DOCSLIB.ORG

Linux IP Masquerade HOWTO

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Linux IP Masquerade HOWTO Linux IP Masquerade HOWTO David A. Ranch <[email protected]> May 22, 2005 May 22, 2005 This document describes how to enable the Linux IP Masquerade feature on a given Linux host. IP Masquerade is a form of Network Address Translation or NAT which NAT allows internally connected computers that do not have one or more registered Internet IP addresses to communicate to the Internet via the Linux server's Internet IP address. Linux IP Masquerade HOWTO Table of Contents Chapter 1. Introduction......................................................................................................................................1 1.1. Introduction to IP Masquerading or IP MASQ.................................................................................1 1.2. Foreword, Feedback & Credits.........................................................................................................1 1.3. Copyright & Disclaimer....................................................................................................................2 Chapter 2. Background Knowledge..................................................................................................................3 2.1. What is IP Masquerade?...................................................................................................................3 2.2. Current Status...................................................................................................................................3 2.3. Who Can Benefit From IP Masquerade?..........................................................................................4 2.4. Who Doesn't Need IP Masquerade?.................................................................................................4 2.5. How does IP Masquerade Work?.....................................................................................................4 2.6. Requirements for IP Masquerade on Linux 2.4.x.............................................................................6 2.7. Requirements for IP Masquerade on Linux 2.2.x.............................................................................9 2.8. Requirements for IP Masquerade on Linux 2.0.x...........................................................................11 Chapter 3. Setting Up IP Masquerade............................................................................................................13 3.1. Compiling a new kernel if needed..................................................................................................13 3.2. Checking your existing kernel for MASQ functionality.................................................................13 3.2.1. Compiling Linux 2.4.x Kernels.............................................................................................15 3.2.2. Compiling Linux 2.2.x Kernels.............................................................................................25 3.2.3. Compiling Linux 2.0.x Kernels.............................................................................................31 3.3. Assigning Private Network IP Addresses to the Internal LAN......................................................35 3.4. Configuring IP Forwarding Policies...............................................................................................36 3.4.1. Configuring IP Masquerade on Linux 2.6.x and 2.4.x Kernels.............................................36 3.4.2. Configuring IP Masquerade on Linux 2.2.x Kernels............................................................45 3.4.3. Configuring IP Masquerade on Linux 2.0.x Kernels............................................................52 Chapter 4. Configuring the other internal to−be MASQed machines.........................................................60 4.1. Configuring Microsoft Windows 95 and OSR2.............................................................................60 4.2. Configuring Windows NT..............................................................................................................62 4.3. Configuring Windows for Workgroup 3.11....................................................................................62 4.4. Configuring UNIX Based Systems.................................................................................................63 4.5. Configuring DOS using NCSA Telnet package.............................................................................63 4.6. Configuring MacOS Based System Running MacTCP..................................................................64 4.7. Configuring MacOS Based System Running Open Transport.......................................................64 4.8. Configuring Novell network using DNS........................................................................................65 4.9. Configuring OS/2 Warp..................................................................................................................66 4.10. Configuring OS/400 on a IBM AS/400........................................................................................67 4.11. Configuring Other Systems..........................................................................................................67 Chapter 5. Testing IP Masquerade.................................................................................................................68 5.1. Loading up the rc.firewall ruleset...................................................................................................68 5.2. Testing internal MASQ client PC connectivity..............................................................................69 5.3. Testing internal MASQ client to MASQ server connectivity.........................................................69 5.4. Testing internal MASQ server connectivity...................................................................................70 5.5. Testing internal MASQ server to MASQ client connectivity.........................................................70 5.6. Testing External MASQ server Internet connectivity....................................................................71 5.7. Testing internal MASQ client to external MASQ server connectivity...........................................72 i Linux IP Masquerade HOWTO Table of Contents Chapter 5. Testing IP Masquerade 5.8. Testing external MASQ ICMP forwarding.....................................................................................73 