linux ip masquerading
DESCRIPTION
Linux IP Masquerading. Brian Vargyas XNet Information Systems. Agenda. What is IP Masquerade How does it work Example Setting Up IP Masquerade References. What not to expect. Teaching you how to set up Redhat Linux 5.1 How to compile and install a new kernel. Why is IP Masquerading HOT?. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/1.jpg)
1
Linux IP Masquerading
Brian VargyasXNet Information Systems
![Page 2: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/2.jpg)
2
Agenda
• What is IP Masquerade
• How does it work
• Example
• Setting Up IP Masquerade
• References
![Page 3: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/3.jpg)
3
What not to expect
• Teaching you how to set up Redhat Linux 5.1
• How to compile and install a new kernel
![Page 4: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/4.jpg)
4
Why is IP Masquerading HOT?
• Demand to share a single Internet address across multiple machines.
• Demand to save Internet IPv4 address space.
• Demand for better internal network security.
![Page 5: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/5.jpg)
5
Emerging Applications
• Network Hiding
• Cable Modem Solutions
• xDSL Solutions
• Dial on Demand Internet
![Page 6: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/6.jpg)
6
So what is it?
• A Developing networking function built in to RedHat Linux 5.1
• Allows machines connected to the Linux system to access the Internet as if they were coming from a single IP address.
• Provides a secure way of hiding internal networks.
![Page 7: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/7.jpg)
7
A Simple Setup
Linux Gateway
ISPISDN
204.248.50.100/32Dynamic IP Address
10.0.0.0/8Static Class A Network
eth0
![Page 8: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/8.jpg)
8
How it works
• Translation Tables Manage Inside to Outside Address Translation
• IPFWADM (IP Firewall Administration)
• IPPORTFW (IP Port Forwarding)
• Loadable kernel modules for special IP services like FTP, IRC, QUAKE.
![Page 9: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/9.jpg)
9
IP Translation Tables
10.0.0.1 2310.0.0.2 8010.0.0.3 25
Net
100.0.0.1 2000100.0.0.1 2001100.0.0.1 2002
Inside Addresses Outside Address
Address / Source Port PairsAddress / Dest. Port Pairs
• Maintains IP Address Source/Dest. Port Pairs.
• Pool of 4096 Ports.
![Page 10: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/10.jpg)
10
IPFWADM (Firewall)
• Manages Permit/Deny Firewall Access Lists
• Controls which networks are allowed to IP Masquerade
• Deny access to all other networks.
![Page 11: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/11.jpg)
11
IPPORTFW (Port Forwarding)
• Controls mapping of incoming port requests to a inside address.
• Lets you run mail/web server on another host inside your network.
• Provides complete flexibility on where to place IP services.
• Not included in standard Redhat 5 distribution.
![Page 12: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/12.jpg)
12
Loadable Kernel Modules
• Lets special IP services such as FTP operate correctly. I.E. Back Channel Data (Not Passive).
• Only loads into memory if needed
• Some services not supported.
• PPTP Patches.
![Page 13: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/13.jpg)
14
Example (My Home)
• 3 Machines needs Internet access
• 1 DHCP dynamic address provided from Cable Company.
• Backup ISDN dialup
• Windows NT web/mail server
![Page 14: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/14.jpg)
Example Config
15
Linux Gateway
ISPISDN
10.0.0.0/8Static Class A Network
eth0
CableNetwork
eth1Cable
Modem
![Page 15: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/15.jpg)
15
• Configure all system interfaces. Make sure you can ping remote machines. Verify connectivity to your ISP is working.
• Install IPPORTFW Kernel Patches, Rebuilt Kernel, Install and Reboot. (Kernel 2.0.33/2.0.34) Compile IPPORTFW utility and install in /bin.
• Edit your /etc/rc.d/rc2.d/S99local file and include the necessary IPFWADM and IPPORTFW configuration.
• Make sure you have a default route (0.0.0.0/0) pointed at your ISP Interface.
Setup Procedure
![Page 16: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/16.jpg)
16
Setup Configuration (S99local)
# S99local
echo "1" > /proc/sys/net/ipv4/ip_forwarding
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 10.0.0.0/24 -D 0.0.0.0/0
/sbin/ipportfw -A -t 24.131.169.80/80 -R 10.0.0.3/80
/sbin/ipportfw -A -t 24.131.169.80/25 -R 10.0.0.3/25
route add default 24.131.169.1
![Page 17: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/17.jpg)
17
Verify Configuration
[root@bv-gw /]# netstat -M
IP masquerading entries, free ports: UDP 4095 TCP 4096
prot expire source destination ports
udp 4:52.95 10.0.0.3 204.91.243.41 1085 -> 4000 (61058)
[root@bv-gw /]# ipfwadm -F -l
IP firewall forward rules, default policy: deny
type prot source destination ports
acc/m all 10.0.0.0/24 anywhere n/a
[root@bv-gw /]# ipportfw -L
Prot Local Addr/Port > Remote Addr/Port
TCP 24.131.169.80/25 > 10.0.0.3/25
TCP 24.131.169.80/80 > 10.0.0.3/80
![Page 18: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/18.jpg)
18
Problems
• Not every IP protocol works
• Difficult to run web/mail when you have a DHCP address that keeps changing.
• DNS needs to be hosted by ISP
![Page 19: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/19.jpg)
19
Private IP Address Space (RFC 1918)
• Must use following address space for internal networks:
• 10.0.0.0/8 255.0.0.0
• 172.16.0.0/12 255.240.0.0
• 192.168.0.0/16 255.255.0.0
![Page 20: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/20.jpg)
20
Illegal Address Space Issues
• Problems getting to the network being used. (DNS Related Issues)
• Need to use another vendor implementation to solve problem
• IP NAT Overlapping (CISCO)
![Page 21: Linux IP Masquerading](https://reader035.vdocuments.us/reader035/viewer/2022070405/56813e31550346895da8162c/html5/thumbnails/21.jpg)
21
References
• IP Masquerade Web Page http://ipmasq.home.ml.org/
• Port Forwarding Web Page http://www.ox.compsoc.org.uk/~steve/portforwarding.html
• My Web Page http://www.xnet.com/~brianv