OK, here is what I have, but can you tell me how to get the damn network up, or at least how to make sure it is? I am using Windows networking on my LAN and do understand the TCP network, but haven't got it to work. Here is what I have on IP:

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 27, 1998 2:44 PM
> To: [EMAIL PROTECTED]
> Subject: IP - Masquerading
>
> Hello,
> I have been looking for a copy of "How-to IP Masquerading" if
> one exists(?) have been to sunsite/docs and the major Linux distributors
> etc. looking.
> If one exists could someone mail it to me or point me to a location
> that has it
>
> thks
> barry
>
> --
> PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
> http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
> To unsubscribe: mail [EMAIL PROTECTED] with
> "unsubscribe" as the Subject.

IP-Masquerade Notes
IP-Masquerade Thread Summary
by Michael L. Collins, Ph.D.
This document provides a simple example of a network configuration for IP-Masquerading. It does not explain IP-Masquerading itself, but only gives a basic example that some people may find helpful. Before beginning this procedure, the PPP daemon, pppd, must be installed and working: you should already have a dial-up PPP connection to the Internet. Be prepared to compile a kernel with modules. Only the configuration parameters are given for compiling and installing the kernel and modules.
Most likely you already have a reference to IP-Masquerade on your CD-ROM; see /usr/doc/HOWTO/mini/IP-Masquerade. Also see the man pages for ifconfig, route, netstat, and ipfwadm. Prerequisite reading includes "The Linux Network Administrator's Guide" by Olaf Kirch, the "Linux Net-3 HOWTO" by Terry Dawson, the "Firewalling and Proxy Server HOWTO", and "The Linux IP Masquerade mini-HOWTO" by Ambrose Au.
Network Design
A common use for IP-Masquerade is to give several workstations or hosts on a LAN access to the Internet by way of one dial-up PPP connection. Currently, most Internet Service Providers (ISPs) hand out dynamically allocated IP addresses, and charge considerably more to issue enough static IP addresses for a small LAN. The example presented shows the configuration of one gateway machine with one dynamically allocated IP address (206.76.0.44) providing communications for two host machines with static local (non-Internet) addresses. The class A block 10.0.0.0 is reserved (RFC 1918) for private networks; addresses from it are never routed on the public Internet, which is exactly why the gateway must masquerade for those hosts. This example configures the local network as a subnet of that class A block.
The network configuration is :
- Box #1 is a Linux machine which acts as a router or gateway. It has a modem that dials up and makes a PPP connection. This machine also has an Ethernet card on the local LAN. Box #1's local address is 10.0.69.1.
- Box #2 is a Linux machine which is only a host or workstation. This machine has an Ethernet card on the LAN with the IP address 10.0.69.13.
- Box #3 is a Windows '95 machine, which is a host on the LAN via an Ethernet card with address 10.0.69.15.
Kernel on Box #1
Build the kernel after deciding on the configuration parameters you want. Here are the kernel configuration options I used to build the kernel. These settings may be found in your file /usr/src/linux/.config. The settings related to IP-Masquerading are CONFIG_FIREWALL, CONFIG_IP_FORWARD, CONFIG_IP_FIREWALL, CONFIG_IP_MASQUERADE, CONFIG_IP_MASQUERADE_ICMP and CONFIG_IP_ALWAYS_DEFRAG (CONFIG_IP_MASQUERADE_IPAUTOFW is optional), together with CONFIG_PPP for the dial-up link.
#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y

#
# Loadable module support
#
CONFIG_MODULES=y
# CONFIG_MODVERSIONS is not set
CONFIG_KERNELD=y

#
# General setup
#
# CONFIG_MATH_EMULATION is not set
CONFIG_NET=y
# CONFIG_MAX_16M is not set
CONFIG_PCI=y
# CONFIG_PCI_OPTIMIZE is not set
CONFIG_SYSVIPC=y
CONFIG_BINFMT_AOUT=y
CONFIG_BINFMT_ELF=y
# CONFIG_BINFMT_JAVA is not set
CONFIG_KERNEL_ELF=y
# CONFIG_M386 is not set
# CONFIG_M486 is not set
CONFIG_M586=y
# CONFIG_M686 is not set

#
# Floppy, IDE, and other block devices
#
CONFIG_BLK_DEV_FD=y
CONFIG_BLK_DEV_IDE=y

#
# Please see Documentation/ide.txt for help/info on IDE drives
#
# CONFIG_BLK_DEV_HD_IDE is not set
CONFIG_BLK_DEV_IDECD=y
# CONFIG_BLK_DEV_IDETAPE is not set
# CONFIG_BLK_DEV_IDEFLOPPY is not set
# CONFIG_BLK_DEV_IDESCSI is not set
# CONFIG_BLK_DEV_IDE_PCMCIA is not set
CONFIG_BLK_DEV_CMD640=y
# CONFIG_BLK_DEV_CMD640_ENHANCED is not set
# CONFIG_BLK_DEV_RZ1000 is not set
CONFIG_BLK_DEV_TRITON=y
# CONFIG_IDE_CHIPSETS is not set

#
# Additional Block Devices
#
CONFIG_BLK_DEV_LOOP=m
# CONFIG_BLK_DEV_MD is not set
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_INITRD=y
# CONFIG_BLK_DEV_XD is not set
# CONFIG_BLK_DEV_HD is not set

#
# Networking options
#
CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_RST_COOKIES is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_MASQUERADE=y

#
# Protocol-specific masquerading support will be built as modules.
#
CONFIG_IP_MASQUERADE_IPAUTOFW=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_IP_ACCT is not set
CONFIG_IP_ROUTER=y
CONFIG_NET_IPIP=m
CONFIG_IP_ALIAS=m

#
# (it is safe to leave these untouched)
#
# CONFIG_INET_PCTCP is not set
CONFIG_INET_RARP=m
# CONFIG_NO_PATH_MTU_DISCOVERY is not set
CONFIG_IP_NOSR=y
CONFIG_SKB_LARGE=y

#
#
#
CONFIG_IPX=y
# CONFIG_ATALK is not set
# CONFIG_AX25 is not set
# CONFIG_BRIDGE is not set
# CONFIG_NETLINK is not set

#
# SCSI support
#
# CONFIG_SCSI is not set

#
# Network device support
#
CONFIG_NETDEVICES=y
CONFIG_DUMMY=m
CONFIG_EQUALIZER=m
# CONFIG_DLCI is not set
# CONFIG_PLIP is not set
CONFIG_PPP=y

#
# CCP compressors for PPP are only built as modules.
#
# CONFIG_SLIP is not set
# CONFIG_NET_RADIO is not set
CONFIG_NET_ETHERNET=y
CONFIG_NET_VENDOR_3COM=y
CONFIG_EL1=m
CONFIG_EL2=m
# CONFIG_ELPLUS is not set
# CONFIG_EL16 is not set
CONFIG_EL3=y
# CONFIG_VORTEX is not set
# CONFIG_LANCE is not set
# CONFIG_NET_VENDOR_SMC is not set
# CONFIG_NET_ISA is not set
CONFIG_NET_EISA=y
# CONFIG_AC3200 is not set
# CONFIG_APRICOT is not set
# CONFIG_EEXPRESS_PRO100B is not set
# CONFIG_DE4X5 is not set
# CONFIG_DEC_ELCP is not set
# CONFIG_DGRS is not set
# CONFIG_ZNET is not set
# CONFIG_NET_POCKET is not set
# CONFIG_TR is not set
# CONFIG_FDDI is not set
# CONFIG_ARCNET is not set

#
# ISDN subsystem
#
CONFIG_ISDN=y
CONFIG_ISDN_PPP=y
CONFIG_ISDN_PPP_VJ=y
CONFIG_ISDN_MPP=y
# CONFIG_ISDN_AUDIO is not set
CONFIG_ISDN_DRV_ICN=m
CONFIG_ISDN_DRV_PCBIT=m
# CONFIG_ISDN_DRV_HISAX is not set
# CONFIG_ISDN_DRV_SC is not set
# CONFIG_ISDN_DRV_AVMB1 is not set

#
# CD-ROM drivers (not for SCSI or IDE/ATAPI drives)
#
CONFIG_CD_NO_IDESCSI=y
# CONFIG_AZTCD is not set
CONFIG_GSCD=m
CONFIG_SBPCD=m
CONFIG_MCD=m
CONFIG_MCDX=m
# CONFIG_OPTCD is not set
# CONFIG_CM206 is not set
# CONFIG_SJCD is not set
CONFIG_CDI_INIT=y
# CONFIG_ISP16_CDI is not set
CONFIG_CDU31A=m
CONFIG_CDU535=m

#
# Filesystems
#
# CONFIG_QUOTA is not set
CONFIG_MINIX_FS=m
# CONFIG_EXT_FS is not set
CONFIG_EXT2_FS=y
CONFIG_XIA_FS=m
CONFIG_FAT_FS=y
CONFIG_MSDOS_FS=m
CONFIG_VFAT_FS=y
# CONFIG_UMSDOS_FS is not set
CONFIG_PROC_FS=y
CONFIG_NFS_FS=y
# CONFIG_ROOT_NFS is not set
# CONFIG_SMB_FS is not set
CONFIG_NCP_FS=y
CONFIG_ISO9660_FS=y
# CONFIG_HPFS_FS is not set
# CONFIG_SYSV_FS is not set
CONFIG_AUTOFS_FS=m
# CONFIG_AFFS_FS is not set
# CONFIG_UFS_FS is not set

#
# Character devices
#
CONFIG_SERIAL=y
# CONFIG_DIGI is not set
# CONFIG_CYCLADES is not set
# CONFIG_STALDRV is not set
# CONFIG_RISCOM8 is not set
CONFIG_PRINTER=y
# CONFIG_SPECIALIX is not set
# CONFIG_MOUSE is not set
# CONFIG_UMISC is not set
# CONFIG_QIC02_TAPE is not set
# CONFIG_FTAPE is not set
# CONFIG_APM is not set
# CONFIG_WATCHDOG is not set
# CONFIG_RTC is not set

#
# Sound
#
# CONFIG_SOUND is not set

#
# Kernel hacking
#
CONFIG_PROFILE=y
CONFIG_PROFILE_SHIFT=2
System Files for Box #1
Even when the kernel is compiled with CONFIG_IP_FORWARD, IP forwarding is off by default at boot. I was able to turn it ON by modifying the file /etc/sysconfig/network. Here is my file:
File: /etc/sysconfig/network :
NETWORKING=yes
# FORWARD_IPV4=false mlc 2/18/98
FORWARD_IPV4=yes
HOSTNAME=box1.your.dom
DOMAINNAME=your.dom
# mlc 2/18/98 rem out 2 GATE* lines was sufficient to remove default gate
# GATEWAY=10.0.69.21
# GATEWAYDEV=eth0
Notice that forwarding has been turned on, and the default gateway has been turned off (the default route will come from pppd instead).
If FORWARD_IPV4=yes is read successfully during boot, the file /proc/sys/net/ipv4/ip_forward will contain a one (1); otherwise it will contain a zero (0).
If it does not get set at boot time, you may set it to one from the command line:
echo '1' > /proc/sys/net/ipv4/ip_forward
This turns IP forwarding on until the next reboot.
File: /etc/hosts :
127.0.0.1 localhost box1.your.dom #this is the loopback address
10.0.69.1 box1 box1.your.dom #this is the linux gateway
10.0.69.13 box2 box2.your.dom #this is the linux workstation
10.0.69.15 box3 box3.your.dom #this is the Win'95 machine
File: /etc/resolv.conf :
domain your.dom # e.g. agenci.com or airmail.net
search your.dom # this is usually not your ISP's domain
nameserver 192.36.148.17 # change this to your nameserver addr.
nameserver 192.5.5.241 # change this to your nameserver addr.
The keywords domain, search and nameserver must be in lower case. The two nameserver addresses above are placeholders only: they are root name servers, which do not answer recursive queries, so name lookups will fail until you replace them with the resolver addresses your ISP gave you.
Script Files for Box #1
I wrote a script called rc.serial to set the parameters for the serial port and modem, which I run during boot. Then I run my script called rc.route to set up the routing tables and firewall rules. Finally I run my script called ppp.connect, which dials, makes the PPP connection, and sets up the dynamic IP in the routing table. The file rc.route is described below. You already have the equivalent of rc.serial and the PPP connect file from setting up pppd. Let us look at the commands ifconfig, route, and ipfwadm, which are used in rc.route.
The Command ifconfig
When this command is executed without parameters, it shows the current configuration:
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:6749 errors:0 dropped:0 overruns:0
          TX packets:6749 errors:0 dropped:0 overruns:0

eth0      Link encap:10Mbps Ethernet  HWaddr 00:20:78:13:59:72
          inet addr:10.0.69.1  Bcast:10.0.69.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:279448 errors:0 dropped:0 overruns:0
          TX packets:407321 errors:0 dropped:0 overruns:0
          Interrupt:11 Base address:0x6000

ppp0      Link encap:Point-Point Protocol
          inet addr:206.76.0.44  P-t-P:206.76.0.41  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:25477 errors:1366 dropped:1366 overruns:0
          TX packets:22898 errors:0 dropped:0 overruns:0
Before the route table is established, the interfaces are configured with ifconfig.
ifconfig lo 127.0.0.1 netmask 255.0.0.0 up
ifconfig eth0 10.0.69.1 netmask 255.255.255.0 up
These commands are included in the script rc.route for box #1.
Route Tables on Box #1
Route tables are established with the route command, ordinarily. In the case of a PPP connection, pppd also contributes to the route table. If you are not familiar with subnetting, and even if you are familiar, you should review the concepts of subnetting and routing in a TCP/IP text.
Here is what the Box #1 route table looks like once pppd is up:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS  Window irtt Iface
206.76.0.41     0.0.0.0         255.255.255.255 UH    1500 0      0    ppp0
10.0.69.0       0.0.0.0         255.255.255.0   U     1500 0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     3584 0      0    lo
0.0.0.0         206.76.0.41     0.0.0.0         UG    1500 0      0    ppp0
The destination column may be a host or a subnet; here all but one entry is a subnet. The gateway column holds 0.0.0.0 when the destination is reached directly on the local network, and the IP address of a router or gateway when the route goes through that router to reach the listed destination. Every interface entry on a given subnet must carry the same netmask: one machine may hold routes with different netmasks in its table, but all machines must agree on the mask for any given subnet. Every entry carries U, indicating up and running; routes through a gateway carry G, and host routes carry H. There is no problem having more than one entry for an interface. IP 206.76.0.41 is the remote end of the PPP connection; pppd learns it from the peer and adds both the host route to it and the default route through it when the link comes up.
Here are the commands I used in rc.route to produce this table, not including pppd.
ifconfig lo 127.0.0.1 netmask 255.0.0.0 up
route add -net 127.0.0.0 netmask 255.0.0.0 lo
ifconfig eth0 10.0.69.1 netmask 255.255.255.0 up
route add -net 10.0.69.0 netmask 255.255.255.0 eth0

# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS  Window irtt Iface
10.0.69.0       0.0.0.0         255.255.255.0   U     1500 0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     3584 0      0    lo
Note that there is no default gateway until after pppd has run.
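As an added example (not part of the original document or its scripts), here is a small POSIX shell script for Box #1 that performs the checks the last two sections describe before you try masquerading: that /proc/sys/net/ipv4/ip_forward reads 1, that the 10.0.69.0/24 route sits on eth0, and that a default route via ppp0 exists, i.e. that pppd has come up. The function names check_gateway, default_route, subnet_iface and ip_forward_enabled are this example's own; the route table format it parses is the netstat -nr output shown above.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the Box #1
# gateway. The two parsers read a "netstat -nr" table from stdin so they can
# be run against captured output as well as the live system.

# Return 0 if IP forwarding is on in the given /proc file (default: the real one).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print "<gateway> <iface>" for the default route in a "netstat -nr" table.
# The default route is the line whose Destination and Genmask are both 0.0.0.0.
# Exit 1 if there is none (the state before pppd has run).
default_route() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2, $NF; found = 1 }
         END { exit !found }'
}

# Print the interface that carries a given network route (e.g. 10.0.69.0).
subnet_iface() {
    awk -v net="$1" '$1 == net { print $NF; found = 1 } END { exit !found }'
}

# Full check against the live system: forwarding on, LAN route on eth0,
# default route on ppp0. Prints the first problem found and returns 1.
check_gateway() {
    ip_forward_enabled || {
        echo "ip_forward is 0: run  echo 1 > /proc/sys/net/ipv4/ip_forward"; return 1; }
    table=$(netstat -nr) || return 1
    lan=$(printf '%s\n' "$table" | subnet_iface 10.0.69.0) || {
        echo "no route for 10.0.69.0/24: is eth0 configured?"; return 1; }
    def=$(printf '%s\n' "$table" | default_route) || {
        echo "no default route: is pppd up?"; return 1; }
    case $def in
        *" ppp0") ;;
        *) echo "default route is '$def', expected it on ppp0"; return 1 ;;
    esac
    echo "ok: LAN on $lan, default route via $def"
}
```

Run check_gateway from rc.route after the route commands (it will complain that there is no default route until ppp.connect has run) or from the shell after dialling; the parsers also work on a pasted netstat -nr table.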
The Command ipfwadm
The firewall policy commands can be executed in the same script as the above routing commands. I suggest you start with the following commands, which let everything through the firewall. While they are in place the gateway forwards and masquerades whatever it is handed, from either interface, so treat them as a test configuration only. After verifying that the masquerading is working, go back and change them to provide some security.
#
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
ipfwadm -Ip accept
ipfwadm -Op accept
ipfwadm -Fp masquerade
Read the manual page by executing "man ipfwadm" for a description of these options (-I, -O and -F select the input, output and forwarding rule lists; -f flushes a list; -p sets its default policy).
The command ipfwadm -F -l will verify this configuration with:
IP firewall forward rules, default policy: accept/masquerade
The command ipfwadm -M -l lists the active masquerading table. Straight after loading the rules it shows only the heading, because an entry appears only once a host on the LAN has opened a connection through the gateway:
IP masquerading entries
Open a connection from box #2 to an Internet host and run it again; the entry for that session, with the rewritten source port, should then be listed.
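As an added example, not part of the original document or its scripts, here is a tightened firewall section for rc.route to swap in once masquerading works. It keeps the page's addressing (LAN 10.0.69.0/24 on eth0, Internet on ppp0 with a dynamic address, so no rule names 206.76.0.44) and ipfwadm's syntax; the fw helper, masq_rules and the DRY_RUN switch are this example's own names. It sets the default policy of all three lists to deny, drops packets arriving on ppp0 that claim a private or loopback source address (spoofing), refuses new TCP connections from the Internet to the gateway itself, and masquerades only packets from the LAN leaving via ppp0, so the forwarding list no longer masquerades whatever it is handed.

```shell
#!/bin/sh
# Added example, not from the original page: a tightened replacement for the
# "let everything through" ipfwadm rules in rc.route on Box #1.
# Assumptions: LAN 10.0.69.0/24 on eth0, Internet link on ppp0 with a
# dynamic address. Set DRY_RUN=1 to print the rules instead of loading them.

LAN=10.0.69.0/24
LAN_IF=eth0
EXT_IF=ppp0
ANY=0.0.0.0/0

# Run one ipfwadm command, or just print it when DRY_RUN=1.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ipfwadm $*"; else ipfwadm "$@"; fi
}

# The whole ruleset. Within a list the first matching rule wins, so the
# deny rules come before the broad accept rules.
masq_rules() {
    # Flush all three lists and make every default policy deny, so that a
    # mistake in a later rule fails closed instead of open.
    fw -I -f; fw -O -f; fw -F -f
    fw -I -p deny; fw -O -p deny; fw -F -p deny

    # Anti-spoofing on the Internet side: nothing arriving on ppp0 may claim a
    # private (RFC 1918) or loopback source. -o logs the hits to the kernel log.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        fw -I -a deny -W "$EXT_IF" -S "$net" -D "$ANY" -o
    done
    # No new TCP connections (SYN without ACK, which is what -y matches) from
    # the Internet to the gateway itself. Replies to sessions opened from the
    # LAN are not SYN-only and fall through to the accept rule below.
    fw -I -a deny -W "$EXT_IF" -P tcp -y -S "$ANY" -D "$ANY" -o
    fw -I -a accept -W "$EXT_IF" -S "$ANY" -D "$ANY"

    # LAN side: accept only packets whose source really is on 10.0.69.0/24.
    fw -I -a accept -W "$LAN_IF" -S "$LAN" -D "$ANY"
    fw -I -a deny -W "$LAN_IF" -S "$ANY" -D "$ANY" -o
    fw -I -a accept -W lo -S "$ANY" -D "$ANY"

    # Output: the gateway itself may send anything.
    fw -O -a accept -S "$ANY" -D "$ANY"

    # Forwarding: only the LAN is masqueraded, and only out of ppp0. Anything
    # else hits the deny policy; the original "-F -p masquerade" default,
    # which masqueraded every forwarded packet, is gone.
    fw -F -a m -W "$EXT_IF" -S "$LAN" -D "$ANY"
}

# Load the rules when ipfwadm is present, or print them in dry-run mode.
if [ "${DRY_RUN:-0}" = 1 ] || command -v ipfwadm >/dev/null 2>&1; then
    masq_rules
fi
```

Run it with DRY_RUN=1 first to read the commands it would issue, then without, and compare against ipfwadm -I -l, -O -l and -F -l. ipfwadm keeps no connection state for UDP or ICMP, so those remain open towards the gateway under this ruleset; anything listening on the gateway on those protocols needs its own deny rules.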
Configuration Files for Box #2
The files /etc/hosts, /etc/resolv.conf, and /etc/sysconfig/network on box #2 look very similar to those on box #1.
File: /etc/sysconfig/network :
NETWORKING=yes
HOSTNAME=box2.your.dom
DOMAINNAME=your.dom
GATEWAY=10.0.69.1
GATEWAYDEV=eth0
File: /etc/hosts :
127.0.0.1 localhost box2.your.dom #this is the loopback address
10.0.69.1 box1 box1.your.dom #this is the linux gateway
10.0.69.13 box2 box2.your.dom #this is the linux workstation
10.0.69.15 box3 box3.your.dom #this is the Win'95 machine
File: /etc/resolv.conf :
domain your.dom # e.g. agenci.com or airmail.net
search your.dom # this is usually not your ISP's domain
nameserver 192.36.148.17 # change this to your nameserver addr.
nameserver 192.5.5.241 # change this to your nameserver addr.
Route Tables on Box #2
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS  Window irtt Iface
10.0.69.0       0.0.0.0         255.255.255.0   U     1500 0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     3584 0      0    lo
0.0.0.0         10.0.69.1       0.0.0.0         UG    1500 0      0    eth0
Script Files for Box #2
This is the script rc.route, which sets up the route table.
#!/bin/bash
ifconfig lo 127.0.0.1
route add -net 127.0.0.0 netmask 255.0.0.0 lo
ifconfig eth0 10.0.69.13 netmask 255.255.255.0 up
route add -net 10.0.69.0 netmask 255.255.255.0 eth0
route add -net 0.0.0.0 gw 10.0.69.1 eth0   # the eth0 must be on the end of the gw entry
netstat -nr
Box # 3
In Windows '95, open the following:
Start > Settings > Control Panel > Network > TCP/IP -> NE2000 Compatible > Properties
IP Address Tab:
Specify an IP address : (Checked)
IP Address: 10.0.69.15 (This is the IP address for ethernet interface on box #3.)
Subnet Mask: 255.255.255.0
WINS Tab: (Disabled)
Gateway Tab:
Installed gateways 10.0.69.1 (This is the IP address for ethernet interface on box #1.)
DNS Tab: (This is similar to /etc/resolv.conf on linux OS.)
Enable DNS
Host: box3
Domain: your.dom
DNS Server Search Order
192.36.148.17 (Change this to your DNS)
192.5.5.241 (Change this to your DNS)
Domain Suffix Search Order
your.dom ( e.g. agenci.com or airmail.net )
Note that box #1 is not listed here unless it is also your DNS.
File: C:\Windows\hosts
This file is used to look up names of local machines, just like /etc/hosts in Linux. You can add your local hosts to this file.
10.0.69.1 box1 box1.your.dom
10.0.69.13 box2 box2.your.dom
10.0.69.15 box3 box3.your.dom
Command: C:\Windows>netstat -rn
This command will show you the routing table, just like in Linux.
Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 10.0.69.1 10.0.69.15 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
10.0.69.0 255.255.255.0 10.0.69.15 10.0.69.15 1
10.0.69.15 255.255.255.255 127.0.0.1 127.0.0.1 1
10.0.69.255 255.255.255.255 10.0.69.15 10.0.69.15 1
224.0.0.0 224.0.0.0 10.0.69.15 10.0.69.15 1
255.255.255.255 255.255.255.255 10.0.69.15 10.0.69.15 1
Acknowledgements
This document is the by-product of a large number of people's contributions on the Linux mailing list. I would like to thank all those people who contributed. Please forgive me if I did not get your name on this list, but the document was an afterthought and proper records were not kept. Known contributors are: Glynn Clements, Gyepi Sam, Rick Mantooth, Richard Adams, Joe Smith, Mark Constable, Erez Doron, Ben Baston, and Matt Warnock.
Please contact me with any corrections or additions.
Michael L. Collins
[EMAIL PROTECTED]
[EMAIL PROTECTED]
or
Action Net, Inc.
P.O. Box 120268
Tyler, Texas 75712