5.9. Testing MASQ functionality without DNS....................................................................................74 5.10. Testing MASQ functionality with DNS resolution......................................................................75 5.11. Testing more MASQ functionality with DNS..............................................................................75 5.12. Any remaining functional, performance, etc. issues.....................................................................76 Chapter 6. Other IP Masquerade Issues and Software Support..................................................................77 6.1. Problems with IP Masquerade........................................................................................................77 6.2. Incoming services...........................................................................................................................77 6.3. Supported Client Software and Other Setup Notes.........................................................................77 6.3.1. Network Clients that −Work− with IP Masquerade..............................................................77 6.3.2. Clients that do not have full support in IP MASQ:...............................................................80 6.4. Stronger firewall rulesets to run after initial testing.......................................................................80 6.4.1. Stronger IP Firewall (IPTABLES) rulesets...........................................................................80 6.4.2. Stronger IP Firewall (IPCHAINS) rulesets...........................................................................90 6.4.3. Stronger IP Firewall (IPFWADM) Rulesets.........................................................................98 6.5. IP Masquerading multiple internal networks................................................................................104 6.5.1. iptables support for multiple internal lans...........................................................................104 6.5.2. ipchains support for multiple internal lans..........................................................................104 6.5.3. ipfwadm support for multiple internal lans.........................................................................105 6.6. IP Masquerade and Dial−on−Demand Connections.....................................................................105 6.7. IPPORTFW, IPMASQADM, IPAUTOFW, REDIR, UDPRED, and other Port Forwarding tools.....................................................................................................................................................105 6.7.1. 2.4.x PORTFWD'ing: Using IPTABLE's PREROUTING option for 2.4.x kernels...........107 6.7.2. 2.2.x PORTFWD'ing: Using IPMASQADM with 2.2.x kernels........................................109 6.7.3. 2.0.x PORTFWD'ing: Using IPPORTFW on 2.0.x kernels................................................111 6.8. CU−SeeMe and Linux IP−Masquerade........................................................................................113 6.9.
Load more

Recommended publications
  • The Linux Kernel Module Programming Guide
    The Linux Kernel Module Programming Guide Peter Jay Salzman Michael Burian Ori Pomerantz Copyright © 2001 Peter Jay Salzman 2007−05−18 ver 2.6.4 The Linux Kernel Module Programming Guide is a free book; you may reproduce and/or modify it under the terms of the Open Software License, version 1.1. You can obtain a copy of this license at http://opensource.org/licenses/osl.php. This book is distributed in the hope it will be useful, but without any warranty, without even the implied warranty of merchantability or fitness for a particular purpose. The author encourages wide distribution of this book for personal or commercial use, provided the above copyright notice remains intact and the method adheres to the provisions of the Open Software License. In summary, you may copy and distribute this book free of charge or for a profit. No explicit permission is required from the author for reproduction of this book in any medium, physical or electronic. Derivative works and translations of this document must be placed under the Open Software License, and the original copyright notice must remain intact. If you have contributed new material to this book, you must make the material and source code available for your revisions. Please make revisions and updates available directly to the document maintainer, Peter Jay Salzman <[email protected]>. This will allow for the merging of updates and provide consistent revisions to the Linux community. If you publish or distribute this book commercially, donations, royalties, and/or printed copies are greatly appreciated by the author and the Linux Documentation Project (LDP).
    [Show full text]
  • Linux on the Road
    Linux on the Road Linux with Laptops, Notebooks, PDAs, Mobile Phones and Other Portable Devices Werner Heuser <wehe[AT]tuxmobil.org> Linux Mobile Edition Edition Version 3.22 TuxMobil Berlin Copyright © 2000-2011 Werner Heuser 2011-12-12 Revision History Revision 3.22 2011-12-12 Revised by: wh The address of the opensuse-mobile mailing list has been added, a section power management for graphics cards has been added, a short description of Intel's LinuxPowerTop project has been added, all references to Suspend2 have been changed to TuxOnIce, links to OpenSync and Funambol syncronization packages have been added, some notes about SSDs have been added, many URLs have been checked and some minor improvements have been made. Revision 3.21 2005-11-14 Revised by: wh Some more typos have been fixed. Revision 3.20 2005-11-14 Revised by: wh Some typos have been fixed. Revision 3.19 2005-11-14 Revised by: wh A link to keytouch has been added, minor changes have been made. Revision 3.18 2005-10-10 Revised by: wh Some URLs have been updated, spelling has been corrected, minor changes have been made. Revision 3.17.1 2005-09-28 Revised by: sh A technical and a language review have been performed by Sebastian Henschel. Numerous bugs have been fixed and many URLs have been updated. Revision 3.17 2005-08-28 Revised by: wh Some more tools added to external monitor/projector section, link to Zaurus Development with Damn Small Linux added to cross-compile section, some additions about acoustic management for hard disks added, references to X.org added to X11 sections, link to laptop-mode-tools added, some URLs updated, spelling cleaned, minor changes.
