IP Masquerade

Andy Wilson

UNC Chapel Hill

February 16, 2000


Outline

What’s IP Masquerade?

Why would you want it?

How it works

What you’ll need

Setting up

Testing



What's IP Masquerade?

Network Address Translation (NAT) under Linux

Almost, but not quite, the same as firewalling: in the 2.2 kernels the masquerading code is part of the firewall code and is driven by ipchains rules, but a firewall rule only accepts or drops a packet, whereas masquerading rewrites its addresses

Allows several networked computers to talk to the Internet through a single IP address


Why would you want it?

Connectivity for a home network

Many ISPs only allow one IP address

Security

Hide machines containing sensitive information

Allow access only to specific services on specific machines


How it works: Network Structure

Home network (Ethernet): Frodo 192.168.0.100, Bilbo 192.168.0.101, Pippin 192.168.0.102

Gateway: Enet 192.168.0.1 on the home network, PPP 11.22.33.44 on the ISP link

Internet: reached only through the gateway's PPP address


How it works: Example

Parties: Frodo (192.168.0.100) on the home network; the gateway (Enet 192.168.0.1, PPP 11.22.33.44); www.slashdot.org (209.207.224.40).

1. Frodo starts a new connection: 192.168.0.100:1234 to 209.207.224.40:80.

2. The gateway sees the packet arrive from the LAN. It picks an unused port on its PPP address (5432 here) and records the port map entry 5432 -> Frodo:1234. The packet leaves as a new connection 11.22.33.44:5432 to 209.207.224.40:80. Frodo still sees its own connection as 192.168.0.100:1234 to 209.207.224.40:80.

3. www.slashdot.org sees a connection opened from 11.22.33.44:5432 to 209.207.224.40:80. It never learns Frodo's address.

4. Data comes back from 209.207.224.40:80 to 11.22.33.44:5432.

5. The gateway looks up port 5432 in the port map, rewrites the destination to 192.168.0.100:1234 and delivers the packet on the LAN. Frodo receives data from 209.207.224.40:80 at 192.168.0.100:1234.

The gateway does not terminate either end of the TCP connection. It rewrites the source address and port of every outbound packet and the destination of every matching inbound packet, and keeps the port map entry until it has been idle for longer than the masquerade timeout. A packet from the Internet that matches no port map entry has nowhere to be delivered and is dropped; that is what hides the machines on the inside.
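The sequence above, played through a small model of the gateway's port map. This is an added example, not code from the presentation. The hosts, addresses and ports are the ones on the slides (Frodo 192.168.0.100, gateway 11.22.33.44 and 192.168.0.1, www.slashdot.org 209.207.224.40); the packet structure, the interface names eth0 and ppp0, the probe address 198.51.100.7 and the idle timeout (the 2-hour TCP value used later in the deck) are assumptions of the model, and a real 2.2 kernel allocates masquerade ports from its own high range rather than starting at 5432. It also covers the cases the slides leave implicit: an unsolicited packet from outside, a forged internal source arriving on the PPP link, two inside hosts using the same source port, and an entry that has timed out.

```python
"""Toy model of the port map a masquerading gateway keeps (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class Masquerader:
    """Rewrites addresses the way the gateway on the slides does.

    Outbound packets from the internal network leave with the gateway's
    external address and a freshly allocated port; the entry
    masq port -> original source is the port map. Inbound packets are
    delivered only if they match an entry, so hosts behind the gateway
    cannot be reached from outside.
    """

    def __init__(self, ext_ip, int_if, ext_if, internal_net,
                 idle_timeout=7200, first_port=5432):
        self.ext_ip, self.int_if, self.ext_if = ext_ip, int_if, ext_if
        self.internal_net = ip_network(internal_net)
        self.idle_timeout = idle_timeout   # seconds, like 'ipchains -M -S 7200 ...'
        self.next_port = first_port        # assumption: a real kernel uses a high range
        self.port_map = {}  # masq port -> (src ip, src port, dst ip, dst port, last seen)
        self.log = []

    def outbound(self, pkt, in_if, now):
        """LAN -> Internet. Returns the rewritten packet, or None if refused."""
        # Default policy is deny: only the internal block is masqueraded, and only
        # when the packet really arrived on the LAN interface (anti-spoofing).
        if in_if != self.int_if or ip_address(pkt.src_ip) not in self.internal_net:
            self.log.append(f"DENY forward {pkt.src_ip}:{pkt.src_port} via {in_if}")
            return None
        self.expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        mport = next((p for p, e in self.port_map.items() if e[:4] == key), None)
        if mport is None:  # first packet of a connection: allocate a port, record the map
            mport = self._allocate_port()
            self.log.append(f"port map: {mport} -> {pkt.src_ip}:{pkt.src_port}")
        self.port_map[mport] = key + (now,)
        return Packet(self.ext_ip, mport, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt, in_if, now):
        """Internet -> gateway's external address. Returns the LAN packet, or None."""
        self.expire(now)
        entry = None
        if in_if == self.ext_if and pkt.dst_ip == self.ext_ip:
            entry = self.port_map.get(pkt.dst_port)
        # A reply must come from the peer the entry was created for.
        if entry is None or entry[2:4] != (pkt.src_ip, pkt.src_port):
            self.log.append(f"DROP inbound {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
            return None
        self.port_map[pkt.dst_port] = entry[:4] + (now,)
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.payload)

    def expire(self, now):
        """Forget entries that have been idle longer than the timeout."""
        for p in [p for p, e in self.port_map.items() if now - e[4] > self.idle_timeout]:
            del self.port_map[p]

    def _allocate_port(self):
        while self.next_port in self.port_map:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1


def run_slide_example():
    """The frames on the slides, plus the cases they leave implicit (constructed packets)."""
    gw = Masquerader("11.22.33.44", int_if="eth0", ext_if="ppp0", internal_net="192.168.0.0/24")
    # Frames 1-2: Frodo opens 192.168.0.100:1234 -> 209.207.224.40:80
    out = gw.outbound(Packet("192.168.0.100", 1234, "209.207.224.40", 80), "eth0", now=0)
    # Frames 4-5: the reply to 11.22.33.44:5432 is mapped back to Frodo:1234
    reply = Packet("209.207.224.40", 80, "11.22.33.44", out.src_port, b"HTTP/1.0 200 OK")
    back = gw.inbound(reply, "ppp0", now=1)
    # Unsolicited packet from outside aimed straight at Frodo's port: no entry, dropped
    dropped = gw.inbound(Packet("198.51.100.7", 40000, "11.22.33.44", 1234), "ppp0", now=2)
    # Forged internal source arriving on the PPP link: refused, not masqueraded
    refused = gw.outbound(Packet("192.168.0.100", 2222, "209.207.224.40", 80), "ppp0", now=3)
    # More than two hours of silence: the entry has expired, a late reply goes nowhere
    late = gw.inbound(reply, "ppp0", now=1 + 7201)
    return out, back, dropped, refused, late, gw


def two_hosts_same_port():
    """Frodo and Bilbo both use source port 1234; the port map keeps them apart."""
    gw = Masquerader("11.22.33.44", "eth0", "ppp0", "192.168.0.0/24")
    a = gw.outbound(Packet("192.168.0.100", 1234, "209.207.224.40", 80), "eth0", 0)
    b = gw.outbound(Packet("192.168.0.101", 1234, "209.207.224.40", 80), "eth0", 0)
    return a.src_port, b.src_port, gw.port_map[b.src_port][:2]


if __name__ == "__main__":
    out, back, *_ , gw = run_slide_example()
    print(f"{out.src_ip}:{out.src_port} -> {out.dst_ip}:{out.dst_port}")
    print(f"{back.src_ip}:{back.src_port} -> {back.dst_ip}:{back.dst_port}")
    print(two_hosts_same_port())
    print("\n".join(gw.log))
```

The log lines show the two decisions that matter for security: an inbound packet is accepted only when both the masqueraded port and the remote peer match an existing entry, and an internal-looking source is masqueraded only if it came in on the LAN interface. The real ipchains script later in the deck does neither of those two checks by itself; see the notes under it.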


What you'll need

Two computers (at least)

Local LAN

Outside connection (ISP)

One machine running kernel 2.2.x (x > 13)

2.0.34 is possible but not recommended (see HOWTO for details)


Setting Up: Overview

Build a kernel with the right options enabled

Configure your LAN

Configure your ISP connection

Configure IPCHAINS

Reboot and test

Celebrate


Setting Up: Compiling the Kernel

If this is your first time compiling a kernel:

DON'T PANIC.

Read the Kernel-HOWTO for instructions. It's quite simple. After that...


Setting Up: Kernel Options

Enable incomplete/development drivers

Enable networking, firewalls, TCP/IP

Enable firewalling (again)

Enable masquerading, always defragment

Enable ICMP masquerade

Enable IP forwarding

Disable ipautofw

Enable TCP syncookies

Enable /proc filesystem

Enable PPP (if your ISP connection is a dialup)

Don't forget a driver for your Ethernet card!


Setting Up: LAN configuration

Private address blocks reserved by IANA (RFC 1918):

10.0.0.0/8

172.16.0.0/12 (172.16.0.0 through 172.31.255.255)

192.168.0.0/16

Select IP addresses from one of these blocks; they are not routed on the public Internet

Default gateway should be firewall machine

Consider running a nameserver on firewall


Example Network

Home network: Frodo 192.168.0.100, Bilbo 192.168.0.101, Pippin 192.168.0.102

Gateway: Enet 192.168.0.1, PPP 11.22.33.44

Internet beyond the gateway's PPP link


Setting Up: IPCHAINS

Create /etc/rc.d/rc.firewall (or add to rc.local)

#!/bin/sh
# Enable IP forwarding (hopefully disabled at boot by default)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Set masquerade timeouts (2 hours for TCP, 10 sec for connection closing,
# 160 sec for UDP (like ICQ))
/sbin/ipchains -M -S 7200 10 160
# Set up masquerade policies
# by default, deny everything
/sbin/ipchains -P forward DENY
# but masquerade for just this one network
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

Two things to check before trusting this script. The DENY policy covers only the forward chain; the input and output chains keep their default ACCEPT, so anything listening on the gateway itself (a nameserver, for instance) is reachable from the ISP side until you add input rules for the PPP interface. And the MASQ rule matches on source address alone, so a packet arriving on the PPP link with a forged 192.168.0.x source is forwarded and masqueraded like local traffic; deny private source addresses on the input chain for the PPP interface, or turn on reverse-path filtering under /proc/sys/net/ipv4/conf/, so that such packets are dropped on arrival.


Setting Up: IPCHAINS (continued)

Configure connection to the outside world as usual

diald is useful!

Make sure rc.firewall gets run at boot time:

chmod 700 /etc/rc.d/rc.firewall

in /etc/rc.d/rc.local:

/etc/rc.d/rc.firewall


Testing

From firewall:

Connect to ISP and ping outside world

Ping a machine inside your network

From your network:

Ping firewall machine

Ping outside world by IP number

Ping outside world by name

Visit your favorite Web site


Learning More

IP Masquerade Resource: http://ipmasq.cjb.net

HOWTOs (at www.linuxdoc.org):

Kernel

IP masquerade

Networking overview

Ethernet