Next Previous Contents

3. Setting Up IP Masquerade

If your private network contains any vital information, think carefully before using IP Masquerade. This may be a GATEWAY for you to get to the Internet, and vice versa for someone on the other side of the world to get into your network.

3.1 Compiling the Kernel for IP Masquerade Support

If your Linux distribution already has the required features and modules compiled (most modular kernels will have all you need) mentioned below, then you do not have to re-compile the kernel. Reading this section is still highly recommended as it contains other useful informaiton.

Linux 2.2.x Kernels

Linux 2.0.x Kernels

3.2 Assigning Private Network IP Address

Since all OTHER machines do not have official assigned addressees, there must be a right way to allocate address to those machines.

From IP Masquerade FAQ:

There is an RFC (#1597, probably obsolete by now) on which IP addresses are to be used on a non-connected network. There are 3 blocks of numbers set aside specifically for this purpose. One which I use is 255 Class-C subnets at 192.168.1.n to 192.168.255.n . 

From RCF 1597:

Section 3: Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private networks:

              10.0.0.0        -   10.255.255.255
              172.16.0.0      -   172.31.255.255
              192.168.0.0     -   192.168.255.255

We will refer to the first block as "24-bit block", the second as
"20-bit block", and to the third as "16-bit" block".  Note that the
first block is nothing but a single class A network number, while the
second block is a set of 16 contiguous class B network numbers, and
third block is a set of 255 contiguous class C network numbers.
So, if you're using a class C network, you should name your machines as 192.168.1.1, 1.92.168.1.2, 1.92.168.1.3, ..., 192.168.1.x

192.168.1.1 is usually the gateway machine, which is your Linux host connecting to the Internet. Notice that 192.168.1.0 and 192.168.1.255 are the Network and Broadcast address respectively, which are reserved. Avoid using these addresses on your machines.

3.3 Configuring the OTHER machines

Besides setting the appropriate IP address for each machine, you should also set the appropriate gateway. In general, it is rather straight forward. You simply enter the address of your Linux host (usually 192.168.1.1) as the gateway address.

For the Domain Name Service, you can add in any DNS available. The most apparent one should be the one that your Linux is using. You can optionally add any domain search suffix as well.

After you have reconfigured those IP addresses, remember to restart the appropriate services or reboot your systems.

The following configuration instructions assume that you are using a Class C network with 192.168.1.1 as your Linux host's address. Please note that 192.168.1.0 and 192.168.1.255 are reserved.

Configuring Windows 95

  1. If you haven't installed your network card and adapter driver, do so now.
  2. Go to 'Control Panel'/'Network'.
  3. Add 'TCP/IP protocol' if you don't already have it.
  4. In 'TCP/IP properties', goto 'IP Address' and set IP Address to 192.168.1.x, (1 < x < 255), and then set Subnet Mask to 255.255.255.0
  5. Add 192.168.1.1 as your gateway under 'Gateway'.
  6. Under 'DNS Configuration'/'DNS Server search order' add your the DNS that your Linux host uses (usually find in /etc/resolv.conf). Optionally, you can add the appropriate domain search suffix.
  7. Leave all the other settings as they are unless you know what you're doing.
  8. Click 'OK' on all dialog boxes and restart system.
  9. Ping the linux box to test the network connection: 'Start/Run', type: ping 192.168.1.1
    (This is only a LAN connection testing, you can't ping the outside world yet.)
  10. You can optionally create a HOSTS file in the windows directory so that you can use hostname of the machines on your LAN. There is an example called HOSTS.SAM in the windows directory.

Configuring Windows for Workgroup 3.11

  1. If you haven't installed your network card and adapter driver, do so now.
  2. Install the TCP/IP 32b package if you don't have it already.
  3. In 'Main'/'Windows Setup'/'Network Setup', click on 'Drivers'.
  4. Highlight 'Microsoft TCP/IP-32 3.11b' in the 'Network Drivers' section, click 'Setup'.
  5. Set IP Address to 192.168.1.x (1 < x < 255), then set Subnet Mask to 255.255.255.0 and Default Gateway to 192.168.1.1
  6. Do not enable 'Automatic DHCP Configuration' and put anything in those 'WINS Server' input areas unless you're in a Windows NT domain and you know what you're doing.
  7. Click 'DNS', fill in the appropriate information mentioned in STEP 6 of section 3.3.1, then click 'OK' when you're done with it.
  8. Click 'Advanced', check 'Enable DNS for Windows Name Resolution' and 'Enable LMHOSTS lookup' if you're using a look up host file, similar to the one mentioned in STEP 10 of section 3.3.1
  9. Click 'OK' on all dialog boxes and restart system.
  10. Ping the linux box to test the network connection: 'File/Run', type: ping 192.168.1.1
    (This is only a LAN connection testing, you can't ping the outside world yet.)

