403 lines
9.8 KiB
HTML
403 lines
9.8 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>How does IP Masquerade Work?</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux IP Masquerade HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Background Knowledge"
|
|
HREF="ipmasq-background2.0.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Who Doesn't Need IP Masquerade?"
|
|
HREF="ipmasq-background2.4.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Requirements for IP Masquerade on Linux 2.4.x"
|
|
HREF="kernel-2.4.x-requirements.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux IP Masquerade HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="ipmasq-background2.4.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 2. Background Knowledge</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="kernel-2.4.x-requirements.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="IPMASQ-BACKGROUND2.5"
|
|
></A
|
|
>2.5. How does IP Masquerade Work?</H1
|
|
><P
|
|
>Based from the original IP Masquerade FAQ by Ken Eves:
|
|
Here is a drawing of the most simplistic setup:</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>PPP/ETH/etc. +------------+ +-------------+
|
|
to ISP provider | Linux #1 | PPP/ETH/etc. | Anybox |
|
|
| | | |
|
|
<---------- modem1| |modem2 ----------- modem3| |
|
|
| | | |
|
|
111.222.121.212 | | 192.168.0.100 | |
|
|
+------------+ +-------------+</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>
|
|
In the above drawing, a Linux box with IP_MASQUERADING is installed as Linux
|
|
#1 and is connected to the Internet via PPP, Ethernet, etc. It has an
|
|
assigned public IP address of 111.222.121.212. It also has another network
|
|
interface (e.g. modem2) connected to allow incoming network traffic be it
|
|
from a PPP connection, Ethernet connection, etc.</P
|
|
><P
|
|
>The second system (which does not need to be Linux) connects into the
|
|
Linux #1 box and starts its network traffic to the Internet. This second
|
|
machine does NOT have a publicly assigned IP address from the Internet, so it
|
|
uses an
|
|
<A
|
|
HREF="http://www.ietf.org/rfc/rfc1918.txt?number=1918"
|
|
TARGET="_top"
|
|
>RFC1918 private address</A
|
|
>, say 192.168.0.100. (see below for more info)</P
|
|
><P
|
|
> With IP Masquerade and the routing configured properly, this second machine
|
|
"Anybox" can interact with the Internet as if it was directly connected to
|
|
the Internet with a few small exceptions [noted later].</P
|
|
><P
|
|
>Quoting Pauline Middelink (the founder of Linux's IPMASQ):</P
|
|
><P
|
|
>"Do not forget to mention that the "ANYBOX" machine should have the Linux #1
|
|
box configured as its default gateway (whether it be the default route or
|
|
just a subnet is no matter). If the "ANYBOX" machine is connected via a PPP
|
|
or SLIP connection, the Linux #1 machine should be configured to support
|
|
proxy arp for all routed addresses. But, the setup and configuration of
|
|
proxy arp is beyond the scope of this document. Please see the <A
|
|
HREF="http://www.tldp.org/HOWTO/PPP-HOWTO/index.html"
|
|
TARGET="_top"
|
|
>PPP-HOWTO</A
|
|
>
|
|
for more details."</P
|
|
><P
|
|
>The following is an excerpt on how IPMASQ briefly works though this will be
|
|
explained in more detail later. This short text is based from a previous post
|
|
on comp.os.linux.networking which has been edited to match the names used in
|
|
the above example:</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> o I tell machine ANYBOX that my PPP or Ethernet connected Linux box is its
|
|
gateway.
|
|
|
|
o When a packet comes into the Linux box from ANYBOX, it will assign the
|
|
packet to a new TCP/IP source port number and insert its own IP address
|
|
inside the packet header, saving the originals. The MASQ server will
|
|
then send the modified packet over the PPP/ETH interface onto the
|
|
Internet.
|
|
|
|
o When a packet returns from the Internet into the Linux box, Linux
|
|
examines if the port number is one of those ports that was assigned
|
|
above. If so, the MASQ server will then take the original port and
|
|
IP address, put them back in the returned packet header, and send
|
|
the packet to ANYBOX.
|
|
|
|
o The host that sent the packet will never know the difference. </PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
><EM
|
|
>Another IP Masquerading Example:</EM
|
|
></P
|
|
><P
|
|
>A typical example is given in the diagram below:</P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> Ethernet
|
|
192.168.0.x
|
|
+----------+
|
|
| |
|
|
| A-box |::::::
|
|
| |.2 :
|
|
+----------+ :
|
|
: +----------+ PPP/ETH
|
|
+----------+ : .1 | Linux | link
|
|
| | :::::::| Masq-Gate|:::::::::::::::::::>> Internet
|
|
| B-box |:::::: | | 111.222.121.212
|
|
| |.3 : +----------+
|
|
+----------+ :
|
|
:
|
|
+----------+ :
|
|
| | :
|
|
| C-box |::::::
|
|
| |.4
|
|
+----------+
|
|
|
|
|
|
| | | >
|
|
| <-Internal Network--> | | <- External Network ----> >
|
|
| connected via an | | Connected from the >
|
|
| Ethernet hub or | | Linux server to your >
|
|
| switch | | Internet connection ></PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
>In this example, there are (4) computer systems that we are concerned about.
