IP Masquerade


Post by Kris Jorda » Tue, 18 Aug 1998 04:00:00



In the Linux IP Masquerade mini How-To, it has in the "2.4 Who Doesn't
Need IP Masquerade?" section that:

If you already have assigned addresses for your OTHER machines, then you
don't need IP Masquerade.

I was wondering what it meant by this?  What does it take to have this?

Thanks,

Kris

 
 
 


Post by Greg Hughe » Tue, 18 Aug 1998 04:00:00



> In the Linux IP Masquerade mini How-To, it has in the "2.4 Who Doesn't
> Need IP Masquerade?" section that:

> If you already have assigned addresses for your OTHER machines, then you
> don't need IP Masquerade.

> I was wondering what it meant by this?  What does it take to have this?

> Thanks,

> Kris

It means that if you have *real* IP addresses for your other machines
(i.e. they're actually routed to your machines from anywhere in the
world) you don't need to use masquerading.  All you would need to use in
this case would be packet forwarding, and your box directly connected to
the 'Net would act as a simple router.  However, if you *don't* have
*real* IP addresses for your boxes (i.e. they're on a local network and
can't be seen outside that network) then you need to set up IP
masquerading so that all the packets the computers on your local network
send to the Internet are picked up by the "router" machine so it can add
its own IP address to the outgoing packets.  This way, all the other
computers on the Internet think that they're receiving packets from your
"router" (which they are) but in fact, the packets are coming from a
local machine behind the "router".  The router embeds the local
computer's IP address in the packets it sends so that when the
destination system replies, the packets get sent back to the "router"
which then strips out the local machine's IP and sends it along its
way.  It's a really cool process, actually.

--
+--------------------------+--------------------------------+
|       Greg Hughes        | Linux 2.1.115 / Pentium-II 300 |
|    1B CS / Soft. Eng.    |  "The meek shall inherit what  |

+--------------------------+--------------------------------+

 
 
 


Post by John Stake » Tue, 18 Aug 1998 04:00:00



> In the Linux IP Masquerade mini How-To, it has in the "2.4 Who Doesn't
> Need IP Masquerade?" section that:

> If you already have assigned addresses for your OTHER machines, then you
> don't need IP Masquerade.

> I was wondering what it meant by this?

If the other workstations on your network have real internet addresses
assigned to them then they don't need IP Masquerading. IP masquerading is
used if you only have one (or a few, but not enough for all the
workstations) IP address assigned by your ISP but you want the rest of the
network to be able to use the internet also.

> What does it take to have this?

Read the Section 3. in the Linux IP Masquerade mini HOWTO. This should
answer all the questions about what needs to be supported by the kernel in
order for it to run.


> Thanks,

> Kris

 John Staker
PC-Networks Inc.
 
 
 


Post by Quasa » Wed, 19 Aug 1998 04:00:00


I want to add a new question... (Sorry about my English, I am Spanish).

    I have 2 linux/w98 computers, in a mini-ethernet network (10 Mbps). They
are normally standalone machines, so they have a different IP inside internet
(Dynamic IP)...

    The question is: Can I use 2 different IPs with a single modem? How
can I call the 2nd ISP? I think it is better than IP Masquerading solution,
because I can use the two IPs we have.

    I hope it was clear...

Cyou s00n.
Francesc.
http://www.ctv.es/USERS/fleveq

 
 
 


Post by vladimip_no$#!&spam » Wed, 19 Aug 1998 04:00:00


.........
> > If you already have assigned addresses for your OTHER machines, then you
> > don't need IP Masquerade.

> > I was wondering what it meant by this?

> If the other workstations on your network have real internet addresses
> assigned to them then they don't need IP Masquerading. IP masquerading is
> used if you only have one (or a few, but not enough for all the
> workstations) IP address assigned by your ISP but you want the rest of the
> network to be able to use the internet also.

........

Please allow me to (slightly) disagree. I know a number of organizations
where, although they have, say, a class B range of IPs assigned to them,
they still prefer to put everyone behind a firewall and a gateway running
Network Address Translation (known as 'NAT' in router documentation, or
known as 'IP masquerading' among Linux users) and give every subnet
some unused range like 172.16.x.x or 10.0.x.x for extra security, because
those are IPs not reachable from the other side. That is especially the case
with highly vulnerable Windows-based workstations which go into BSOD state
because of a malicious packet easily created on the outside.

--
     Vlad Petersen       |     <vladimip at uniserve dot com>
 #include <disclaimer.h> |   *Good pings come in small packets*
     Vancouver, BC       |    Windows: for IQs smaller than 95
      SIGSIG -- signature too long (core dumped)

 
 
 


Post by richa » Thu, 20 Aug 1998 04:00:00


Sorry to ask yet another ip masquerading question, but I can't get it to work.
I have a win95 box networked (ethernet) to a linux box.  All other networking
functions seem to work well.  I've followed the HOWTO and many of the messages
in this newsgroup (including compiling all the ip_masq options in the kernel,
making and installing modules, making sure ip_forward is on, adding ipfwadm
commands to rc.local).  I'm using Redhat 5.1, btw.

all seems ok on the linux end:

[richard]~$ cat /proc/sys/net/ipv4/ip_forward
1
[richard]~$ /sbin/ipfwadm -F -l
IP firewall forward rules, default policy: accept
type  prot source               destination          ports
acc/m all  192.168.1.0/24       anywhere             n/a
[richard]~$ /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
ts9.interport.n *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        2 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         ts9.interport.n 0.0.0.0         UG    0      0        1 ppp0
[richard]~$ ping yahoo.com
PING yahoo.com (204.71.177.35): 56 data bytes
64 bytes from 204.71.177.35: icmp_seq=0 ttl=246 time=359.0 ms
64 bytes from 204.71.177.35: icmp_seq=1 ttl=246 time=310.2 ms

on the win95 end, I can telnet to linux, my gateway is set to 192.168.1.1 (the
address of the linux box), but whenever I try to access the internet (including
through netscape or ping, using names or ip addresses), I get "host unreachable"
or the like.

Any suggestions?

 
 
 


Post by Miguel Cr » Fri, 21 Aug 1998 04:00:00



>Please allow me to (slightly) disagree. I know a number of organizations
>where, although they have, say, a class B range of IPs assigned to them,
>they still prefer to put everyone behind a firewall and a gateway running
>Network Address Translation (known as 'NAT' in router documentation, or
>known as 'IP masquerading' among Linux users) and give every subnet
>some unused range like 172.16.x.x or 10.0.x.x for extra security, because
>those are IPs not reachable from the other side.

I hope they're going to return these unused Class B nets if they're masqing
their whole local network. That's a lot of wasted space.

NAT and IP Masquerading are not the same thing; the latter is a subset of
the former.

If they have firewalls, why would their systems be reachable from the
outside? Isn't setting up RFC 1597 addresses as much work as just learning
how to configure their firewalls properly? And if they're just NATting
straight to these addresses, then what's protected anyway?

miguel
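
The translation Greg describes earlier in the thread, and the difference between masquerading and "NATting straight" to inside addresses that Miguel raises, as an added example that is not part of any post: a toy model that assumes the gateway keeps a per-connection table keyed by an allocated source port. The class names, all addresses and the port range are constructed for illustration.

```python
# Added illustration: toy model of a masquerading gateway next to static 1:1 NAT.
# All addresses are constructed; public ones use documentation ranges.
from itertools import count

class MasqGateway:
    """Many-to-one NAT: every inside host shares the gateway's one public IP."""
    def __init__(self, public_ip, first_port=61000):  # port range is illustrative
        self.public_ip = public_ip
        self.ports = count(first_port)
        self.by_flow = {}   # (src_ip, src_port, dst_ip, dst_port) -> masq port
        self.by_port = {}   # masq port -> (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the local network."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:            # first packet creates the state
            port = next(self.ports)
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse the rewrite for a reply; None means no matching state."""
        flow = self.by_port.get(dst_port)
        if dst_ip != self.public_ip or flow is None:
            return None
        in_ip, in_port, peer_ip, peer_port = flow
        if (src_ip, src_port) != (peer_ip, peer_port):  # not the peer we contacted
            return None
        return (src_ip, src_port, in_ip, in_port)

class StaticNat:
    """One-to-one NAT: a fixed public address per inside host, no state needed."""
    def __init__(self, mapping):
        self.to_inside = dict(mapping)          # public IP -> private IP

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        inside = self.to_inside.get(dst_ip)
        return None if inside is None else (src_ip, src_port, inside, dst_port)

def demo():
    gw = MasqGateway("203.0.113.5")
    out = gw.outbound("192.168.1.20", 1025, "198.51.100.7", 80)
    reply = gw.inbound("198.51.100.7", 80, out[0], out[1])
    probe = gw.inbound("198.51.100.99", 4444, "203.0.113.5", 139)   # unsolicited
    static = StaticNat({"203.0.113.20": "192.168.1.20"})
    passed = static.inbound("198.51.100.99", 4444, "203.0.113.20", 139)
    return out, reply, probe, passed
```

In this model the unsolicited packet is not forwarded by the masquerading gateway because no table entry exists for it, while the static mapping delivers it to the inside host unless a separate packet filter rule blocks it.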

 
 
 


Post by JM » Fri, 21 Aug 1998 04:00:00


If you are running RH 5.1 then you do NOT need to compile anything to get IP
Masquerading working. It's already compiled into the kernel.

However you DO need to load at least one of the ip_masq_ modules to get it to
work...

in your rc.local file add

/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_cuseeme

etc...

Go to your client and make sure you can ping both sides of your connection...

i.e.

ping 192.168.1.1

and

ping ts9.interport.n <- which you might want to replace with the correct IP
address...

RH5.1 works out of the box with IP Masq...

-JMS



>Sorry to ask yet another ip masquerading question, but I can't get it to work.
>I have a win95 box networked (ethernet) to a linux box.  All other networking
>functions seems to work well.  I've followed the HOWTO and many of the messages
>in this newsgroup (including compiling all the ip_masq options in the kernel,
>making and installing modules, making sure ip_forward is on, adding ipfwadm
>commands to rc.local).  I'm using Redhat 5.1, btw.

>all seems ok on the linux end:

>[richard]~$ cat /proc/sys/net/ipv4/ip_forward
>1
>[richard]~$ /sbin/ipfwadm -F -l
>IP firewall forward rules, default policy: accept
>type  prot source               destination          ports
>acc/m all  192.168.1.0/24       anywhere             n/a
>[richard]~$ /sbin/route
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
>ts9.interport.n *               255.255.255.255 UH    0      0        0 ppp0
>192.168.1.0     *               255.255.255.0   U     0      0        2 eth0
>127.0.0.0       *               255.0.0.0       U     0      0        0 lo
>default         ts9.interport.n 0.0.0.0         UG    0      0        1 ppp0
>[richard]~$ ping yahoo.com
>PING yahoo.com (204.71.177.35): 56 data bytes
>64 bytes from 204.71.177.35: icmp_seq=0 ttl=246 time=359.0 ms
>64 bytes from 204.71.177.35: icmp_seq=1 ttl=246 time=310.2 ms

>on the win95 end, I can telnet to linux, my gateway is set to 192.168.1.1 (the
>address of the linux box), but whenever I try to access the internet (including
>through netscape or ping, using names or ip addresses), I get "host unreachable"
>or the like.

>Any suggestions?

 
 
 


Post by Jason Straigh » Sat, 22 Aug 1998 04:00:00


Ok, this should make things happy for you.  I couldn't do it either, then I read
this, and it was working in minutes.

http://www.indyramp.com/mirrors/ipmasq/rh5setup.html


> Sorry to ask yet another ip masquerading question, but I can't get it to work.
> I have a win95 box networked (ethernet) to a linux box.  All other networking
> functions seems to work well.  I've followed the HOWTO and many of the messages
> in this newsgroup (including compiling all the ip_masq options in the kernel,
> making and installing modules, making sure ip_forward is on, adding ipfwadm
> commands to rc.local).  I'm using Redhat 5.1, btw.

> all seems ok on the linux end:

> [richard]~$ cat /proc/sys/net/ipv4/ip_forward
> 1
> [richard]~$ /sbin/ipfwadm -F -l
> IP firewall forward rules, default policy: accept
> type  prot source               destination          ports
> acc/m all  192.168.1.0/24       anywhere             n/a
> [richard]~$ /sbin/route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
> ts9.interport.n *               255.255.255.255 UH    0      0        0 ppp0
> 192.168.1.0     *               255.255.255.0   U     0      0        2 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         ts9.interport.n 0.0.0.0         UG    0      0        1 ppp0
> [richard]~$ ping yahoo.com
> PING yahoo.com (204.71.177.35): 56 data bytes
> 64 bytes from 204.71.177.35: icmp_seq=0 ttl=246 time=359.0 ms
> 64 bytes from 204.71.177.35: icmp_seq=1 ttl=246 time=310.2 ms

> on the win95 end, I can telnet to linux, my gateway is set to 192.168.1.1 (the
> address of the linux box), but whenever I try to access the internet (including
> through netscape or ping, using names or ip addresses), I get "host unreachable"
> or the like.

> Any suggestions?

--
Jason Straight

ICQ 1796276
 
 
 


Post by Juergen P. Mei » Tue, 25 Aug 1998 04:00:00



> Sorry to ask yet another ip masquerading question, but I can't get it to work.
> I have a win95 box networked (ethernet) to a linux box.  All other networking
> functions seems to work well.  I've followed the HOWTO and many of the messages
> in this newsgroup (including compiling all the ip_masq options in the kernel,
> making and installing modules, making sure ip_forward is on, adding ipfwadm
> commands to rc.local).  I'm using Redhat 5.1, btw.

> all seems ok on the linux end:

> [richard]~$ cat /proc/sys/net/ipv4/ip_forward
> 1
> [richard]~$ /sbin/ipfwadm -F -l
> IP firewall forward rules, default policy: accept
> type  prot source               destination          ports
> acc/m all  192.168.1.0/24       anywhere             n/a
> [richard]~$ /sbin/route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
> ts9.interport.n *               255.255.255.255 UH    0      0        0 ppp0
> 192.168.1.0     *               255.255.255.0   U     0      0        2 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         ts9.interport.n 0.0.0.0         UG    0      0        1 ppp0
> [richard]~$ ping yahoo.com
> PING yahoo.com (204.71.177.35): 56 data bytes
> 64 bytes from 204.71.177.35: icmp_seq=0 ttl=246 time=359.0 ms
> 64 bytes from 204.71.177.35: icmp_seq=1 ttl=246 time=310.2 ms

> on the win95 end, I can telnet to linux, my gateway is set to 192.168.1.1 (the
> address of the linux box), but whenever I try to access the internet (including
> through netscape or ping, using names or ip addresses), I get "host unreachable"
> or the like.

> Any suggestions?

Your routing table is screwed. The first entry is totally wrong.
Get rid of it:

route del 255.255.255.255

Check where it is added and remove this too.

--
Juergen P. Meier
______________________________________________________

XEmacs is my Operating System, Linux my device driver.
--------------------------------------------------------------------------
Anyone sending unwanted advertising e-mail to this address will be charged
$25 for network traffic and computing time. By extracting my address from
this message or its header, you agree to these terms.
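
How the routing table quoted in this post is consulted for the masqueraded client's traffic, as an added example that is not part of the thread: a parser and longest-prefix-match lookup over the `route` output exactly as posted. The function names and the client address 192.168.1.20 are assumptions, and the row whose destination is the truncated host name `ts9.interport.n` is skipped rather than guessed.

```python
# Added illustration: longest-prefix-match lookup over the posted `route` output.
import ipaddress

ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
ts9.interport.n *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        2 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         ts9.interport.n 0.0.0.0         UG    0      0        1 ppp0
"""

def parse_routes(text):
    """Return (network, gateway, iface) tuples plus destinations that did not parse."""
    routes, skipped = [], []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) != 8:
            continue
        dest, gateway, genmask, iface = f[0], f[1], f[2], f[7]
        dest = "0.0.0.0" if dest == "default" else dest
        try:
            net = ipaddress.ip_network(f"{dest}/{genmask}")
        except ValueError:                      # host name instead of an address
            skipped.append(f[0])
            continue
        routes.append((net, gateway, iface))
    return routes, skipped

def lookup(routes, addr):
    """Pick the most specific route containing addr (longest prefix wins)."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    net, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return (str(net), gateway, iface)

ROUTES, SKIPPED = parse_routes(ROUTE_OUTPUT)

def demo():
    # 192.168.1.20 is an assumed address for the Win95 client.
    targets = ("204.71.177.35", "192.168.1.20", "255.255.255.255")
    return {a: lookup(ROUTES, a) for a in targets}
```

`demo()` returns the selected route for the pinged Internet host, for a reply heading back to the local client, and for the limited broadcast address.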

 
 
 

1. IP Masquerading works, but does not masquerade from within the local network

I've got a box running Redhat 6.1 working as a gateway for our home network.
It's connected to a cable modem, and we've only got one IP address, so it's
doing IP forwarding and masquerading for us.

Now, consider this situation: I've got a webcam running on one of my windows
boxes, whose IP address is 192.168.0.1 (for instance). The webcam is on port
8888, and I've got the linux box set up to forward this port along from
port, say, 9999, using a line much like

ipmasqadm portfw -a -P tcp -L xxx.xxx.xxx.xxx 9999 -R 192.168.0.1 8888

in my rc.local.

This works very well for people connecting in from outside - they'd use a
URL like:

http://xxx.xxx.xxx.xxx:9999/video/frame

but if I try and use that URL from inside the local network, it doesn't
connect, I'd have to use:

http://192.168.0.1:8888/video/frame

which is rather annoying as it makes it difficult to test things (I have to
VNC out to work and boot up a browser there)

I'm fairly sure the problem isn't with the webcam software - I've had the
same problem when trying to connect to an apache server inside the network
as well.

any ideas?

cheers,

Tim