Configuring Windows NT

  1. If you haven't installed your network card and adapter driver, do so now.
  2. Go to 'Main'/'Control Panel'/'Network'
  3. Add the TCP/IP Protocol and Related Component from the 'Add Software' menu if you don't have TCP/IP service installed already.
  4. Under 'Network Software and Adapter Cards' section, highlight 'TCP/IP Protocol' in the 'Installed Network Software' selection box.
  5. In 'TCP/IP Configuration', select the appropriate adapter, e.g. [1]Novell NE2000 Adapter. Then set the IP Address to 192.168.1.x (1 < x < 255), then set Subnet Mask to 255.255.255.0 and Default Gateway to 192.168.1.1
  6. Do not enable 'Automatic DHCP Configuration' and put anything in those 'WINS Server' input areas unless you're in a Windows NT domain and you know what you're doing.
  7. Click 'DNS', fill in the appropriate information mentioned in STEP 6 of section 3.3.1, then click 'OK' when you're done with it.
  8. Click 'Advanced', check 'Enable DNS for Windows Name Resolution' and 'Enable LMHOSTS lookup' if you're using a look up host file, similar to the one mentioned in STEP 10 of section 3.3.1
  9. Click 'OK' on all dialog boxes and restart system.
  10. Ping the linux box to test the network connection: 'File/Run', type: ping 192.168.1.1
    (This is only a LAN connection testing, you can't ping the outside world yet.)

Configuring UNIX Based Systems

  1. If you haven't installed your network card and recompile your kernel with the appropriate adapter driver, do so now.
  2. Install TCP/IP networking, such as the nettools package, if you don't have it already.
  3. Set IPADDR to 192.168.1.x (1 < x < 255), then set NETMASK to 255.255.255.0, GATEWAY to 192.168.1.1, and BROADCAST to 192.168.1.255
    For example, you can edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file on a Red Hat Linux system, or simply do it through the Control Panel.
    (it's different in SunOS, BSDi, Slackware Linux, etc...)
  4. Add your domain name service (DNS) and domain search suffix in /etc/resolv.conf
  5. You may want to update your /etc/networks file depending on your settings.
  6. Restart the appropriate services, or simply restart your system.
  7. Issue a ping command: ping 192.168.1.1 to test the connection to your gateway machine.
    (This is only a LAN connection testing, you can't ping the outside world yet.)

Configuring DOS using NCSA Telnet package

  1. If you haven't installed your network card, do so now.
  2. Load the appropriate packet driver. For an NE2000 card, issue nwpd 0x60 10 0x300, with your network card set to IRQ 10 and hardware address at 0x300
  3. Make a new directory, and then unpack the NCSA Telnet package: pkunzip tel2308b.zip
  4. Use a text editor to open the config.tel file
  5. Set myip=192.168.1.x (1 < x < 255), and netmask=255.255.255.0
  6. In this example, you should set hardware=packet, interrupt=10, ioaddr=60
  7. You should have at least one individual machine specification set as the gateway, i.e. the Linux host: 
    name=default
host=yourlinuxhostname
hostip=192.168.1.1
gateway=1
  8. Have another specification for a domain name service: 
    name=dns.domain.com ; hostip=123.123.123.123; nameserver=1
    Note: substitute the appropriate information about the DNS that your Linux host uses
  9. Save your config.tel file
  10. Telnet to the linux box to test the network connection: telnet 192.168.1.1