|
|
There is also presumably something on the far right that your PPP/ETH
|
|
connection to the Internet comes through (modem server, DSL DSLAM, Cablemodem
|
|
router, etc.). Out on the Internet, there exists some remote host (very far
|
|
off to the right of the page) that you are interested in communicating with).
|
|
The Linux system named <EM
|
|
><TT
|
|
CLASS="LITERAL"
|
|
>Masq-Gate</TT
|
|
></EM
|
|
> is
|
|
the IP Masquerading gateway for ALL internal networked machines. In this
|
|
example, the machines <EM
|
|
><TT
|
|
CLASS="LITERAL"
|
|
>A-box</TT
|
|
></EM
|
|
>, <EM
|
|
><TT
|
|
CLASS="LITERAL"
|
|
>B-box</TT
|
|
></EM
|
|
>, and <EM
|
|
><TT
|
|
CLASS="LITERAL"
|
|
>C-box</TT
|
|
></EM
|
|
> would have to go through the Masq-Gate to reach the Internet. The
|
|
internal network uses one of several
|
|
<A
|
|
HREF="http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1918.html"
|
|
TARGET="_top"
|
|
>RFC-1918 assigned private network addresses</A
|
|
>, where in this case, would
|
|
be the Class-C network 192.168.0.0. If you aren't familiar with RFC1918, it
|
|
is encouraged to read the first few chapters of the RFC but the jist of it is
|
|
that the TCP/IP addresses 10.0.0.0/8, 172.16-31.0.0/12, and 192.168.0.0/16
|
|
are reserved. When we say "reserved", we mean that anyone can use these
|
|
addresses as long as they aren't routed over the Internet. ISPs are even
|
|
allowed to use this private addressing space as long as they keep these
|
|
addresses within their own networks and NOT advertise them to other ISPs.
|
|
Unfortunately, this isn't always the case but thats beyond the scope of
|
|
this HOWTO.</P
|
|
><P
|
|
>Anyway, the Linux box in the diagram above has the TCP/IP address 192.168.0.1
|
|
while the other systems has the addresses:</P
|
|
><P
|
|
> <P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>A-Box: 192.168.0.2</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>B-Box: 192.168.0.3</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>C-Box: 192.168.0.4</P
|
|
></LI
|
|
></UL
|
|
> </P
|
|
><P
|
|
>The three machines, <TT
|
|
CLASS="LITERAL"
|
|
>A-box</TT
|
|
>, <TT
|
|
CLASS="LITERAL"
|
|
>B-box</TT
|
|
> and
|
|
<TT
|
|
CLASS="LITERAL"
|
|
>C-box</TT
|
|
>, can have any one of several operating systems, just
|
|
as long as they can speak TCP/IP. Some such as <EM
|
|
>Windows
|
|
95</EM
|
|
>, <EM
|
|
>Macintosh MacTCP or OpenTransport </EM
|
|
>, or
|
|
even another <EM
|
|
>Linux box</EM
|
|
> have the ability to connect to
|
|
other machines on the Internet. When running the IP Masquerade, the
|
|
masquerading system or <TT
|
|
CLASS="LITERAL"
|
|
>MASQ-gate</TT
|
|
> converts all of these
|
|
internal connections so that they appear to originate from the
|
|
<TT
|
|
CLASS="LITERAL"
|
|
>masq-gate</TT
|
|
> itself. MASQ then arranges so that the data
|
|
coming back to a masqueraded connection is relayed to the proper originating
|
|
system. Therefore, the systems on the internal network are only able to see
|
|
a direct route to the internet and are unaware that their data is being
|
|
masqueraded. This is called a "Transparent" connection.</P
|
|
><P
|
|
>NOTE: Please see <A
|
|
HREF="faq.html"
|
|
>Chapter 7</A
|
|
> for more details on topics such as:</P
|
|
><P
|
|
> <P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>The differences between NAT, MASQ, and Proxy servers.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>How packet firewalls work</P
|
|
></LI
|
|
></UL
|
|
> </P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="ipmasq-background2.4.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="kernel-2.4.x-requirements.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Who Doesn't Need IP Masquerade?</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="ipmasq-background2.0.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Requirements for IP Masquerade on Linux 2.4.x</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |