1 / 20

IP Masquerade

IP Masquerade Andy Wilson UNC Chapel Hill February 16, 2000 What’s IP Masquerade? Why would you want it? How it works What you’ll need Setting up Testing Outline Network Address Translation (NAT) under Linux almost, but not quite, the same as firewalling

Audrey
Download Presentation

IP Masquerade

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IP Masquerade Andy Wilson UNC Chapel Hill February 16, 2000

  2. What’s IP Masquerade? Why would you want it? How it works What you’ll need Setting up Testing Outline

  3. Network Address Translation (NAT) under Linux almost, but not quite, the same as firewalling Allows several networked computers to talk to the Internet through a single IP address What’s IP Masquerade?

  4. Connectivity for a home network Many ISPs only allow one IP address Security Hide machines containing sensitive information Allow access only to specific services on specific machines Why would you want it?

  5. How it works: Network Structure Frodo 192.168.0.100 Internet Gateway PPP: 11.22.33.44 Enet: 192.168.0.1 Bilbo 192.168.0.101 Home Network Pippin 192.168.0.102

  6. How it works: Example slashdot.org 209.207.224.40 Gateway PPP: 11.22.33.44 Enet: 192.168.0.1 Frodo 192.168.0.100 New connection: 192.168.0.100:1234 to 209.207.224.40:80

  7. How it works: Example www.slashdot.org 209.207.224.40 Gateway PPP: 11.22.33.44 Enet: 192.168.0.1 Frodo 192.168.0.100 New connection: 11.22.33.44:5432 to 209.207.224.40:80 Connected: 192.168.0.100:1234 to 209.207.224.40:80 Port map: 5432 -> Frodo:1234

  8. How it works: Example www.slashdot.org 209.207.224.40 Gateway PPP: 11.22.33.44 Enet: 192.168.0.1 Frodo 192.168.0.100 Connected: 11.22.33.44:5432 to 209.207.224.40:80 Connection opened: from 11.22.33.44:5432 to 209.207.224.40:80 Connected: 192.168.0.100:1234 to 209.207.224.40:80 Port map: 5432 -> Frodo:1234

  9. How it works: Example www.slashdot.org 209.207.224.40 Gateway PPP: 11.22.33.44 Enet: 192.168.0.1 Frodo 192.168.0.100 Data received: 11.22.33.44:5432 from 209.207.224.40:80 Connection opened: from 11.22.33.44:5432 to 209.207.224.40:80 Connected: 192.168.0.100:1234 to 209.207.224.40:80 Port map: 5432 -> Frodo:1234

  10. How it works: Example www.slashdot.org 209.207.224.40 Gateway PPP: 11.22.33.44 Enet: 192.168.0.1 Frodo 192.168.0.100 Data received: 11.22.33.44:5432 from 209.207.224.40:80 Connection opened: from 11.22.33.44:5432 to 209.207.224.40:80 Data received: 192.168.0.100:1234 from 209.207.224.40:80 Port map: 5432 -> Frodo:1234

  11. Two computers (at least) Local LAN Outside connection (ISP) One machine running kernel 2.2.x (x > 13) 2.0.34 is possible but not recommended (see HOWTO for details) What you’ll need

  12. Build a kernel with the right options enabled Configure your LAN Configure your ISP connection Configure IPCHAINS Reboot and test Celebrate Setting Up: Overview

  13. If this is your first time compiling a kernel: DON’T PANIC. Read the Kernel-HOWTO for instructions. It’s quite simple. After that... Setting Up: Compiling the Kernel

  14. Enable incomplete/development drivers Enable networking, firewalls, TCP/IP Enable firewalling (again) Enable masquerading, always defragment Enable ICMP masquerade Enable IP forwarding Disable ipautofw Enable TCP syncookies Enable /proc filesystem Enable PPP (if your ISP connection is a dialup) Don’t forget a driver for your Ethernet card! Setting Up: Kernel Options

  15. IANA Reserved Network Numbers 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 Select IP addresses from one of these blocks Default gateway should be firewall machine Consider running a nameserver on firewall Setting Up: LAN configuration

  16. Example Network Frodo 192.168.0.100 Internet Gateway PPP: 11.22.33.44 Enet: 192.168.0.1 Bilbo 192.168.0.101 Home Network Pippin 192.168.0.102

  17. Create /etc/rc.d/rc.firewall (or add to rc.local) Setting Up: IPCHAINS #!/bin/sh # Enable IP forwarding (hopefully disabled at boot by default) echo “1” > /proc/sys/net/ipv4/ip_forward # Set masquerade timeouts (2 hours for TCP, 10sec for connection closing, # 160 sec for UDP (like ICQ)) /sbin/ipchains -M -S 7200 10 160 # Set up masquerade policies # by default, deny everything /sbin/ipchains -P forward DENY # but masquerade for just this one network /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

  18. Configure connection to the outside world as usual diald is useful! Make sure rc.firewall gets run at boot time chmod 700 /etc/rc.d/rc.firewall in /etc/rc.d/rc.local: /etc/rc.d/rc.firewall Setting Up: IPCHAINS

  19. From firewall: Connect to ISP and ping outside world Ping a machine inside your network From your network: Ping firewall machine Ping outside world by IP number Ping outside world by name Visit your favorite Web site Testing

  20. IP Masquerade Resource: http://ipmasq.cjb.net HOWTO (at www.linuxdoc.org) Kernel IP masquerade Networking overview Ethernet Learning More

More Related