot be masqueraded
   because it doesn't use ports.

   Ftp (and talk) will work when the kernel replaces the occurrences of
   the foreign IP address in the datastream with its own address (and
   newly assigned port).

   Note: it is possible to get FTP to work if the client can force the
   server into PASV mode. Talk has no options and can not be made to
   work yet.

   Note: kernels since 1.3.39 have had the masq code changed to allow ftp
   without using PASV mode. This may contribute to the masq server's
   system overhead if a lot of traffic is passed through the masq
   connection. (the increase in overhead has not been confirmed)

   Note: One thing that also will not work is /DCC SEND and /DCC RECEIVE
   on IRC clients, as they have the same problem that FTP has. (not
   confirmed)

   Quoting an excerpt of email from Pauline Middelink (unedited):

   >Only for PORTed protocols, like TCP or UDP. ICMP will not
   >(and can not) work. Furthermore, the current implementation does
   >not work for TALK and/or FTP, since those 2 thingies send over their
   >*own* address, and since the information in the data will not be changed
   >by the proxy... it won't work. (that part of the patch is in the works)

-=-

Q: Where can I get help with ip_masquerade on the Internet?

A: If you get stuck, or would like to learn more before experimenting
   with masquerade, visit http://www.indyramp.com/masq for information
   on the masq mailing list. There are also several (myself included) on
   comp.os.linux.networking who respond to questions about masquerade.

============================================================================
EOF