
[ale] IP Masquerading on Linux



Having read myriads of explanations about this subject and others on Linux,
let me just say that when it comes to help...

YOU THE MAN!

That was awesome!  I come from the GUI world of WinNT where help files are
abundant.  I am really enjoying using Linux, but it has one problem...the
help and manuals that I HAVE SEEN stink!

Have you considered joining the Linux documentation project?

In my opinion, they could really use your help!

-Matthew Brown


-----Original Message-----
 From: Byron A Jeff <byron at cc.gatech.edu>
To: Courtney Thomas <ccthomas at flash.net>
Cc: ale at cc.gatech.edu <ale at cc.gatech.edu>
Date: Tuesday, October 06, 1998 4:05 PM
Subject: Re: [ale] IP Masquerading on Linux


>>
>> Greetings !
>>
>> Thanks to the many for all previous help.
>>
>> I am running RedHat4.2 and would like to implement IPMasq. I've read
>> Doctor Linux Mini-HowTo and am even more confused.
>>
>> How does it work ?
>
>The basic idea is to hide your internal network behind a single external
>interface. A quick example:
>
>1) You have a linux box and a SCO box on your internal network. Say they
>have IPs of 192.168.0.1 and 192.168.0.2. BTW these two are out of a set of
>special 'internal network' addresses that no properly configured router
>would route through the internet.
>
>2) The Linux box calls your ISP via PPP. You get an address of
>206.15.192.200 for your PPP interface. PPP also sets up your default route
>to your ISP.
>
>3) OK at this point the Linux box is set. It can connect to the internet
>and do stuff. The SCO box still needs work.
>
>4) First off the Linux box is a gateway, so you have to compile in and
>enable IP Forwarding in the kernel. What this does is set it up so that any
>packet that the Linux box receives on one interface (internal ethernet)
>will be forwarded on the other interface (PPP). So we do this and set the
>default route of the SCO box to the Linux box. But it still doesn't work.
>Here's why...
>
>The SCO box tries to get to the ISP web server (206.15.192.10). So it sends
>a packet out on the ethernet to its default gateway (the Linux box). When
>the Linux box gets it, it'll forward it to the PPP connection. The problem
>is that the destination is still set to the SCO box (192.168.0.2), which,
>when received by the ISP's web server, leaves it with no clue how to send a
>response back, since that internal network address for the SCO box isn't
>routable. Enter IP Masquerading...
>
>5) Turn on masquerading on the Linux box. You get the same sequence except
>with one significant difference...
>
>The SCO box tries to get to the ISP web server (206.15.192.10). So it sends
>a packet out on the ethernet to its default gateway (the Linux box). When
>the Linux box gets it, it'll forward it to the PPP connection. Except now
>that masquerading is on, the Linux box will change the destination for the
>response to its own internet IP address (206.15.192.200). When the ISP's
>web server gets the request it'll send a response back to the Linux box,
>which in turn will change the destination back to the address of the SCO
>box, and drop the packet back onto the internal network. So the SCO box
>receives the response from the web server and all is well.
>
>So the bottom line is to set up the following:
>
>1) Your PPP connection to your ISP.
>2) Forwarding in your Linux gateway.
>3) IP Masquerading in your Linux gateway.
>4) Use a configuration tool (I use ipfwadm on my old Slackware box) to
>   configure the masquerading. Here are my two configuration lines:
>
>/usr/local/sbin/ipfwadm -F -p deny
>/usr/local/sbin/ipfwadm -F -a m -S 10.192.143.0/24 -D 0.0.0.0/0
>
>The first says as a default not to forward anything. The second says to
>masquerade all packets on my internal net going out onto the external net.
>
>
>
>
>>
>> What do I need to do to be able to dial out from a SCO machine through
>> Linux ?
>>
>> Are there choices about how to do this ?
>
>Dial-out is a different tool altogether. Here are your choices:
>
>1) telnet to the Linux box and start the connection by hand.
>2) Use diald, which is a tool that will monitor for network traffic and
>establish a link whenever a request for traffic comes along.
>3) Use a late model of PPP (which your 4.2 probably does not have) which has
>the same functionality as diald.
>
>Personally I use 2. diald works for me.
>
>Hope this helps,
>
>BAJ (typing this from a masqueraded Linux box in the middle of a sleepless
>night)