IP masquerading

IP masquerade is the name given to one type of network address translation that allows all of the hosts on a private network to use the Internet at the price of a single IP address.

IP masquerading allows you to use a private (reserved) IP network address on your LAN and have your Linux-based router perform some clever, real-time translation of IP addresses and ports. When it receives a datagram from a computer on the LAN, it takes note of the type of datagram it is, "TCP," "UDP," "ICMP," etc., and modifies the datagram so that it looks like it was generated by the router machine itself (and remembers that it has done so). It then transmits the datagram onto the Internet with its single connected IP address. When the destination host receives this datagram, it believes the datagram has come from the routing host and sends any reply datagrams back to that address. When the Linux masquerade router receives a datagram from its Internet connection, it looks in its table of established masqueraded connections to see if this datagram actually belongs to a computer on the LAN, and if it does, it reverses the modification it did on the forward path and transmits the datagram to the LAN computer.

The following ipfwadm commands are all that are required to make masquerading work in this configuration:

# ipfwadm -F -p deny
# ipfwadm -F -a accept -m -S 192.168.1.0/24 -D 0/0

or with ipchains:

# ipchains -P forward -j deny
# ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ

or with iptables:

# iptables -t nat -P POSTROUTING DROP
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Now whenever any of the LAN hosts tries to connect to a service on a remote host, its datagrams will be automatically masqueraded by the Linux masquerade router. The first rule in each example prevents the Linux machine from routing any other datagrams and also adds some security.
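To make the "modify and remember" behaviour described above concrete, here is an added simulation of the router's translation table in Python. It is not code from the original page or from the Linux kernel; the addresses, port range and the Packet/MasqRouter names are constructed for illustration. It shows the forward rewrite, the reverse lookup, and the security-relevant cases where a datagram is dropped because no LAN host asked for it.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"; ICMP would carry a query id instead of ports
    src: str
    sport: int
    dst: str
    dport: int

class MasqRouter:
    """Simulates the rewrite-and-remember logic of a Linux masquerade router."""
    def __init__(self, public_ip: str, lan_prefix: str = "192.168.1.", first_port: int = 61000):
        self.public_ip = public_ip    # the single Internet-facing address
        self.lan_prefix = lan_prefix  # the private network being masqueraded
        self.next_port = first_port   # next unused masquerade port
        # Established masqueraded connections: (proto, masq port) -> original datagram.
        self.table: Dict[Tuple[str, int], Packet] = {}
        # Reverse index so every datagram of one flow keeps the same masquerade port.
        self.flows: Dict[Packet, int] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward path (LAN -> Internet): rewritten datagram, or None if not forwarded."""
        if not pkt.src.startswith(self.lan_prefix):
            return None  # default policy deny: only the private LAN is masqueraded
        port = self.flows.get(pkt)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.flows[pkt] = port
            self.table[(pkt.proto, port)] = pkt  # remember the rewrite for the reply path
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse path (Internet -> LAN): undo the rewrite, or drop (None) if nothing matches."""
        orig = self.table.get((pkt.proto, pkt.dport))
        if orig is None or pkt.dst != self.public_ip:
            return None  # unsolicited datagram: no LAN host asked for it
        if (pkt.src, pkt.sport) != (orig.dst, orig.dport):
            return None  # a different remote host may not reuse an existing slot
        return replace(pkt, dst=orig.src, dport=orig.sport)

def demo() -> dict:
    router = MasqRouter("203.0.113.5")  # constructed documentation (TEST-NET) addresses
    out = router.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.7", 80))
    reply = router.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.5", out.sport))
    stray = router.inbound(Packet("tcp", "198.51.100.9", 80, "203.0.113.5", out.sport))
    return {"out": out, "reply": reply, "stray": stray}
```

Real conntrack also times entries out and tracks TCP state, which this toy table omits; the point is that only datagrams matching a remembered outbound flow ever reach the LAN.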

To list the masquerade rules you have created, use the -l argument to the ipfwadm command, as described earlier while discussing firewalls.

To list the rule we created earlier we use:

# ipfwadm -F -l -e

which should display something like:

# ipfwadm -F -l -e
IP firewall forward rules, default policy: accept
pkts bytes type  prot opt  tosa tosx ifname ifaddress ...
   0     0 acc/m all  ---- 0xFF 0x00 any    any       ...

The "/m" in the output indicates this is a masquerade rule.

To list the masquerade rules with the ipchains command, use the -L argument. If we list the rule we created earlier with ipchains, the output will look like:

# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target prot opt    source         destination ports
MASQ   all  ------ 192.168.1.0/24 anywhere    n/a

Chain output (policy ACCEPT):

Any rules with a target of MASQ are masquerade rules.

Finally, to list the rules using iptables you need to use:

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source   destination

Chain POSTROUTING (policy DROP)
target     prot opt source   destination
MASQUERADE all  --  anywhere anywhere    MASQUERADE

Chain OUTPUT (policy ACCEPT)
target     prot opt source   destination

Again, masquerade rules appear with a target of MASQUERADE.

For further reading,

http://www.oreilly.com/openbook/linag2/book/ch11.html