    [Show full text]
  • Redbooks Paper Linux on IBM Zseries and S/390
    Redbooks Paper Simon Williams Linux on IBM zSeries and S/390: TCP/IP Broadcast on z/VM Guest LAN Preface This Redpaper provides information to help readers plan for and exploit Internet Protocol (IP) broadcast support that was made available to z/VM Guest LAN environments with the introduction of the z/VM 4.3 Operating System. Using IP broadcast support, Linux guests can for the first time use DHCP to lease an IP address dynamically from a DHCP server in a z/VM Guest LAN environment. This frees the administrator from the previous method of having to hardcode an IP address for every Linux guest in the system. This new feature enables easier deployment and administration of large-scale Linux environments. Objectives The objectives of this paper are to: Review the z/VM Guest LAN environment Explain IP broadcast Introduce the Dynamic Host Configuration Protocol (DHCP) Explain how DHCP works in a z/VM Guest LAN Describe how to implement DHCP in a z/VM Guest LAN environment © Copyright IBM Corp. 2003. All rights reserved. ibm.com/redbooks 1 z/VM Guest LAN Attention: While broadcast support for z/VM Guest LANs was announced with the base z/VM 4.3 operating system, the user must apply the PTF for APAR VM63172. This APAR resolves several issues which have been found to inhibit the use of DHCP by Linux-based applications running over the z/VM Guest LAN (in simulated QDIO mode). Introduction Prior to z/VM 4.2, virtual connectivity options for connecting one or more virtual machines (VM guests) was limited to virtual channel-to-channel adapters (CTCA) and the Inter-User Communications Vehicle (IUCV) facility.
    [Show full text]
  • Version 7.8-Systemd
    Linux From Scratch Version 7.8-systemd Created by Gerard Beekmans Edited by Douglas R. Reno Linux From Scratch: Version 7.8-systemd by Created by Gerard Beekmans and Edited by Douglas R. Reno Copyright © 1999-2015 Gerard Beekmans Copyright © 1999-2015, Gerard Beekmans All rights reserved. This book is licensed under a Creative Commons License. Computer instructions may be extracted from the book under the MIT License. Linux® is a registered trademark of Linus Torvalds. Linux From Scratch - Version 7.8-systemd Table of Contents Preface .......................................................................................................................................................................... vii i. Foreword ............................................................................................................................................................. vii ii. Audience ............................................................................................................................................................ vii iii. LFS Target Architectures ................................................................................................................................ viii iv. LFS and Standards ............................................................................................................................................ ix v. Rationale for Packages in the Book .................................................................................................................... x vi. Prerequisites
    [Show full text]
  • Firewalld ↔ Iptables (Continued)
    firewalld ↔ iptables (continued) Or, better said as, Understanding Linux Firewall Changes and Tools A firewall evolution and system management process Presented to SLUUG By David Forrest August 9, 2017 Bio I am David Forrest, a businessman in the housing and construction materials industry. Always keen to use the open and supportable solution even if it means getting my hands dirty. I was there, I did that, I have the t-shirt. And, I'm retired so now I can work on the “bleeding edge” - so on to the testing kernel! Why tonight? Why should we switch to firewalld? I felt a continuation was in order to address the problems that are caused by the virtual world and the interaction of processes within today's machines. Our various distributions seem to be jumping to the systemd init setup as it appears to offer better administration control to Linux Kernel machines. Firewalld just one of many efforts to see the future. In recent years, operating system virtualization has taken the industry by storm. But I'm still on CentOS7 and it uses firewalld as its default firewall along with systemd https://wiki.debian.org/Debate/initsystem/systemd firewalld It's a daemon and a command line interface to all the backends! One can start it as a service with a default setup and change it dynamically with a command line or with the daemon using D-Bus or NetworkManager. And with the new nftables release, we'll be able to combine several rules in one rich rule. The firewalld Architecture Firewalld and nft Systems have also moved toward Software Defined Networking (SDN) and system density has increased.