Configuring MacOS Based System Running MacTCP

  1. If you haven't installed the appropriate driver software for your Ethernet adapter, now would be a very good time to do so.
  2. Open the MacTCP control panel. Select the appropriate network driver (Ethernet, NOT EtherTalk) and click on the 'More...' button.
  3. Under 'Obtain Address:', click 'Manually'.
  4. Under 'IP Address:', select class C from the popup menu. Ignore the rest of this section of the dialog box.
  5. Fill in the appropriate information under 'Domain Name Server Information:'.
  6. Under 'Gateway Address:', enter 192.168.1.1
  7. Click 'OK' to save the settings. In the main window of the MacTCP control panel, enter the IP address of your Mac (192.168.1.x, 1 < x < 255) in the 'IP Address:' box.
  8. Close the MacTCP control panel. If a dialog box pops up notifying you to do so, restart the system.
  9. You may optionally ping the Linux box to test the network connection. If you have the freeware program MacTCP Watcher, click on the 'Ping' button, and enter the address of your Linux box (192.168.1.1) in the dialog box that pops up. (This is only a LAN connection testing, you can't ping the outside world yet.)
  10. You can optionally create a Hosts file in your System Folder so that you can use the hostnames of the machines on your LAN. The file should already exist in your System Folder, and should contain some (commented-out) sample entries which you can modify according to your needs.

Configuring MacOS Based System Running Open Transport

  1. If you haven't installed the appropriate driver software for your Ethernet adapter, now would be a very good time to do so.
  2. Open the TCP/IP Control Panel and choose 'User Mode ...' from the Edit menu. Make sure the user mode is set to at least 'Advanced' and click the 'OK' button.
  3. Choose 'Configurations...' from the File menu. Select your 'Default' configuration and click the 'Duplicate...' button. Enter 'IP Masq' (or something to let you know that this is a special configuration) in the 'Duplicate Configuration' dialog, it will probably say something like 'Deafault copy'. Then click the 'OK' button, and the 'Make Active' button
  4. Select 'Ethernet' from the 'Connect via:' pop-up.
  5. Select the appropriate item from the 'Configure:' pop-up. If you don't know which option to choose, you probably should re-select your 'Default' configuration and quit. I use 'Manually'.
  6. Enter the IP address of your Mac (192.168.1.x, 1 < x < 255) in the 'IP Address:' box.
  7. Enter 255.255.255.0 in the 'Subnet mask:' box.
  8. Enter 192.168.1.1 in the 'Router address:' box.
  9. Enter the IP addresses of your domain name servers in the 'Name server addr.:' box.
  10. Enter the name of your Internet domain (e.g. 'microsoft.com') in the 'Starting domain name' box under 'Implicit Search Path:'.
  11. The following procedures are optional. Incorrect values may cause erratic behavior. If your not sure, it's probably better to leave them blank, unchecked and/or un- selected. Remove any information from those fields, if necessary. As far as I know there is no way through the TCP/IP dialogs, to tell the system not to use a previously select alternate "Hosts" file. If you know, I would be interested.
    Check the '802.3' if your network requires 802.3 frame types.
  12. Click the 'Options...' button to make sure that the TCP/IP is active. I use the 'Load only when needed' option. If you run and quit TCP/IP applications many times without rebooting your machine, you may find that unchecking the 'Load only when needed' option will prevent/reduce the effects on your machines memory management. With the item unchecked the TCP/IP protocol stacks are always loaded and available for use. If checked, the TCP/IP stacks are automatically loaded when needed and un- loaded when not. It's the loading and unloading process that can cause your machines memory to become fragmented.
  13. You may ping the Linux box to test the network connection. If you have the freeware program MacTCP Watcher, click on the 'Ping' button, and enter the address of your Linux box (192.168.1.1) in the dialog box that pops up. (This is only a LAN connection testing, you can't ping the outside world yet.)
  14. You can create a Hosts file in your System Folder so that you can use the hostnames of the machines on your LAN. The file may or may not already exist in your System Folder. If so, it should contain some (commented-out) sample entries which you can modify according to your needs. If not, you can get a copy of the file from a system running MacTCP, or just create your own (it follows a subset of the Unix /etc/hosts file format, described on RFC952). Once you've created the file, open the TCP/IP control panel, click on the 'Select Hosts File...' button, and open the Hosts file.
  15. Click the close box or choose 'Close' or 'Quit' from the File menu, and then click the 'Save' button to save the changes you have made.
  16. The changes take effect immediately, but rebooting the system won't hurt.

