Very Computer

In the Linux IP Masquerade mini How-To, it has in the "2.4 Who Doesn't
Need IP Masquerade?" section that:

If you already have assigned addresses for your OTHER machines, then you
don't need IP Masquerade.

I was wondering what it meant by this?  What does it take to have this?

Thanks,

Kris

It means that if you have *real* IP addresses for your other machines
(i.e. they're actually routed to your machines from anywhere in the
world) you don't need to use masquerading.  All you would need to use in
this case would be packet forwarding, and your box directly connected to
the 'Net would act as a simple router.  However, if you *don't* have
*real* IP addresses for your boxes (i.e. they're on a local network and
can't be seen outside that network) then you need to set up IP
masquerading so that all the packets the computers on your local network
send to the Internet are picked up by the "router" machine so it can add
its own IP address to the outgoing packets.  This way, all the other
computers on the Internet think that they're receiving packets from your
"router" (which they are) but in fact, the packets are coming from a
local machine behind the "router".  The router embeds the local
computer's IP address in the packets it sends so that when the
destination system replies, the packets get sent back to the "router"
which then strips out the local machine's IP and sends it along its
way.  It's a really cool process, actually.

--
+--------------------------+--------------------------------+
|       Greg Hughes        | Linux 2.1.115 / Pentium-II 300 |
|    1B CS / Soft. Eng.    |  "The meek shall inherit what  |

+--------------------------+--------------------------------+

If the other workstations on your network have real internet addresses
assigned to them then they don't need IP Masquerading. IP masquerading is
used if you only have one (or a few, but not enough for all the
workstations) IP address assigned by your ISP but you want the rest of the
network to be able to use the internet also.

Quote:>  What does it take to have this?

Read the Section 3. in the Linux IP Masquerade mini HOWTO. This should
answer all the questions about what needs to be supported by the kernel in
order for it to run.

Quote:

> Thanks,

> Kris

 John Staker
PC-Networks Inc.

I want to add a new question... (Sorry about my english, I am a spanish
one).

    I have 2 linux/w98 computers, in a mini-ethernet network (10 Mbps). They
are normaly standalone machines, so they have a different IP inside internet
(Dinamic IP)...

    The question is: Can I use 2 differents IP's with a single modem? How
can I call the 2nd ISP? I think it is better than IP Masquerading solution,
because I can use the two IP we have.

    I hope it was clear...

Cyou s00n.
Francesc.
http://www.ctv.es/USERS/fleveq

.........

Quote:> > If you already have assigned addresses for your OTHER machines, then you
> > don't need IP Masquerade.

> > I was wondering what it meant by this?

> If the other workstations on your network have real internet addresses
> assigned to them then they don't need IP Masquerading. IP masquerading is
> used if you only have one (or a few, but not enough for all the
> workstations) IP address assigned by your ISP but you want the rest of the
> network to be able to use the internet also.

........

Please allow me to (slightly) disagree. I know a number of organizations
where, although they have, say, a class B range of IPs assigned to them,
they still prefer to put everyone behind a firewall and a gateway running
Network Address Translation (known as 'NAT' in router documentaion, or
known as 'IP masquesrading' among Linux users) and give every subnet
some unused range like 172.16.x.x or 10.0.x.x for extra security, because
those are IPs not reacheable from the other side. That is especially the case
with highly vulnerable Windows-based workstations which go into BSOD state
because of a malicious packet easily created on outside.

--
     Vlad Petersen       |     <vladimip at uniserve dot com>
 #include <disclaimer.h> |   *Good pings come in small packets*
     Vancouver, BC       |    Windows: for IQs smaller than 95
      SIGSIG -- signature too long (core dumped)

Sorry to ask yet another ip masquerading question, but I can't get it to work.
I have a win95 box networked (ethernet) to a linux box.  All other networking
functions seems to work well.  I've followed the HOWTO and many of the messages
in this newsgroup (including compiling all the ip_masq options in the kernel,
making and installing modules, making sure ip_forward is on, adding ipfwadm
commands to rc.local).  I'm using Redhat 5.1, btw.

all seems ok on the linux end:

[richard]~$ cat /proc/sys/net/ipv4/ip_forward
1
[richard]~$ /sbin/ipfwadm -F -l
IP firewall forward rules, default policy: accept
type  prot source               destination          ports
acc/m all  192.168.1.0/24       anywhere             n/a
[richard]~$ /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
ts9.interport.n *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        2 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         ts9.interport.n 0.0.0.0         UG    0      0        1 ppp0
[richard]~$ ping yahoo.com
PING yahoo.com (204.71.177.35): 56 data bytes
64 bytes from 204.71.177.35: icmp_seq=0 ttl=246 time=359.0 ms
64 bytes from 204.71.177.35: icmp_seq=1 ttl=246 time=310.2 ms

on the win95 end, I can telnet to linux, my gateway is set to 192.168.1.1 (the
address of the linux box), but whenever I try to access the internet (including
through netscape or ping, using names or ip addresses), I get "host unreachable"
or the like.

Any suggestions?

Quote:>Please allow me to (slightly) disagree. I know a number of organizations
>where, although they have, say, a class B range of IPs assigned to them,
>they still prefer to put everyone behind a firewall and a gateway running
>Network Address Translation (known as 'NAT' in router documentaion, or
>known as 'IP masquesrading' among Linux users) and give every subnet
>some unused range like 172.16.x.x or 10.0.x.x for extra security, because
>those are IPs not reacheable from the other side.

I hope they're going to return these unused Class B nets if they're masqing
their whole local network. That's a lot of wasted space.

NAT and IP Masquerading are not the same thing; the latter is a subset of
the former.

If they have firewalls, why would their systems be reachable from the
outside? Isn't setting up RFC 1597 addresses as much work as just learning
how to configure their firewalls properly? And if they're just NATting
straight to these addresses, then what's protected anyway?

miguel

If you are running RH 5.1 then you do NOT need to compile anything to get IP
Masquerading working. It's already compiled into the kernel.

However you DO need to load at least on of the ip_masq_  modules to get it to
work...

in your rc.local file add

/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_cuseeme

etc...

Go to your client and make sure you can ping both sides of your connection...

I.E..

ping 192.168.1.1

and

ping ts9.interport.n <- which you might want to replace with the correct IP
address...

RH5.1 works out of the box with IP Masq...

-JMS

Ok, this should make things happy for you.  I couldn't do it either, then I read
this, and it was working in minutes.

http://www.indyramp.com/mirrors/ipmasq/rh5setup.html

--
Jason Straight

ICQ 1796276

Your routing table is screwd. The first entry is totaly wrong.
Get rid of it:

route del 255.255.255.255

Check wehere it is added and remove this too.

--
Juergen P. Meier
______________________________________________________

XEmacs is my Operating System, Linux my device driver.
--------------------------------------------------------------------------
Anyone sending unwanted advertising e-mail to this address will be charged
$25 for network traffic and computing time. By extracting my address from
this message or its header, you agree to these terms.