    [Show full text]
  • Wingate Manual
    Wingate manual So read on to find out what to do after you ve installed WinGate, and how to go about configuring your LAN to get your client machines connecting to the. WinGate is highly capable web proxy software for Windows: caching, intercepting, forward and reverse proxy with https inspection and SSL offload, SOCKS ​WinGate VPN · ​Kaspersky AV for WinGate · ​PureSight for WinGate · ​Lumen. Your license agreement with Qbik New Zealand Limited, which is included with WinGate 3 (“the Software”), specifies the permitted and prohibited uses of the. Install WinGate 7 and have your network up and running in about 5 minutes. This video demonstrates how. WinGate Proxy Server is a sophisticated integrated Internet gateway and Advance => Network => Settings => Manual Proxy Configuration. Control and manage Internet access with WinGate, a sophisticated Internet gateway and communications server designed to meet the control, security and. Wingate Tutorial - Download as Word Doc .doc /.docx), PDF File .pdf), Text Select manual settings Goto edit settings Edit ip settings Set your ip adress as. WinGate is software designed to calibrate canal check gates for flow measurement. WinGate can analyze radial gates and slide gates. The current version is. Manual. WINGATE®. Configuration Tool for UNIGATE®. Deutschmann Automation GmbH & Co. KG | hmann. This manual covers two models - E and E Wingate Option. Watch therefore, for which sections apply to your bike. Monark E and E Wingate. The NCDPI Licensure Form and instructions are also available online at our website under "Forms," then “Licensure” for your convenience. Application. Library LibGuides. Policy Manual Cataloging. Library LibGuides. Policy Manual E-Resources.
    [Show full text]
  • Hardening Linux
    eBooks-IT.org 4444_FM_final.qxd 1/5/05 12:39 AM Page i eBooks-IT.org Hardening Linux JAMES TURNBULL 4444_FM_final.qxd 1/5/05 12:39 AM Page ii eBooks-IT.org Hardening Linux Copyright © 2005 by James Turnbull All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN (pbk): 1-59059-444-4 Printed and bound in the United States of America 987654321 Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. Lead Editor: Jim Sumser Technical Reviewer: Judith Myerson Editorial Board: Steve Anglin, Dan Appleman, Ewan Buckingham, Gary Cornell, Tony Davis, Jason Gilmore, Chris Mills, Dominic Shakeshaft, Jim Sumser Project Manager: Kylie Johnston Copy Edit Manager: Nicole LeClerc Copy Editor: Kim Wimpsett Production Manager: Kari Brooks-Copony Production Editor: Kelly Winquist Compositor: Linda Weidemann Proofreader: Lori Bring Indexer: Kevin Broccoli Artist: Kinetic Publishing Services, LLC Cover Designer: Kurt Krames Manufacturing Manager: Tom Debolski Distributed to the book trade in the United States by Springer-Verlag New York, Inc., 233 Spring Street, 6th Floor, New York, NY 10013, and outside the United States by Springer-Verlag GmbH & Co. KG, Tiergartenstr. 17, 69112 Heidelberg, Germany. In the United States: phone 1-800-SPRINGER, fax 201-348-4505, e-mail [email protected], or visit http://www.springer-ny.com.
    [Show full text]
  • Linux for Zseries: Device Drivers and Installation Commands (March 4, 2002) Summary of Changes
    Linux for zSeries Device Drivers and Installation Commands (March 4, 2002) Linux Kernel 2.4 LNUX-1103-07 Linux for zSeries Device Drivers and Installation Commands (March 4, 2002) Linux Kernel 2.4 LNUX-1103-07 Note Before using this document, be sure to read the information in “Notices” on page 207. Eighth Edition – (March 2002) This edition applies to the Linux for zSeries kernel 2.4 patch (made in September 2001) and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 2000, 2002. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Summary of changes .........v Chapter 5. Linux for zSeries Console || Edition 8 changes.............v device drivers............27 Edition 7 changes.............v Console features .............28 Edition 6 changes ............vi Console kernel parameter syntax .......28 Edition 5 changes ............vi Console kernel examples ..........28 Edition 4 changes ............vi Usingtheconsole............28 Edition 3 changes ............vii Console – Use of VInput ..........30 Edition 2 changes ............vii Console limitations ............31 About this book ...........ix Chapter 6. Channel attached tape How this book is organized .........ix device driver ............33 Who should read this book .........ix Tapedriverfeatures...........33 Assumptions..............ix Tape character device front-end........34 Tape block
    [Show full text]
  • Linux Kernel and Driver Development Training Slides
    Linux Kernel and Driver Development Training Linux Kernel and Driver Development Training © Copyright 2004-2021, Bootlin. Creative Commons BY-SA 3.0 license. Latest update: October 9, 2021. Document updates and sources: https://bootlin.com/doc/training/linux-kernel Corrections, suggestions, contributions and translations are welcome! embedded Linux and kernel engineering Send them to [email protected] - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 1/470 Rights to copy © Copyright 2004-2021, Bootlin License: Creative Commons Attribution - Share Alike 3.0 https://creativecommons.org/licenses/by-sa/3.0/legalcode You are free: I to copy, distribute, display, and perform the work I to make derivative works I to make commercial use of the work Under the following conditions: I Attribution. You must give the original author credit. I Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. I For any reuse or distribution, you must make clear to others the license terms of this work. I Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. Document sources: https://github.com/bootlin/training-materials/ - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 2/470 Hyperlinks in the document There are many hyperlinks in the document I Regular hyperlinks: https://kernel.org/ I Kernel documentation links: dev-tools/kasan I Links to kernel source files and directories: drivers/input/ include/linux/fb.h I Links to the declarations, definitions and instances of kernel symbols (functions, types, data, structures): platform_get_irq() GFP_KERNEL struct file_operations - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 3/470 Company at a glance I Engineering company created in 2004, named ”Free Electrons” until Feb.
