Sidebar: IP Masquerading
One of the new features in the Linux kernel is IP masquerading. This feature enables you to "hide" local systems behind one IP address. Its workings are best explained by means of an example.

If you look at Figure 2, the machine called "firewall" will connect to the Internet, using IP address 194.109.13.150. This is the address assigned to me by the Internet Service Provider. These addresses are single node addresses, which means that they cannot be used for routing traffic. So, the firewall cannot run routed to announce routes to the machines host1 or host2.

So, if we want to connect to the Internet from host1 or host2, we need to do something extra. Usually, we would install application proxies on the firewall. The local hosts will then connect to these proxies, which in turn will connect to the Internet.

IP masquerading, however, enables the firewall to modify the IP addresses in the IP packets sent by host1 or host2. For host1 and host2, the machine firewall is a "normal" gateway. So, all nonlocal IP traffic from host1 or host2 will be sent to this firewall at address 193.78.174.33. The firewall will then replace the source address, either 193.78.174.34 or 193.78.174.35, with the IP address of the firewall (in this case 194.109.13.150). Furthermore, it will store enough information from the IP packet in its internal administration to reconstruct the answer received. When the destination on the Internet sends a reply, the firewall will replace the destination address 194.109.13.150 with the address of the original sender, either 193.78.174.34 or 193.78.174.35.
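The rewrite-and-remember step described above, as an added simulation that is not part of the original sidebar or of the kernel code: the firewall keeps a table keyed by protocol and masqueraded port, so that a reply can be mapped back to host1 or host2, and anything arriving with no matching entry (or from a peer other than the one the host talked to) is dropped. Packets are plain dicts, the remote addresses are constructed, and the starting masqueraded port 61000 is an assumption.

```python
"""Simulation of the masquerading table sketched in the sidebar."""
from dataclasses import dataclass, field

FIREWALL_EXT = "194.109.13.150"   # firewall's Internet-facing address
LOCAL_NET = "193.78.174."         # prefix of the local (hidden) network


@dataclass
class Masquerader:
    next_port: int = 61000        # first masqueraded port (assumption)
    # (proto, masqueraded port) -> (proto, local src, sport, dst, dport)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """Rewrite a packet leaving the local network and record the flow."""
        if not pkt["src"].startswith(LOCAL_NET):
            return pkt            # not a local host: forward unchanged
        flow = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        for (_, msq_port), existing in self.table.items():
            if existing == flow:  # same connection seen before: reuse port
                break
        else:
            msq_port = self.next_port
            self.next_port += 1
            self.table[(pkt["proto"], msq_port)] = flow
        return {**pkt, "src": FIREWALL_EXT, "sport": msq_port}

    def inbound(self, pkt):
        """Undo the rewrite for a reply; return None for anything unsolicited."""
        flow = self.table.get((pkt["proto"], pkt["dport"]))
        if flow is None or pkt["dst"] != FIREWALL_EXT:
            return None           # no local host asked for this: drop
        _, src, sport, dst, dport = flow
        if (pkt["src"], pkt["sport"]) != (dst, dport):
            return None           # reply from an unexpected peer: drop
        return {**pkt, "dst": src, "dport": sport}


if __name__ == "__main__":
    fw = Masquerader()
    out = fw.outbound({"proto": "tcp", "src": "193.78.174.34", "sport": 1024,
                       "dst": "198.51.100.7", "dport": 80})
    print("on the wire:", out)
    back = fw.inbound({"proto": "tcp", "src": "198.51.100.7", "sport": 80,
                       "dst": FIREWALL_EXT, "dport": out["sport"]})
    print("delivered to:", back["dst"], back["dport"])
```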
This masquerading feature is configured with the ipfwadm program. You can specify which source addresses should be masqueraded. You only have to specify the outgoing route, from the local network to the Internet. The reverse is automatically done by the kernel.

Masquerading has some advantages over routing. First, you are able to completely hide the local network (and thus the local addresses) from the outside world. You only need to make one IP address publicly known, which is an added security benefit. Second, you don't need to configure a routing daemon. This will save you some trouble and avoid a potential security hazard. Third, you do not need to install proxy daemons on the firewall. This will also avoid a potential security hazard; the fewer daemons running on the firewall, the better. With masquerading, it is even possible to completely dispense with inetd. This limits the number of open ports on your firewall and, thus, the number of holes a hacker can probe to try to get in.