IP Masquerade is a networking function in Linux. If a Linux host is connected to the Internet with IP Masquerade enabled, then computers connecting to it (either on the same LAN or connected with modems) can reach the Internet as well, even though they have no official assigned IP addresses.
This allows a set of machines to invisibly access the Internet hidden behind a gateway system, which appears from the outside to be the only system using the Internet. Only the gateway's address is ever visible to remote hosts, and a connection initiated from the Internet cannot reach an internal machine unless the gateway has been explicitly configured to forward it. Breaking the security of a well set-up masquerading system should be considerably more difficult than breaking a good packet-filter-based firewall (assuming there are no bugs in either).
IP Masquerade has been available for several years and is maturing as Linux heads into the 2.2.x series. Kernels since 1.3.x have had built-in support. Many individuals and even businesses are using it, with satisfactory results.
Browsing web pages and telnet are reported to work well over IP Masquerade. FTP, IRC and listening to RealAudio work with certain modules loaded. Other network streaming audio such as TrueSpeech and Internet Wave work too. Some fellow users on the mailing list have even tried video conferencing software. Ping now works with the newly available ICMP patch.
Please refer to section 4.3 for a more complete listing of software supported.
IP Masquerade works well with 'client machines' on several different operating systems and platforms. There are successful cases with systems using Unix, Windows 95, Windows NT, Windows for Workgroups (with the TCP/IP package), OS/2, Macintosh System OS with MacTCP or Open Transport, DOS with the NCSA Telnet package, VAX, Alpha with Linux, and even Amiga with the AmiTCP or AS225 stack. The list goes on and on; the point is, if your OS platform talks TCP/IP, it should work with IP Masquerade.
From IP Masquerade FAQ by Ken Eves:
Here is a drawing of the most simple setup:

     SLIP/PPP         +-----------------+                    +---------------+
   to provider        |      Linux      |      SLIP/PPP      |    Anybox     |
  <---------- modem1  |                 | modem2 ----------- modem           |
                      | 111.222.333.444 |                    | 192.168.1.100 |
                      +-----------------+                    +---------------+

In the above drawing a Linux box with ip_masquerading installed and running is connected to the Internet via SLIP or PPP using modem1. It has an assigned IP address of 111.222.333.444. It is set up so that modem2 allows callers to log in and start a SLIP or PPP connection.

The second system (which doesn't have to be running Linux) calls into the Linux box and starts a SLIP or PPP connection. It does NOT have an assigned IP address on the Internet, so it uses 192.168.1.100. (see below)

With ip_masquerade and the routing configured properly, the machine Anybox can interact with the Internet as if it was really connected (with a few exceptions).

Quoting Pauline Middelink:

Do not forget to mention the ANYBOX should have the Linux box as its gateway (whether it be the default route or just a subnet is no matter). If the ANYBOX cannot do this, the Linux machine should do a proxy ARP for all routed addresses, but the setup of proxy ARP is beyond the scope of the document.

The following is an excerpt from a post on comp.os.linux.networking which has been edited to match the names used in the above example:

  o I tell machine ANYBOX that my slipped linux box is its gateway.

  o When a packet comes into the linux box from ANYBOX, it will assign it a new source port number, and slap its own IP address in the packet header, saving the originals. It will then send the modified packet out over the SLIP or PPP interface to the Internet.

  o When a packet comes from the Internet to the linux box, if the port number is one of those assigned above, it will get the original port and IP address, put them back in the packet header, and send the packet to ANYBOX.

  o The host that sent the packet will never know the difference.
An IP Masquerading Example

A typical example is given in the diagram below:
    +----------+
    |          |  Ethernet
    |   abox   |::::::
    |          |2    :192.168.1.x
    +----------+     :
                     :      +----------+   PPP     +----------+
    +----------+     :    1 |  Linux   |  link     |          |
    |          |     :::::::| masq-gate|:::::::::// Internet  |
    |   bbox   |::::::      |          |           |          |
    |          |3    :      +----------+           +----------+
    +----------+     :
                     :
    +----------+     :
    |          |     :
    |   cbox   |::::::
    |          |4
    +----------+

       <-Internal Network->

In this example there are 4 computer systems that we are concerned about (there is presumably also something on the far right that your IP connection to the Internet comes through, and there is something, far off the page, on the Internet that you are interested in exchanging information with). The Linux system masq-gate is the masquerading gateway for the internal network of machines abox, bbox and cbox to get to the Internet.

The internal network uses one of the private network address ranges reserved for this purpose (RFC 1918), in this case the class C network 192.168.1.0, with the Linux box having address 192.168.1.1 and the other systems having addresses on that network (the digit beside each box in the diagram is the last octet of its 192.168.1.x address).

The three machines abox, bbox and cbox (which can, by the way, be running any operating system as long as they can speak IP, such as Windows 95, Macintosh MacTCP or even another Linux box) can connect to other machines on the Internet. However, the masquerading system masq-gate converts all of their connections so that they appear to originate from masq-gate, and arranges that data coming back in to a masqueraded connection is relayed back to the originating system. The systems on the internal network therefore see a direct route to the Internet and are unaware that their data is being masqueraded. Because only masq-gate's own address appears in outgoing packets, a host on the Internet cannot address abox, bbox or cbox directly; it can only reply to connections they have already opened.
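The rewriting described in the FAQ excerpt above (new source port, gateway's own address substituted, originals saved, replies mapped back) and the masq-gate example network can be made concrete with a small model of the masquerading table. The following Python is an added example written for this page; it is not code from the HOWTO, the kernel, or any masquerading tool. It assumes an external address of 203.0.113.1 for masq-gate, a web server at 198.51.100.7, masqueraded ports handed out from 61000 upwards, and (a choice of this model, not something the page states) that a reply is only mapped back if it comes from the remote host and port the mapping was created for.

```python
"""Toy model of a masquerading gateway's translation table.

Added example for the IP Masquerade HOWTO; not the kernel's code.
Addresses are plain strings, so the page's placeholders can be reused.
"""
from dataclasses import dataclass, replace
from itertools import count

GATEWAY_IP = "203.0.113.1"   # assumed external (PPP) address of masq-gate
SERVER = "198.51.100.7"      # assumed web server somewhere on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class MasqGateway:
    """Rewrites outbound packets so they appear to come from the gateway
    and undoes the rewrite on replies, as the FAQ excerpt describes."""

    def __init__(self, external_ip, internal_prefix, first_port=61000):
        self.external_ip = external_ip
        self.internal_prefix = internal_prefix    # e.g. "192.168.1."
        self._next_port = count(first_port)       # 61000 is an assumption
        self.by_masq_port = {}    # masq port -> (src, sport, dst, dport)
        self.by_flow = {}         # (src, sport, dst, dport) -> masq port

    def outbound(self, pkt):
        """Packet from the internal network, headed for the Internet."""
        if not pkt.src.startswith(self.internal_prefix):
            raise ValueError(f"{pkt.src} is not on the internal network")
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        mport = self.by_flow.get(flow)
        if mport is None:
            # New connection: pick a fresh port and save the originals.
            mport = next(self._next_port)
            self.by_flow[flow] = mport
            self.by_masq_port[mport] = flow
        return replace(pkt, src=self.external_ip, sport=mport)

    def inbound(self, pkt):
        """Packet from the Internet addressed to the gateway.

        Returns the un-masqueraded packet for an internal host, or None
        when the packet does not belong to a masqueraded connection and
        is therefore not forwarded inside."""
        if pkt.dst != self.external_ip:
            return None
        flow = self.by_masq_port.get(pkt.dport)
        if flow is None:
            return None       # nobody inside opened this; drop it
        src, sport, dst, dport = flow
        if (pkt.src, pkt.sport) != (dst, dport):
            return None       # not from the peer this mapping was made for
        return replace(pkt, dst=src, dport=sport)


def demo():
    """abox and bbox both use local port 1025 to the same server; masq-gate
    keeps them apart by giving each its own masqueraded port."""
    gw = MasqGateway(GATEWAY_IP, "192.168.1.")
    abox = Packet("192.168.1.2", 1025, SERVER, 80, "GET / from abox")
    bbox = Packet("192.168.1.3", 1025, SERVER, 80, "GET / from bbox")
    out_a = gw.outbound(abox)
    out_b = gw.outbound(bbox)
    again_a = gw.outbound(replace(abox, payload="second segment"))
    # The server answers the gateway at the masqueraded port it saw.
    reply_b = gw.inbound(Packet(SERVER, 80, GATEWAY_IP, out_b.sport, "200 OK"))
    # Unsolicited probe at an unmapped port: no internal host receives it.
    probe = gw.inbound(Packet("198.51.100.9", 4444, GATEWAY_IP, 23, "telnet?"))
    # Packet aimed at a live masq port but from the wrong peer: also dropped.
    spoof = gw.inbound(Packet("198.51.100.9", 4444, GATEWAY_IP, out_a.sport, "fake"))
    return {"out_a": out_a, "out_b": out_b, "again_a": again_a,
            "reply_b": reply_b, "probe": probe, "spoof": spoof}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8} {pkt}")
```

Running it shows the two outgoing packets leaving with masq-gate's address and ports 61000 and 61001, the second segment from abox reusing 61000, the server's reply delivered back to bbox at 192.168.1.3:1025, and the probe and the spoofed reply both returning None, which is the property behind the claim that hosts behind a masquerading gateway are hidden from the Internet.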
** Please refer to IP Masquerade Resource for the latest information. **