<HTML><HEAD><TITLE>IP Masquerade and Network Address Translation</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.57">
<LINK REL="HOME" TITLE="Linux Network Administrators Guide" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Passive Collection of Accounting Data" HREF="x-087-2-accounting.passive.collection.html">
<LINK REL="NEXT" TITLE="Side Effects and Fringe Benefits" HREF="x-087-2-masq.side.effects.html">
</HEAD>
<BODY CLASS="CHAPTER" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Linux Network Administrators Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="x-087-2-accounting.passive.collection.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="x-087-2-masq.side.effects.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%"></DIV>
<DIV CLASS="CHAPTER">
<H1><A NAME="X-087-2-IPMASQ">Chapter 11. IP Masquerade and Network Address Translation</A></H1>
<DIV CLASS="TOC"><DL>
<DT><B>Table of Contents</B></DT>
<DT>11.1. <A HREF="x-087-2-masq.side.effects.html">Side Effects and Fringe Benefits</A></DT>
<DT>11.2. <A HREF="x-087-2-masq.kernel.config.html">Configuring the Kernel for IP Masquerade</A></DT>
<DT>11.3. <A HREF="x-087-2-masq.configuration.html">Configuring IP Masquerade</A></DT>
<DT>11.4. <A HREF="x-087-2-masq.namelookups.html">Handling Name Server Lookups</A></DT>
<DT>11.5. <A HREF="x9803.html">More About Network Address Translation</A></DT>
</DL></DIV
><P>You don't have to have a good memory to remember a time when only large organizations could afford to have a number of computers networked together by a LAN. Today network technology has dropped so much in price that two things have happened. First, LANs are now commonplace, even in many household environments; certainly many Linux users will have two or more computers connected by some Ethernet. Second, network resources, particularly IP addresses, have become scarce, and while they used to be free, they are now being bought and sold.</P
><P>Most people with a LAN will probably also want an Internet connection that every computer on the LAN can use. The IP routing rules are quite strict in how they deal with this situation: a host can only exchange datagrams with the Internet if it has an address that the rest of the Internet can route to. Traditional solutions to this problem would have involved requesting an IP network address, perhaps a class C address for small sites, assigning each host on the LAN an address from this network, and using a router to connect the LAN to the Internet.</P
><P>In a commercialized Internet environment, this is quite an expensive proposition. First, you'd be required to pay for the network address that is assigned to you. Second, you'd probably have to pay your Internet Service Provider for the privilege of having a suitable route to your network put in place so that the rest of the Internet knows how to reach you. This might still be practical for companies, but domestic installations don't usually justify the cost.</P
><P>Fortunately, Linux provides an answer to this dilemma. The answer is one component of a group of advanced networking features called <I CLASS="EMPHASIS">Network Address Translation</I> (NAT). NAT describes the process of modifying the network addresses contained within datagram headers while they are in transit. This might sound odd at first, but we'll show that it is ideal for solving the problem we've just described, one that many have encountered. IP masquerade is the name given to one type of network address translation that allows all of the hosts on a private network to use the Internet at the price of a single IP address.</P
><P>IP masquerading allows you to use a private (reserved) IP network address on your LAN and have your Linux-based router perform some clever, real-time translation of IP addresses and ports. When it receives a datagram from a computer on the LAN, it takes note of the type of datagram it is, “TCP,” “UDP,” “ICMP,” etc., and modifies the datagram so that it looks like it was generated by the router machine itself (and remembers that it has done so, recording the protocol, the original source address and port, and the destination in a table). It then transmits the datagram onto the Internet with its single connected IP address. When the destination host receives this datagram, it believes the datagram has come from the routing host and sends any reply datagrams back to that address. When the Linux masquerade router receives a datagram from its Internet connection, it looks in its table of established masqueraded connections to see if this datagram actually belongs to a computer on the LAN. If it does, the router reverses the modification it made on the forward path and transmits the datagram to the LAN computer; if it does not, the router has no LAN host to deliver it to and the datagram goes no further.</P
><P>A simple example is illustrated in <A HREF="x-087-2-ipmasq.html#X-087-2-MASQUERADE.NET">Figure 11-1</A>.</P>
<DIV CLASS="FIGURE"><A NAME="X-087-2-MASQUERADE.NET"></A>
<P><B>Figure 11-1. A typical IP masquerade configuration</B></P>
<P><IMG SRC="lag2_1101.jpg"></P>
</DIV
><P>We have a small Ethernet network using one of the reserved network addresses. The network has a Linux-based masquerade router providing access to the Internet. One of the workstations on the network (192.168.1.3) wishes to establish a connection to the remote host 209.1.106.178 on port 8888. The workstation routes its datagram to the masquerade router, which identifies this connection request as requiring masquerade services. It accepts the datagram and allocates a port number to use (1035), substitutes its own IP address and port number for those of the originating host, and transmits the datagram to the destination host. The destination host believes it has received a connection request from the Linux masquerade host and generates a reply datagram. The masquerade host, upon receiving this datagram, finds the association in its masquerade table and reverses the substitution it performed on the outgoing datagram. It then transmits the reply datagram to the originating host.</P
><P>The local host believes it is speaking directly to the remote host. The remote host knows nothing about the local host at all and believes it has received a connection from the Linux masquerade host. Only the Linux masquerade host knows that these two hosts are speaking to each other, and on what ports, and it performs the address and port translations necessary to allow communication.</P
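>
<P>The translation just described, and the Figure 11-1 walk-through above, as an added Python model. This is illustration code written for this page, not code from the Network Administrators Guide or from the Linux kernel: it keeps a masquerade table keyed on protocol, addresses and ports, rewrites outgoing datagrams, reverses the rewrite for replies that match a table entry, and refuses inbound datagrams that match nothing. The router's public address 203.0.113.1, the workstation's source port 1500 and the third-party address 198.51.100.7 are assumptions, not values from the text; the masquerade port range is started at 1035 only so the result lines up with the worked example.</P>
```python
"""Toy model of the masquerade (connection) table kept by a Linux
masquerade router, as described in Chapter 11.

Added illustration, not code from the Network Administrators Guide or
from the Linux kernel.  Assumptions (not in the text): the router's public
address 203.0.113.1, the workstation's source port 1500, the third-party
address 198.51.100.7; the masquerade port range starts at 1035 only so the
walk-through matches Figure 11-1.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Datagram:
    """Only the header fields the masquerade code needs.

    For ICMP echo, which has no ports, this model carries the echo
    identifier in sport and sets dport to 0.
    """
    proto: str  # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int


class MasqueradeRouter:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # Forward table: (proto, LAN src, LAN sport, remote dst, dport) -> masquerade port.
        self.forward: Dict[Tuple[str, str, int, str, int], int] = {}
        # Reverse table: (proto, masquerade port, remote src, remote sport) -> (LAN src, LAN sport).
        self.reverse: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        """Hand out the next free masquerade port.

        Simplification: entries never expire, so ports are never recycled;
        a real implementation times out idle entries and reuses their ports.
        """
        if self.next_port > self.last_port:
            raise RuntimeError("masquerade port range exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, d: Datagram) -> Datagram:
        """LAN -> Internet: rewrite source address and port, remembering the mapping."""
        key = (d.proto, d.src, d.sport, d.dst, d.dport)
        port = self.forward.get(key)
        if port is None:
            port = self._allocate_port()
            self.forward[key] = port
            self.reverse[(d.proto, port, d.dst, d.dport)] = (d.src, d.sport)
        return Datagram(d.proto, self.public_ip, port, d.dst, d.dport)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Internet -> LAN: undo the rewrite if, and only if, the table knows this flow.

        The lookup uses the remote host and port as well as the masquerade
        port, so a datagram from some other host aimed at an in-use port does
        not match and None is returned: there is no LAN host to deliver it to.
        """
        entry = self.reverse.get((d.proto, d.dport, d.src, d.sport))
        if entry is None:
            return None
        lan_src, lan_sport = entry
        return Datagram(d.proto, d.src, d.sport, lan_src, lan_sport)


def walk_through():
    """Replays the Figure 11-1 scenario plus two cases the text only implies."""
    router = MasqueradeRouter("203.0.113.1", first_port=1035)

    # 192.168.1.3 opens a TCP connection to 209.1.106.178:8888.
    out = router.outbound(Datagram("TCP", "192.168.1.3", 1500, "209.1.106.178", 8888))
    # The remote host replies to what it believes is the router itself.
    reply = router.inbound(Datagram("TCP", "209.1.106.178", 8888, "203.0.113.1", 1035))
    # A second workstation reuses the same source port and destination;
    # it must get a different masquerade port so the replies stay apart.
    out2 = router.outbound(Datagram("TCP", "192.168.1.4", 1500, "209.1.106.178", 8888))
    # An unsolicited datagram from a third party to the in-use port 1035.
    stray = router.inbound(Datagram("TCP", "198.51.100.7", 4444, "203.0.113.1", 1035))
    return out, reply, out2, stray


if __name__ == "__main__":
    for name, d in zip(("out", "reply", "out2", "stray"), walk_through()):
        print(f"{name:6} {d}")
```
<P>Two points the walk-through alone does not show fall out of running it: a second workstation that happens to use the same source port toward the same destination is given a distinct masquerade port, and a datagram from some other host aimed at an in-use masquerade port does not match the table and is not forwarded into the LAN.</P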
><P>This might all seem a little confusing, and it can be, but it works and is really quite simple to configure. So don't worry if you don't understand all the details yet.</P
></DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="x-087-2-accounting.passive.collection.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="x-087-2-masq.side.effects.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Passive Collection of Accounting Data</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top">&nbsp;</TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Side Effects and Fringe Benefits</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>