
IP Masquerade
Andy Wilson, UNC Chapel Hill, February 16, 2000


1 Title slide: IP Masquerade. Andy Wilson, UNC Chapel Hill, February 16, 2000

2 Outline
- What's IP Masquerade?
- Why would you want it?
- How it works
- What you'll need
- Setting up
- Testing

3 What's IP Masquerade?
- Network Address Translation (NAT) under Linux
  - almost, but not quite, the same as firewalling
- Allows several networked computers to talk to the Internet through a single IP address

4 Why would you want it?
- Connectivity for a home network
  - Many ISPs only allow one IP address
- Security
  - Hide machines containing sensitive information
  - Allow access only to specific services on specific machines

5 How it works: Network Structure (diagram)
- Home Network:
  - Frodo 192.168.0.100
  - Bilbo 192.168.0.101
  - Pippin 192.168.0.102
  - Gateway: Enet 192.168.0.1 (home network side), PPP 11.22.33.44 (Internet side)
- Internet: reached only through the Gateway's PPP link

6 How it works: Example (diagram)
- slashdot.org 209.207.224.40
- Gateway: PPP 11.22.33.44, Enet 192.168.0.1
- Frodo 192.168.0.100
  - New connection: 192.168.0.100:1234 to 209.207.224.40:80

7 How it works: Example (diagram)
- www.slashdot.org 209.207.224.40
- Frodo 192.168.0.100
  - Connected: 192.168.0.100:1234 to 209.207.224.40:80
- Gateway: PPP 11.22.33.44, Enet 192.168.0.1
  - New connection: 11.22.33.44:5432 to 209.207.224.40:80
  - Port map: 5432 -> Frodo:1234

8 How it works: Example (diagram)
- Frodo 192.168.0.100
  - Connected: 192.168.0.100:1234 to 209.207.224.40:80
- Gateway: PPP 11.22.33.44, Enet 192.168.0.1
  - Connected: 11.22.33.44:5432 to 209.207.224.40:80
  - Port map: 5432 -> Frodo:1234
- www.slashdot.org 209.207.224.40
  - Connection opened: from 11.22.33.44:5432 to 209.207.224.40:80

9 How it works: Example (diagram)
- Frodo 192.168.0.100
  - Connected: 192.168.0.100:1234 to 209.207.224.40:80
- Gateway: PPP 11.22.33.44, Enet 192.168.0.1
  - Data received: 11.22.33.44:5432 from 209.207.224.40:80
  - Port map: 5432 -> Frodo:1234
- www.slashdot.org 209.207.224.40
  - Connection opened: from 11.22.33.44:5432 to 209.207.224.40:80

10 How it works: Example (diagram)
- Frodo 192.168.0.100
  - Data received: 192.168.0.100:1234 from 209.207.224.40:80
- Gateway: PPP 11.22.33.44, Enet 192.168.0.1
  - Data received: 11.22.33.44:5432 from 209.207.224.40:80
  - Port map: 5432 -> Frodo:1234
- www.slashdot.org 209.207.224.40
  - Connection opened: from 11.22.33.44:5432 to 209.207.224.40:80
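The port-map walkthrough on slides 6 to 10 can be replayed in code. The model below is an added example, not code from the presentation: it keeps a port map exactly as the slides draw it, rewrites Frodo's outbound packet to the gateway's PPP address and port 5432, translates the reply back, and drops anything arriving from outside that has no mapping (which is what makes masquerading hide the inside machines, as slide 4 claims). The forward policy it applies (masquerade only sources in 192.168.0.0/24, deny everything else) is the one the rc.firewall script on slide 17 sets up. Assumptions: the port number 5432 is taken from the slide (a real ipchains kernel chooses its own port range), the payloads and the stray probe address 198.51.100.7 are constructed, and binding a port-map entry to the remote endpoint that created it is a restriction added here for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP/TCP packet, reduced to its four-tuple plus a payload string."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class MasqGateway:
    """Toy model of the masquerading gateway on the slides (added example).

    Outbound packets from the masqueraded LAN leave with the gateway's external
    address and a fresh port; a port-map entry remembers which inside host owns
    that port. Inbound packets are delivered only if they hit an existing entry,
    so nothing on the outside can open a connection to an inside host.
    """

    def __init__(self, lan="192.168.0.0/24", external_ip="11.22.33.44", first_port=5432):
        # lan mirrors "-A forward -s 192.168.0.0/24 -j MASQ"; any other source is DENY
        self.lan = ipaddress.ip_network(lan)
        self.external_ip = external_ip
        self.next_port = first_port      # 5432 as drawn on slide 7; real ipchains picks its own range
        self.port_map = {}               # external port -> (int ip, int port, remote ip, remote port)
        self.reverse = {}                # (int ip, int port, remote ip, remote port) -> external port

    def forward_outbound(self, pkt):
        """Packet arriving on the Ethernet side, heading for the Internet.
        Returns the rewritten packet, or None if the forward policy denies it."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan:
            return None                  # "ipchains -P forward DENY" for every other source
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.reverse.get(key)
        if ext_port is None:             # new connection: allocate a port-map entry
            ext_port = self.next_port
            self.next_port += 1
            self.port_map[ext_port] = key
            self.reverse[key] = ext_port
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def forward_inbound(self, pkt):
        """Packet arriving on the PPP side. Returns the packet rewritten for the
        inside host, or None if no port-map entry matches (packet is dropped)."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self.port_map.get(pkt.dst_port)
        if entry is None:
            return None                  # unsolicited inbound connection: no mapping, dropped
        int_ip, int_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                  # assumption: an entry only serves the remote end that created it
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.payload)


def run_slide_example():
    """Replay slides 6-10: Frodo talks to www.slashdot.org:80 through the gateway."""
    gw = MasqGateway()
    frodo_syn = Packet("192.168.0.100", 1234, "209.207.224.40", 80, "GET / HTTP/1.0")   # constructed
    out = gw.forward_outbound(frodo_syn)               # slide 7: 11.22.33.44:5432 -> 209.207.224.40:80
    reply = Packet("209.207.224.40", 80, "11.22.33.44", out.src_port, "HTTP/1.0 200 OK")  # constructed
    back = gw.forward_inbound(reply)                   # slide 10: delivered to 192.168.0.100:1234
    stray = Packet("198.51.100.7", 40000, "11.22.33.44", 5433, "probe")   # constructed, never mapped
    return {
        "outbound": out,
        "port_map": dict(gw.port_map),
        "inbound": back,
        "unsolicited": gw.forward_inbound(stray),
        "not_our_lan": gw.forward_outbound(Packet("10.9.8.7", 1, "209.207.224.40", 80)),
    }


if __name__ == "__main__":
    for step, result in run_slide_example().items():
        print(step, result)
```

Running the block prints the translated outbound packet, the one-entry port map from slide 7, the reply as Frodo sees it on slide 10, and None for both the unsolicited probe and the packet from a network the forward chain does not masquerade.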

11 What you'll need
- Two computers (at least)
- Local LAN
- Outside connection (ISP)
- One machine running kernel 2.2.x (x > 13)
  - 2.0.34 is possible but not recommended (see HOWTO for details)

12 Setting Up: Overview
- Build a kernel with the right options enabled
- Configure your LAN
- Configure your ISP connection
- Configure IPCHAINS
- Reboot and test
- Celebrate

13 Setting Up: Compiling the Kernel
- If this is your first time compiling a kernel: DON'T PANIC.
- Read the Kernel-HOWTO for instructions. It's quite simple. After that...

14 Setting Up: Kernel Options
- Enable incomplete/development drivers
- Enable networking, firewalls, TCP/IP
- Enable firewalling (again)
- Enable masquerading, always defragment
- Enable ICMP masquerade
- Enable IP forwarding
- Disable ipautofw
- Enable TCP syncookies
- Enable /proc filesystem
- Enable PPP (if your ISP connection is a dialup)
- Don't forget a driver for your Ethernet card!

15 Setting Up: LAN configuration
- IANA Reserved Network Numbers
  - 10.0.0.0/8
  - 172.16.0.0/16
  - 192.168.0.0/16
- Select IP addresses from one of these blocks
- Default gateway should be firewall machine
- Consider running a nameserver on firewall

16 Example Network (diagram)
- Home Network:
  - Frodo 192.168.0.100
  - Bilbo 192.168.0.101
  - Pippin 192.168.0.102
  - Gateway: Enet 192.168.0.1 (home network side), PPP 11.22.33.44 (Internet side)
- Internet: reached through the Gateway's PPP link
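The rules on slide 15 (private addresses only, everything on one subnet, default gateway is the firewall) are easy to get wrong by hand, and a mistake shows up later as "ping the outside world" failing on slide 19. The checker below is an added example, not part of the presentation, that validates an addressing plan like the one on slide 16 against those rules. It uses the RFC 1918 blocks as the RFC defines them, so the middle block is 172.16.0.0/12, of which the slide's 172.16.0.0/16 is a subset. The host table layout ({name: (address, default gateway)}), the /24 prefix length, and the deliberately broken second plan are assumptions constructed for the example; the good plan's addresses are those on slide 16.

```python
import ipaddress

# RFC 1918 private blocks as defined in the RFC (slide 15 writes the middle
# one as 172.16.0.0/16, which lies inside 172.16.0.0/12).
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 blocks."""
    return any(addr in block for block in RFC1918)


def check_lan_plan(hosts, gateway_lan_ip, gateway_external_ip, prefix_len=24):
    """Check an addressing plan against the rules on slides 15-16 (added example).

    hosts: {name: (ip, default_gateway)}, both as dotted strings.
    Returns a list of problem strings; an empty list means the plan is consistent.
    """
    problems = []
    gw = ipaddress.ip_address(gateway_lan_ip)
    ext = ipaddress.ip_address(gateway_external_ip)
    if not is_private(gw):
        problems.append(f"gateway LAN address {gw} is not in an IANA reserved block")
    if is_private(ext):
        problems.append(f"external address {ext} is private; the ISP cannot route it")
    # Subnet the gateway's Ethernet side lives on (assumed /24 unless told otherwise)
    subnet = ipaddress.ip_network(f"{gw}/{prefix_len}", strict=False)
    seen = {}
    for name, (ip_str, dgw_str) in hosts.items():
        ip = ipaddress.ip_address(ip_str)
        if not is_private(ip):
            problems.append(f"{name} ({ip}) is not in an IANA reserved block")
        if ip not in subnet:
            problems.append(f"{name} ({ip}) is not on the gateway's subnet {subnet}")
        if ip == gw:
            problems.append(f"{name} reuses the gateway's address {gw}")
        if ipaddress.ip_address(dgw_str) != gw:
            problems.append(f"{name} uses default gateway {dgw_str}, not the firewall ({gw})")
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} both use {ip}")
        seen.setdefault(ip, name)
    return problems


def slide_network():
    """The plan from slide 16, constructed as input for check_lan_plan."""
    hosts = {
        "Frodo": ("192.168.0.100", "192.168.0.1"),
        "Bilbo": ("192.168.0.101", "192.168.0.1"),
        "Pippin": ("192.168.0.102", "192.168.0.1"),
    }
    return check_lan_plan(hosts, "192.168.0.1", "11.22.33.44")


def broken_network():
    """Constructed variant with three mistakes a home user might make."""
    hosts = {
        "Frodo": ("192.168.1.100", "192.168.0.1"),    # wrong subnet: unreachable from the gateway
        "Bilbo": ("192.168.0.101", "192.168.0.254"),  # default route does not point at the firewall
        "Pippin": ("198.51.100.5", "192.168.0.1"),    # public address on the LAN, and off the subnet
    }
    return check_lan_plan(hosts, "192.168.0.1", "11.22.33.44")


if __name__ == "__main__":
    print("slide 16 plan:", slide_network() or "OK")
    for problem in broken_network():
        print("broken plan:", problem)
```

The slide 16 plan passes cleanly; the broken plan reports four problems (one each for Frodo and Bilbo, two for Pippin), each naming the host and the rule it violates.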

17 Setting Up: IPCHAINS
- Create /etc/rc.d/rc.firewall (or add to rc.local):

    #!/bin/sh
    # Enable IP forwarding (hopefully disabled at boot by default)
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # Set masquerade timeouts (2 hours for TCP, 10 sec for connection closing,
    # 160 sec for UDP (like ICQ))
    /sbin/ipchains -M -S 7200 10 160
    # Set up masquerade policies
    # by default, deny everything
    /sbin/ipchains -P forward DENY
    # but masquerade for just this one network
    /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

18 Setting Up: IPCHAINS
- Configure connection to the outside world as usual
  - diald is useful!
- Make sure rc.firewall gets run at boot time
  - chmod 700 /etc/rc.d/rc.firewall
  - in /etc/rc.d/rc.local, add the line: /etc/rc.d/rc.firewall

19 Testing
- From firewall:
  - Connect to ISP and ping outside world
  - Ping a machine inside your network
- From your network:
  - Ping firewall machine
  - Ping outside world by IP number
  - Ping outside world by name
  - Visit your favorite Web site

20 Learning More
- IP Masquerade Resource:
  - http://ipmasq.cjb.net
- HOWTO (at www.linuxdoc.org)
  - Kernel
  - IP masquerade
  - Networking overview
  - Ethernet