    [Show full text]
  • Protokollsupport
    Reference Guide WinRoute Pro 4.1 SE För version 4.1 Build 22 och sinare Tiny Software Inc. Contents Innehållsförteckning Läs mig först 2 Beskrivning av WinRoute 5 WinRoute sammanfattning...................................................................................... 6 Omfattande protokollsupport .................................................................................. 9 NAT-router............................................................................................................ 10 Introduktion i NAT .................................................................................... 11 Hur NAT fungerar...................................................................................... 12 WinRoutes struktur .................................................................................... 13 Att ställa in NAT på båda gränssnitten ...................................................... 15 Portmappning - paketbefordran ................................................................. 18 Portmappning för system med flera hem (flera IP-adresser)...................... 21 Multi-NAT ................................................................................................. 22 Gränssnittstabell......................................................................................... 24 VPN-support .............................................................................................. 24 Brandvägg med paketfilter.................................................................................... 25 Översikt
    [Show full text]
  • Demystifying Internet of Things Security Successful Iot Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M
    Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security: Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Chandler, AZ, USA Chandler, AZ, USA Ned Smith David M. Wheeler Beaverton, OR, USA Gilbert, AZ, USA ISBN-13 (pbk): 978-1-4842-2895-1 ISBN-13 (electronic): 978-1-4842-2896-8 https://doi.org/10.1007/978-1-4842-2896-8 Copyright © 2020 by The Editor(s) (if applicable) and The Author(s) This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book’s Creative Commons license, unless indicated otherwise in a credit line to the material.
    [Show full text]
  • Abusing Transparent Proxies with Flash V2.00
    Abusing Transparent Proxies with Flash v2.00 By Robert Auger PayPal Information Risk Management AppSec DC November 2009 The OWASP Foundation http://www.owasp.org Overview What are transparent and intercepting proxies? When are transparent proxies used? How do they operate? Brief intro to the SOP Flash and the socket policy The abuse case Solutions and mitigations Conclusions OWASP 2 What are transparent and intercepting proxies? Explicit Proxy: A proxy explicitly configured by a client or user system. Also known as a classic web proxy. Transparent Proxy: Proxy which is NOT explicitly configured by the client machine. Intercepting Proxy: A more intrusive version of a transparent proxy. May modify traffic. OWASP 3 When are transparent proxies used? OWASP 4 How traffic gets to transparent proxies Technologies such as WCCP/GRE/IPTables/IPFW are often used to force/redirect traffic to the transparent proxy The user is unaware this is going on Proxy is typically on a dedicated machine, sometimes deployed on the gateway/router itself Often involves rewriting the packet’s destination to the proxies IP address and port (NAT) Some implementations merely sniff the wire and may not terminate to a service If the proxy is listening on all addresses then rewriting shouldn’t be required, although it is unknown how common this approach is OWASP 5 Common transparent proxy architectures OWASP 6 Approach A: Use the destination IP from the client Proxy server determines destination based on original destination-IP address of client request. In this configuration the transparent proxy routes requests much like a standard router by basing its routing decisions off of the network layer (layer 3).
    [Show full text]