Configuring Novell network using DNS

  1. If you haven't installed the appropriate driver software for your Ethernet adapter, now would be a very good time to do so.
  2. Downloaded tcpip16.exe from 
  3. edit c:\nwclient\startnet.bat
    : (here is a copy of mine) 
    SET NWLANGUAGE=ENGLISH
LH LSL.COM
LH KTC2000.COM
LH IPXODI.COM
LH tcpip
LH VLM.EXE
F:

  4. edit c:\nwclient\net.cfg
    : (change link driver to yours i.e. NE2000) 
    Link Driver KTC2000
        Protocol IPX 0 ETHERNET_802.3    
        Frame ETHERNET_802.3     
        Frame Ethernet_II        
        FRAME Ethernet_802.2

NetWare DOS Requester
           FIRST NETWORK DRIVE = F
           USE DEFAULTS = OFF
           VLM = CONN.VLM
           VLM = IPXNCP.VLM
           VLM = TRAN.VLM
           VLM = SECURITY.VLM
           VLM = NDS.VLM
           VLM = BIND.VLM
           VLM = NWP.VLM
           VLM = FIO.VLM
           VLM = GENERAL.VLM
           VLM = REDIR.VLM
           VLM = PRINT.VLM
           VLM = NETX.VLM

Link Support
        Buffers 8 1500
        MemPool 4096

Protocol TCPIP
        PATH SCRIPT     C:\NET\SCRIPT
        PATH PROFILE    C:\NET\PROFILE
        PATH LWP_CFG    C:\NET\HSTACC
        PATH TCP_CFG    C:\NET\TCP
        ip_address      xxx.xxx.xxx.xxx
        ip_router       xxx.xxx.xxx.xxx
  5. and finally created 
    c:\bin\resolv.cfg
    : 
    SEARCH DNS HOSTS SEQUENTIAL
NAMESERVER 207.103.0.2
NAMESERVER 207.103.11.9
  6. I hope this helps some people get their Novell Nets online, BTW this can be done using Netware 3.1x or 4.x

Configuring OS/2 Warp

  1. If you haven't installed the appropriate driver software for your Ethernet adapter, now would be a very good time to do so.
  2. Install the TCP/IP protocoll if you don't have it already.
  3. Go to Programms/TCP/IP (LAN) / TCP/IP Settings
  4. In 'Network' add your TCP/IP Address and set your Netmask (255.255.255.0)
  5. Under 'Routing' press 'Add'. Set the Type to 'default' and type the IP Address of your Linux Box in the Field 'Router Address'. (192.168.1.1).
  6. Set the same DNS (Nameserver) Address that your Linux host uses in 'Hosts'.
  7. Close the TCP/IP control panel. Say yes to the following question(s).
  8. Reboot your system
  9. You may ping the Linux box to test the network configuration. Type 'ping 192.168.1.1' in a 'OS/2 Command prompt Window'. When ping packets are received all is ok.

Configuring Other Systems

The same logic should apply to setting up other platforms. Consult the sections above. If you're interested in writing about any of systems that have not been covered yet, please send a detail setup instruction to ambrose@writeme.com and dranch@trinnet.net.

3.4 Configuring IP Forwarding Policies

At this point, you should have your kernel and other required packages installed, as well as your modules loaded. Also, the IP addresses, gateway, and DNS should be all set on the OTHER machines.

Now, the only thing left to do is to use the IP firewalling tools to forward appropriate packets to the appropriate machine:

** This can be accomplished in many different ways. The following suggestions and examples worked for me, but you may have different ideas, please refer to section 4.4 and the ipchains(2.2.x) / ipfwadm(2.0.x) manpages for details. **

** This section ONLY provides you with the bare minimum rule set to get IP Masquerade working while security issue is not being considered. It is highly recomended that you spend some time to apply appropriate firewall rules to tighten security. **

Linux 2.2.x Kernels

ipfwadm is no longer the tool for manipulating ipmasq rules for 2.2.x kernels, please use ipchains. 

