(version 1.1) - learn what IP Masquerading is, and what it is good for anyway.
1.1 About this document
This document has one reason for existing: to teach something to others.
Who should be reading this document
If you have some computers standing at home and you want to share your internet
connection with the rest of the family, or if you like seeing your mail
on the screen on the left side of your desk and your IRC window on the screen
standing at the right side of your desk, you need IP masquerading.
Yes, I know there are also modem sharing packages for Microsoft products on
the market. But the advantage is that this can be run on a 386 computer,
and with 3 more commands you can have your own firewall. There are
also more and more providers who offer cable modems and (too) much bandwidth for
one computer. I think it is very handy: if I am reading my e-mail and I
want to see if one of my friends is on IRC, I just have to turn my head.
You don't really need a cable modem; it also works
if you have a modem connection (I am the living example of that).
1.2 What do you need?
Although I haven't explained what masquerading actually is (be patient),
I will start by telling you what you need in order to use masquerading.
You need:
Multiple (>2) computers
A network connecting these computers
Different ip-numbers assigned to all computers
One PC that has a modem and an internet connection
The Linux OS with a 2.2.x or higher kernel running on that machine
Half an hour of time (in the worst case)
Something to eat
So now that you know what you need in order to use masquerading, I can start
explaining what masquerading actually is:
What is it?
I know that masquerading is a complicated process, so before getting all
technical I'll start with an example that makes it easier to understand.
Person A loves person B, but person A isn't at the same school and doesn't have her
telephone number. There is also a common friend (person C), someone who knows
A and is at the same school as B. So A is going to ask C to talk to B without
mentioning who person A is, pretending the acquired information is for himself.
You are probably wondering why I made that example, or on what television
show you have seen the same. Well, it is quite simple: person B is the internet,
person A is a masqueraded client and person C is the masqueraded server.
To understand it I'll first give a short introduction to TCP/IP.
TCP/IP stands for Transmission Control Protocol / Internet Protocol. It
is widely used for data communication among computers (before TCP/IP,
everybody used UUCP = Unix to Unix Copy Protocol). TCP/IP is literally
a protocol that controls your communication; it also uses IP numbers.
IP numbers consist of 12 digits grouped by 3 (123.456.789.123). Every
computer attached to a network (and to the internet) has its own unique
IP number. TCP/IP works like the following:
=> I am 1.2.3.4 and I want to contact 1.2.3.3
-> I am 1.2.3.3, did you call me?
=> I am 1.2.3.4 and I contacted you
-> I am 1.2.3.3 and ready
=> I am 1.2.3.4 and I want that file
-> I am 1.2.3.3 and I am sending the first part to 1.2.3.4
=> I am 1.2.3.4 and I have received it.
-> I am 1.2.3.3 and I am sending the second part to 1.2.3.4
=> I am 1.2.3.4 and I haven't received anything
-> I am 1.2.3.3 and I am sending again
=> I am 1.2.3.4 and I have received it.
-> I am 1.2.3.3 and I am waiting.
=> I am 1.2.3.4 and I am ready, bye
-> I am 1.2.3.3 Bye
I know this may seem a little childish, but data communication (and TCP/IP)
works like that.
Now you should be able to understand the image. You see a computer with
local IP 10.0.0.1 that is connected to the internet by a telephone line
and has been given an IP number by its ISP (Internet Service Provider);
that IP is 11.1.1.4. What does this mean? If someone on the internet
tried to contact 11.1.1.4 they would get a response, but if they would
try to contact 10.0.0.1 they would not get a response, although it is the
same computer, because the IP 10.0.0.1 isn't recognized worldwide. Then
we have 10.0.0.2 till 10.0.0.x, which are connected to 10.0.0.1. In this
case we could consider 10.0.0.1 a gateway (a gateway is a sort of exit
to another network; a gateway could be a link between 10.0.1.x and 10.0.0.x,
but for that the machine must be recognized by both 10.0.1.x and 10.0.0.x,
or in other words it should have 2 network cards, or in this case a modem
and a network card). So we could consider it a gateway, but there is
one detail that keeps 10.0.0.1 from being a gateway to the internet: the
internet wouldn't recognize the 10.0.0.x addresses behind it.
=> I'm 10.0.0.2 and I want to contact you
-> I'm 1.2.3.3 and I have no idea how to reach you, go away (this
message isn't really sent, because there is no logical route between
the two computers; this is logged)
So what does masquerading actually do? Well, it gives its own IP (11.1.1.4,
the IP that is attached to the ISP connection, given by DHCP for example)
to the entire network and remembers which computer requested which packet.
Something like:
=> I'm 10.0.0.2 and I want to contact 1.2.3.3
-> I'm 10.0.0.1 and I will be processing your request
-> I'm 11.1.1.4 and I want to contact 1.2.3.3
-> I'm 1.2.3.3 and awaiting your command
I hope this cleared up a lot. So a masqueraded server gives its IP (in
fact it masks the IPs of the network) in order for the other PCs
to get on the internet. And the incoming data is filtered back to the
right machine on the 10.0.0.x network.
2 I hate theory, I want to type something
2.1 Preparing your system
I am supposing that you all have a computer with the Linux OS installed on
it, that you have configured your internet account (if not, check the
help pages of your provider), and that you know some Linux basics like compiling
your own kernel. This entire site is only valid if you have a 2.2.x kernel,
because masquerading went through some changes lately. If you have not got
a 2.2.x kernel running, I suggest you upgrade, because older kernels might
contain bugs, might not support your newest hardware and may make your system
vulnerable to attacks. You can get the latest kernel from ftp.kernel.org
(I will explain the kernel basics shortly here).
[GoMoRRaH@SaTaN GoMoRRaH]$ mv mykernel.tar.gz /usr/src/
[GoMoRRaH@SaTaN GoMoRRaH]$ cd /usr/src
[GoMoRRaH@SaTaN src]$ rm linux
(removes the symbolic link to your old sources)
[GoMoRRaH@SaTaN src]$ tar -zxvf mykernel.tar.gz
(your kernel is now extracted, by default into the directory linux)
[GoMoRRaH@SaTaN src]$ cd linux
[GoMoRRaH@SaTaN linux]$ make menuconfig
(you can choose: type make config for text based, make menuconfig
for a menu-based interface, or make xconfig under X Windows)
Now you can see all the options you can use. This is different for each
system, so: * stands for built-in support and M stands for module. Modules are
pieces of kernel code that can be loaded at any time later on. However,
you have to say YES to the following:
=> Prompt for development and/or incomplete code/drivers
=> Enable loadable module support
=> Networking support
=> Network firewalls
=> TCP/IP networking
=> IP: forwarding/gatewaying
=> IP: firewalling
=> IP: masquerading
=> IP: ipportfw masq support
=> IP: ipautofw masq support
=> IP: ICMP masquerading
=> IP: always defragment
=> Dummy net driver support
=> IP: ip fwmark masq-forwarding support
Note that the above options are only those required for IP masquerading, so you
still need the other options your system needs in your kernel. When you are
finished you will be prompted to save changes. The following commands do the
actual compiling; they may take from 10 to 40 minutes and will show many
characters on your screen which you may not understand. Don't worry, it is normal.
[GoMoRRaH@SaTaN linux]$ make dep
[GoMoRRaH@SaTaN linux]$ make clean
[GoMoRRaH@SaTaN linux]$ make bzImage
[GoMoRRaH@SaTaN linux]$ cp /usr/src/linux/arch/i386/boot/bzImage /boot/kernel
[GoMoRRaH@SaTaN linux]$ make modules
[GoMoRRaH@SaTaN linux]$ make modules_install
At this point you should edit your /etc/lilo.conf file. You should add
something like:
image=/boot/kernel
label=masqkernel
root=/dev/hdax
read-only
(replace /dev/hdax by your root filesystem: hard disk, partition, ...)
This makes your boot manager find your new kernel at boot. So if you
see the lilo prompt the next time, you should type masqkernel.
[GoMoRRaH@SaTaN linux]$ lilo
added linux-2.2.5-15 *
added dos
added masqkernel
Now you should edit your /etc/rc.d/rc.local file so the modules needed
are automatically loaded at boot:
.
.
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
.
.
These modules are needed for FTP, RealAudio and IRC. There is only one
thing to do besides rebooting, and that is enabling your IPv4 forwarding:
[GoMoRRaH@SaTaN linux]$ echo "1" > /proc/sys/net/ipv4/ip_forward
This setting is not kept across reboots, so put the same line in
/etc/rc.d/rc.local as well.
Now you should reboot your system with your newly made kernel and see if
everything boots properly; if not, redo the above steps until
you have a properly working kernel.
Start up your masquerade
In fact there isn't much to do once you've got your kernel right. It is
a matter of dialing in with your provider and typing 2 commands. They
are used to set your forwarding policies.
[GoMoRRaH@SaTaN GoMoRRaH]$ ipchains -P forward DENY
[GoMoRRaH@SaTaN GoMoRRaH]$ ipchains -A forward -s 10.0.0.0/24 -j MASQ
In order for this to work on your local network the only thing you have
to adjust is the -s parameter. 10.0.0.0 is your network address and the
24 is the length of the network mask: it covers the addresses 10.0.0.0 to
10.0.0.255, and only packets coming from those addresses are masqueraded;
anything else hits the DENY policy set by the first command. Your server
should work now. And yeah, that's really it: you have a lot of theory and
a lot of preparation with your kernel, and you have to type 2 lines to get
your server up and running.
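The two rules above, together with the translation table described in the "What is it" section, as an added Python model that is not part of this HOWTO: the forward chain denies everything except sources in 10.0.0.0/24, those get the public IP 11.1.1.4 and a port of their own, and a reply from the internet is passed back only to a client that asked for it. The addresses come from the text; the masq port range, the class and the function names are my own assumptions.

```python
# Added example (not from the HOWTO): a toy model of the masquerading
# gateway built with the two ipchains rules above. Addresses are the ones
# the text uses; the masq port range and all names here are assumptions.
import ipaddress

MASQ_NET = ipaddress.ip_network("10.0.0.0/24")   # the -s 10.0.0.0/24 rule
PUBLIC_IP = "11.1.1.4"                           # IP given by the ISP
MASQ_PORT_BASE = 61000                           # assumed start of masq port range


class MasqGateway:
    """Remembers which client asked for which packet, like 10.0.0.1 does."""

    def __init__(self):
        # (client_ip, client_port, dst_ip, dst_port) -> masq port
        self.outbound = {}
        # (masq_port, remote_ip, remote_port) -> (client_ip, client_port)
        self.inbound = {}
        self.next_port = MASQ_PORT_BASE

    def forward(self, src_ip, src_port, dst_ip, dst_port):
        """Forward chain: policy DENY, one rule '-s 10.0.0.0/24 -j MASQ'.
        Returns the rewritten (src_ip, src_port, dst_ip, dst_port), or
        None when the packet is denied."""
        if ipaddress.ip_address(src_ip) not in MASQ_NET:
            return None                          # DENY policy applies
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:             # first packet: new entry
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (PUBLIC_IP, self.outbound[key], dst_ip, dst_port)

    def reply(self, remote_ip, remote_port, masq_port):
        """Packet from the internet to PUBLIC_IP:masq_port. Returns
        (remote_ip, remote_port, client_ip, client_port), or None when no
        client asked for it, in which case the gateway drops it."""
        client = self.inbound.get((masq_port, remote_ip, remote_port))
        if client is None:
            return None                          # unsolicited: dropped
        return (remote_ip, remote_port) + client


if __name__ == "__main__":
    gw = MasqGateway()
    print(gw.forward("10.0.0.2", 1025, "1.2.3.3", 80))   # masqueraded
    print(gw.forward("10.0.0.3", 1025, "1.2.3.3", 80))   # gets its own masq port
    print(gw.forward("10.0.1.7", 1025, "1.2.3.3", 80))   # None: outside /24, denied
    print(gw.reply("1.2.3.3", 80, 61001))                # back to 10.0.0.3
    print(gw.reply("1.2.3.3", 80, 61005))                # None: nobody asked, dropped
```

Two clients using the same source port still get distinct masq ports, and a packet arriving for a masq port from a host other than the one the client contacted is also dropped.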
Configuring your clients
You have a server, but what is a server without clients? What is a supermarket
without customers? Not that you have to do so much configuring, no, not
at all. There is only one little thing that you have to take care of
(if it isn't already done): your clients should have as a gateway the
IP of your masqueraded server (here 10.0.0.1). This is located near your
networking options; it shouldn't be hard to find.
Other information sources
If you want to know more about Linux networking or Linux in general, you
should read the documents published by the LDP (Linux Documentation
Project). They have published a Network Administrators' Guide, a System
Administrators' Guide, a Programmers' Guide and several HOWTOs. They come
with each Linux distribution and are really worth reading.