Linux IP Masquerade mini HOWTO: Setting Up IP Masquerade


If your private network contains any vital information, think twice before using IP Masquerade. This may be a GATEWAY for you to get to the Internet, and vice versa for someone on the other side of the world to get into your network.

3.1 Compiling the Kernel for IP Masquerade Support

  • First of all, you need the kernel source (preferably stable kernel version 2.0.0 or above)
  • If this is your first time compiling the kernel, don’t be scared. In fact, it’s rather easy and it’s covered in Linux Kernel HOWTO.
  • Unpack the kernel source to /usr/src/ with a command: tar xvzf linux-2.0.x.tar.gz -C /usr/src, where x is the patch level beyond 2.0
    (make sure there is a directory or symbolic link called linux)
  • Apply appropriate patches. Since new patches are coming out, details will not be included here. Please refer to IP Masquerade Resources for up-to-date information.
  • Refer to the Kernel HOWTO and the README file in the kernel source directory for further instructions on compiling a kernel
  • Here are the options that you need to compile in:

    Say YES to the following,

    
      * Prompt for development and/or incomplete code/drivers 
        CONFIG_EXPERIMENTAL 
        - this will allow you to select experimental ip_masq code compiled 
          into the kernel 
    
      * Enable loadable module support 
        CONFIG_MODULES 
        - allows you to load modules 
    
      * Networking support 
        CONFIG_NET 
    
      * Network firewalls 
        CONFIG_FIREWALL 
    
      * TCP/IP networking 
        CONFIG_INET 
    
      * IP: forwarding/gatewaying 
        CONFIG_IP_FORWARD 
    
      * IP: firewalling 
        CONFIG_IP_FIREWALL 
    
      * IP: masquerading (EXPERIMENTAL) 
        CONFIG_IP_MASQUERADE 
        - although it is experimental, it is a *MUST*
    
      * IP: always defragment
        CONFIG_IP_ALWAYS_DEFRAG 
        - highly recommended
    
      * Dummy net driver support
        CONFIG_DUMMY 
        - recommended
    

    NOTE: These are just the components you need for ip_masq; select whatever other options you need for your specific setup.

  • After compiling the kernel, you should compile and install the modules:
    
    make modules; make modules_install
    
  • Then you should add a few lines to your /etc/rc.d/rc.local file (or any file you think is appropriate) to automatically load, on each reboot, the required modules that reside in /lib/modules/2.0.x/ipv4/:
    
            .
            .
            .
    /sbin/depmod -a
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio
    /sbin/modprobe ip_masq_irc
    (and other modules such as ip_masq_cuseeme, ip_masq_vdolive 
     if you have applied the patches)
            .
            .
            .
    

Note: You can also load it manually before using ip_masq, but DON’T use kerneld for this, it will NOT work!
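A quick way to confirm that the kernel you are about to build actually has everything from the list above is to check its .config before running make. The following is an added example written for this HOWTO, not part of the original text or of the kernel sources; it parses the .config format (CONFIG_X=y, CONFIG_X=m and the "# CONFIG_X is not set" form) and reports which required and recommended options are missing. The sample configuration embedded in it is constructed for illustration.

```python
"""Check a Linux 2.0-era .config for the IP Masquerade options this HOWTO lists."""

# Options the HOWTO says to answer YES to, in the order given there.
REQUIRED = [
    "CONFIG_EXPERIMENTAL",
    "CONFIG_MODULES",
    "CONFIG_NET",
    "CONFIG_FIREWALL",
    "CONFIG_INET",
    "CONFIG_IP_FORWARD",
    "CONFIG_IP_FIREWALL",
    "CONFIG_IP_MASQUERADE",
]
# Options the HOWTO marks as recommended rather than mandatory.
RECOMMENDED = ["CONFIG_IP_ALWAYS_DEFRAG", "CONFIG_DUMMY"]


def parse_config(text):
    """Parse .config text into a {option: value} dict.

    'CONFIG_X=y' / 'CONFIG_X=m' keep their value; the comment form
    '# CONFIG_X is not set' is recorded as 'n'.  Other comments are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            parts = line[1:].split()
            if len(parts) == 4 and parts[1:] == ["is", "not", "set"]:
                settings[parts[0]] = "n"
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def check_masq_config(text):
    """Return (missing_required, missing_recommended) for the given .config text.

    An option counts as enabled when it is built in ('y') or a module ('m').
    """
    settings = parse_config(text)
    enabled = {k for k, v in settings.items() if v in ("y", "m")}
    missing_req = [opt for opt in REQUIRED if opt not in enabled]
    missing_rec = [opt for opt in RECOMMENDED if opt not in enabled]
    return missing_req, missing_rec


# Constructed sample fragment (not a real kernel config): masquerading and the
# dummy driver were left out, everything else was selected.
SAMPLE_CONFIG = """\
# Constructed sample .config fragment
CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_FIREWALL=y
# CONFIG_IP_MASQUERADE is not set
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_DUMMY is not set
"""

if __name__ == "__main__":
    req, rec = check_masq_config(SAMPLE_CONFIG)
    print("missing required:   ", req)
    print("missing recommended:", rec)
```

Run it against /usr/src/linux/.config (read the file and pass its contents to check_masq_config) after make config; an empty required list means the options above are all present.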

3.2 Assigning Private Network IP Address

Since all the OTHER machines do not have officially assigned addresses, there must be a proper way to allocate addresses to those machines.

From IP Masquerade FAQ:

There is an RFC (#1597) on which IP addresses are to be used on a non-connected network. There are 3 blocks of numbers set aside specifically for this purpose. One which I use is 255 Class-C subnets at 192.168.1.n to 192.168.255.n .


From RFC 1597:

Section 3: Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private networks:

              10.0.0.0        -   10.255.255.255
              172.16.0.0      -   172.31.255.255
              192.168.0.0     -   192.168.255.255

We will refer to the first block as "24-bit block", the second as
"20-bit block", and to the third as "16-bit block".  Note that the
first block is nothing but a single class A network number, while the
second block is a set of 16 contiguous class B network numbers, and
third block is a set of 255 contiguous class C network numbers.

So, if you’re using a class C network, you should name your machines 192.168.1.1, 192.168.1.2, 192.168.1.3, …, 192.168.1.x

192.168.1.1 is usually the gateway machine, which is your Linux host connecting to the Internet. Notice that 192.168.1.0 and 192.168.1.255 are the Network and Broadcast address respectively, which are reserved. Avoid using these addresses on your machines.
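Before handing out addresses to the OTHER machines it is worth checking each one against the rules just stated: it must fall inside one of the three RFC 1597 blocks, inside your own subnet, and must not be the network or broadcast address. The script below is an added example for this HOWTO, not part of the original text; it uses Python’s standard ipaddress module and the function names (check_host_address, address_plan) are my own.

```python
"""Validate a private-network address plan against RFC 1597 and the subnet rules."""
import ipaddress

# The three blocks RFC 1597 reserves for private networks, as quoted above.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # "24-bit block"
    ipaddress.ip_network("172.16.0.0/12"),     # "20-bit block"
    ipaddress.ip_network("192.168.0.0/16"),    # "16-bit block"
]


def is_rfc1597_private(addr):
    """True if addr (a string) lies in one of the RFC 1597 private blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in block for block in PRIVATE_BLOCKS)


def check_host_address(addr, lan):
    """Return a list of problems with assigning addr to a machine on network lan.

    lan is given in CIDR form, e.g. "192.168.1.0/24".  An empty list means
    the address is usable for a host on that LAN.
    """
    net = ipaddress.ip_network(lan, strict=True)
    a = ipaddress.ip_address(addr)
    problems = []
    if not is_rfc1597_private(addr):
        problems.append("not in an RFC 1597 private block")
    if a not in net:
        problems.append("outside %s" % net)
    else:
        # Network and broadcast addresses are reserved and must not be assigned.
        if a == net.network_address:
            problems.append("network address, reserved")
        if a == net.broadcast_address:
            problems.append("broadcast address, reserved")
    return problems


def address_plan(lan, count):
    """Propose a gateway plus `count` client addresses on lan.

    Following the HOWTO's convention the gateway takes the first usable
    address (.1 on a class C network) and clients follow it in order.
    hosts() already skips the network and broadcast addresses.
    """
    net = ipaddress.ip_network(lan, strict=True)
    usable = net.hosts()
    gateway = str(next(usable))
    clients = []
    for _ in range(count):
        clients.append(str(next(usable)))
    return {"gateway": gateway, "clients": clients}


if __name__ == "__main__":
    # Constructed sample plan for the class C network used throughout section 3.
    print(address_plan("192.168.1.0/24", 3))
    for candidate in ("192.168.1.1", "192.168.1.0", "192.168.1.255", "198.95.249.78"):
        print(candidate, check_host_address(candidate, "192.168.1.0/24") or "ok")
```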

3.3 Configuring the OTHER machines

Besides setting the appropriate IP address for each machine, you should also set the appropriate gateway. In general, it is rather straightforward. You simply enter the address of your Linux host (usually 192.168.1.1) as the gateway address.

For the Domain Name Service, you can add in any DNS available. The most apparent one should be the one that your Linux is using. You can optionally add any domain search suffix as well.

After you have reconfigured those IP addresses, remember to restart the appropriate services or reboot your systems.

The following configuration instructions assume that you are using a Class C network with 192.168.1.1 as your Linux host’s address. Please note that 192.168.1.0 and 192.168.1.255 are reserved.

Configuring Windows 95

  1. If you haven’t installed your network card and adapter driver, do so now.
  2. Go to ‘Control Panel’/’Network’.
  3. Add ‘TCP/IP protocol’ if you don’t already have it.
  4. In ‘TCP/IP properties’, go to ‘IP Address’ and set IP Address to 192.168.1.x, (1 < x < 255), and then set Subnet Mask to 255.255.255.0
  5. Add 192.168.1.1 as your gateway under ‘Gateway’.
  6. Under ‘DNS Configuration’/’DNS Server search order’ add the DNS server that your Linux host uses (usually found in /etc/resolv.conf). Optionally, you can add the appropriate domain search suffix.
  7. Leave all the other settings as they are unless you know what you’re doing.
  8. Click ‘OK’ on all dialog boxes and restart system.
  9. Ping the linux box to test the network connection: ‘Start/Run’, type: ping 192.168.1.1
    (This is only a LAN connection testing, you can’t ping the outside world yet.)
  10. You can optionally create a HOSTS file in the windows directory so that you can use hostname of the machines on your LAN. There is an example called HOSTS.SAM in the windows directory.

Configuring Windows for Workgroup 3.11

  1. If you haven’t installed your network card and adapter driver, do so now.
  2. Install the TCP/IP 32b package if you don’t have it already.
  3. In ‘Main’/’Windows Setup’/’Network Setup’, click on ‘Drivers’.
  4. Highlight ‘Microsoft TCP/IP-32 3.11b’ in the ‘Network Drivers’ section, click ‘Setup’.
  5. Set IP Address to 192.168.1.x (1 < x < 255), then set Subnet Mask to 255.255.255.0 and Default Gateway to 192.168.1.1
  6. Do not enable ‘Automatic DHCP Configuration’, and do not put anything in those ‘WINS Server’ input areas, unless you’re in a Windows NT domain and you know what you’re doing.
  7. Click ‘DNS’, fill in the appropriate information mentioned in STEP 6 of section 3.3.1, then click ‘OK’ when you’re done with it.
  8. Click ‘Advanced’, check ‘Enable DNS for Windows Name Resolution’ and ‘Enable LMHOSTS lookup’ if you’re using a look up host file, similar to the one mentioned in STEP 10 of section 3.3.1
  9. Click ‘OK’ on all dialog boxes and restart system.
  10. Ping the linux box to test the network connection: ‘File/Run’, type: ping 192.168.1.1
    (This is only a LAN connection testing, you can’t ping the outside world yet.)

Configuring Windows NT 3.51

  1. If you haven’t installed your network card and adapter driver, do so now.
  2. Go to ‘Main’/’Control Panel’/’Network’
  3. Add the TCP/IP Protocol and Related Component from the ‘Add Software’ menu if you don’t have TCP/IP service installed already.
  4. Under ‘Network Software and Adapter Cards’ section, highlight ‘TCP/IP Protocol’ in the ‘Installed Network Software’ selection box.
  5. In ‘TCP/IP Configuration’, select the appropriate adapter, e.g. [1]Novell NE2000 Adapter. Then set the IP Address to 192.168.1.x (1 < x < 255), then set Subnet Mask to 255.255.255.0 and Default Gateway to 192.168.1.1
  6. Do not enable ‘Automatic DHCP Configuration’, and do not put anything in those ‘WINS Server’ input areas, unless you’re in a Windows NT domain and you know what you’re doing.
  7. Click ‘DNS’, fill in the appropriate information mentioned in STEP 6 of section 3.3.1, then click ‘OK’ when you’re done with it.
  8. Click ‘Advanced’, check ‘Enable DNS for Windows Name Resolution’ and ‘Enable LMHOSTS lookup’ if you’re using a look up host file, similar to the one mentioned in STEP 10 of section 3.3.1
  9. Click ‘OK’ on all dialog boxes and restart system.
  10. Ping the linux box to test the network connection: ‘File/Run’, type: ping 192.168.1.1
    (This is only a LAN connection testing, you can’t ping the outside world yet.)

Configuring UNIX Based Systems

  1. If you haven’t installed your network card and recompiled your kernel with the appropriate adapter driver, do so now.
  2. Install TCP/IP networking, such as the nettools package, if you don’t have it already.
  3. Set IPADDR to 192.168.1.x (1 < x < 255), then set NETMASK to 255.255.255.0, GATEWAY to 192.168.1.1, and BROADCAST to 192.168.1.255
    For example, you can edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file on a Red Hat Linux system, or simply do it through the Control Panel.
    (it’s different in SunOS, BSDi, Slackware Linux, etc…)
  4. Add your domain name service (DNS) and domain search suffix in /etc/resolv.conf
  5. You may want to update your /etc/networks file depending on your settings.
  6. Restart the appropriate services, or simply restart your system.
  7. Issue a ping command: ping 192.168.1.1 to test the connection to your gateway machine.
    (This is only a LAN connection testing, you can’t ping the outside world yet.)

Configuring DOS using NCSA Telnet package

  1. If you haven’t installed your network card, do so now.
  2. Load the appropriate packet driver. For an NE2000 card, issue nwpd 0x60 10 0x300, with your network card set to IRQ 10 and hardware address at 0x300
  3. Make a new directory, and then unpack the NCSA Telnet package: pkunzip tel2308b.zip
  4. Use a text editor to open the config.tel file
  5. Set myip=192.168.1.x (1 < x < 255), and netmask=255.255.255.0
  6. In this example, you should set hardware=packet, interrupt=10, ioaddr=60
  7. You should have at least one individual machine specification set as the gateway, i.e. the Linux host:
    
    name=default
    host=yourlinuxhostname
    hostip=192.168.1.1
    gateway=1
    
  8. Have another specification for a domain name service:
    
    name=dns.domain.com ; hostip=123.123.123.123; nameserver=1
    

    Note: substitute the appropriate information about the DNS that your Linux host uses

  9. Save your config.tel file
  10. Telnet to the linux box to test the network connection: telnet 192.168.1.1

Configuring MacOS Based System Running MacTCP

  1. If you haven’t installed the appropriate driver software for your Ethernet adapter, now would be a very good time to do so.
  2. Open the MacTCP control panel. Select the appropriate network driver (Ethernet, NOT EtherTalk) and click on the ‘More…’ button.
  3. Under ‘Obtain Address:’, click ‘Manually’.
  4. Under ‘IP Address:’, select class C from the popup menu. Ignore the rest of this section of the dialog box.
  5. Fill in the appropriate information under ‘Domain Name Server Information:’.
  6. Under ‘Gateway Address:’, enter 192.168.1.1
  7. Click ‘OK’ to save the settings. In the main window of the MacTCP control panel, enter the IP address of your Mac (192.168.1.x, 1 < x < 255) in the ‘IP Address:’ box.
  8. Close the MacTCP control panel. If a dialog box pops up notifying you to do so, restart the system.
  9. You may optionally ping the Linux box to test the network connection. If you have the freeware program MacTCP Watcher, click on the ‘Ping’ button, and enter the address of your Linux box (192.168.1.1) in the dialog box that pops up. (This is only a LAN connection testing, you can’t ping the outside world yet.)
  10. You can optionally create a Hosts file in your System Folder so that you can use the hostnames of the machines on your LAN. The file should already exist in your System Folder, and should contain some (commented-out) sample entries which you can modify according to your needs.

Configuring MacOS Based System Running Open Transport

  1. If you haven’t installed the appropriate driver software for your Ethernet adapter, now would be a very good time to do so.
  2. Open the TCP/IP Control Panel and choose ‘User Mode …’ from the Edit menu. Make sure the user mode is set to at least ‘Advanced’ and click the ‘OK’ button.
  3. Choose ‘Configurations…’ from the File menu. Select your ‘Default’ configuration and click the ‘Duplicate…’ button. Enter ‘IP Masq’ (or something to let you know that this is a special configuration) in the ‘Duplicate Configuration’ dialog; it will probably say something like ‘Default copy’. Then click the ‘OK’ button, and the ‘Make Active’ button.
  4. Select ‘Ethernet’ from the ‘Connect via:’ pop-up.
  5. Select the appropriate item from the ‘Configure:’ pop-up. If you don’t know which option to choose, you probably should re-select your ‘Default’ configuration and quit. I use ‘Manually’.
  6. Enter the IP address of your Mac (192.168.1.x, 1 < x < 255) in the ‘IP Address:’ box.
  7. Enter 255.255.255.0 in the ‘Subnet mask:’ box.
  8. Enter 192.168.1.1 in the ‘Router address:’ box.
  9. Enter the IP addresses of your domain name servers in the ‘Name server addr.:’ box.
  10. Enter the name of your Internet domain (e.g. ‘microsoft.com’) in the ‘Starting domain name’ box under ‘Implicit Search Path:’.
  11. The following procedures are optional. Incorrect values may cause erratic behavior. If you’re not sure, it’s probably better to leave them blank, unchecked and/or unselected. Remove any information from those fields, if necessary. As far as I know there is no way, through the TCP/IP dialogs, to tell the system not to use a previously selected alternate ‘Hosts’ file. If you know, I would be interested.
    Check the ‘802.3’ if your network requires 802.3 frame types.
  12. Click the ‘Options…’ button to make sure that TCP/IP is active. I use the ‘Load only when needed’ option. If you run and quit TCP/IP applications many times without rebooting your machine, you may find that unchecking the ‘Load only when needed’ option will prevent/reduce the effects on your machine’s memory management. With the item unchecked the TCP/IP protocol stacks are always loaded and available for use. If checked, the TCP/IP stacks are automatically loaded when needed and unloaded when not. It’s the loading and unloading process that can cause your machine’s memory to become fragmented.
  13. You may ping the Linux box to test the network connection. If you have the freeware program MacTCP Watcher, click on the ‘Ping’ button, and enter the address of your Linux box (192.168.1.1) in the dialog box that pops up. (This is only a LAN connection testing, you can’t ping the outside world yet.)
  14. You can create a Hosts file in your System Folder so that you can use the hostnames of the machines on your LAN. The file may or may not already exist in your System Folder. If so, it should contain some (commented-out) sample entries which you can modify according to your needs. If not, you can get a copy of the file from a system running MacTCP, or just create your own (it follows a subset of the Unix /etc/hosts file format, described on page 33 of RFC 1035). Once you’ve created the file, open the TCP/IP control panel, click on the ‘Select Hosts File…’ button, and open the Hosts file.
  15. Click the close box or choose ‘Close’ or ‘Quit’ from the File menu, and then click the ‘Save’ button to save the changes you have made.
  16. The changes take effect immediately, but rebooting the system won’t hurt.

Configuring Novell network using DNS

  1. If you haven’t installed the appropriate driver software for your Ethernet adapter, now would be a very good time to do so.
  2. Downloaded tcpip16.exe from
  3. edit c:\nwclient\startnet.bat
    

    : (here is a copy of mine)

    SET NWLANGUAGE=ENGLISH
    LH LSL.COM
    LH KTC2000.COM
    LH IPXODI.COM
    LH tcpip
    LH VLM.EXE
    F:
    
  4. edit c:\nwclient\net.cfg
    

    : (change link driver to yours i.e. NE2000)

    Link Driver KTC2000
            Protocol IPX 0 ETHERNET_802.3    
            Frame ETHERNET_802.3     
            Frame Ethernet_II        
            FRAME Ethernet_802.2
    
    NetWare DOS Requester
               FIRST NETWORK DRIVE = F
               USE DEFAULTS = OFF
               VLM = CONN.VLM
               VLM = IPXNCP.VLM
               VLM = TRAN.VLM
               VLM = SECURITY.VLM
               VLM = NDS.VLM
               VLM = BIND.VLM
               VLM = NWP.VLM
               VLM = FIO.VLM
               VLM = GENERAL.VLM
               VLM = REDIR.VLM
               VLM = PRINT.VLM
               VLM = NETX.VLM
    
    Link Support
            Buffers 8 1500
            MemPool 4096
    
    Protocol TCPIP
            PATH SCRIPT     C:\NET\SCRIPT
            PATH PROFILE    C:\NET\PROFILE
            PATH LWP_CFG    C:\NET\HSTACC
            PATH TCP_CFG    C:\NET\TCP
            ip_address      xxx.xxx.xxx.xxx
            ip_router       xxx.xxx.xxx.xxx
    
  5. and finally created
    c:\bin\resolv.cfg
    

    :

    SEARCH DNS HOSTS SEQUENTIAL
    NAMESERVER 207.103.0.2
    NAMESERVER 207.103.11.9
    
  6. I hope this helps some people get their Novell Nets online, BTW this can be done using Netware 3.1x or 4.x

Configuring Other Systems such as OS/2

They should follow the same theory for setup. Check the sections above. If you’re interested in writing about any of these systems such as OS/2, or any variations of UNIX based systems, please send detailed setup instructions to achau@wwonline.com.

3.4 Configuring IP Forwarding Policies

At this point, you should have your kernel and other required packages installed, as well as your modules loaded. Also, the IP addresses, gateway, and DNS should be all set on the OTHER machines.

Now, the only thing left to do is to use ipfwadm to forward appropriate packets to the appropriate machine:


ipfwadm -F -p deny 
ipfwadm -F -a m -S yyy.yyy.yyy.yyy/x -D 0.0.0.0/0 

where x is one of the following numbers according to the class of your subnet, and yyy.yyy.yyy.yyy is your network address.


netmask         | x  | Subnet
~~~~~~~~~~~~~~~~|~~~~|~~~~~~~~~~~~~~~
255.0.0.0       | 8  | Class A
255.255.0.0     | 16 | Class B
255.255.255.0   | 24 | Class C
255.255.255.255 | 32 | Point-to-point

For example, if I’m on a class C subnet, I would have entered:


ipfwadm -F -p deny 
ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 

The second command could have either -V 192.168.1.1 or -W eth0 added to it to ensure that the masqueraded packets came in through the appropriate interface of the system – if you are at all security conscious (otherwise known as justifiably paranoid) then you will want to do this.

Since bootp request packets come without a valid source IP address (the client knows nothing about its address yet), people with a bootp server on the masquerade/firewall machine need to use the following before the deny command:


ipfwadm -I -a accept -S 0/0 68 -D 0/0 67 -W bootp_clients_net_if_name -P udp

You can also do it on a per machine basis. For example, if I want 192.168.1.2 and 192.168.1.8 to have access to the Internet, but not the other machines, I would have entered:


ipfwadm -F -p deny 
ipfwadm -F -a m -S 192.168.1.2/32 -D 0.0.0.0/0 
ipfwadm -F -a m -S 192.168.1.8/32 -D 0.0.0.0/0 

Alternately, you can type the netmask instead of the value, e.g. 192.168.1.0/255.255.255.0

What appears to be a common mistake is to make the first command be this

ipfwadm -F -p masquerade

Do not make your default policy be masquerading – otherwise someone who can manipulate their routing will be able to tunnel straight back through your gateway, using it to masquerade their identity!

Again, you can add these lines to the /etc/rc.local files, one of the rc files you prefer, or do it manually every time you need ip_masq.
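Because these rules usually end up in an rc file that is edited by hand over time, it helps to generate them from a short list of sources and to audit the result for the mistakes called out above (a masquerade default policy, rules not pinned to an interface). The script below is an added example written for this HOWTO, not part of the original text or of the ipfwadm package; it only builds and checks the ipfwadm command lines and does not run them. The function names and the rc-script fragment it audits are my own constructions; the netmask-to-x conversion follows the table above.

```python
"""Build and audit ipfwadm forwarding rules for IP Masquerade."""
import ipaddress

# RFC 1597 private blocks; every masqueraded source must lie inside one of them.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def prefix_length(mask):
    """Return x for a mask given as 24, "24" or "255.255.255.0" (the table above)."""
    if isinstance(mask, int) or str(mask).isdigit():
        x = int(mask)
    else:
        # ip_network rejects non-contiguous masks, so this also validates the input.
        x = ipaddress.ip_network("0.0.0.0/%s" % mask).prefixlen
    if not 0 <= x <= 32:
        raise ValueError("bad prefix length %r" % x)
    return x


def masq_rules(sources, interface=None, bootp_if=None):
    """Build the ordered list of ipfwadm commands.

    sources   : list of (address, mask) pairs, e.g. ("192.168.1.0", "255.255.255.0")
                or ("192.168.1.2", 32) for a single machine.
    interface : if given, append -W <interface> to every masquerade rule.
    bootp_if  : if given, emit the bootp accept rule on that interface first,
                i.e. before the deny policy, as the HOWTO describes.
    """
    cmds = []
    if bootp_if:
        cmds.append("ipfwadm -I -a accept -S 0/0 68 -D 0/0 67 -W %s -P udp" % bootp_if)
    cmds.append("ipfwadm -F -p deny")      # the default policy is always deny
    for addr, mask in sources:
        x = prefix_length(mask)
        # strict=True refuses a host address paired with a network mask (e.g. .5/24).
        net = ipaddress.ip_network("%s/%d" % (addr, x), strict=True)
        if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
            raise ValueError("%s is not an RFC 1597 private network" % net)
        rule = "ipfwadm -F -a m -S %s/%d -D 0.0.0.0/0" % (net.network_address, x)
        if interface:
            rule += " -W %s" % interface
        cmds.append(rule)
    return cmds


def audit_rules(cmds):
    """Return a list of problems found in existing ipfwadm command lines."""
    problems = []
    for cmd in cmds:
        words = cmd.split()
        if "-F" in words and "-p" in words and "masquerade" in words:
            problems.append("default forwarding policy is masquerade: %s" % cmd)
        if "-a" in words and "m" in words and "-W" not in words and "-V" not in words:
            problems.append("masquerade rule not pinned to an interface: %s" % cmd)
    return problems


# Constructed rc-script fragment showing the common mistake described above.
BAD_RC_LINES = [
    "ipfwadm -F -p masquerade",
    "ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0",
]

if __name__ == "__main__":
    for line in masq_rules([("192.168.1.2", 32), ("192.168.1.8", 32)], interface="eth0"):
        print(line)
    for problem in audit_rules(BAD_RC_LINES):
        print("PROBLEM:", problem)
```

To use it, write the output of masq_rules into the rc file you load ip_masq from, and feed the lines of an existing rc file to audit_rules before trusting them.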

Please read section 4.4 for a detailed guide on ipfwadm.

3.5 Testing IP Masquerade

It’s time to give it a try, after all this hard work. Make sure the connection of your Linux host to the Internet is okay.

You can try browsing some ‘INTERNET!!!’ web sites on your OTHER machines, and see if you get it. I recommend using an IP address rather than a hostname on your first try, because your DNS setup may not be correct.

For example, you can access Netscape’s site http://home.netscape.com with an entry of http://198.95.249.78

If you see that nice sailboat, then congratulations! It’s working! You may then try one with a hostname entry, and then telnet, ftp, Real Audio, True Speech, whatever is supported by IP Masquerade…

So far, I have had no trouble with the above settings, and full credit goes to the people who spent their time making this wonderful feature work.
