IP Masquerade

Andy Wilson

UNC Chapel Hill

February 16, 2000

Outline

What’s IP Masquerade?

Why would you want it?

How it works

What you’ll need

Setting up

Testing
What’s IP Masquerade?

Network Address Translation (NAT) under Linux: the gateway rewrites the source address and port of packets leaving the home network to its own, and undoes the rewrite on the replies

almost, but not quite, the same as firewalling (it is built on the same kernel firewalling code, but a masquerade rule by itself is not a packet filter)

Allows several networked computers to talk to the Internet through a single IP address
Why would you want it?

Connectivity for a home network

Many ISPs only allow one IP address

Security

Hide machines containing sensitive information: they carry private addresses that are not routable from the Internet, and an inbound packet only reaches them if it matches a connection they opened themselves (or a rule you add on purpose)

Allow access only to specific services on specific machines
How it works: Network Structure

Home Network (Ethernet, 192.168.0.0/24):

Frodo 192.168.0.100

Bilbo 192.168.0.101

Pippin 192.168.0.102

Gateway: Enet 192.168.0.1 (inside), PPP 11.22.33.44 (outside, to the Internet)

How it works: Example

Hosts: Frodo 192.168.0.100 on the home network; Gateway with Enet 192.168.0.1 and PPP 11.22.33.44; www.slashdot.org 209.207.224.40 on the Internet.

1. Frodo opens a new connection: 192.168.0.100:1234 to 209.207.224.40:80. Its default gateway is 192.168.0.1, so the packet goes to the Gateway.

2. The Gateway opens a new connection of its own on the PPP side, 11.22.33.44:5432 to 209.207.224.40:80, and records the port map: 5432 -> Frodo:1234. On the inside Frodo still sees itself connected as 192.168.0.100:1234 to 209.207.224.40:80.

3. www.slashdot.org sees a connection opened from 11.22.33.44:5432 to 209.207.224.40:80. It never sees Frodo’s private address.

4. Data comes back to 11.22.33.44:5432 from 209.207.224.40:80.

5. The Gateway looks up port 5432 in its port map, rewrites the destination to 192.168.0.100:1234, and Frodo receives the data from 209.207.224.40:80.
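The five steps above, replayed in code. This is an added example written for this page, not code from the presentation or from the Linux kernel: it models the gateway's masquerade table so the Frodo-to-slashdot exchange can be run offline, and it uses the timeouts the deck's rc.firewall script later sets with ipchains -M -S (2 hours TCP, 10 s closing, 160 s UDP). Addresses and the first masqueraded port 5432 come from the slides; the port pool size, the rule that an inbound packet must come from the mapped remote address and port, the stray source 198.51.100.9 and the names Packet, MasqEntry, Masquerader and replay_slides are this example's own constructions.

```python
# Toy model of Linux IP masquerade (source NAT with a port map).
# Added example for this page, not the presentation's or the kernel's code.
# Addresses and the first port (5432) follow the slides; pool size, the
# remote-address check on inbound packets and all names are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed port pool starting at the slide's 5432; the real kernel
# allocates from its own fixed range, only the mechanics matter here.
MASQ_PORT_POOL = range(5432, 5432 + 4096)


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False     # TCP segment that starts closing the connection


@dataclass
class MasqEntry:
    lan_ip: str
    lan_port: int
    remote_ip: str
    remote_port: int
    expires: float        # absolute time after which the mapping is gone
    closing: bool = False


class Masquerader:
    """Acts like rc.firewall's 'forward -s LAN -j MASQ' rule with the
    timeouts from 'ipchains -M -S tcp tcpfin udp' (2 h, 10 s, 160 s)."""

    def __init__(self, ext_ip: str, lan_net: str,
                 timeouts: Tuple[int, int, int] = (7200, 10, 160)) -> None:
        self.ext_ip = ext_ip
        self.lan_net = ip_network(lan_net)
        self.tcp_timeout, self.tcp_fin_timeout, self.udp_timeout = timeouts
        # (proto, masqueraded port) -> entry: the "port map" on the slides
        self.table: Dict[Tuple[str, int], MasqEntry] = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.table.items() if now >= e.expires]:
            del self.table[key]

    def _touch(self, proto: str, entry: MasqEntry, now: float, fin: bool) -> None:
        entry.closing = entry.closing or fin
        if proto == "udp":
            ttl = self.udp_timeout
        else:
            ttl = self.tcp_fin_timeout if entry.closing else self.tcp_timeout
        entry.expires = now + ttl

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """LAN -> Internet: rewrite the source, or return None if denied."""
        self._expire(now)
        # forward policy is DENY: only the one masqueraded network passes
        if ip_address(pkt.src) not in self.lan_net:
            return None
        key = next((k for k, e in self.table.items() if k[0] == pkt.proto and
                    (e.lan_ip, e.lan_port, e.remote_ip, e.remote_port)
                    == (pkt.src, pkt.sport, pkt.dst, pkt.dport)), None)
        if key is None:   # new flow: first free port for this protocol
            port = next((p for p in MASQ_PORT_POOL
                         if (pkt.proto, p) not in self.table), None)
            if port is None:
                return None   # pool exhausted: the kernel drops it too
            key = (pkt.proto, port)
            self.table[key] = MasqEntry(pkt.src, pkt.sport, pkt.dst, pkt.dport, now)
        self._touch(pkt.proto, self.table[key], now, pkt.fin)
        return Packet(pkt.proto, self.ext_ip, key[1], pkt.dst, pkt.dport, pkt.fin)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> PPP address: undo the rewrite for a live mapping,
        drop everything else (this is what hides the inside machines)."""
        self._expire(now)
        entry = self.table.get((pkt.proto, pkt.dport))
        if (pkt.dst != self.ext_ip or entry is None
                or (entry.remote_ip, entry.remote_port) != (pkt.src, pkt.sport)):
            return None
        self._touch(pkt.proto, entry, now, pkt.fin)
        return Packet(pkt.proto, pkt.src, pkt.sport, entry.lan_ip, entry.lan_port, pkt.fin)


def replay_slides() -> List[str]:
    """Replay the slide sequence (Frodo to slashdot and back) plus one
    unsolicited packet from a constructed address; returns the trace."""
    gw = Masquerader("11.22.33.44", "192.168.0.0/24")
    frodo = Packet("tcp", "192.168.0.100", 1234, "209.207.224.40", 80)
    wire = gw.outbound(frodo, now=0)
    reply = gw.inbound(Packet("tcp", "209.207.224.40", 80, "11.22.33.44", wire.sport), now=1)
    stray = gw.inbound(Packet("tcp", "198.51.100.9", 4444, "11.22.33.44", wire.sport), now=1)
    return [
        f"new connection: {frodo.src}:{frodo.sport} to {frodo.dst}:{frodo.dport}",
        f"on the wire:    {wire.src}:{wire.sport} to {wire.dst}:{wire.dport}",
        f"port map:       {wire.sport} -> Frodo:{frodo.sport}",
        f"data received:  {reply.dst}:{reply.dport} from {reply.src}:{reply.sport}",
        f"stray inbound:  {'dropped' if stray is None else 'forwarded'}",
    ]


if __name__ == "__main__":
    print("\n".join(replay_slides()))
```

Two things the slides state but do not show fall out of the model: a packet that arrives on the PPP side without a matching port-map entry (or from a different remote host than the one Frodo talked to) is dropped, which is the "hide machines" property, and the map entry disappears on its own after the configured idle time, 10 seconds once a FIN has been seen, 160 seconds for UDP.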

What you’ll need

Two computers (at least)

Local LAN

Outside connection (ISP)

One machine running kernel 2.2.x (x > 13)

2.0.34 is possible but not recommended (see HOWTO for details)
Setting Up: Overview

Build a kernel with the right options enabled

Configure your LAN

Configure your ISP connection

Configure IPCHAINS

Reboot and test

Celebrate
Setting Up: Compiling the Kernel

If this is your first time compiling a kernel: DON’T PANIC.

Read the Kernel-HOWTO for instructions. It’s quite simple. After that...
Setting Up: Kernel Options

Enable incomplete/development drivers (CONFIG_EXPERIMENTAL; the masquerade options are hidden until this is on)

Enable networking, firewalls (CONFIG_FIREWALL), TCP/IP

Enable IP firewalling (CONFIG_IP_FIREWALL; a second, IP-specific firewall option)

Enable masquerading (CONFIG_IP_MASQUERADE), always defragment (CONFIG_IP_ALWAYS_DEFRAG, so the masquerader sees whole packets)

Enable ICMP masquerade (CONFIG_IP_MASQUERADE_ICMP, otherwise ping and ICMP errors from inside machines never get answered)

Enable IP forwarding (in 2.2 this is a runtime switch, /proc/sys/net/ipv4/ip_forward, which rc.firewall turns on; there is no kernel config option for it)

Disable ipautofw (CONFIG_IP_MASQUERADE_IPAUTOFW)

Enable TCP syncookies (CONFIG_SYN_COOKIES)

Enable /proc filesystem (CONFIG_PROC_FS; ipchains and the ip_forward switch need it)

Enable PPP (CONFIG_PPP, if your ISP connection is a dialup)

Don’t forget a driver for your Ethernet card!
Setting Up: LAN configuration

Private address blocks reserved by IANA (RFC 1918):

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

Select IP addresses from one of these blocks; they are never routed on the Internet, which is why the gateway has to masquerade them

Default gateway should be the firewall machine

Consider running a nameserver on the firewall
Example Network (same hosts as the Network Structure slide)

Home Network: Frodo 192.168.0.100, Bilbo 192.168.0.101, Pippin 192.168.0.102

Gateway: Enet 192.168.0.1, PPP 11.22.33.44 (to the Internet)

Setting Up: IPCHAINS

Create /etc/rc.d/rc.firewall (or add to rc.local):

#!/bin/sh
# rc.firewall: IP masquerade for the home network

# Start from an empty forward chain so re-running the script
# does not pile up duplicate rules
/sbin/ipchains -F forward

# Masquerade timeouts: 2 hours for established TCP, 10 sec once a
# connection starts closing, 160 sec for UDP (like ICQ)
/sbin/ipchains -M -S 7200 10 160

# Set up masquerade policies
# by default, deny everything
/sbin/ipchains -P forward DENY

# but masquerade for just this one network
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

# Enable IP forwarding last, after the DENY policy is in place, so the
# kernel never forwards with the default policy. It should be disabled
# at boot by default.
echo "1" > /proc/sys/net/ipv4/ip_forward

Setting Up: IPCHAINS (continued)

Configure connection to the outside world as usual (diald is useful!)

Make sure rc.firewall gets run at boot time:

chmod 700 /etc/rc.d/rc.firewall

in /etc/rc.d/rc.local:

/etc/rc.d/rc.firewall
Testing

From the firewall:

Connect to ISP and ping the outside world

Ping a machine inside your network

From your network:

Ping the firewall machine

Ping the outside world by IP number

Ping the outside world by name

Visit your favorite Web site
Learning More

IP Masquerade Resource: http://ipmasq.cjb.net

HOWTOs (at www.linuxdoc.org): Kernel, IP Masquerade, Networking Overview, Ethernet