ipchains -P forward DENY
ipchains -A forward -s yyy.yyy.yyy.yyy/x -j MASQ
where x is one of the following numbers according to the class of your subnet, and yyy.yyy.yyy.yyy is your network address. 
netmask         | x  | Subnet
~~~~~~~~~~~~~~~~|~~~~|~~~~~~~~~~~~~~~
255.0.0.0       | 8  | Class A
255.255.0.0     | 16 | Class B
255.255.255.0   | 24 | Class C
255.255.255.255 | 32 | Point-to-point

You may also use the format yyy.yyy.yyy.yyy/xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx specfies your subnet mask such as 255.255.255.0

For example, if I'm on a class C subnet, I would have entered: 

ipchains -P forward DENY
ipchains -A forward -s 192.168.1.0/24 -j MASQ

or

ipchains -P forward DENY
ipchains -A forward -s 192.168.1.0/255.255.255.0 -j MASQ

You can also do it on a per machine basis. For example, if I want 192.168.1.2 and 192.168.1.8 to have access to the Internet, but not the other machines, I would have entered: 

ipchains -P forward DENY
ipchains -A forward -s 192.168.1.2/32 -j MASQ
ipchains -A forward -s 192.168.1.8/32 -j MASQ

Do not make your default policy be masquerading - otherwise someone who can manipulate their routing will be able to tunnel straight back through your gateway, using it to masquerade their identity!

Again, you can add these lines to the /etc/rc.local files, one of the rc files you prefer, or do it manually every time you need IP Masquerade.

For detail ipchains usage, please refer to the Linux IPCHAINS HOWTO

Linux 2.0.x Kernels

ipfwadm -F -p deny 
ipfwadm -F -a m -S yyy.yyy.yyy.yyy/x -D 0.0.0.0/0 

or 

ipfwadm -F -p deny 
ipfwadm -F -a masquerade -S yyy.yyy.yyy.yyy/x -D 0.0.0.0/0
where x is one of the following numbers according to the class of your subnet, and yyy.yyy.yyy.yyy is your network address. 
netmask         | x  | Subnet
~~~~~~~~~~~~~~~~|~~~~|~~~~~~~~~~~~~~~
255.0.0.0       | 8  | Class A
255.255.0.0     | 16 | Class B
255.255.255.0   | 24 | Class C
255.255.255.255 | 32 | Point-to-point

You may also use the format yyy.yyy.yyy.yyy/xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx specfies your subnet mask such as 255.255.255.0

For example, if I'm on a class C subnet, I would have entered: 

ipfwadm -F -p deny 
ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0

Since bootp request packets comes without valid IP's once the client knows nothing about it, for people with a bootp server in the masquerade/firewall machine it is necessary to use the following before the deny command: 

ipfwadm -I -a accept -S 0/0 68 -D 0/0 67 -W bootp_clients_net_if_name -P udp

You can also do it on a per machine basis. For example, if I want 192.168.1.2 and 192.168.1.8 to have access to the Internet, but not the other machines, I would have entered: 

ipfwadm -F -p deny 
ipfwadm -F -a m -S 192.168.1.2/32 -D 0.0.0.0/0 
ipfwadm -F -a m -S 192.168.1.8/32 -D 0.0.0.0/0

What appears to be a common mistake is to make the first command be this 

ipfwadm -F -p masquerade
Do not make your default policy be masquerading - otherwise someone who can manipulate their routing will be able to tunnel straight back through your gateway, using it to masquerade their identity!

Again, you can add these lines to the /etc/rc.local files, one of the rc files you prefer, or do it manually every time you need IP Masquerade.

Please read section 4.4 for a detail guide on Ipfwadm

3.5 Testing IP Masquerade

It's time to give it a try, after all these hard work. Make sure the connection of your Linux hosts to the Internet is okay.

You can try browsing some 'INTERNET!!!' web sites on your OTHER machines, and see if you get it. I recommend using an IP address rather than a hostname on your first try, because your DNS setup may not be correct.

For example, you can access the Linux Documentation Project site http://metalab.unc.edu/mdw/linux.html with an entry of http://152.19.254.81/mdw/linux.html

If you see The Linux Documentation Project homepage, then congratulations! It's working! You may then try one with hostname entry, and then ping, telnet, ssh, ftp, Real Audio, True Speech, whatever supported by IP Masquerade.....

So far, I have no trouble with the above settings, and it's full credit to the people who spend their time making this wonderful feature working.

Next Previous Contents