IP Masquerading Homes and Businesses: When you only have one IP but you have LOTS of machines

The problem Extra IPs are an additional cost of you internet service. –Masquerading lets you hook up multiple machines to the same IP Some companies want TCP/IP services and set up a network not connected to the internet to use internal services such as www. –Eventually they want to connect and don’t want to have to reconfigure the entire network.

Unconnected Network If the network is configured with IPs defined for unconnected service (like x.x), masquerading lets you connect with minimal changes. Those special IPs should never directly use the internet as others might also be using the same numbers. Masquerading maps the numbers

Multiple machine to ONE IP Basically the same problem as unconnected networks. Use the special IPs and have a program translate your special IPs into real IPs.

How does it work? Focus on FROM (not TO) of request TO is same for both sides of the request Router Internal Machine Internal Machine From :100 (use same entry for reverse traffic) From :34567 To :34567 To :100 OUTSIDE NEVER SEES NET x, only ! :100 -> :34567

Problem/Considerations Ports range Internal machine Ports range Internal machine Ports range Router 2*65536 ports ports Not a problem only because the internal machines seldom use a large number of the available ports

Problem/Considerations Waiting on port 80 Internal SERVER (www) Gateway To :80 -> NO SUCH SERVICE To :80 -> ILLEGAL ADDRESS No way to access the service. -> Can’t provide external services from the inside. (you can but it requires some extra effort and another software package … more later)

How do you set it up? It’s actually packaged in a firewall solution which effectively does –packet level filtering AND –masquerading This will be explained in the section concerning setting up a firewall. In linux –ipchains or –iptables