IP-Masquerading

1 Masquerading ?

1.1 About this document

This document has one reason for existing, to teach something to others.

Who should be reading this document

If you have some computers standing at home and you want to share your internet connection with the rest of the family, or if you like seeing your mail on the screen on the left side of your desk and your irc window on the screen that is standing at the right side of your desk you need ip masquerading. Yes I know there are also modem sharing packets for Microsoft products on the market. But the advantage is that this can be run on a 386 computer and it takes 3 more commands and you can have your own firewall. There are also more providers who offer cable modems and (too) much bandwidth for one computer. I think it is very handy. If I am reading my e-mail and I want to see if one of my friends is on IRC I just have to turn my head. You don't really need a cable modem, it also goes if you have a modem connection (I am the living example of that).

1.2 What do you need ?

Although I haven't explained what masquerading actually is (be patient) I will start by telling you what you need in order to use masquerading. You need: So now you know what you need in order to use masquerading, I can start explaining what masquerading actually is:

What is it

I know that masquerading is a complicated process so before getting all technical I'll start with an example that makes it easier to understand. Person A loves person B but person A isn't at the same school nor has her telephone number. There is also a common friend (person C) someone who knows A and is at the some school of B. So A is going to ask C to talk to B without mentioning who person A is. Pretending the acquired information is for himself.

You will probably wondering why I made that example or on what television show you have seen the same. Well it is quite simple. Person B is the internet, and person A is a masqueraded client and person C is the masqueraded server.

For understanding it I'll first give a short introduction to TCP/IP". TCP/IP stands for Transmission Control Protocol / Internet Protocol. It is widely used for data communication among computers (before TCP/IP, everybody used UUCP = Unix to Unix Copy Protocol). TCP/IP is literally a protocol that controls your communication, it also uses IP numbers. IP-numbers consist out of 12 numbers grouped by 3 (123.456.789.123). Every computer attached to a network (and to the internet) have their own unique IP number. TCP/IP works like the following.
=> I am 1.2.3.4 and i want to contact 1.2.3.3
-> I am 1.2.3.3 did you call me ?
=> I am 1.2.3.4 and I contacted you
-> I am 1.2.3.3 and ready
=> I am 1.2.3.4 and I want that file
-> I am 1.2.3.3 and I am sending the first part to 1.2.3.4
=> I am 1.2.3.4 and I have received it.
-> I am 1.2.3.3 and I am sending the second part to 1.2.3.4
=> I am 1.2.3.4 and I haven't received anything
-> I am 1.2.3.3 and I am sending again
=> I am 1.2.3.4 and I have received it.
-> I am 1.2.3.3 and I am waiting.
=> I am 1.2.3.4 and I am ready, bye
-> I am 1.2.3.3 Bye
I know this may seem a little childish but data communication (and TCP/IP) are working like that.

Now you should be able to understand the image. You see a computer with local IP 10.0.0.1 who is connected to the internet by a telephone line and has achieved an IP number by this ISP (Internet Service Provider) that IP is 11.1.1.4. What does this mean ? If someone on the internet tried to contact 11.1.1.4 they would get a response but if they would try to contact 10.0.0.1 they would not get a response although it is the same computer because the IP 10.0.0.1 isn't recognized worldwide. Then we have 10.0.0.2 till 10.0.0.x who are connected to 10.0.0.1. In this case we could consider 10.0.0.1 as a gateway (a gateway is a sort of exit to another network, a gateway could be a link between 10.0.1.x and 10.0.0.x, but therefore that machine must be recognized by 10.0.1.x and 10.0.0.x or with other words it should have 2 network cards or in this case a modem and a network card). So we could consider it as a gateway but there is one detail, for 10.0.0.1 being a gateway. But it isn't for the simple reason that the internet wouldn't recognize it.
=> I'm 10.0.0.2 and I want to contact you
-> I'm 1.2.3.3 and I have now idea how to reach you, go away (this messages isn't really broadcasted because there is no logical route between the two computers, this is logged)
So what does masquerading actually do ? Well, it gives its own IP (11.1.1.4 this is the IP that is attached to the ISP, giving by DHCP by exemple) to the entire network and remembers which computer requested which packet. Something like:
=> I'm 10.0.0.2 and I want to contact 1.2.3.3
-> I'm 10.0.0.1 and I will be processing your request
-> I'm 14.1.1.4 and I want to contact 1.2.3.3
_> I'm 1.2.3.3 and awaiting your command
I hope this cleared out a lot. So a masqueraded server gives its IP ( in facts it masks the ip's of the network) in order for the other pc's to get on the internet. And the incoming data is being filtered under the 10.0.0.x network.

2 I hate theory I want to type something

2.1 Preparing your system

I am supposing that you all have a computer with Linux OS installed on it and that you have configured your internet account (if not, check the help pages by your provider). And know some Linux basics like compiling your own kernel. This entire site is only valid if you have a 2.2.x kernel. Because masquerading went thru some changes lately. If you have not got a 2.2.x kernel running, I suggest you upgrade. Because older kernels might contain bugs, might not support your newest hardware and make your system vulnerable to attacks. You can get the latest kernel from ftp.kernel.org (I will explain short the kernel basics here)
[GoMoRRaH@SaTaN GoMoRRaH]$ mv mykernel.tar.gz /usr/src/
[GoMoRRaH@SaTaN GoMoRRaH]$ cd /usr/src
[GoMoRRaH@SaTaN src]$ rm linux (removes the symbolic link to your old sources)
[GoMoRRaH@SaTaN src]$ tar -zxvf mykernel.tar.gz
(your kernel is now being extracted default in the directory linux)
[GoMoRRaH@SaTaN src]$ cd linux
[GoMoRRaH@SaTaN linux]$ make menuconfig
(you can choose, type: make config for text based, type: make menuconfig for graphical and type: make xconfig under X-windows)
Now you can see all the options you can use, this is different for each system so, * stands for support and M stand for modules, modules are pieces of kernel code that can be compiled in at any time, later on) But however you have to say YES to the following:

=> Prompt for development and or incomplete code / drivers
=>Enable loadable module support
=>Networking support
=>Network firewalls
=>TCP/IP Networking
=>IP:forwarding/gatewaying
=>IP:firewalling
=>IP:masquerading
=>IP:ipportfw masq support
=>IP:ipautofw masq support
=>IP:ICMP masquerading
=>IP:always defragment
=>Dummy net driver support
=>IP:ip fwmark masq-forwarding support

Note that the above options are required for ip masquerading so you still need other codes in your kernel. When you are finished you will be prompted to save changes. The following commands do the actual compiling and may take a from 10 - 40 minutes and will show many characters which you may not understand on your screen, don't worry it is normal.
[GoMoRRaH@SaTaN linux]$ make dep
[GoMoRRaH@SaTaN linux]$ make clean
[GoMoRRaH@SaTaN linux]$ make bzImage
[GoMoRRaH@SaTaN linux]$ cp /usr/src/linux/arch/i386/boot/bzImage /boot/kernel
[GoMoRRaH@SaTaN linux]$ make modules
[GoMoRRaH@SaTaN linux]$ make modules_install
At this point you should edit your /etc/lilo.conf file. You should add something like
image=/boot/kernel
label=masqkernel
root=/dev/hdax (replace this by your root filesystem, harddisk, partition, ..)
read-only
This makes your boot manager find your new kernel at boot. So if your see the lilo prompt the next time you should type masqkernel
[GoMoRRaH@SaTaN linux]$ lilo
added linux-2.2.5-15 *
added dos
added masqkernel
Now you should edit your /etc/rc.d/rc.local file so the modules needed are automatically loaded at boot
.
.
/sbin/depmode -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
.
.
These modules are needed for ftp, real audio and irc. There is only one thing to do besides rebooting and that is enabling your IPV4 forwarding.
[GoMoRRaH@SaTaN linux] echo "1" > /proc/sys/net/ip_forward(ing) Now you should reboot your system with your newly made kernel, see if everything boots properly, if not you should redo the above steps. Until you have a properly working kernel.

Start up your masquerade

In fact there isn't much to do once you've got your kernel right. It is a matter of dialing in with you provider, and typing 2 commands. They are used to set your forwarding policies. [GoMoRRaH@SaTaN GoMoRRaH]$ ipchains -P forward DENY
[GoMoRRaH@SaTaN GoMoRRaH]$ ipchains -A forward -s 10.0.0.0/4 -j MASQ
In order for this to work on your local network the only thing you have to adjust is the -s parameter. 10.0.0.0 is your network address and the 4 is the highest ip number that is masqueraded. Your server should work now. And yeah, that's really it, you have a lot of theory and a lot of preparation with your kernel and you have to type 2 lines to get your server up and running.

Configuring your clients

You have a server but what is a server without clients ? What is a supermarket without customers ? Not that you have to do so much configuring no not at all. There is only one little thing that you have to take care of, (if it isn't already done). Your clients should have as a gateway the IP of your masqueraded server (here 10.0.0.1) This is located near your networking options it shouldn't be hard to find.

3 General

Other information sources
If you want to know more about Linux networking or Linux in general you should read documents that are published by the LDP (Linux documentation Project). They have published a Network administrators guide, a system administrators guide, a programmers guide and several HOWTO's. They come with each Linux distribution and are really worth reading.

For any further questions, you can mail GoMoRRaH, a member of Black Sun Research Facility